Putin’s fundamental misreading of Ukraine is now plain to see. Far from welcoming Russia’s invasion, the Ukrainian nation united and rose up in resistance. What was anticipated by the Kremlin as a brief and victorious military campaign has instead become the biggest European war since World War II. But if the scale of Putin’s blunder is obvious, it is important to note that he is far from the only Russian harboring such delusions. Russia’s elites and Russian society as a whole tend to assume everything that needs to be known (or is worth knowing) about Ukraine and Ukrainians has long been known and requires no further inquiry. This helps to explain why until fairly recently, there were hardly any academic or analytical centers in Russia devoted specifically to Ukrainian studies.

Today’s Russian attitudes toward Ukraine reflect centuries of imperial Russian and Soviet nationality policy. In the former case, Ukrainians (and Belarusians) were officially viewed as components of a larger, supranational “all-Russian people” that also included the Russians themselves. Meanwhile, for most of the Soviet period, the Ukrainian, Belarusian, and Russian republics were seen as the Slavic core and foundation for another supranational entity, the “Soviet people.”

The similarity between the imperial and Soviet views is unmistakable, albeit with one dissonant nuance: Soviet nationality policy, while doing all it could to erase Ukrainian national identity, at the same time officially recognized the Ukrainian Soviet Socialist Republic as a state entity and Ukrainians as a separate nationality. Putin has been highly critical of Lenin for this approach, and has claimed the Bolshevik leader was personally responsible for “creating” Ukraine. This line of thinking reached what may be seen as its logical conclusion with Putin’s insistence that Ukrainians and Russians are “one people.” By denying the existence of a separate Ukrainian national identity, Putin brought the legitimacy of Ukrainian statehood into question and set the stage for the current war.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

• Name
  First Last
• Email*
• 
  
  
• Email
  This field is for validation purposes and should be left unchanged.

Russian misconceptions about Ukraine are in part due to the simplistic notion that ethnic Russians and Russian-speakers in Ukraine, as well as those who express an affinity for Russian culture or share Russia’s antagonism toward the EU, NATO, and the West in general, all fall within the same “pro-Russian” category. Likewise, Many Russians have been all too ready to assume that any Ukrainian expressing nostalgia for the Soviet era is waiting to be “liberated” by Moscow. These misconceptions have been echoed by numerous commentators in the West, who have similarly treated evidence of favorable Ukrainian attitudes toward modern Russia or the Soviet past as indications of a desire for some form of Russian reunion.

In reality, being “pro-Russian” is understood one way in Ukrainian cities like Donetsk, Kramatorsk, or Mariupol, and quite differently in Moscow, Omsk, or Tomsk. During the initial stages of Russian aggression against Ukraine in April 2014, the Kyiv International Institute of Sociology conducted a wide-ranging poll in the eight southeastern Ukrainian provinces (excluding Crimea) targeted by the Kremlin. This revealed that 70 percent of respondents were against separation from Ukraine and unification with Russia, while just 15 percent were in favor.

If separation from Ukraine was not on their wish list, what did they in fact want? A relative majority of 45 percent preferred the decentralization of power and greater rights for their region; another 25 percent favored a federated Ukraine, while only 19 percent were happy with the existing relationship with Kyiv. Other surveys conducted at around the same time yielded similar findings.

Eurasia Center events

Online Event Thu, July 20, 2023 • 8:00 am ET

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Unsurprisingly, Russia’s full-scale invasion has further shaped Ukrainian attitudes toward issues of national identity. Today, the people of Ukraine are more consolidated as a political nation than at any time since regaining independence more than thirty years ago. According to the Razumkov Centre, 94 percent of respondents in a May 2023 survey expressed pride in their Ukrainian citizenship; 74 percent expressed feelings of patriotism and love for their country; and 71 percent were ready to come to its defense, either with weapons in hand or as participants in volunteer support groups.

Meanwhile, negative attitudes toward Russia and Russian citizens have skyrocketed. At the end of 2019, only 20 percent of Ukrainians held negative attitudes toward Russians; six months after the start of the full-scale Russian invasion in September 2022, 80 percent of respondents asserted that they would not allow Russians into Ukraine. In terms of attitudes toward Russia, the turnaround has been even more drastic. In early February 2022, about a week before the Russian invasion, 34 percent of Ukrainians held positive views of Russia. That number dropped to just two percent three months later, with 92 percent saying they viewed the country in a negative light.

With the war clearly going badly for the Kremlin, there could now be a glimmer of hope for some reality-based adjustments to Russian illusions about Ukraine. Russian MP Konstanin Zatulin, who is well known for championing the plight of Russian “compatriots” abroad and promoting aggressive policies toward Ukraine, has recently questioned the wisdom of denying Ukrainian identity. “I would be happy if there was no Ukraine, but if we continue to constantly repeat that there is no Ukraine and no Ukrainians,” this will only strengthen their resistance on the battlefield, he noted at a June 2023 forum in Moscow.

Zatulin’s comments hint at growing recognition in Russia that widely held beliefs about Ukraine’s indivisibility from Russia are both inaccurate and unhelpful. However, resistance to the entire notion of Ukrainian statehood is so deeply ingrained in Russian society that it may take generations before the attitudes underpinning the current war are no longer dominant.

Roman Solchanyk is author of “Ukraine and Russia: The Post-Soviet Transition” (2001). He has previously served as a senior analyst at the Radio Free Europe/Radio Liberty Research Institute and the RAND Corporation.

Further reading

UkraineAlert Jul 13, 2023

After Wagner: Could the Russian army now turn against Putin?

By Mercedes Sapuppo

With dozens of senior Russian officers reportedly detained following the Wagner revolt and a senior commander dismissed this week for criticizing the conduct of the Ukraine invasion, could Putin face a mutiny within the Russian army?

Conflict Crisis Management

UkraineAlert Jun 12, 2023

Beyond the counteroffensive: 84% of Ukrainians are ready for a long war

By Peter Dickinson

84% of Ukrainians reject any compromise with Russia and are ready for a long war if necessary in order to fully de-occupy their country. Most simply see no middle ground between genocide and national survival, writes Peter Dickinson.

Civil Society Conflict

UkraineAlert Jun 21, 2023

Putin’s nuclear threats will escalate as Ukraine’s counteroffensive unfolds

By Diane Francis

As Ukraine’s long-awaited counteroffensive gets underway, there are fears that Russia’s deteriorating military predicament could lead to an escalation in Vladimir Putin’s nuclear threats, writes Diane Francis.

Conflict Disinformation

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia and Central Asia in the East.

Learn more

The post Putin’s biggest mistake was believing Ukrainians were really Russians appeared first on Atlantic Council.

On June 30, Markus Garlauskas and Global China Hub Nonresident Senior Fellow John Culver were the guests for Voice of America’s Washington Talk panel discussion show, which focuses on North and South Korean audiences and is often watched by the US Korea analysis and policy community. The discussion focused on the new North Korea intelligence estimate, other North Korea developments and various Korea-China issues. The show aired in the region and was posted on YouTube on July 1.

Staff

Markus Garlauskas

Director

Indo-Pacific Security Initiative Scowcroft Center for Strategy and Security

Crisis Management Indo-Pacific

Fellow

John K. Culver

Nonresident Senior Fellow

Global China Hub

China East Asia

The post Garlauskas and Culver Panelists for VOA Show appeared first on Atlantic Council.

On June 29, Markus Garlauskas was the guest for the Center for Strategic and International Studies’ Capital Cable talk show. The moderator, retired US Ambassador Mark Lippert, introduced the show by highlighting Garlauskas’ New Atlanticist piece on the new North Korea intelligence estimate. The discussion that followed addressed a wide range of defense and security issues related to Korea.

Staff

Markus Garlauskas

Director

Indo-Pacific Security Initiative Scowcroft Center for Strategy and Security

Crisis Management Indo-Pacific

The post Garlauskas on the Capital Cable appeared first on Atlantic Council.

The new NIE lays out three pathways through 2030 for how North Korean leader Kim Jong Un’s strategy could evolve as his nuclear weapons capabilities improve. The NIE concludes that the by far most likely pathway is for Kim to leverage his nuclear capability for “coercion, potentially including non-nuclear lethal attacks, aimed at advancing the North’s goals.” It also delineates two additional low-likelihood pathways: North Korea could employ an offensive strategy to dominate the Korean Peninsula through the use of force, or it could turn to a defensive strategy, in which nuclear weapons are used solely as a deterrent. According to the estimate, Kim is most likely to continue pursuing coercion because he will be “confident that his growing nuclear capabilities will deter any unacceptable retaliation or consequences” but that he would not actually attack with them unless he “believes his regime is in peril.”

As a former National Intelligence Officer for North Korea who led the development of NIEs, I see this document as monumental in my particular niche, but some additional context is needed to understand why. Since the 1950s, NIEs have been the US intelligence community’s most authoritative written judgments on national security issues, developed through a collaborative process led by the Office of the Director of National Intelligence’s National Intelligence Council (NIC) and its predecessor organizations. This new NIE is a tantalizing glimpse of the US intelligence community’s larger strategic intelligence picture on North Korea, even as it necessarily represents only the tip of the iceberg of a much longer classified document.

What is perhaps most remarkable about the latest NIE is that it highlights very recent key intelligence community judgments about North Korea. This is a major and unusual step, given that this practice was largely halted after the declassification of key judgments in the 2007 NIE on Iran’s nuclear program caused a number of public controversies. It also marks a change from how the intelligence community has generally approached public assessments of North Korea. Though US intelligence leaders have openly described North Korea as a “hard target,” they have generally been guarded in their assessments of Pyongyang’s capabilities and how they know what they know. With a few exceptions (many of them during the “fire and fury” period of 2017) most of the intelligence community’s publicly released assessments have been small portions of the larger Annual Threat Assessment provided to Congress. 

Given this history, and the fact that the NIE does not address the possibility that North Korea will give up its nuclear weapons, it could have been withheld on the unfair grounds that it could be interpreted as an implicit rebuttal to the longstanding US policy of negotiating the denuclearization of North Korea. It is therefore a testament to the sincerity of Director of National Intelligence Avril Haines’s commitment to transparency that this NIE was released. 

Even with its notable and welcome transparency, however, it does not give a full picture of the strategic North Korea nuclear challenge. There are (at least) three areas that are worth adding to the discussion.

First, China. The NIE’s analysis related to Beijing is guarded and subtle, particularly compared to how much intelligence leaders openly focus on the threat. While Washington publicly and loudly grapples with the premise that the United States and the People’s Republic of China (PRC) will likely be in a heightened state of military confrontation or outright war over Taiwan before 2030, these key judgments do not explicitly address the possibility, much less explore the massive implications this has for Korea. The declassified NIE does warn, among other factors, that an offensive strategy would “become more likely” if Kim believed he could “maintain China’s support” or “if [Kim] concluded that [an] international crisis presented a last chance to accomplish revisionist goals.” As current National Intelligence Officer Sydney Seiler acknowledged to me last week, the need to consider North Korea’s potential to escalate during a Taiwan crisis is a “no brainer.” That the key judgments omit this subject is neither surprising nor troubling to me as a former NIO. I know how hard it is to keep this document’s scope manageable and the challenges of considering hypotheticals piled upon hypotheticals. However, readers should keep in mind that the risk of North Korea using its nuclear weapons, or taking the offensive in general, could be much greater in the event of a US-PRC conflict.

Second, South Korea. Specifically, it is important to recognize Seoul’s potential to field its own nuclear arms. If Kim pursues a strategy of coercion, as the NIE judges he most likely will, and “may be willing to take greater conventional military risks, believing that nuclear weapons will deter an unacceptably strong US or South Korean response,” the value of South Korean nuclear capability to counter such threats would fuel the already-strong South Korean public sentiment for the country to acquire nuclear weapons. It would, however, be impolitic to warn that April’s Washington Declaration, wherein South Korean President Yoon Suk Yeol pledged to forgo nuclear weapons, may not last beyond the end of his constitutional single term in 2027. The window between a decision for nuclear weapons and operational capability would be a logical time for a preventive attack, a concrete example of the general “now or never crisis” the NIE cites as a driver for an offensive.  

Third, military and policy prescriptions. These are outside the remit of the NIC and violate intelligence analysis tradecraft standards, so it makes sense that they are not included in the NIE. However, several logical strategic-level policy and military recommendations could be derived from this estimate’s judgments. At least three come to mind immediately:

• First, the United States should not politically recognize North Korea as a de facto or de jure legitimately nuclear-armed state in the hope that this would lead it to be a defensively focused “responsible” power, given how unlikely this is to happen. 
• Second, the United States and South Korea should ensure that their primary efforts in deterrence of North Korea are focused on the most likely threat. US and allied efforts at deterrence should not be content with just deterring an “all-out” military offensive or nuclear strikes. They should also counter as much as possible the sort of incremental creeping coercive escalation that could either fatally undermine the security of South Korea and the US position in the region over time or could spin out of control into an escalating conflict. 
• Third, the United States and South Korea should recognize that, though it is not the most likely scenario, they must be prepared to fight a nuclear war with North Korea. Washington and Seoul must contend with the unpleasant reality that there is a plausible set of conditions, particularly in the context of a hypothetical US-PRC war or a South Korean decision for nuclear arms, that could lead North Korea to undertake an offensive use of nuclear weapons. 

Though this NIE is neither the first nor the last word on the implications of North Korea’s growing nuclear capabilities, it is a huge step forward for public and classified policy debates. The NIE provides the intellectual foundation to prepare for a long struggle with an increasingly well-armed and coercive North Korea, instead of abandoning the principle of denuclearizing North Korea in a vain attempt to secure peace or embarking on the reckless path of embracing preventive war in fear that Kim will strike first. The NIE demarcates the field in which the United States and its allies must be prepared to play a high-stakes game—a contest in which the PRC’s aggression and South Korea’s own nuclear weapons could have game-changing consequences.

Markus Garlauskas served as the national intelligence officer for North Korea, leading the US intelligence community’s strategic analysis of North Korea from 2014 to 2020. He is the director of the Indo-Pacific Security Initiative at the Scowcroft Center for Strategy and Security of the Atlantic Council, and tweets at @Mister_G_2.

The post Reading between the lines of the new North Korea intelligence estimate appeared first on Atlantic Council.

Security

Ukrainian counteroffensive sees advances in Zaporizhzhia and eastern Ukraine

Wagner attempts to draft gamers as UAV pilots

Tracking narratives

Deripaska blames hackers after his website briefly takes credit for potential war crime

Rumors of alleged death of popular pro-Kremlin war correspondent gain traction on Twitter

Ukrainian counteroffensive sees advances in Zaporizhzhia and eastern Ukraine

On June 19, Ukrainian forces launched counteroffensive actions in at least three areas and appear to have made gains in Zaporizhzhia and eastern Ukraine. The Telegram channel of Russian military blogger WarGonzo reported that Ukrainian forces continued attacks northwest, northeast, and southwest of Bakhmut and advanced near Krasnopolivka. Ukrainian Deputy Defense Minister Hanna Maliar announced that over the past week Ukrainian troops advanced up to seven kilometers in the direction of Zaporizhzhia and retook 113 square kilometers of territory. Russian Telegram channels also reported that fighting was ongoing south and southwest of Orikhiv on June 19. Zaporizhzhia and Donetsk oblasts continue to be the most active areas of the frontline, as the Ukrainian army attempts to advance in the directions of Novodarivka, Pryutne, Makarivka, Rivnopil, Novodanylivka, and Robotyne.

On June 17, the Russian Ministry of Defense claimed that Ukrainian forces conducted ground attacks west and south of Kreminna. It also stated that the Russian army had repelled Ukrainian attacks on the Avdiivka-Donetsk sector. Meanwhile, Ukrainian forces continued operations around Velyka Novosilka near the border between Donetsk and Zaporizhzhia oblasts. 

According to Ukrainian forces, Russian forces conducted offensive actions in Donetsk and Luhansk oblasts. The Ukrainian military reported forty-five combat engagements with Russian forces near Yampolivka, Torske, Hryhorivka, Spirne, Avdiyivka, Krasnohorivka, Marinka, Pobieda, Novomykhailivka, and Donetsk’s Dibrova and Orikhovo-Vasylivka. According to Ukraine, the Russian army continued to shell villages in the direction of Marinka, Zaporizhzhia, Kherson, Lyman, and Kupiansk. Ukraine also alleged that Russian forces launched Kalibr cruise missiles from a submarine in the Black Sea and Shahed drones from the eastern coast of the Sea of Azov.

On June 20, Kyrylo Budanov, chief of the Main Directorate of Intelligence for the Ministry of Defense of Ukraine, alleged that Russian troops mined the Zaporizhzhia nuclear power plant’s cooling pond, which is necessary for the safe operation of the plant. According to Budanov, if Russia triggers an explosion, there is a “high probability that there will be significant problems.” Budanov did not provide any evidence to support the allegation, and the statement cannot be independently verified at this time. If true, however, it would put the nuclear plant at greater risk of a significant accident. The power plant complex, Europe’s largest, has been under occupation since February 2022.

On January 22, the governor of Russian-occupied Crimea accused Ukraine of targeting a bridge that connects the peninsula to Kherson Oblast, near the village of Chonhar. In a Telegram post, Vladimir Sal’do alleged that Ukraine struck the bridge with “British Storm Shadow missiles,” creating a hole in the middle of the bridge.

As fierce hostilities continue in eastern and southern Ukraine, there are signs of a new wave of arrests in Russia, including of people with ties to Ukraine. On June 20, Russian state media outlet RIA Novosti announced that a woman of Ukrainian origin was detained in Saransk and charged with treason.

—Ruslan Trad, resident fellow for security research, Sofia, Bulgaria

Wagner attempts to draft gamers as UAV pilots

A June 19 Telegram post from Russian opposition news outlet Verstka claimed that Wagner Group is encouraging gamers to apply to serve as unmanned aerial vehicle pilots in the war against Ukraine. The media outlet reported that no prior military experience was required to apply for the position. Posts from Wagner emerged on Vkontakte the same day, inviting gamers with experience in “manipulating joysticks in flight simulators” to enroll.

Verstka, which contacted a Wagner recruiter as part of its reporting, stated that the campaign aims to recruit soldiers to pilot “copters and more serious machines.” In this particular context, “copters” (коптеры) is a reference to commercial drones that are sold to the public and have been widely used in the war against Ukraine. A May 19 investigation published by the Organized Crime and Corruption Reporting Project found that Chinese manufacturers have reportedly continued to provide Russian armed forces with DJI drones through third parties in Kazakhstan. 

Verstka also noted that in 2022, the Russian defense ministry attempted to recruit gamers with a targeted ad campaign that invited them to play “with real rules, with no cheat codes or saves.”

—Valentin Châtelet, research associate, Brussels, Belgium

Deripaska blames hackers after his website briefly takes credit for potential war crime

The Russian-language website of Russian industrialist and US-sanctioned oligarch Oleg Deripaska briefly displayed an article appearing to take credit for deporting Ukrainian children to Russian-occupied Crimea in partnership with Kremlin official Maria Lvova-Belova, who is already facing an International Criminal Court arrest warrant for allegedly deporting children. 

Yaroslav Trofimov, chief foreign affairs correspondent at the Wall Street Journal, noted the article’s appearance and disappearance in a June 15 tweet. Trofimov shared screengrabs of the article, which by that time had already been deleted from Deripaska’s Russian-language website, deripaska.ru. A complete copy of the article can be found at the Internet Archive.

Later in the article, it added, “Separately, the Fund and personally Oleg Vladimirovich [Deripaska] express their gratitude to Maria Lvova-Belova and her project ‘In Hands to Children,’ which not only provided methodological materials, but also found an opportunity to send employees for psychological work with affected babies.” In March 2023, the ICC issued an arrest warrant for Lvova-Belova and Russian President Vladimir Putin, alleging they are responsible for unlawful deportation and transport of children from Russian-occupied parts of Ukraine to the Russian Federation.

In a response to Russian independent news outlet Meduza, which also covered the incident, a team of representatives for Deripaska called the article a “gross fake press-release” and blamed hackers for the article’s appearance. “The team added that Deripaska ‘unequivocally condemns the separation of children from their parents’ and that he is ‘one of the very few prominent Russian industrialists who openly criticizes the fratricidal war and consistently advocates for peace in Ukraine, as well as a reduction in global military spending,’” Meduza noted.

—Eto Buziashvili, research associate, Tbilisi, Georgia

Rumors of alleged death of popular pro-Kremlin war correspondent gain traction on Twitter

Rumors are spreading online that claim Ukrainian forces killed pro-Kremlin war correspondent Semyon Pegov, who operates an influential group of social media accounts under the name Wargonzo. The rumor first spread on Twitter on June 19 following the release of a graphic video from the 73rd Naval Center of Operations documenting how Ukrainian special forces unit had shot Russian soldiers in trenches. On June 19, Pegov’s Twitter account disregarded the allegations as fake. Wargonzo’s Telegram account has continued to operate as usual.

DFRLab analysis conducted with the social media monitoring software Meltwater Explore revealed that the most retweeted tweet came from the pro-Ukraine Twitter account @GloOouD, which stated, “LOOKS LIKE RUSSIAN TERRORISTS AND WAR REPORTER SEMEN PEGOV WAS KILLED BY UKRAINIAN SPECIAL FORCES.” The account shared a screenshot of a low-quality video frame depicting a red-bearded man that bears resemblance to Pegov.

The DFRLab confirmed that the video frame depicting Pegov’s look-alike was extracted from the graphic video posted posted by the 73rd Naval Center of Operations. The video’s metadata indicates the clip was created on June 18, 2023, at 22:16:07 GMT+0300. However, the video shows events occurring in daylight.

Pegov’s most recent public appearance was on June 13 during a meeting between Putin and Russian war correspondents. The Kremlin-controlled Channel One Russia broadcast the meeting on June 18.

—Nika Aleksejeva, resident fellow, Riga, Latvia

The post Russian War Report: Wagner attempts to draft gamers as drone pilots appeared first on Atlantic Council.

The concept of Gulf security is not new. It was always top of mind for those who inhabited its shores. Historians have written of Russian Tsars’ desires to push south to the Gulf. This desire can be seen in the language of the purported will of Peter the Great from 1725. He advised his descendants to “approach as near as possible to Constantinople and India. Whoever governs there will be the true sovereign of the world. Consequently, excite continual wars, not only in Turkey but in Persia… Penetrate as far as the Gulf, advance as far as India.” The Carter Doctrine, outlined in US President Jimmy Carter’s State of the Union Address in January 1980, committed the United States to use military force, if necessary, to defend its national interests in the Gulf—the doctrine was a direct response to the Soviet Union’s entry into Afghanistan the year prior. 

Generations of US strategic thinkers have spoken of US opposition to threats lodged by any country aiming to control the waters or air space of the Gulf and the adjacent Arabian Sea. Those thinkers focused on what would impede the peaceful relations that the United States and its allies have enjoyed with Gulf countries—countries that have energy resources that make them important for the global economy. 

In over forty years, many realities have changed. US imports of Gulf energy supplies declined. By contrast, US exports to the region have expanded many times over. The parties and conditions that would likely pose a threat to US trade and other relationships with the Gulf are now largely located within the region. In the 1980s and early 1990s, it was the Iraq-Iran War and the Iraqi invasion of Kuwait. Recently, it has been nonstate terrorist groups and Iran. 

In addition, the countries with which the United States has friendly relations don’t depend on the United States to do the job of Gulf security for them. These countries do want Washington to be a reliable partner in support of their individual and collective defense efforts. This is also the goal of the United States. Through diplomacy and through working with the US private sector, Gulf countries’ militaries have been connected to military contacts with US companies and joint exercises conducted by the US Central Command. That fits what the Arab countries in the region need, and it fits what the US political system can accept. 

This takes me back to the Iranian attacks on tankers and other commercial vessels in the final years of the Iran-Iraq War. I was the US ambassador to the United Arab Emirates at the time. Together with other US envoys to the Gulf Cooperation Council (GCC) countries, I was called back to Washington in early 1987 for consultations at the US State Department. 

The Kuwaiti government had formally requested that the United States put its flags on Kuwaiti oil tankers in order to gain the protection of US naval warships. The Kuwaitis promised to reimburse the United States handsomely for the flagging operation and to steadfastly maintain it was merely a commercial arrangement. Kuwait wished to shun any overt military alliance with the United States; for example, it did not even welcome US Navy ship visits. Indeed, the United States only had a small contingent of warships in the Gulf at the time, homeported in Manama, Bahrain. The answer from Washington was negative. The Kuwaitis then redirected their request to the Soviet Union. 

When the group of US envoys and I gathered in the State Department, it was clear that the White House and top US politicians were still disinclined to make a major commitment to protect neutral-flag shipping in the Gulf, despite the unanimity among those of us coming from our posts in the region—we were in favor of some kind of positive response. After a half day of talks, we were told that then US President Ronald Reagan did not want to allow an opportunity for the Soviet Union to bring its military force into the Gulf. So, for that reason (however flawed it may be), Operation Earnest Will was born.

The United States committed to sending a military presence sufficient to protect neutral-flag commercial shipping without spending time quibbling over whether the GCC countries were actually neutral in the Iran-Iraq War. When I returned to Abu Dhabi, I received a warm welcome from Sheikh Zayed bin Sultan Al Nahyan, who was then the president of the United Arab Emirates (UAE), and soon after from the rulers of the UAE’s other six emirates and from Sheikh Mohammed bin Rashid Al Maktoum, the minister of defense. At the time, the UAE was a confederation that granted only limited federal powers and separated military commands across Dubai and several other northern emirates. Even without actual authority outside Abu Dhabi, a young rising star in the Abu Dhabi military command, Sheikh Mohamed bin Zayed, along with Dubai’s Sheikh Mohammed bin Rashid, eventually became key contacts for me as the United States ramped up its military presence in the Gulf. 

When I had arrived at my post in September 1986, the United States was limited to a mere four visits per year by its Navy warships and had very limited military relationships with the UAE emirates. By the time I left in October 1989, the United States had a large number of Navy ship visits, refueling and even making critical ship repairs at the large (and, at the time, new) port of Jebel Ali, as well as at established ports from Abu Dhabi to the city of Fujairah. The United States was also on its way to becoming a major supplier of military aircraft to the UAE. The rulers of the seven emirates were seeking joint military exercises as well as ship visits. Moreover, the leaders of these individual emirates had responded to the crisis of the tanker wars and various other demands by strengthening federal powers. 

Because the United States responded to the GCC countries during their time of need (the so-called Tanker War), a strategic partnership formed—one that became the foundation for cooperation to reverse the Iraqi military occupation of Kuwait in 1990. The success of Operation Desert Storm gave the United States political credibility to bring GCC countries and other Arab countries to the Madrid Conference, a peace conference geared toward reviving the Israeli-Palestinian peace process, at the end of 1991. Those talks between Israel and the United States built upon peace between Egypt and Israel negotiated with the help of the United States at Camp David in September 1978 and the peace treaty between those two former military adversaries in March 1979. Camp David, the Madrid Conference, and Israel’s growing relationships with countries ranging from the UAE in the east and Morocco in the west laid the foundation for normalization. In a shrewd move, the Trump administration labeled this growing interaction as the “Abraham Accords.” The Biden administration has continued to play a role as a convenor and mediator. 

As the Biden administration continues to play this role, it and Congress will find that the Arab countries of the GCC want to do their part when it comes to Gulf security. They are not expecting the United States to be the policeman of their neighborhood. Along with other key Arab and global leaders, they will welcome the United States as a partner in facing shared strategic interests. 

Defense coalitions have historically been tricky, requiring skill and mid-course corrections. As the United States continues to work with the Gulf on security, expect blips, such as the report of a UAE withdrawal from the Combined Maritime Forces, a US-led maritime coalition. But if the United States shows that it is ready to work together with Gulf countries, Washington can get this partnership back on course. Read more about improving Gulf security frameworks in our latest report here.

David Mack is a nonresident senior fellow with the Atlantic Council’s Middle East Programs, a former deputy assistant secretary of state for Near East affairs, and a former US ambassador to the United Arab Emirates.

The post The way for the US to ensure Gulf security is through partnership, not policing appeared first on Atlantic Council.

China’s assumptions and lessons learned
US assumptions and lessons learned
Europe’s lessons learned
Implications of conflicting lessons for deterrence
Policy recommendations
Conclusion
Acknowledgements
About the authors

The lessons that Washington and Beijing appear to be learning from Russia’s February 2022 invasion of Ukraine, and from Ukraine’s resistance and counteroffensive, could set the stage for a crisis over Taiwan in the next few years. This grim prospect is driven by the United States and China arraying themselves for a strategic rivalry since 2017 through the continuing trade war, economic decoupling, and increasing rhetorical and military positioning for confrontation over Taiwan. In light of the Chinese military’s threatening gestures, belligerent rhetoric, and other recent actions that read like they could be preparation for war, there is a danger that the successive warnings by senior US military commanders that Chinese CCP General Secretary and President Xi Jinping has already decided to use military force in the near term could become the proverbial tail wagging the dog — and could impose a logic that makes a US-China war more likely, rather than enhancing deterrence.¹ Therefore, the key question for the United States and its allies is how an increasingly truculent and belligerent Chinese leadership can be incentivized to walk back from the brink. This paper examines what lessons China, the United States, and European allies have drawn from the Ukraine conflict and how such lessons have shaped these actors’ strategic assumptions. It concludes with a discussion of policy recommendations for the transatlantic community confronting the possibility of a US-China conflict over Taiwan.

China’s assumptions and lessons learned

Even as Beijing modulates its public statements in support of Moscow, China’s strategic assumptions from before the Ukraine invasion likely have not changed, and may depend on the longer-term outcome in Ukraine. That includes the prospect of an outcome that Vladimir Putin can claim as a Russian “victory,” in which Russia continues to hold territory and forecloses Ukraine’s NATO or European Union (EU) integration.

China is likely to apply the following strategic assumptions as it digests lessons learned from the Ukraine war.

According to Beijing, the United States is an adversarial, declining hegemony that will be antagonistic to China’s rise for the foreseeable future, and which will seek to foment instability within China and hostility on its periphery. In Beijing’s view, US antagonism to China is now structural and bipartisan. China’s previous self-imposed restraint, as it chose to prioritize stable US relations and drive economic reform and growth, is therefore moribund. For the Chinese Communist Party (CCP), the relatively peaceful global and regional environment that prevailed in the late bipolar Cold War and the post-Cold War period is severely challenged, as Xi told President Joe Biden in their March 18 call.“² Economic growth and rising prosperity are still important, but diminishing, sources of regime legitimacy. Defense of the CCP system, fueled by nationalism, expanded party control, while more active cooperation with Russia and other US adversaries, such as Iran, is becoming more prominent. Xi made this explicit in his speech to China’s National People’s Congress on March 6: “Western countries led by the United States have implemented all-around containment, encirclement and suppression of China, which has brought unprecedented severe challenges to our country’s development.”³

Economic growth and rising prosperity are still important, but diminishing, sources of regime legitimacy.

Giant screen displays a live broadcast of Chinese President Xi Jinping delivering a speech during the closing ceremony of the National People’s Congress (NPC), in Beijing. (Tingshu Wang via Reuters)

Another key view in Beijing is that Russia is China’s strategic partner. This status was further elevated on the eve of Russia’s invasion of Ukraine, when Russian President Putin and Xi met in Beijing and signed a joint statement on February 4, 2022.“⁴ Throughout the war in Ukraine, China’s leaders have reiterated their stance, most recently during visits to Moscow by Xi and by China’s top foreign affairs official Wang Yi in early 2023.⁵ The two countries are unlikely to ever have a formal mutual-defense treaty, but intensified cooperation in many spheres—including military coordination, intelligence sharing, energy, and trade—will continue and even accelerate.⁶ Even before its invasion of Ukraine, Russia was the junior partner in the bilateral relationship, but Beijing has deep strategic interest in ensuring that Moscow—and Putin personally—remains a viable ally in blunting US power and coordinating at the United Nations. Most importantly, Beijing has a strategic need to keep Russia from internal turmoil or international setbacks that could result in the rise of a regime that is hostile to China. One of the greatest gifts to Beijing of the Sino-Russian rapprochement that started during the 1990s, and truly took off from the mid-2000s, was a passive 4,200-kilometer border that enabled China to focus military modernization on naval, rather than land, warfare for potential conflict with the United States and Japan over Taiwan, or with India or Vietnam over border and maritime sovereignty disputes, respectively. The fact that Russia had dared to commit an estimated 97 percent of its entire forces to the fight in Ukraine by mid-February 2023 and, thus, baring its far-eastern borders, is a testament to this.⁷

Third, in the view of China’s leadership, the EU can act as a Western counterweight to perceived US hostility to China, and Beijing has at times tweaked its approach when deemed necessary to try to stabilize its ties to Europe. The EU lacked unanimity about following Washington’s lead, or did so only slowly and with less intensity, on hostile trade action and efforts to isolate China internationally prior to Russia’s invasion. In late April, inflammatory comments from China’s ambassador to France Lu Shaye, who essentially denied the sovereignty of former Baltic states, sparked an outcry across Europe and beyond.⁸ Shortly thereafter, Xi held his long-awaited call with Ukrainian President Zelenskyy,⁹ and separately, the Chinese Government voted in favor of a UN resolution containing language that explicitly acknowledges “the aggression by the Russian Federation against Ukraine,” a sharp departure from Beijing’s previous neutral UN voting patterns on Ukraine.¹⁰ While these moves are largely symbolic and mark a slight tactical rather than a strategic shift, they underscore Beijing’s willingness to make adjustments to try to maintain favorable relations with Europe, given the value Chinese leaders place on the region as a counterbalance to the United States.

However, China’s refusal to condemn the war against Ukraine and its enabling stance toward Russia have galvanized worries, particularly in Eastern European countries, over the trustworthiness of the Chinese government.¹¹ On January 30, Czechia’s president-elect made it a point to accept a phone call from Taiwan’s President Tsai Ing-Wen, in a stark departure from previous practice.¹² US intelligence made public in February 2023 that China was considering lethal arms supplies to Russia, causing grave concern in European capitals.¹³ Should Beijing actually deliver arms or ammunition to Russia despite its assurances to the contrary, China’s relations with much of Europe could be stretched past the breaking point and, indeed, there are signs of worsening strain, such as the aforementioned call between the Czech president-elect and President Tsai and his intention to plan a personal meeting with her, an unprecedented step from any Western leader; the withdrawal of the Baltic states from the Chinese 17+1 format; and, following similar decisions by many other European countries, Germany’s decision after long hesitation to finally ban and remove key components delivered by Chinese telecoms firms Huawei and ZTE from its fifth-generation (5G) network.¹⁴ At the same time, German leaders have continued to reach out diplomatically to China in the hopes of avoiding a complete Cold War-style economic decoupling scenario. On the other hand, European Commission President Ursula von der Leyen’s March 30, 2023, speech on EU relations with China put the future of the shelved Comprehensive Agreement on Investment (CAI) firmly in doubt.¹⁵

How the CCP and the People’s Liberation Army (PLA) ultimately digest strategic lessons from Russia’s war on Ukraine, therefore, will depend on that conflict’s course, the longer-term effects of Western sanctions on Russia and the global economy, and myriad other aspects, including elections in the United States and Taiwan in 2024.

Beijing has deep strategic interest in ensuring that Moscow—and Putin personally—remains a viable ally in blunting US power.

Vladimir Putin and President of the People’s Republic of China Xi Jinping made statements for the media following the Russian-Chinese talks on March 21, 2023. (Mikhail Tereshenko, TASS via Russian Presidential Press and Information Office)

Beijing likely is also watching closely to see how deeply entrenched in—or distracted by—the Ukraine conflict the United States becomes, where it contributes the lion’s share of direct military aid, including key munitions and weapons platforms that are in short supply; Ukraine is currently expending US annual production of nine thousand HIMARS missiles every two months.¹⁶ As Russia continues to achieve reduced war aims in the east and south, the war seems likely to continue for the foreseeable future. It presents new opportunities for fissures in the Alliance, and reduced US strategic standing headed into US presidential elections in 2024 that are likely to be even more disruptive than previous election campaigns after former US President Donald Trump’s March 30 grand-jury indictment on business-fraud charges.¹⁷ Partly because of Washington’s massive arms support for Ukraine, its deliveries of key weapons and munitions already sold to Taiwan have been significantly delayed.¹⁸

But one momentous strategic implication of Russia’s invasion is probably already clear to Xi and the CCP. For the first time since the end of the Cold War, the prospect of major-power military conflict, and even nuclear-weapons use, is again a characteristic of the global order. Russia’s gamble in Ukraine that it could quickly defeat a non-NATO European neighbor and secure its near abroad has so far failed, but US-led Western unity and imposition of sanctions against Moscow have the earmarks of a protracted conflict that could drive new instability. If Beijing concludes that this is a characteristic of geopolitics and great-power competition in the twenty-first century, it could increase Chinese preparations for military conflict in Asia with either the United States or its proxies.

The deepening enmity of US-China strategic rivalry since 2017 has already eroded core CCP assumptions that competition would remain bounded by nuclear deterrence, deep economic integration, shared stewardship of financial stability, and cooperation on global challenges such as pandemics and climate. The Western reaction to the Russian war against Ukraine is likely to reinforce these judgments, and may be amplifying Beijing’s assessment that the United States is on a trajectory to pursue overthrow of the CCP as a strategic goal.

Even China’s February 24 “Position on the Political Settlement of the Ukraine Crisis” seemingly centers most around its affirmation of “sovereignty” as the key thing to be respected—crucially, without ever mentioning Ukraine’s sovereignty in particular, nor calling Russia’s invasion of Ukrainian sovereign territory an invasion, let alone illegal, despite this being a peace template for the Ukraine war.¹⁹ This implies the text has more to do with reaffirming China’s position on Taiwan and offering support to Russia than being an actual attempt to mediate. In calling to freeze the conflict, it would cement Russian territorial gains; ending the “unilateral” sanctions would again benefit Russia; and “promoting post-conflict reconstruction” would presumably benefit Chinese infrastructure companies. Beijing’s proposal on its face seems decidedly tilted toward Moscow or self-serving goals.

US assumptions and lessons learned

While dealing with the Russian aggression against Ukraine, the US government has not reduced its attention on the strategic challenge posed by China. At the time of the invasion, the Biden administration was aggressively focused on continuing and expanding Trump-era strategic competition with China. Even as Washington openly warned of intelligence regarding Moscow’s intentions, it continued adversarial policies and alliance building directed at China. It has since announced multiple rounds of technology restrictions on Chinese companies, and signed the CHIPS and Science Act to revitalize US semiconductor leadership.²⁰ Moreover, the president has personally eroded US strategic ambiguity on US military commitments to Taiwan—despite National Security Council (NSC) staff “clarifications” after each repeated instance that US policy has not, in fact, changed.

While dealing with the Russian aggression against Ukraine, the US government has not reduced its attention on the strategic challenge posed by China.

President Joe Biden talks to workers as CEO of TSMC C. C. Wei and Chairman of TSMC Mark Liu look on during a visit to TSMC AZ’s first Fab (Semiconductor Fabrication Plant) in P1A (Phase 1A), in Phoenix, Arizona. (REUTERS/Jonathan Ernst)

In its National Defense Strategy (NDS) released last year, the Biden administration focused on homeland defense challenges posed by Russia and China, rather than simply on military contingencies in the Indo-Pacific or Europe.²¹ This sends a strong message that the world is actively contested now, and that the Department of Defense and all of the US government are not just preparing for potential kinetic conflict, but engaged already in active operations to disadvantage China—tantamount to a new Cold War. Moreover, the NDS’ emphasis on “integrated deterrence” with allies and partners will underscore the threat to China of the United States designating Taiwan as a “key non-NATO ally,” potentially breaking existing US policy barriers to a virtual defense guarantee.

The United States is likely to apply the following lessons learned from the Ukraine war as it prepares for potential future conflict with China.

The United States sees public intelligence disclosures of Russian plans to invade Ukraine since November 2021 as a major success, despite failing to deter Russia or realize major pre-war Alliance (or Ukrainian government) preparation for the attack.²² The credibility that Washington gained when Russia invaded in February helped drive the immediate post-invasion international reaction (the reverse of the 2003 Iraq weapons of mass destruction (WMD) fiasco) and resulted in even more comprehensive sanctions than were threatened pre-invasion to deter Russia. Senior US military and administration warnings of Beijing’s “2027 plans” echo US intelligence warnings about Ukraine, albeit without the same specificity and high confidence.²³

Similarly for the United States, a Russian military “paper tiger” perception can be applied to the PLA in a Taiwan scenario that draws on the usual tropes.

• “China hasn’t fought a major war since 1979” and, therefore, its military operational abilities may be more limited than expected.
• “Amphibious invasion across 100NM Taiwan Strait is far more challenging than Russian land invasion of Eastern Ukraine,” due to the enormous inherent complexity of a Normandy-style amphibious landing and the PLA’s insufficient lift capacity for the task.
• “Economic sanctions work, imposing a heavy burden for Moscow, thereby increasing regime insecurity, which can deter Beijing from taking action on Taiwan.”²⁴

The key lesson Washington probably finds applicable to a Taiwan 2027 scenario is the importance of providing both conventional and non-conventional support, including intelligence sharing and equipment, in the runup to, and during, any conflict. In the case of Ukraine, Kyiv’s ability to blunt Moscow’s invasion was enabled by the strengthening of Ukraine’s resilience and resistance post-2014. While the United States and its NATO allies have not directly intervened in Ukraine, they maintain military equipment, intelligence, and economic/communications lifelines that have helped deny Russia its original war aims. Specifically, deliveries of new weapons (Javelin, Stingers, artillery/HIMARS, antiship missiles), near-real-time battlefield intelligence and targeting, and initial success in the public-relations/propaganda/information domain seemed to have blunted Russian hybrid warfare and aligned developed world/Global North opinion behind Ukraine and NATO. However, it is far from clear how well Taiwan could be resupplied in the event of a blockade, if at all. As an island nation, Taiwan has no cross-border sanctuaries for stockpiling and delivery of key military and civilian supplies. And while Russia has been restrained from striking NATO members on Ukraine’s western and southwestern borders, US bilateral allies in the Pacific have no NATO-like structure for collective defense.

A lesson the United States so far seems resistant to learning from Ukraine is that nuclear deterrence by the aggressor (Russia in the case of Ukraine, China in Taiwan) enables conventional war and blunts outside major-power intervention.²⁵ The United States and its NATO allies are strongly united in resisting pressure from pundits to enforce a no-fly zone over Ukraine, break the Russian blockade of Ukraine’s Black Sea ports, or other ideas that could risk direct NATO-Russian war. China could very well conclude that inducing self-deterrence in Western capitals has worked well in Ukraine, and is a promising approach for Taiwan.²⁶ On the other hand, nuclear deterrence works both ways. One could speculate how things would stand today had Ukraine been given a security guarantee akin to NATO’s Article Five in time, and whether this would not have effectively deterred a Russian attack.²⁷ When President Biden conversely ruled out military intervention on behalf of Ukraine during the lead-up to the attack, deterrence was arguably weakened rather than strengthened. Rather than appreciating the transparency and reliability displayed by the United States, and accepting the olive branch it represents, an authoritarian aggressor might see preemptive self-constraint as a weakness to be exploited.

The more the United States talks up the prospect of a 2027 Taiwan war scenario, the more it will turn to buttressing Taiwan’s “resilience”—regardless of whether Taiwan wants this, given the island’s failure to buttress its own defense during twenty-five years of rapid PLA modernization and growing tensions on the strait.²⁸

The more the United States talks up the prospect of a 2027 Taiwan war scenario, the more it will turn to buttressing Taiwan’s “resilience”—regardless of whether Taiwan wants this

US Senate Majority Leader Chuck Schumer (D-NY) announces that he will unveil a new package of legislation to address competition with China. (REUTERS via Craig Hudson)

So far, the drumbeat in US media, from Congress, and among some members of the current administration is to be prepared for direct US military intervention to defend Taiwan from a Chinese military attack. The United States, and its allies and partners, should assume that China would be at least as determined as Russia to wield its rapidly expanding nuclear-capable forces (and space/counterspace and cyber capabilities) to deter direct US intervention. China has stated numerous times that it would be prepared to declare a state of war today if it saw Taipei, Washington, or Tokyo violate the understandings that have preserved the peace since at least 1979. The main potential triggers for this are: Chinese perceptions that Taiwan is moving irrevocably away from the possibility of unification and toward the founding of a new state under the moniker “Taiwan” at some future point; a renewed Taiwanese effort to acquire nuclear weapons; or a return to a quasi-formal US military-security relationship with Taiwan, including through stationing US forces on the island or integrating Taiwan into the US alliance sphere through actions such as inviting it to participate in regional or bilateral military exercises or in Alliance intelligence-sharing arrangements. At the same time, China itself through its threatening actions has been doing the most to upend the understandings that constituted the peaceful status quo in the Taiwan Strait, forcing Taiwan, other regional actors such as Japan, and the United States to reposition themselves.

Europe’s lessons learned

Europe as a whole—comprising not just the EU, but also the United Kingdom, Norway, and other key non-EU states—has rather divergent regional security cultures. Former Eastern Bloc countries, for instance, have been far more alert to the risks posed by a belligerent Russia than have Western European countries that have never been under Russian occupation. European lessons learned from the Ukraine war, therefore, differ markedly in each region. For countries with a traditional Russia-friendly outlook—in particular, Germany, France, and Austria—the Ukraine war came as a shock and was met with initial disbelief and disorientation, giving way to a painful process of finding a new security paradigm.²⁹ Other countries—such as the Nordics, Baltics, and Central and Eastern European (CEE) countries—were not as surprised, and indeed felt vindicated after decades of open disregard for their warnings.³⁰ With the exception of Finland, most European countries discovered that their previous strategies of reaping a “peace dividend” by shrinking the armed forces and neglecting societal preparedness for crises and war had backfired.³¹ Collectively, Europe has learned (or is learning) five primary lessons.³²

First, a real effort to bolster collective defense through tangible capabilities was urgently required, after countries paid only lip service to NATO commitments (such as the pledge to commit 2 percent of gross domestic product (GDP) to defense spending). This includes the need to ramp up production of defense goods in support of Ukraine during what could be a long struggle.³³

Second, Europe learned the dangers of energy dependence on Russia. Prior to the war, Germany had dismissed concerns voiced by its eastern neighbors, the United States, and especially Ukraine that Nord Stream 2 would make Germany dependent and vulnerable to coercion, while also massively weakening Ukraine’s geopolitical situation. These warnings were proven right and have led to a painful reorientation process in Germany (dubbed the “Zeitenwende”) that is still in full swing more than a year after the war started, and is far from concluded.³⁴ Intense debates still surround the questions of rebuilding German military capability, lethal arms supplies for Ukraine, and the future orientation of Germany’s Russia policy. As Germany is a key member state of both the EU and NATO, due to its size and geographic location, its unresolved security-political identity crisis negatively impairs both these organizations, leading to impatience—particularly among the Eastern European states—and a diminished German stance.³⁵

China’s dubious role in the Ukraine war definitely has the potential to make China “lose Europe,” even if China refrains from delivering arms and ammunition to Russia.

German Foreign Minister Annalena Baerbock and Chinese Foreign Minister Qin Gang attend a joint press conference at the Diaoyutai State Guesthouse in Beijing, China. (Suo Takekuma/Pool via REUTERS)

Third, Europe has recognized China’s apparent role in the Ukraine war as a covert supporter and enabler of the Russian aggressor, and the consequences this realization has for the security of critical infrastructures in Europe that were built with Chinese technology.³⁶ Rather than supporting Ukraine and using its influence on Russia to stop the war, China has bolstered Russia diplomatically and economically, stopping just short of violating Western sanctions that would endanger China’s economy, while failing to condemn the invasion and effectively calling in its February 2023 “Position” for a freezing of the conflict that would reward Russia’s aggression with territorial gains.³⁷ Particularly among the post-socialist EU and NATO member states in the Baltics and in CEE, this has led to intense distrust of China and disillusionment regarding the official EU formula of China as a “partner, competitor and rival” of the EU.³⁸ The final outcome of this reevaluation will largely depend on China’s further actions of support for Russia—or its refraining from such support, as it may be. Against the backdrop of negative experiences with Chinese “wolf warrior diplomats” during the pandemic, and following coercive diplomacy, China’s dubious role in the Ukraine war definitely has the potential to make China “lose Europe,” even if China refrains from delivering arms and ammunition to Russia.³⁹ Previous Chinese Foreign Minister Wang Yi’s hostile stance during the February 2023 Munich Security Conference, and a rather aggressive first speech by China’s new Foreign Minister Qin Gang, do not seem to offer much hope in this regard.⁴⁰

Moreover, Europeans have come to realize that war over Taiwan could break out, despite the risk of nuclear escalation and despite the huge economic constraints in place, and regardless of the political risk such a war would pose to China’s leaders.⁴¹ Given Putin’s complete disregard for such constraints when following through with his attack plan, Europeans have had to accept that their assumptions about the economic rationale as a deterring factor in security-political decision-making of autocratic countries can no longer be relied upon, and that military forms of deterrence are ultimately more meaningful.⁴² The notion that China’s even greater degree of economic dependence on the outside world than Russia’s would serve as sufficient deterrent against military adventurism, therefore, might not hold. Consequently, there has been a palpable uptick in European analyses and discussions surrounding the risk of escalation in the Taiwan Strait, possible military and economic consequences, and Europe’s role in such a scenario, while exchanges with Western and South Pacific NATO partner states have markedly increased. French President Macron’s initiative during his early April 2023 China visit of implying that Taiwan is not Europe’s problem was quickly rebutted across European capitals, and Germany’s Foreign Minister Annalena Baerbock made it a point during her subsequent China visit to name war over Taiwan a “horror scenario” that would send “shock waves” around the world and deeply affect Europe.⁴³

Finally, European countries in general, and NATO members in particular, have a newfound appreciation of the United States as the ultimate security provider for European NATO member states. Particularly in Germany and France, the realization that a European “strategic autonomy” remains a pipe dream for the foreseeable future due to lack of capabilities, and the fact that Ukraine’s defense effort would likely not be viable without massive US support, has been an unwelcome, yet necessary, reality check.⁴⁴ Finland and Sweden’s applications for NATO accession are a testament to the indispensability of the nuclear umbrella provided by US forces to frontline NATO states. Russia’s decision to withdraw from the New Strategic Arms Reduction Treaty (New START), the nuclear blackmail it employed to keep Western countries from intervening on behalf of Ukraine, and China’s massive expansion of its nuclear arsenal all run counter to European hopes of creating effective arms-control regimes and working toward nuclear threat reduction.⁴⁵ Six years after the International Campaign to Abolish Nuclear Weapons (ICAN) was awarded the Nobel Peace Prize, Europeans are needing to accept that there is currently no substitute for nuclear deterrence in the face of the Russian—and, potentially, the Chinese—threat, and that the global trend points toward more nuclear-armed states in the medium term rather than successful arms reduction.⁴⁶ This also implies a newfound sense of European vulnerability to exposure, should the United States become tied down in a conflict with China. All in all, Europe is still reeling from the shock of the war and the challenge it poses to long-held assumptions of economic interdependence and institutionalism as the effective and civilized way to resolve conflicts. Regardless of the war’s ultimate outcome, it is already clear that its humanitarian, economic, political, and security consequences massively complicates the way European states will calibrate their exchanges with China going forward.

Implications of conflicting lessons for deterrence

The collision of these conflicting “lessons” could result in a deterrence trap. If the US increasingly acts on its conviction that China plans to attack on its own initiative in the next few years, the United States is likely to put enormous pressure on Taiwan to prepare to become the next Ukraine, and its self-imposed restraints on security assistance will further erode. US fear of a Chinese attack would increasingly drive a deepening cycle that is bound to cross at least some of China’s red lines.

Deterrence traps, of course, usually have more than one moving part; for its part, China’s actions drive this dangerous dynamic more strongly than those of the United States. China keeps moving the red lines, conducting increasingly provocative military operations around Taiwan, creating provocative situations (such as its “blockade drill” after Speaker Nancy Pelosi’s August 2022 visit to Taiwan, which included the unprecedented shooting of ballistic missiles over the island), and intensifying efforts to choke off Taiwan’s international breathing space.⁴⁷ Honduras’ switch to China leaves Taipei with only thirteen formal diplomatic partners as of April 2023, demonstrating that Beijing’s “checkbook diplomacy” threatens to flip others soon and making Taipei more reliant on the United States, Japan, and the EU to prevent greater isolation. And, crucially, if war over Taiwan ever breaks out, it will have been because China chose to use lethal force against Taiwan for the first time since 1958, not the other way around.

Upping the military ante to some degree seems necessary as long as China is changing its military posture and behaving aggressively.

An F/A-18E Super Hornet flies over the flight deck of the Navy’s only forward-deployed aircraft carrier USS Ronald Reagan in the South China Sea. (US Navy)

The key question, therefore, is what steps Washington, Taipei, and others can take to preserve a stable status quo without fueling tensions. Upping the military ante to some degree seems necessary as long as China is changing its military posture and behaving aggressively. The United States is far from alone in seeing a military threat from China, as that perception is shared within much of the region (including Japan, Australia, Vietnam, the Philippines etc.), and even Europeans are becoming increasingly worried, despite remaining relatively inattentive to the military details of China’s behavior.

The Ukraine war, therefore, offers all sides a chance to learn how such a situation can be avoided: signaling weakness and indecisiveness on the part of the West before February 24, in any case, was not helpful in avoiding the Ukraine war. In the case of China, there is no reason to assume that signaling weakness and indecisiveness will yield any better outcome. In other words, there is a chance to drive home to China the great risks of going to war, and to signal allied resolve in aiming to avoid a second scenario of the same type as that in Ukraine. However, the Ukraine example has limits when applied to Taiwan, where China’s decision to use force—either to convince Washington or Taipei to reverse actions that cross Beijing’s long-established “red lines” (formal independence, a US military alliance) or to compel unification—likely would not be as opportunistic, or as lacking in constructive strategic aims, as Moscow’s decision to invade Ukraine.

Policy recommendations

The collision of these conflicting “lessons” identified by the United States, China, and Europe could result in a deterrence trap, and China’s actions drive this dangerous dynamic more strongly than those of the United States. However, Washington, Taipei, Brussels, and others can still play important roles in preserving stability without fueling tensions.

• Allies must analyze, and urgently address, the reasons why deterrence failed in Ukraine. A key lesson to draw from the Ukraine war should be the realization that deterrence failed for a number of reasons, including naiveté and wishful thinking; a willingness among allies to make themselves overly dependent on Russian energy supplies; a lack of resolve in showing a unified front before aggression; and disregard for basic military preparedness among most of the allies.
• Non-kinetic scenarios might be China’s favored option for subduing Taiwan, and could be difficult to effectively address as allies. In light of the military difficulties Russia is experiencing in Ukraine, which came as a surprise to the Chinese leadership, it can be assumed that China might prefer non-military or less decisive options of coercing Taiwan if at all possible, short of a PRC perception that Taiwan has taken actions tantamount to a declaration of independence or an explicit US defense commitment. Allies should wargame and prepare for such non-kinetic scenarios, including blockades, hybrid attacks, and subversion, because a less than clear-cut case of aggression might prove far more difficult to react to as united allies than a clearly attributable violation of the United Nations (UN) Charter as in the case of the Ukraine war.
• Information warfare over Taiwan presents a key challenge for allies. Just like Russia, China is highly effective at using information and psychological warfare to its advantage. Likeminded countries in the transatlantic and Indo-Pacific communities should identify and address, in a timely fashion, any false narratives China is spreading to sow discord among them or to shape perceptions in the Global South that are detrimental to the goal of upholding the UN Charter and the principles of the rules-based international order.
• “Anti-colonial” and “anti-hegemonial” self-justifying narratives by aggressor states targeting audiences in the Global South should be countered more effectively. China and Russia are jointly positioning themselves as “anti-hegemonial” champions of a multipolar world order and, in some cases, are successful despite the fact that Russia is fighting to regain a former colony, or that the PRC threatens war as it seeks “reunification” over Taiwan, which it has never controlled. Transatlantic allies should, therefore, make sure to correct this self-representation by publicly addressing China’s violations of its own 2013 Friendship and Cooperation Treaty with Ukraine, signed by Xi Jinping himself, in which China reinforced the security guarantee extended to Ukraine in recognition of its voluntary relinquishment of its nuclear arms via the Budapest Memorandum (Article 2); pledged to assist Ukraine in the protection of its territorial integrity (Article 5), promised not to take any action prejudicial to the sovereignty, security or territorial integrity of Ukraine (Article 6), and is bound to hold “urgent consultations” with Ukraine to develop measures to counter a threat in case of a crisis (Article 7).⁴⁸ Despite China’s obligations under this treaty, Xi didn’t reach out to Zelenskyy until more than a year after the Russian invasion began.⁴⁹ Ukraine, for its part, has always upheld its treaty obligations to China.⁵⁰
• Allies should not put too much hope in a “wedge” strategy. Though some political leaders still harbor hopes of driving a wedge between China and Russia, and incentivizing China to work against Russia, there is currently no reason to believe such an approach might yield viable results. Rather, based on recent Chinese leaders’ consistent actions and rhetoric, allies should assume that Beijing continues to share Russia’s strategic vision of challenging, and fundamentally revising, the international rules-based order (as laid out in their joint statement of February 4, 2022). China can, at best, be hindered from throwing its full weight behind Russia in this war, but not weaned from Russia as long as Xi Jinping is in power, due to the countries’ mutual synergies and shared geopolitical interests.⁵¹
• Sharing intelligence can bolster credibility and unity among allies and beyond. The US strategy of sharing intelligence prior to the Ukraine war, and the accuracy of that intelligence, was highly effective in foiling a Russian surprise attack and bolstering US credibility among allies. This approach should also be continued with regard to China’s military actions in the Western Pacific. Care should be taken, however, not to repeat the mistake of sharing unreliable assessments, as in the infamous Iraq “weapons of mass destruction” analysis, which damaged US credibility in Europe at the time.

Although NATO is chiefly concerned with the European theater, its member states represent a sizeable share of global GDP, and the economic deterrence they can provide toward China is not to be discounted.

French President Emmanuel Macron talks to other European leaders during the second day of the European Union leaders summit in Brussels, Belgium October 18, 2019. (Aris Oikonomou/Pool via REUTERS)

• Frustrations notwithstanding, European allies make valuable contributions to security. From the US perspective, notwithstanding its predilection toward working with the United Kingdom and its existing frustrations with large EU and NATO partners Germany and France, Europe as a whole should not be discounted as a valuable security partner—including as a partner for routine engagement to better understand and track China’s capabilities and intent toward Taiwan in the military, economic, information, and political domains. In particular, the Nordic, Baltic, and many CEE states, and NATO as an organization, have proven capable of quickly drawing meaningful security-related conclusions from the Ukraine war. NATO accession by Finland, soon followed by Sweden’s, can be expected to improve NATO’s effectiveness as a whole, since at least Finland is going to be a net security provider—for instance, in a scenario of the Baltic states coming under threat. Although NATO is chiefly concerned with the European theater, its member states represent a sizeable share of global GDP, and the economic deterrence they can provide toward China is not to be discounted.

Conclusion

The lessons that Washington and Beijing appear to be learning from Russia’s February 2022 invasion of Ukraine and Ukraine’s resistance and counteroffensive, in terms of military effectiveness and deterrence, could set the stage for a crisis over Taiwan in the next few years if those lessons are not accompanied by simultaneous efforts to defuse tensions where that is possible. European allies, just like US allies in Asia, can—and should—play a key role in this. For that, it is necessary to think of Eastern Europe and the Western Pacific not as two distinct theaters, but as interlinked theaters where events in one will inevitably have repercussions in the other. In other words, despite the cost, supporting Ukraine is not a detraction from deterring China if it leads to an outcome in which Russian aggression is thwarted, as that also enhances deterrence regarding Taiwan. At the same time, when the United States is focusing more strongly on the Western Pacific, Europeans need to cease seeing this as “abandoning Europe,” and instead step up their own game to bolster the rules-based international order both at home and abroad, with the means at their disposal.

Understanding more closely why deterrence failed in Ukraine, and exploring how these lessons could be applied to enhancing deterrence, bolstering diplomatic initiatives, and, thereby, hopefully defusing tensions over Taiwan should be high on the agenda of the entire Alliance. After all, all members share the same interest, as does China: finding out how to avoid sleepwalking into a global war.

Acknowledgements

This publication was produced under the auspices of a project conducted in partnership with the Norwegian Ministry of Foreign Affairs focused on the impact of China on the transatlantic relationship.

About the authors

Fellow

John K. Culver

Nonresident Senior Fellow

Global China Hub

China East Asia

John K. Culver is a nonresident senior fellow with the Atlantic Council’s Global China Hub and a former Central Intelligence Agency (CIA) senior intelligence officer with thirty-five years of experience as a leading analyst of East Asian affairs, including security, economic, and foreign-policy dimensions.

Previously as national intelligence officer for East Asia from 2015 to 2018, Culver drove the Intelligence Community’s support to top policymakers on East Asian issues and managed extensive relationships inside and outside government. He produced a large body of sophisticated, leading-edge analysis and mentored widely on analytic tradecraft. He also routinely represented the Intelligence Community to senior US policy, military, academic, private-sector and foreign-government audiences.

Culver is a recipient of the 2013 William L. Langer Award for extraordinary achievement in the CIA’s analytic mission. He was a member of the Senior Intelligence Service and CIA’s Senior Analytic Service. He was also awarded the Distinguished Career Intelligence Medal.

Fellow

Sarah Kirchberger

Nonresident Senior Fellow

Scowcroft Center for Strategy and Security Scowcroft Strategy Initiative

China Defense Industry

Dr. Sarah Kirchberger is a nonresident senior fellow with the Scowcroft Center for Strategy and Security. She serves as head of Asia-Pacific Strategy and Security at the Institute for Security Policy at Kiel University (ISPK) and vice president of the German Maritime Institute (DMI). Her current work focuses on maritime security in the Asia-Pacific region, emerging technologies in the maritime sphere, Russian–Chinese military-industrial relations, China’s arms industries, and China’s naval and space development.

Before joining ISPK she was assistant professor of contemporary China at the University of Hamburg, and previously worked as a naval analyst with shipbuilder TKMS Blohm + Voss. She is the author of Assessing China’s Naval Power: Technological Innovation, Economic Constraints, and Strategic Implications (2015). Her earlier work includes a monograph on informal institutions in the Chinese and Taiwanese political systems as well as studies of reform discourses within the Communist Party of China and of Mainland Chinese perceptions of Taiwan’s post-war transformation. She completed undergraduate and graduate studies in Sinology, Political Science and Archaeology in Hamburg, Taipei, and Trier and holds an MA and a PhD in Sinology from the University of Hamburg.

Related programs

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Explore the Initiative

Global China Hub

The Global China Hub researches and devises allied solutions to the global challenges posed by China’s rise, leveraging and amplifying the Atlantic Council’s work on China across its 15 other programs and centers.

Explore more

Related content

Report Feb 2, 2023

Implementing NATO’s Strategic Concept on China

By Hans Binnendijk and Daniel S. Hamilton

Allies made it clear that they consider Russia their most immediate and direct threat. Yet they also made headlines by addressing challenges emanating from the People’s Republic of China (PRC).

China Europe & Eurasia

Report Jan 20, 2023

China and the new globalization

By Franklin D. Kramer

The unitary globalized economy no longer exists. Driven in significant part by security considerations, a new and more diverse globalization is both required and being built. The transition is ongoing, and its final form is yet to be determined.

China Economy & Business

Issue Brief Feb 23, 2023

United States–China semiconductor standoff: A supply chain under stress

By Jeremy Mark, Dexter Tiff Roberts

What are the implications of US semiconductor policy for global semiconductor supply chains and the competition for primacy in an industry critical to the economy and global security?

China Economy & Business

The post US-China lessons from Ukraine: Fueling more dangerous Taiwan tensions appeared first on Atlantic Council.

This speculation is understandable; after all, expectations have been mounting since early 2023 over an offensive that is being widely billed as a potential turning point in the sixteen-month war. It may be more helpful, however, to view Ukraine’s counteroffensive as a rolling series of local probes and thrusts rather than a single big push to penetrate Russian defenses and secure a decisive breakthrough.

Talk of a coming Ukrainian counteroffensive began following the liberation of Kherson from Russian occupation in late 2022. In the six months since that last major military success, Ukraine has sent tens of thousands of fresh troops for training in NATO countries and received unprecedented amounts of Western military aid including modern battle tanks, cruise missiles, armored personnel carriers, and enhanced air defense systems. With these newly trained and equipped formations now believed to be largely in position, observers have been watching for indications that the offensive is indeed underway. Ukrainian President Volodymyr Zelenskyy added to the sense of anticipation by declaring in a June 3 interview with the Wall Street Journal: “We are ready” for the counteroffensive.

Anyone expecting to witness major battles is set to be disappointed, at least for the time being. While the long lines of opposing trenches and emphasis on artillery duels has led many to compare the fighting in Ukraine to the horrors of World War I, few expect the Ukrainian military to begin its counteroffensive by going “over the top” and attempting to smash through Russian lines with their newly formed brigades. Instead, Ukrainian commanders will likely seek to test Russian defenses at a number of locations along the length of the 1,000-kilometer front in a bid to stretch Vladimir Putin’s invasion force and identify weak points to exploit.

A series of recent cross-border incursions into the Russian Federation conducted by Ukrainian-backed Russian militias may be part of these efforts. While militarily insignificant in terms of size or territorial gains, the raids have proved a major personal embarrassment for Putin and could force Moscow to reduce its military presence in Ukraine in order to bolster the badly exposed home front.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

• Name
  First Last
• Email*
• 
  
  
• Comments
  This field is for validation purposes and should be left unchanged.

As they look to advance, Ukraine’s troops will face formidable obstacles. Russia has not sat idly by during the past half-year; it has created a defense in depth in anticipation of Ukraine’s coming attack that includes several lines of trenches and other fortifications.

Russia appears to have provided an indication of its resolve early on June 6 by blowing up the Kakhovka dam and power plant on the Dnipro River in southern Ukraine. While Moscow officially denies destroying the dam, initial analysis points to Russian responsibility. A June 7 New York Times article referencing engineering and munitions experts concluded that a deliberate explosion inside the Russian-controlled dam “most likely caused its collapse.” The ensuing ecological disaster has flooded the surrounding area, virtually ruling out a Ukrainian thrust across the river toward Crimea.

Moscow’s preparations for the Ukrainian counteroffensive certainly look impressive, but questions remain over the morale of Russian troops, with a steady stream of video addresses posted to social media in recent months indicating widespread demoralization among mobilized Russian soldiers complaining of poor conditions, suicidal tactics, and heavy losses. In contrast, Ukrainian morale is believed to be high, despite the large numbers of casualties incurred during intense fighting over the winter and spring months around the eastern Ukrainian city of Bakhmut.

Crucially, Ukraine’s troops are defending their homes and have a clear vision of what they are fighting for, while Russia has struggled to articulate its war aims or define what a potential victory could look like. In the heat of the coming summer counteroffensive, this morale factor could play a critical role.

Eurasia Center events

Online Event Thu, July 20, 2023 • 8:00 am ET

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Most commentators agree that the primary military objective of Ukraine’s summer counteroffensive is to cut the land bridge running across southern Ukraine that connects Russia itself and the occupied Donbas region with the Crimean peninsula. If this is achieved, it would isolate large numbers of Russian troops in Crimea and south Ukraine while dealing a painful blow to Russian prestige.

Ultimately, Ukraine’s stated goal remains the liberation of Crimea itself, which has been under Russian occupation since 2014. A successful advance toward Crimea would leave the peninsula exposed to Ukrainian airstrikes and could spark a political crisis inside Russia. The military failures of the past sixteen months have already led to significant infighting among different elements within the Russian establishment; if Crimea itself is threatened, the international community must brace for a major escalation in Putin’s nuclear threats as he attempts to ward off what would be a catastrophic defeat.

Many believe a showdown over the fate of Crimea will serve as the end game of the entire war. But before we approach that point, Ukraine must first deploy its fresh forces effectively and overcome Russia’s deeply entrenched army on the mainland. This will involve much maneuvering and diversionary attacks before any major advances are attempted.

Ukraine’s successful 2022 campaigns may offer the best indication of what to expect from the summer counteroffensive. In August 2022, Ukrainian officials loudly trumpeted a counteroffensive in the south to retake Kherson. When Russia duly dispatched many of its best units to meet the expected Ukrainian attack, Ukraine struck instead in the thinly defended east and liberated most of the Kharkiv region. With Russia still reeling from this defeat and scrambling to hold the line, the Ukrainian military then renewed its southern offensive and forced Russia to abandon Kherson.

This masterclass in the art of military deception rightfully won Ukraine considerable plaudits. Ukrainian commanders will be looking to spring some similar surprises in the months ahead. Their stated goal is the complete liberation of Ukrainian territory, but they will aim to keep the Russians guessing as to exactly how they plan to achieve this.

Peter Dickinson is the editor of the Atlantic Council’s UkraineAlert service.

Further reading

Fast Thinking Jun 7, 2023

Has Ukraine’s counteroffensive really begun?

By Atlantic Council

Atlantic Council experts share their insights on the intensifying war in Ukraine.

Conflict Europe & Eurasia

UkraineAlert May 23, 2023

Ukraine’s coming counteroffensive has a good chance of succeeding

By Richard D. Hooker, Jr.

Ukraine’s coming counteroffensive has a great chance of succeeding due to a number of factors including superior leadership, equipment upgrades, and strong morale, writes Richard D. Hooker, Jr.

Conflict Defense Technologies

UkraineAlert Jun 6, 2023

Ukraine’s summer counteroffensive is a key moment but long-term resolve remains crucial

By Tennyson Dearing

Ukraine’s summer counteroffensive is an important moment in the war with Russia but it is critical to maintain a sense of perspective and underline the need for long-term Western backing, writes Tennyson Dearing.

Conflict Freedom and Prosperity

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia and Central Asia in the East.

Learn more

The post Ukraine’s summer counteroffensive will aim to keep the Russians guessing appeared first on Atlantic Council.

A core objective of the Atlantic Council’s Cyber Statecraft Initiative is to shape policy in order to better secure users of technology by bringing together stakeholders from across disciplines. Cybersecurity is strengthened by ongoing collaboration and dialogue between policymakers and practitioners, including cyber threat intelligence analysts. Translating the skills, products, and values of these communities between each other can be challenging but there is prospective benefit, as it helps drive intelligence requirements and keeps policymakers abreast of the latest developments and realities regarding threats. For younger professionals, jumping from one community to another can appear to be a daunting challenge.

We brought together five individuals with experience from both the worlds of cyber threat intelligence and cyber policy to share their experiences, perspectives on the dynamics between the two communities, and advice to those interested in transitioning back and forth.

#1 What’s one bad piece of advice you hear for threat intelligence professionals interested in making a transition to working in cyber policy?

Winnona DeSombre Bernsen, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“I have not heard bad pieces of advice specifically geared toward threat intelligence professionals, but I was told by someone once that if I wanted to break into policy, I could not focus on cyber. This is mostly untrue: the number of cyber policy jobs in both the public and the private sectors are growing rapidly, because so many policy problems touch cybersecurity. Defense acquisition? Water safety? Civil Rights? China policy? All of these issues (and many more!) touch upon cybersecurity in some way. However, cyber cannot be your only focus! As most threat intelligence professionals know, cybersecurity does not operate in a vacuum. A company’s security protocols are only as good as the least aware employee, and a nation-state’s targets in cyberspace usually are chosen to further geopolitical goals. Understanding the issues that are adjacent to cyber in a way that creates sound policy is important when making the transition.” 

Sherry Huang, program fellow, Cyber Initiative and Special Projects, William and Flora Hewlett Foundation: 

“I would not count this as advice, but the emphasis on getting cybersecurity certifications that is persistent in the cyber threat intelligence community is not directly helpful to working in the cyber policy space. Having technical knowledge and skills is always a plus, but in my view, having the ability to translate between policymakers and technical experts is even more valuable in the cyber policy space, and there is not a certification for that.” 

Katie Nickels, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; director of intelligence, Red Canary: 

“I think there is a misconception that to work in cyber policy, you need to have spent time on Capitol Hill or at a think tank. I have found that to be untrue, and I think that misconception might make cybersecurity practitioners hesitant to weigh in on policy matters. The way I think of it is that cyber policy is the convergence of two fields: cybersecurity and policymaking. Whichever field is your primary one, you will have to learn about the other. Practitioners can absolutely learn about policy.” 

Christopher Porter, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“When intelligence professionals think about policy work, they often experience a feeling of personal control—‘now I get to make the decisions!’ So there is a temptation to start applying your own pet theories or desired policy outcomes and start working on persuasion. That is part of it, but in reality policymaking looks a lot like intelligence work in one key aspect—it is still a team sport. You have to have buy-in from a lot of stakeholders, many of whom will have different perspectives or intellectual approaches to the same problem. Even if you share the same goal, they may have very different tools. So just as intelligence is a team sport, policymaking is too. That is a reality that is not reflected in a lot of academic preparation, which emphasizes theoretical rather than practical policymaking.” 

Robert Sheldon, director of public policy & strategy, Crowdstrike: 

“I sometimes hear people treating technical career paths and policy career paths as binary–and I do not think that is the direction that we are headed as a community. People currently working in technical cybersecurity disciplines, including threat intelligence, should consider gaining exposure to policy work without fully transitioning and leaving their technical pursuits behind. This is a straightforward way to make ongoing, relevant contributions to a crowded cyber policy discourse.”

#2 What about working in threat intelligence best prepared you for a career in cyber policy, or vice versa?

Desombre Bernsen: “Threat intelligence gave me two key skills: the first is the ability to analyze a large-scale problem. Just like threat intelligence analysts, cyber policymakers must look through large systems to find chokepoints and potential vulnerabilities, while also making sure that the analytic judgments one makes about the system are sound. This skill enables one to craft recommendations that best fit the problem. The second skill is the ability to tailor briefings to different principal decisionmakers. Threat intelligence is consumed by network defenders and C-suite executives alike, so understanding at what level you are briefing is key. A chief information security officer does not care about implementing YARA rules, just like a network defender does not want their time wasted with a recommendation on altering their company-wide phishing policies. Being able to figure out what the principal cares about, and to tailor recommendations to the audience best able to action on them is applicable to the cyber policy field as well. When briefing a company or government agency, knowing their risk tolerance and organization mission, for example, helps tailor the briefing to help them understand what they can do about the problem.” 

Huang: “Being a cyber threat intelligence analyst gave me exposure to a wide variety of issues that are top of mind for government and corporate clients. In a week, I could be writing about nation-state information operations, briefing clients on cybersecurity trends in a certain industry, and sorting through data dumps on dark web marketplaces. Knowing a bit about numerous cyber topics made it easier for me to identify interest areas that wanted to pursue in the cyber policy space and, more importantly, allows me to easily understand and interact with experts on different cyber policy issue areas, which is helpful in my current role.” 

Nickels: “The ability to communicate complex information in an accessible way is a skill I learned from my threat intelligence career that has translated well to policy work. Threat intelligence is all about informing decisions, so there are many overlaps with writing to inform policy.” 

Porter: “In Silicon Valley, it is typical to have a position like ‘chief solutions architect.’ I have spent most of my career in intelligence being the ‘chief problems architect.’ It is the nature of the job to look for threats, problems, and shortcomings. Policymakers have the inverse task—to imagine a better future and build it, even if that is not the path we are on currently. But still, I think policymakers need to keep in mind how their plans might fail or lead to unintended consequences. When it comes to cybersecurity, new policies almost never eliminate a threat, they only change its shape. Much like the end to Ghostbusters, you get to choose the kind of problem you are going to face, but not whether or not you face one. Anyone with a background in intelligence will be ready for that step, where you have to imagine second- and third-order implications beyond the first-order effect you are seeking to have.” 

Sheldon: “Working as an analyst early in my career taught me a lot about analytical methods and rigor, evidence quality, and constructing arguments. Each of these competencies apply directly to policy work.”

#3 What realities of working in the threat intelligence world do you believe are overlooked by the cyber policy community?

Desombre Bernsen: “The cyber policy community has not yet realized that threat intelligence researchers and parts of the security community themselves—similarly to high level cyber policy decisionmakers—are targets of cyberespionage and digital transnational repression. North Korea, Russia, China, and Iran have all targeted researchers and members of civil society in cyberspace. Famously, North Korea would infect Western vulnerability researchers, likely to steal capabilities. In addition, threat intelligence researchers lack the government protections many policymakers have. Researchers that publicly lambast US adversaries can be targeted and threatened online by state-backed trolls. Protections for these individuals are few and far between—CISA just this year rolled out a program for protecting civil society members targeted by transnational repression, so I hope it gets expanded soon.” 

Huang: “Most of the time, threat intelligence analysts (at least in the private sector) do not hear from clients after a report has gone out and do not have visibility into whether their analysis and recommendations are helpful or have real-world impact. Feedback, whether positive or constructive, can help analysts fine-tune their craft and improve future analysis.” 

Nickels: “I think the cyber policy community largely considers threat intelligence to be information to be shared about breaches, often in the form of indicators like IP addresses. While that can be one aspect of it, they may not recognize that threat intelligence analysts consider much more than that. Broadly, threat intelligence is about using an understanding of how cyber threats work to make decisions. Under that broad definition, cyber policymakers have a significant need for threat intelligence—if policymakers do not know how the threats operate, they cannot determine how to create policies to help organizations better protect against them.” 

Porter: “There are aspects of the work—such as attribution—that are more reliable and not as difficult as imagined. Conversely, there are critical functions, like putting together good trends data or linking together multiple different pieces of evidence, that can be very difficult and time-intensive but seem simple to those outside the profession. So there is always a little bit of education that needs to take place before getting into a substantive back-and-forth, where the cyber intelligence community needs to explain a little bit about how they are doing their work, and the strengths and limitations of that so that everyone has the same assumptions and understands one another’s perspective.” 

Sheldon: “The policy community sometimes lacks understanding of the sources and methods that threat intelligence practitioners leverage in their analysis. This informs the overall quality of their work, the skill needed to produce it, timeliness, extensibility, the possibility for sharing, and so on. All of these are good reasons for the two communities to talk more about how they do their work.”

More from the Cyber Statecraft Initiative:

The 5×5—Minding the cyber talent gap

The 5×5—Strengthening the cyber workforce

Cyber 9/12 Strategy Challenge

#4 What is the biggest change in writing for a threat intelligence audience vs. policymakers? 

Desombre Bernsen: “The scope is much broader. Threats to a corporate system are confined largely to the corporate system itself, but the world of geopolitics has far more players and many more first- and second-order effects of the policies you recommend.” 

Huang: “Not having to be as diligent about confidence levels! Jokes aside, it is similar in that being precise in wording and being brief and to the point are appreciated by both audiences. However, I do find that a policy audience often cares more about the forward-looking aspect and the ‘so what?’” 

Nickels: “The biggest difference is that when writing for policymakers, you are expected to express your opinion! As part of traditional intelligence doctrine, threat intelligence analysts avoid injecting personal opinions into their assessments and try to minimize the effects of their cognitive biases. Intelligence analysts might write about potential outcomes of a decision, but should not weigh in on which decision should be made. However, policymakers want to hear what you recommend. It can feel freeing to be able to share opinions, and it remains valuable to try to hedge against cognitive biases because it allows for sounder policy recommendations.” 

Porter: “Threat intelligence professionals are going to be very interested in how the work gets done, as the culture—to some degree—borrows from academic work, in terms of rewarding reproducibility of results and sharing of information. But, strictly speaking, policymakers do not care about that. Their job is to link the findings in those reports to the broader strategic context. One really only need to show enough of how the intelligence work was done to give the policymaker confidence and help them use the intelligence appropriately without understating or overstating the case. The result is that for policy audiences you end up starting from the end of the story—instead of a blog post or white paper building up to a firm conclusion, you talk about the conclusion and, depending on the level of technical understanding and skepticism on the part of the policymaker, may or may not get into the story of how things were pieced together at all.” 

Sheldon: “Good writing in both disciplines has much in common. Each should be concise, include assertions and evidence, provide context, and make unknowns clear. But there are perhaps fewer ‘product types’ relevant to core threat intelligence consumers and, in some settings, analysts can assume some fundamental knowledge base among their audience.” 

#5 Where is one opportunity to work on policy while still in industry that most people miss?

Desombre Bernsen: “You absolutely can work on policy issues while working in threat intelligence! I cannot just choose one, but I highly recommend searching for non-resident fellowship programs in think tanks (ECCRI, Atlantic Council, etc.), speaking at conferences on threat trends and their policy implications, and doing more policy through corporate threat wargaming internally.” 

Huang: “Volunteering at conferences that involve the cyber policy community, such as Policy@DEF CON and IGF-USA. These are great opportunities to support policy-focused discussions and to have deeper interactions with peers in the cyber policy space.” 

Nickels: “In the United States, one commonly missed opportunity is to reach out to elected representatives with opinions on cybersecurity legislation. Cybersecurity practitioners can also be on the lookout for opportunities to provide comments that help shape proposed regulations affecting the industry. For example, the Commerce Department invited public comments to proposed changes to the Wassenaar Arrangement around export controls of security software, and cybersecurity practitioners weighed in on how they felt the changes would influence tool development.” 

Porter: “That will vary greatly from company to company; almost universally though, you will have the opportunity to help your colleagues and future generations by providing mentorship and career development opportunities. Personnel is policy, so in addition to thinking about particular policies you might want to shape, think also about how you can shape the overall policymaking process by helping others make the most of their talents. It will take years, but, in the long run, those are the kinds of changes that are most lasting.” 

Sheldon: “Regardless of your current role, you can read almost everything relevant to the policy discourse. National strategies, executive orders, bills, commission and think tank reports, and so on are all publicly available. Unfortunately, many in the policy community are only skimming, but reading these sources deeply and internalizing them is a great basis to distinguish yourself in a policy discussion. Also, there are more opportunities than ever to read and respond to Requests for Comment from the National Institute of Standards and Technology and other government agencies, and these frequently include very technical questions.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—Cross-community perspectives on cyber threat intelligence and policy appeared first on Atlantic Council.

Security

New barrage of missiles targets Ukraine as UK promises hundreds of ‘kamikaze’ drones

Russian missile from December found in Polish forest sparks ‘cover-up’ controversy

Another barrage of missiles targets Ukraine as UK promises hundreds of ‘kamikaze’ drones

On May 16, Russian media reported that the Russian army had strengthened its positions in the Bakhmut area. According to Russian reports, four battalions have deployed around Bakhmut to prevent Ukrainian advances. The Russian Ministry of Defense said that its forces are focused on repelling Ukrainian counterattacks. Ukraine’s Deputy Defense Minister Hanna Maliar said on May 15 that Russian forces are deploying additional airborne forces to defend their flanks in Bakhmut. Russian forces appear to have made limited gains within Bakhmut.  

Another wave of Russian attacks targeted Ukraine with missiles and drones. The General Staff of the Ukrainian Armed Forces reported that, in the early hours of May 16, Russia launched six Kh-47 Kinzhal missiles from six MiG-31K aircraft at Kyiv, in addition to nine Kalibr missiles and ten S-400 and Iskander-M missiles that targeted other areas. Ukraine said its air defenses shot down most of the missiles, including six Kinzhal missiles and nine drones, of which six were Iranian-made Shahed-131/136s drones. The Russian defense ministry claimed—and US officials later confirmed—that one of the Kinzhal missiles struck a Patriot missile defense system in Kyiv. A US official told CNN that the US-made Patriot system likely suffered damage but was not destroyed. 

Elsewhere, the dam connected to the Russian-controlled Kakhovka hydroelectric power plant appears to be gushing water. A video taken on May 11 appears to show powerful streams of water flowing through the dam, which sits across the Dnipro River. The Ukrainian Center for Journalistic Investigations reported that the damage to the dam was caused by Russia. The report also cited Russian Telegram channels that claimed Russian positions were flooded and that a soldier had died as a result.  

Meanwhile, allied military aid continues to flow into Ukraine, albeit at a slower pace. On May 15, the United Kingdom said it would send Ukraine hundreds of custom-built ‘kamikaze’ drones. According to The Telegraph, the drones will have a range of more than 200 kilometers, comparable to an artillery shell. Their delivery to Ukraine is expected in the coming months.  

The German company Hensoldt said it will deliver six more TRML-4D radars compatible with the IRIS-T air defense system to Ukraine. These radars were introduced in 2018 and can detect and track up to 1,500 aerial targets at a distance of ten meters up to 250 kilometers, with an altitude reaching thirty kilometers. The radars can be used for detecting inconspicuous targets, such as hovering helicopters or low-flying cruise missiles. The combined value of the radar stations is €100 million ($108 million). Currently, Ukraine has only four TRML-4D radar systems. 

In addition, Ukraine joined the NATO Cooperative Cyber Defense Centre of Excellence on May 16, with the Ukrainian flag raised near the center’s headquarters, in Tallinn, Estonia. The center comprises thirty-one nations who exchange information, conduct research and specialist training, and undergo cyber military exercises.

—Ruslan Trad, resident fellow for security research, Sofia, Bulgaria 

Russian missile from December found in Polish forest sparks ‘cover-up’ controversy

On May 10, Polish broadcaster RMF reported on preliminary findings from the Polish Air Force Institute of Technology, which found that, on December 16, 2022, a Russian KH-55 cruise missile landed in Polish territory. The missile was not discovered until April 27, 2023, when a woman came across the remains of an air-to-surface missile while riding a horse through a forest. The Russian rocket reportedly flew 300 kilometers into Polish airspace before landing in a forest in Zamość, near the northern city of Bydgoszcz, 265 kilometers northwest of Warsaw. The missile was reportedly launched from a Russian plane flying over Belarusian territory. On December 16, 2022, Russian forces fired at least seventy-six missiles toward Ukraine.  

The delayed discovery of the missile has sparked discussions about whether the Polish government tried to cover up the incident. Ukraine reportedly informed Polish armed forces on December 16 that an object, which could be a missile, was approaching Polish air space. Polish radars also spotted an unspecified object but later lost track of it near Bydgoszcz. Polish Armed Forces Operational Command reportedly initiated an immediate search, but according to Polish media outlet Onet citing high-ranking unnamed sources, the Ministry of Defense decided to halt the search after attempts to find the object were unsuccessful. RMF reported that the armed forces did not notify the prosecutor’s office about the airspace violation, meaning the investigation was not launched until months after the missile landed on Polish territory. Prime Minister Mateusz Morawiecki and President Andrzej Duda also claimed that they were not immediately notified about the incident and only learned of it in April 2023.  

On May 11, Defense Minister Mariusz Blaszczak claimed that Operational Commander of the Polish Armed Forces Tomasz Piotrowski had “failed to carry out his duties by not informing me about the object that appeared in Polish airspace, nor informing the Government Centre for Security and other services associated with the procedures.” Blaszczak also claimed that Piotrowski had “failed to launch a sufficient search for the object.” However, Chief of General Staff of the Polish Armed Forces Rajmund Andrzejczak argued on May 11 that he immediately informed his superiors about the incident, in accordance with standard procedure. Poland’s TVN24 reported that, on December 19, Blaszczak met with Piotrowski and Andrzejczak at a Christmas event for Polish soldiers.  

Donald Tusk, leader of the main opposition Civic Platform party, demanded Blaszczak’s resignation, accusing him of hiding “behind Polish generals.”

—Givi Gigitashvili, research associate, Warsaw, Poland

The post Russian War Report: Russia fires barrage at Kyiv while UK promises ‘kamikaze’ drones appeared first on Atlantic Council.

Security

Interference on satellite imagery suggests Russia is increasing its means to surveil border activity

Zelenskyy says Ukraine preparing for “new events” as Transnistrian official asks for increased Russian troop presence

Tracking narratives

Prigozhin accuses Russian defense ministry of creating “shell hunger” in Bakhmut

Russian city organizes Victory concert on riverbank facing Estonia

Interference on satellite imagery suggests Russia is increasing its means to surveil border activity

A May 6 satellite image caught by the Sentinel-1 satellite of the European Space Agency revealed an interference pattern that was recorded stretching 172 kilometers in north-eastern Ukraine. This pattern almost exactly covers the border between the Russian city of Belgorod and Kharkiv, Ukraine’s second most populous city. The interference was cast as a result of electromagnetic emissions caught within the 5Ghz range, also known as the NATO C-band. Open source researcher Brady Africk first reported the pattern. 

The imagery shows several layers of pink straight lines, which are different from patterns usually observed by analysts. In a January 2023 edition of the Russian War Report, the DFRLab reported an interference pattern with bulkier interferences that was attributed to a potential anti-air defense missile system deployed in the Krasnodar Krai region. 

Additionally, similar patterns were recorded throughout April 2023. The DFRLab compiled imagery data from April 14 to April 21 that shows how Russia may have increased its deployment of military radars and anti-air defense systems in the region. The April 29 drone attack against an oil depot in Crimea also indicates that Russia could have been building up its defense systems in the southern occupied territories of Ukraine. 

The May 6 interference pattern resembles the one cast over mainland Crimea in April, suggesting similarity in the type of devices or equipment responsible for its emission. This assessment indicates that Russia could be transitioning towards further deployments of defense systems and military-class radar monitoring on its borders with Ukraine and in occupied territories.  

–Valentin Châtelet, Research Associate, Security, Brussels, Belgium

Zelenskyy says Ukraine preparing for “new events” as Transnistrian official asks for increased Russian troop presence

The Russian army carried out a large-scale missile and drone strike over Ukrainian territory in the early hours of May 8. The General Staff of the Ukrainian Armed Forces reported on May 8 that Russian forces launched sixteen missiles at Kharkiv, Kherson, Mykolaiv, and Odesa, and that Ukrainian troops shot down all thirty-five launched Shahed drones. A drone appears to have hit a tall building in Kyiv, possibly after being shot down. There were also reports that falling debris caused other damage. The drone strike is one of the largest attacks on Kyiv since February 2022. 

Ukrainian President Volodymyr Zelenskyy announced on May 7 that Ukrainian forces are preparing for “new events” in May or June 2023, an indication that Ukrainian forces may be preparing to conduct counter-offensive operations. Ukrainian military sources said that Russian forces continue to transfer equipment, ammunition, and supplies to prepare for defensive operations. 

Footage from Bakhmut on May 5 shows the possible use of incendiary shells against the remaining areas held by the Ukrainian army. The footage suggests ammunition is available, despite Wagner’s Yevgeny Prigozhin claiming the group does not have enough ammunition in Bakhmut. 

Meanwhile, the evacuation of civilians from Russian-occupied frontline towns in the Zaporizhzhia region has led to fuel shortages, problems with ATMs, and connectivity issues, according to Enerhodar Mayor Dmytro Orlov. He added that Russian forces have reportedly removed medical equipment from the city’s hospital, asked patients to evacuate, and closed several hospital wards.  

Elsewhere, conflicting reports are emerging from the Orikhiv region. The city is in north Zaporizhzhia Oblast, eight-five kilometers from Melitopol. On May 3, Russian media claimed that Ukrainian forces were trying to attack Orikhiv. On the same day, Vladimir Rogov, a member of the Zaporizhzhia occupation administration, told the media that the situation in the direction of Orikhiv was under control, adding that Ukraine’s army is conducting surveillance. The Zaporizhzhia region is critical to Russia because of its proximity to Melitopol. On May 9, Russian Telegram channels reported their belief that the Ukrainian army had completed preparations for a counter-offensive and that Orikhiv would be among the areas that would come under pressure. In addition, reports emerged that the Russian Volunteer Corps, fighting for Ukraine, is conducting attacks against Russian forces in Orikhiv. The Russian Volunteer Corps is a paramilitary unit that claimed responsibility for an attack in Russia’s Bryansk region in March 2023. The same unit published a video on May 9 claiming they are actively fighting against Russian forces in Orikhiv.  

The Russian government does not recognize that Russian actors are fighting on the side of Ukraine, shifting responsibility for the attacks to Ukrainian forces. The strengthening of such military units is a trend that likely causes concern within the Russian command structure. Moscow will likely continue to deny the participation of Russians in the battles against Russian forces. However, as Ukraine prepares a possible counter-offensive, the Russian command could use the presence of Russian volunteers as propaganda, creating a state of paranoia and suspicion to attack opposition groups within Russia. The video footage of the Russian Volunteer Corps received attention among Russian opposition groups, like Rospartizan, who on May 9 attacked the liberal opposition for not taking arms against the Russian government.  

Lastly, Leonid Manakov, Transnistria’s representative in Moscow, asked Russia to increase the number of Russian forces in Transnistria due to claims of “terrorist risks.” His request follows reports that Moldovan authorities detained members of the pro-Russian Shor party in April and May. US officials warned in March that individuals linked to Russian military intelligence were planning staged protests against the Moldovan government. Russia is unlikely to increase its military presence in Transnistria, especially when considering a possible Ukrainian counter-offensive. However, the risk of infiltrations and attempts to destabilize Moldova remains, including through disinformation and fear-mongering, which would serve Russia’s military goals in the Odesa region and western Ukraine.

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria 

Prigozhin accuses Russian defense ministry of creating “shell hunger” in Bakhmut

In a press release published on May 6, Wagner financier Yevgeny Prigozhin revealed more details about the group’s ongoing dispute with the Russian Ministry of Defense (MoD). Prigozhin said that in October 2022, in cooperation with Sergei Surovikin, General of the Russian Armed Forces, Wagner launched “Operation Bakhmut Meat Grinder” to provoke Ukrainian President Volodymyr Zelenskyy into sending as many Ukrainian forces as possible to defend the city. Prigozhin argued that taking control of Bakhmut was not a key objective of the operation; rather, the primary goal was “grinding the units of the Armed Forces of Ukraine” to allow the Russian army respite to restore its combat capability. Prigozhin stated that Wagner killed about 50,000 Ukrainian soldiers in Bakhmut and prevented Ukraine’s counter-offensive.

The statement claimed that Wagner has successfully managed to occupy 1,500 square kilometers of Ukrainian land and seventy-one settlements, while the Russian MoD has suffered setbacks and defeats on the frontlines. Prigozhin purported that the Russian army faced a lack of control and discipline, was embroiled in mobilization scandals, and had supply problems. He asserted that to compensate for their failures and envy towards Wagner, the MoD took counter-actions against Wagner, prohibiting it from recruiting Russian prisoners as volunteers and reducing the supply of ammunition to 30 percent of the amount Wagner required, followed by a further decrease to 10 percent. Other measures reportedly taken by the Russian MoD included suspending issuing orders and medals to dead Wagner fighters, denying personnel transfers from Africa to Ukraine, and disabling special communication systems.

Prigozhin added that to impose a complete “shell blockade” on Wagner, the Russian MoD fired Colonel General Mikhail Mizintsev, who led the siege of Mariupol in 2022 and later became deputy ninister of defense overseeing logistics and supplies. After leaving the MoD, Mizintsev reportedly joined Wagner as a deputy commander. Prigozhin said that most of Wagner’s fighters and commanders left the Russian army to join Wagner because they had lost confidence in the MoD. Due to this, he ruled out the possibility of Wagner integrating into the MoD. 

After seven months of carrying out “Operation Bakhmut Meat Grinder,” Prigozhin concluded that Wagner has lost its combat potential. He claimed that between October 2022 and May 2023, Wagner received 38 percent of the ammunition requested from the MoD and 30 to 40 percent of the tanks, artillery, and armored vehicles required for combat missions. He added that Wagner currently has 30,000 soldiers on combat missions in Bakhmut, while Ukraine has around 35,000 troops in the area, and its numbers would need to be three times higher to achieve success. He suggested that “shell hunger” resulted in two-thirds of Wagner’s losses and killed “tens of thousands” of Russian soldiers.

—Givi Gigitashvili, Research Associate, Warsaw, Poland

Russian city organizes Victory concert on riverbank facing Estonia

The Russian city of Ivangorod, separated by a small river from the Estonian city of Narva, organized a May 9 Victory Day concert for residents of Narva, a predominately Russian-speaking town with a large Russian population. This is the first time Ivangorod has organized a May 9 concert on the riverbank, opposite the Narva Museum. In response, the Narva Museum hung a large poster on the exterior of the building depicting Russian President Vladimir Putin with blood-like spatter over his face and the text “Putin War Criminal.” 

The decision to host the “large format” concert on the Narva riverbank for “Narva inhabitants to see” was made at the “federal level,” according to Aleksandr Sosnin, head of the Ivangorod administration, during an April 12 press conference.

Videos shared online show that scores of people gathered in Narva to listen to the concert. LenTV24, a pro-Kremlin regional infotainment YouTube channel, reported an altercation between a younger man carrying a Ukrainian flag–more than five hundred Ukrainian refugees reside in Narva–and an older man who attacked him. The altercation was captured on video and spread on Telegram and Facebook. Zhanna Ryabceva, a member of the Russian Duma, shared the video on Telegram. It was then shared approximately one thousand times, including by sixteen public Telegram groups and channels, according to Telegram monitoring tool TGStat. Later, the video, with a caption identical to the one used in Ryabceva’s post, was published by at least three Facebook accounts that identified as being based in Russia. One of the accounts, Ruslon Bely, was previously involved in amplifying a Secondary Infektion influence operation targeting Denmark with a forged letter that alleged Greenland was seeking independence and closer cooperation with the United States.

—Nika Aleksejeva, Resident Fellow, Riga, Latvia

The post Russian War Report: Russia wages an invisible war with radar waves and Russian music across borders appeared first on Atlantic Council.

In January 2023, a South Korean intelligence service and a team of US private investigators conducted an operation to interdict $100 million worth of stolen cryptocurrency before its hackers could successfully convert the haul into fiat currency. The operation was the culmination of a roughly seven-month hunt to trace and retrieve the funds, stolen in June 2022 from a US-based cryptocurrency company, Harmony. The Federal Bureau of Investigation (FBI) attributed the theft to a team of North Korean state-linked hackers—one in a string of massive cryptocurrency hauls aimed at funding the hermit kingdom’s illicit nuclear and missile programs. According to blockchain analysis firm Chainalysis, North Korean hackers stole roughly $1.7 billion worth of cryptocurrency in 2022—a large percentage of the approximately $3.8 billion stolen globally last year.

North Korea’s operations have brought attention to the risks surrounding cryptocurrencies and how state and non-state groups can leverage hacking operations against cryptocurrency wallets and exchanges to further their geopolitical objectives. We brought together a group of experts to explore cybersecurity implications of cryptocurrencies, and how the United States and its allies should approach this challenge.

#1 What are the cybersecurity risks of decentralized finance (DeFi) and cryptocurrencies? What are the cybersecurity risks to cryptocurrencies?

Eitan Danon, senior cybercrimes investigator, Chainalysis: 

Disclaimer: Any views and opinions expressed are the author’s alone and do not reflect the official position of Chainalysis. 

“DeFi is one of the cryptocurrency ecosystem’s fastest-growing areas, and DeFi protocols accounted for 82.1 percent of all cryptocurrency stolen (totaling $3.1 billion) by hackers in 2022. One important way to mitigate against this trend is for protocols to undergo code audits for smart contracts. This would prevent hackers from exploiting vulnerabilities in protocols’ underlying code, especially for cross-chain bridges, a popular target for hackers that allows users to move funds across blockchains. As far as the risk to cryptocurrencies, the decentralized nature of cryptocurrencies increases their security by making it extraordinarily difficult for a hostile actor to take control of permissionless, public blockchains. Transactions associated with illicit activity continue to represent a minute portion (0.24 percent) of the total crypto[currency] market. On a fundamental level, cryptocurrency is a technology—like data encryption, generative artificial intelligence, and advanced biometrics—and thus a double-edged sword.” 

Kimberly Donovan director, Economic Statecraft Initiative, and Ananya Kumar, associate director of digital currencies, GeoEconomics Center, Atlantic Council: 

“We encourage policymakers to think about cybersecurity vulnerabilities of crypto-assets and services in two ways. The first factor is the threat of cyberattacks for issuers, exchanges, custodians, or wherever user assets are pooled and stored. Major cryptocurrency exchanges like Binance and FTX have had serious security breaches, which has led to millions of dollars being stolen. The second factor to consider is the use of crypto-assets and crypto-services in money-laundering. Often, attackers use cryptocurrencies to receive payments due to the ability to hide or obfuscate financial trails, often seen in the case of ransomware attacks. Certain kinds of crypto-services such as DeFi mixers and aggregators allow for a greater degree of anonymity to launder money for criminals, who are interested in hiding money and moving it quickly across borders.” 

Giulia Fanti, assistant professor of electrical and computer engineering, Carnegie Mellon University: 

“The primary cybersecurity risks (and benefits) posed by DeFi and cryptocurrencies are related to lack of centralized control, which is inherent to blockchain technology and the philosophy underlying it. Without centralized control, it is very difficult to control how these technologies are used, including for nefarious purposes. Ransomware, for example, enables the flow of money to cybercriminial organizations. The primary cybersecurity risks to cryptocurrencies on the other hand can occur at many levels. Cryptocurrencies are built on various layers of technology, ranging from an underlying peer-to-peer network to a distributed consensus mechanism to the applications that run atop the blockchain. Attacks on cryptocurrencies can happen at any of these layers. The most widely documented attacks—and those with the most significant financial repercussions—are happening at the application layer, usually exploiting vulnerabilities in smart contract code (or in some cases, private code supporting cryptocurrency wallets) to steal funds.” 

Zara Perumal, chief technology officer, Overwatch Data: 

“Decentralized means no one person or institution is in control. It also means that no one person can easily step in to enforce. In cases like Glupteba, fraudulent servers or data listed on a blockchain can be hard to take down in comparison to cloud hosted servers where companies can intervene. Cybersecurity risks to cryptocurrencies include endpoint risk, since there is not a centralized party to handle returning accounts as the standard ways of credential theft is a risk to cryptocurrency users. There is a bigger risk in cases like crypto[currency] lending, where one wallet or owner holds a lot of keys and is a large target. In 2022, there were numerous high-profile protocol attacks, including the Wormhole, Ronin, and BitMart attacks. These attacks highlight the risks associated with fundamental protocol vulnerabilities via blockchain, smart contracts or user interface.”

#2 What organizations are most active and capable of cryptocurrency hacking and what, if any, geopolitical impact does this enable for them?

Danon: “North Korea- and Russia-based actors remain on the forefront of crypto[currency] crime. North Korea-linked hackers, such as those in the Lazarus Group cybercrime syndicate, stole an estimated $1.7 billion in 2022 in crypto[currency] hacks that the United Nations and others ­­have assessed the cash-strapped regime uses to fund its weapons of mass destruction and ballistic missiles programs. Press reporting about Federation Tower East—a skyscraper in Moscow’s financial district housing more than a dozen companies that convert crypto[currency] to cash—has highlighted links between some of these companies to money laundering associated with the ransomware industry. Last year’s designations of Russia-based cryptocurrency exchanges Bitzlato and Garantex for laundering hundreds of millions of dollars’ worth of crypto[currency] for Russia-based darknet markets and ransomware actors cast the magnitude of this problem into starker relief and shed light on a diverse constellation of cybercriminals. Although many pundits have correctly noted that Russia cannot ‘flip a switch’ and run its G20 economy on the blockchain, crypto[currency] can enable heavily sanctioned countries, such as Russia, North Korea, and others, to project power abroad while generating sorely needed revenue.” 

Donovan and Kumar: “We see actors from North Korea, Iran, and Russia using both kinds of cybersecurity threats described above to gain access to money and move it around without compliance. Geopolitical implications include sanctioned state actors or state-sponsored actors using the technology to generate revenue and evade sanctions. Hacking and cyber vulnerabilities are not specific to the crypto-industry and exist across digital infrastructures, specifically payments architecture. These threats can lead to national security implications for the private and public entities accessing or relying on this architecture.” 

Perumal: “Generally, there are state-sponsored hacking groups that are targeting cryptocurrencies for financial gain, but also those like the Lazarus Group that are disrupting the cryptocurrency industry. Next, criminal hacking groups may both use cryptocurrency to receive ransom payments or also attack on chain protocols. These groups may or may not be associated with a government or political agenda. Many actors are purely financially motivated, while other government actors may hack to attack adversaries without escalating to kinetic impact.”

#3 How are developments in technology shifting the cryptocurrency hacking landscape?

Danon: “The continued maturation of the blockchain analytics sector has made it harder for hackers and other illicit actors to move their ill-gotten funds undetected. The ability to visualize complex crypto[currency]-based money laundering networks, including across blockchains and smart contract transactions, has been invaluable in enabling financial institutions and crypto[currency] businesses to comply with anti-money laundering and know-your-customer requirements, and empowering governments to investigate suspicious activity. In some instances, hackers have chosen to let stolen funds lie dormant in personal wallets, as sleuths on crypto[currency] Twitter and in industry forums publicly track high-profile hacks and share addresses in real-time, complicating efforts to off-ramp stolen funds. In other instances, this has led some actors to question whether this transparency risks unnecessary scrutiny from authorities. For example, in late April, Hamas’s military wing, the Izz al-Din al-Qassam Brigades, publicly announced that it was ending its longstanding cryptocurrency donation program, citing successful government efforts to identify and prosecute donors.” 

Donovan and Kumar: “Industry is responding and innovating in this space to develop technology to protect and/or trace cyber threats and cryptocurrency hacks. We are also seeing the law enforcement, regulatory, and other government communities develop the capability and expertise to investigate these types of cybercrimes. These communities are taking steps to make public the information gathered from their investigations, which further informs the private sector to safeguard against cyber operations as well as technology innovations to secure this space.” 

Fanti: “They are not really. For the most part, hacks on cryptocurrencies are not increasing in frequency because of sophisticated new hacking techniques, but rather because of relatively mundane vulnerabilities in smart contracts. There has been some research on using cutting-edge tools such as deep reinforcement learning to try to gain funds from smart contracts and other users, particularly in the context of DeFi. However, it is unclear to what extent DeFi users are using such tools; on-chain records do not allow observers to definitively conclude whether such activity is happening.” 

Perumal: “As the rate of ransomware attacks rises, cryptocurrency is more often used as a mechanism to pay ransoms. For both that and stolen cryptocurrency, defenders aim to track actors across the blockchain and threat actors increase their usage mixers and microtransactions to hide their tracks. A second trend is crypto-jacking and using cloud computing from small to large services to fund mining. The last development is not new. Sadly, phishing and social engineering for crypto[currency] logins is still a pervasive threat and there is no technical solution to easily address human error.”

More from the Cyber Statecraft Initiative:

Countering ransomware: Lessons from aircraft hijacking

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Loose cobras: DPRK regime succession and uncertain control over offensive cyber capabilities

#4 What has been the approach of the United States and allied governments toward securing this space? How should they be approaching it?

Danon: “The US approach toward securing the space has centered on law enforcement actions, including asset seizures and takedowns with partners of darknet markets, such as Hydra Market and Genesis Market. Sanctions in the crypto[currency] space, which have dramatically accelerated since Russia’s invasion of Ukraine last February, have generated awareness about crypto[currency] based money laundering. However, as is the case across a range of national security problems, the United States has at times over relied on sanctions, which are unlikely to change actors’ behavior in the absence of a comprehensive strategy. The United States and other governments committed to AML should continue to use available tools and data offered by companies like Chainalysis to disrupt and deter bad actors from abusing the international financial system through the blockchain. Given the blockchain’s borderless and unclassified nature, the United States should also pursue robust collaboration with other jurisdictions and in multilateral institutions.” 

Donovan and Kumar: “The United States and its allies are actively involved in this space to prevent regulatory arbitrage and increase information sharing on cyber risks and threats. They have also increased communication with the public and private sectors to make them aware of cyber risks and threats, and are making information available to the public and industry to protect consumers against cybercrime. Government agencies and allies should continue to approach this issue by increasing public awareness of the threats and enabling industry innovation to protect against them.” 

Fanti: “One area that I think needs more attention from a consumer protection standpoint is smart contract security. For example, there could be more baseline requirements and transparency in the smart contract ecosystem about the practices used to develop and audit smart contracts. Users currently have no standardized way to evaluate whether a smart contract was developed using secure software development practices or tested prior to deployment. Standards bodies could help set up baseline requirements, and marketplaces could be required to report such details. While such practices cannot guarantee that a smart contract is safe, they could help reduce the prevalence of some of the most common vulnerabilities.” 

Perumal: “Two recent developments from the US government are the White House cybersecurity strategy and the Cybersecurity and Infrastructure Security Agency’s (CISA) move to ‘secure by default.’ They both emphasize cooperation with the private sector to move security of this ecosystem to cloud providers. While the system is inherently decentralized, if mining or credential theft is happening on major technology platforms, these platforms have an opportunity to mitigate risk. The White House emphasized better tracing of transactions to “trace and interdict ransomware payments,” and CISA emphasizes designing software and crypto[currency] systems to be secure by default so smaller actors and users bear less of the defensive burden. At a high level, I like that this strategy moves protections to large technology players that can defend against state actors. I also like the focus on flexible frameworks that prioritize economics (e.g., cyber liability) to set the goal, but letting the market be flexible on the solution—as opposed to a prescriptive regulatory approach that cannot adapt to new technologies. In some of these cases, I think cost reduction may be a better lever than liability, which promotes fear on a balance sheet, however, I think the push toward financially motivated goals and flexible solutions is the right direction.”

#5 Has the balance of the threats between non-state vs. state actors against cryptocurrencies changed in the last five years? Should we be worried about the same entities as in 2018?

Danon: “Conventional categories of crypto[currency]-related crime, such as fraud shops, darknet markets, and child abuse material, are on the decline. Similarly, the threat from non-state actors, such as terrorist groups, remains extremely low relative to nation states, with actors such as North Korea and Russia continuing to leverage their technical sophistication to acquire and move cryptocurrency. With great power competition now dominating the policy agenda across many capitals, analysts should not overlook other ways in which states are exercising economic statecraft in the digital realm. For example, despite its crypto[currency] ban, China’s promotion of its permissioned, private blockchain, the Blockchain-based Service Network, and its central bank digital currency, the ‘digital yuan,’ deserve sustained research and analysis. Against the backdrop of China’s rise and the fallout from the war on Ukraine, it will also be instructive to monitor the efforts of Iran, Russia, and others to support non-dollar-pegged stablecoins and other initiatives aimed at eroding the dollar’s role as the international reserve currency.” 

Donovan and Kumar: “More is publicly known now on the range of actors in this space than ever. Agencies such as CISA, FBI, and the Departments of Justice and the Treasury and others have made information available and provided a wide array of resources for people to get help or learn—such as stopransomware.gov. Private blockchain analytics firms have also enabled tracing and forensics, which in partnership with enforcement can prevent and punish cybercrime in the crypto[currency] space. Both the knowledge about ransomware and awareness of ransomware attacks have increased since 2018. As the popularity of Ransomware as a Service rises, both state and non-state actors can cause destruction. We should continue to be worried about cybercrime in general and remain agnostic of the actors.” 

Perumal: “State actors continue to get more involved in this space. As cryptocurrencies and some digital currencies based on the blockchain become more mainstream, attacking it allows a more targeted geopolitical impact. In addition to attacks by governments (like Lazarus Group), a big recent development was China’s ban on cryptocurrency, which moved mining power from China to other parts of the world, especially the United States and Russia. This changed attack patterns and targets. At a high level, we should be worried about both financially-motivated and government-backed groups, but as the crypto[currency] market grows so does the sophistication of attacks and attackers.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—Cryptocurrency hacking’s geopolitical and cyber implications appeared first on Atlantic Council.

In Season 1, Episode 2 of the Guns for Hire podcast, host Alia Brahimi speaks with the Russian defence analyst Pavel Luzin about what the proliferation of Russian mercenaries abroad tells us about Russia at home. They explore the domestic forces that gave rise to the Kremlin’s co-optation of Russian mercenaries, how they are funded by the Russian federal budget, and the effects mercenaries are already having on Russian society. They also discuss how Russia’s strategy of playing the troublemaker in Libya won it a seat at the table in determining Libya’s future.

Find the Guns For Hire podcast on the app of your choice

About the podcast

The Guns for Hire podcast is a production of the Atlantic Council’s North Africa Initiative. Taking Libya as its starting point, it explores the causes and implications of the growing use of mercenaries in armed conflict.

The podcast features guests from many walks of life, from ethicists and historians to former mercenary fighters. It seeks to understand what the normalisation of contract warfare tells us about the world as we currently find it, but also about the future of the international system and about what war could look like in the coming decades.

Further reading

MENASource Feb 28, 2023

To counter the Wagner Group’s presence in Africa, the US will need to prioritize stabilizing Libya

By Emadeddin Badi

Quelling the Wagner Group’s influence in Libya will be challenging, as the US must address Libyan realities and unite Europe and regional powers to support its foreign policy endeavor.

Libya Middle East

MENASource Feb 1, 2023

Libya’s political impasse and the $6 billion question

By Alia Brahimi

On January 5, after months of talks brokered in Egypt, Libya’s rival legislative bodies finally agreed to begin discussions to develop the constitutional basis for elections.

Libya Middle East

MENASource Nov 15, 2022

A moment of opportunity: Can the UN’s new special representative for Libya break the country’s cycle of devolution?

By Emadeddin Badi

After two months into the job, Abdoulaye Bathily may be quickly realizing that Libya’s war never abated, and that it is now simply fought by other means in the halls of the United Nations and corridors of foreign capitals.

Libya Middle East

Middle East Programs

Through our Rafik Hariri Center for the Middle East and Scowcroft Middle East Security Initiative, the Atlantic Council works with allies and partners in Europe and the wider Middle East to protect US interests, build peace and security, and unlock the human potential of the region.

Explore More

The post What Russian mercenaries tell us about Russia appeared first on Atlantic Council.

Security

Russian army presses on in Bakhmut despite losses

Russia enacts “e-drafting” law

Drone imagery locates new burial site east of Soledar

Russian hackers target NATO websites and email addresses

Russian army presses on in Bakhmut despite losses

The General Staff of the Ukrainian Armed Forces recorded fifty-eight attacks on Ukrainian troop positions on April 9 and 10. Of these attacks, more than thirty were in the direction of Bakhmut, and more than twenty were in the direction of Marinka and Avdiivka. Russian forces also attempted to advance toward Lyman, south of Dibrova.

On April 10, Commander of the Eastern Group of Ukrainian Ground Forces Oleksandr Syrskyi said that Russian forces in Bakhmut increasingly rely on government special forces and paratroopers because Wagner units have suffered losses in the recent battles. Syrskyi visited Bakhmut on April 9 to inspect defense lines and troops deployed to the frontline. According to the United Kingdom’s April 10 military intelligence report, Russian troops are intensifying tank attacks on Marinka but are still struggling with minimal advances and heavy losses. 

On April 13, Deputy Chief of the Main Operational Directorate of Ukrainian Forces Oleksiy Gromov said that Bakhmut remains the most challenging section on the frontline as Russian forces continue to storm the city center, trying to encircle it from the north and south through Ivanivske and Bohdanivka. According to Ukrainian estimates, during a two-week period, Russian army and Wagner Group losses in the battle for Bakhmut amounted to almost 4,500 people killed or wounded. To restore the offensive potential in Bakhmut, Russian units that were previously attacking in the direction of Avdiivka were transferred back to Bakhmut.

On April 8, Commander of the Ukrainian Air Forces Mykola Oleshchuk lobbied for Ukraine obtaining F-16 fighter jets. According to his statement, Ukrainian pilots are now “hostages of old technologies” that render all pilot missions “mortally dangerous.” Oleshchuk noted that American F-16 jets would help strengthen Ukraine’s air defense. Oleshchuk said that even with a proper number of aircraft and pilots, Ukrainian aviation, which is composed of Soviet aircraft and missiles, may be left without weapons at some point. He noted the F-16 has a huge arsenal of modern bombs and missiles. The commander also discussed the need for superiority in the air and control of the sea. Currently, Russian aviation is more technologically advanced and outnumbers Ukraine, meaning Ukraine cannot adequately protect its airspace. In order for the Ukrainian army to advance and re-capture territory occupied by Russia, it will require substantial deliveries of aviation and heavy equipment like tanks, howitzers, and shells. 

April 10, Ukrainian forces reported they had spotted four Russian ships on combat duty in the Black Sea, including one armed with Kalibr missiles. Another Russian ship was spotted in the Sea of Azov, along with seven in the Mediterranean, including three Kalibr cruise missile carriers. 

Meanwhile, according to Ukrainian military intelligence, Russia plans to produce Kh-50 cruise missiles in June. If confirmed, this could potentially lead to increased missile strikes against Ukraine in the fall. The Kh-50 missiles in the “715” configuration are intended to be universal, meaning they can be used by many Russian strategic bombers, including the Tu-22M3, Tu-95MS, and Tu-160.

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria

Russia enacts “e-drafting” law

On April 11, the Russian State Duma approved a bill reading allowing for the online drafting of Russian citizens using the national social service portal Gosuslugi. One day later, the Russian Federal Council adopted the law. The new law enables military commissariats, or voenkomat, to send mobilization notices to anyone registered in the Gosuslugi portal. Contrary to the traditional in-person delivery of paper notices, the digital mobilization order will be enforced immediately upon being sent out to the user; ordinarily, men drafted for mobilization could dispute the reception of the notice during the twenty-one-day period after the notice was sent. As of 2020, 78 million users were reportedly registered in the Gosuslugi portal, nearly two-thirds of the Russian population.

Alongside the adoption of the digital mobilization notices are newly adopted restrictions regarding unresponsive citizens. Those who fail to appear at their local military commissariat in the twenty-day period following notice will be barred from leaving the country and banned from receiving new credit or driving a car. Of the 164 senators who took part in the vote, only one voted against the bill; Ludmila Narusova argued that the law had been adopted exceptionally hastily and that the punishments against “deviants” who do not respond to the notice are “inadequate.”

As explained by Riga-based Russian news outlet Meduza, the law also states that reserves could be populated with those who legally abstained from military service until the age of twenty-seven, due to an amendment in the bill that allows for personal data to be shared with the Russian defense ministry in order to establish “reasonable grounds” for mobilization notices to be sent out. Several institutions across the country will be subject to the data exchange, including the interior ministry, the federal tax office, the pension and social fund, local and federal institutions, and schools and universities.

–Valentin Châtelet, Research Associate, Security, Brussels, Belgium

Drone imagery locates new burial site east of Soledar

Images released by Twitter user @externalPilot revealed a new burial site, located opposite a cemetery, in the village of Volodymyrivka, southeast of Soledar, Donetsk Oblast. The DFRLab collected aerial imagery and assessed that the burial site emerged during the last week of March and the first week of April. The city of Soledar has been under Russian control since mid-January. The burial site faces the Volodymyrivka town cemetery. Drone footage shows several tombs with no apparent orthodox crosses or ornaments. Analysis of the drone imagery indicates around seventy new graves have been dug on this site. A DFRLab assessment of satellite imagery estimates the surface area of the burial site amounts to around thirteen hectares.

–Valentin Châtelet, Research Associate, Security, Brussels, Belgium

Russian hackers target NATO websites and email addresses

On April 8, the pro-war Russian hacktivist movement Killnet announced they would target NATO in a hacking operation. On April 10, they said they had carried out the attack. The hacktivists claimed that “40% of NATO’s electronic infrastructure has been paralyzed.” They also claimed to have gained access to the e-mails of NATO staff and announced they had used the e-mails to create user accounts on LBGTQ+ dating sites for 150 NATO employees.

The hacktivists forwarded a Telegram post from the KillMilk channel showing screenshots of one NATO employee’s e-mail being used to register an account on the website GayFriendly.dating. The DFRLab searched the site for an account affiliated with the email but none was found.

Killnet also published a list of e-mails it claims to have hacked. The DFRLab cross-checked the e-mails against publicly available databases of compromised e-mails, like Have I been Pwned, Avast, Namescan, F-secure, and others. As of April 13, none of the e-mails had been linked to the Killnet hack, though this may change as the services update their datasets.

In addition, the DFRLab checked the downtime of the NATO websites that Killnet claims to have targeted with distributed denial of service (DDoS) attacks. According to IsItDownRightNow, eleven of the forty-four NATO-related websites (25 percent) were down at some point on April 10.  

—Nika Aleksejeva, Resident Fellow, Riga, Latvia

The post Russian War Report: Russian army presses on in Bakhmut despite losses appeared first on Atlantic Council.

ISSUE BRIEF

What does the record of combat in the year since Russia began its full-scale invasion of Ukraine herald about the future character of ground war? Defense analysts are split on whether the conflict manifests transformative change or merely reinforces the verities of ground combat. On the one hand, the bulk of each side’s formations are armed with decades-old equipment and trained in Soviet-era tactics. However, both forces are adapting, and the Ukrainian military is demonstrating an impressive propensity to improvise and innovate. In particular, Russia was not prepared for Ukraine’s convergence of new capabilities in command and control, persistent surveillance, and massed, precision fires which are changing the game of ground warfare.

Want to learn more? Watch the launch event.

Public Event Mon, April 3, 2023 • 3:30 pm ET

Game-changers or little-changed? Implications of ground combat in Ukraine

Experts discuss what lessons policymakers should draw from land warfare in Ukraine and what adaptations the United States, as well as allies and partners, should make to their force posture and plans.

Conflict Defense Policy Defense Technologies National Security

Verities of ground combat

The Russo-Ukraine war has reinforced important continuities in military operations. These include the importance of preparation, logistics, and industrial capacity which are the core components needed to sustain a capable force. The war has also driven home the importance of both massed and precision fires. Cannon artillery has played a central role in the war, firing about two million rounds to date. Ukrainian forces have also adeptly employed long-range High Mobility Artillery Rocket Systems (HIMARS) to dramatically damage Russian ammunition resupply. Artillery fires have been, and will continue to be, crucial for supporting maneuver, degrading adversary communications and logistical capabilities, and destroying or suppressing adversary artillery. Consequently, the industrial capacity to produce the necessary ammunition, maintenance equipment, and systems to replace losses, will remain a defining feature of military preparedness.

Game-changers

The Ukrainian military has combined existing and new technologies to develop three capabilities that are dramatically altering the dynamics on the battlefield. First, Ukraine has developed truly connected, high-speed command and control. Second, Ukraine has access to near-persistent surveillance of the battlespace. Third, Ukraine’s skilled use of precision artillery, drones, and loitering munitions demonstrated how their smaller, lighter forces could defeat Russia’s offensive.

Recommendations

• Recognize that these game-changing capabilities are giving new and powerful advantages to defenders in ground combat.
• Structure and organize forces to operate in an environment of ubiquitous surveillance.
• Prepare for ground combat in which large numbers of “semiautonomous” loitering munitions dominate the battlefield.
• Recognize ground-based missiles and drones as key instruments of air power.
• Engage the commercial sector as a key source of technology and innovation.

Generously sponsored by

About the author

T.X. Hammes

Distinguished Research Fellow, Institute for National Strategic Studies, National Defense University

Dr. Thomas X. Hammes joined Institute for National Strategic Studies in June 2009. His areas of expertise include future conflict, the changing character of war, military strategy, operational concepts, and insurgency. Dr. Hammes earned a Bachelor of Science from the Naval Academy in 1975 and holds a Masters of Historical Research and a Doctorate in Modern History from Oxford University. He is a Distinguished Graduate from the Canadian National Defence College. He has published three books: Deglobalization and International Security; The Sling and the Stone: On War in the 21st Century; and The 1st Provisional Marine Brigade, the Corps’ Ethos, and the Korean War. He has also published over 160 articles. His publications have been used widely in staff and defense college curricula in the US, UK, Canada, Australia, and Singapore. Dr. Hammes has lectured extensively at leading academic and military institutions in the United States and abroad. Prior to his retirement from active duty, Dr. Hammes served 30 years in the Marine Corps to include command of an intelligence battalion, an infantry battalion and the Chemical Biological Response Force. He participated in military operations in Somalia and Iraq and trained insurgents in various locations.

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Learn more

The post Game-changers: Implications of the Russo-Ukraine war for the future of ground warfare appeared first on Atlantic Council.

The most recent iteration was in February, when the Indian government initiated a process to ban 138 betting apps and ninety-four lending apps, many of which it claimed have links to China. Authorities walked a few of these bans back after Indian companies like LazyPay and Kissht reportedly demonstrated they had no such links. Some US policymakers have praised India’s app bans, namely Federal Communications Commission Commissioner Brendan Carr, who said in January of this year that India set an “incredibly important precedent” by banning TikTok from the country.

But India’s app bans are not an example of constructive, careful, and established policy and process on the risks posed by foreign technology companies, products, and services.

Government overreach with no transparency

The administration of Prime Minister Narendra Modi is grossly mistaken in playing hundreds of rounds of whack-a-mole against Chinese apps. The bans were imposed with very little transparency and little or no public consultation. They were followed up by state orders—which went largely unquestioned—for internet service providers (ISPs) in India to filter out Indians’ access to TikTok servers. To top it off, India has no comprehensive privacy regime—exactly what it needs to better protect Indian citizens’ data, including from the undemocratic Modi government.

Instead, the country is witnessing overreaching government policies that make sweeping assessments of mobile apps behind closed doors, with few avenues of recourse by the public. Citizens’ data, meanwhile, remains vulnerable to widespread abuse.

India has banned hundreds of apps since the first round of app expulsions in June 2020. The government banned fifty-nine Chinese apps in June 2020, forty-seven apps in July 2020, 118 apps in September 2020, and forty-three apps in November 2020. In February 2022, over a year after the prior set of bans, New Delhi announced fifty-four new app bans. Most recently, in February 2023, the government initiated a process to ban 232 apps; the exact number of banned applications is unclear due to a lack of media coverage on subsequent walk-backs.

A data analysis of the bans indicates that they focus heavily on utility apps, photo and video apps, social media apps, messaging and social networking apps, and gaming apps. In many of these cases, New Delhi has asserted that the apps are prejudicial to the national security and sovereignty of India. Clearly, this language was selected because it pulls from Section 69(A) of India’s Information Technology Act of 2000, the legislation which the Indian government invokes with these bans. The provision states that:

“Where the Central Government or a State Government or any of its offers specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offense relating to or above or for investigation of any offense, it may be subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.”

With each of these app bans, the Indian government has given little public notice or none at all. For example, the scramble in the wake of the February 2023 bans—where companies in India were banned because of alleged links to China, though they subsequently demonstrated nothing of the sort—suggests the companies were not approached or notified by the government prior to the bans’ public announcement. New Delhi has also consistently provided insufficient information on its reasoning for the bans. As the nonprofit Internet Freedom Foundation in India wrote after the first round of June 2020 bans, “currently we only have a press release and not the actual order,” which is needed “since it contains the reasons for the ban which are important when we try to assess the legality and validity of the ban.” The lack of public notice is especially significant given that the actions did not target a single app or company at once; instead, each round of bans threw dozens or even more than one hundred apps out of India at a time.

Governments need to provide a clear public explanation (if not also evidence) for decisions to restrict a tech company, product, or service’s market access for “security” reasons. This is because not every risk posed by a technology company, product, or service is the same. Consider a hypothetical example: a social media platform could raise questions about the risk of corporate data abuse; foreign government data access; foreign government content manipulation; addictiveness for children; and so on. Each of these are different concerns requiring unique diagnoses and policy responses. Hence, broadly claiming “security” and “sovereignty” is an insufficient justification for a complete ban—just as US policymakers who initially said “TikTok is owned by a Chinese firm” were not properly breaking down the perceived risks. Democracies (even if backsliding) should provide the public, the private sector, and civil society with explanations for their tech policy decisions. 

In India’s case, the state has failed to properly do so time and time again with these bans.

A lack of due process for ban policies

The process for India’s app bans is also highly concerning. The so-called IT Blocking Rules from 2009 laid out regulations for how these types of bans should take place (as required in Section 69(B) of the Information Technology Act). But, as the Internet Freedom Foundation noted in June 2020, it was unclear if the Indian government’s decision to enact these bans followed the proper process—to include holding a pre-decisional hearing. Process rarely makes for interesting conversation, but it’s vital. How a government reviews tech companies, products, and services for security risks; how it makes determinations about those risks; whether it consults with outside voices on those risks; and how it communicates those risks and that process to the public all shape whether government security reviews are nuanced, transparent, and accountable.

Even if one agrees with the result of a ban—such as expelling TikTok from India—how the Modi government arrived there, and its unilateral power to block and censor in this area, are still great reasons for concern. There has been woefully insufficient press attention, in India and even more so in the West, to the fact that New Delhi quickly got Apple and Google to remove apps from their stores and then ordered ISPs, at least in TikTok’s case, to filter Indians’ web traffic to block access to servers.

There is also a strong political dimension to these actions. When the Indian government first started banning China-linked apps in June 2020, including TikTok, it followed an India-China border clash in which twenty Indian soldiers and four Chinese soldiers reportedly died. That India’s app bans were compared to “digital counterstrikes” from India to China underscore the fact that the move was heavily politically motivated, meant to signal to the Indian public that the Modi government was responding, and to China that India was willing to constrain Chinese apps’ market access. New Delhi was able to signal resolve against Beijing (at least in its mind), defending Indian “sovereignty” (as per the ban press release) without taking military action.

Modi’s administration has also been increasing pressure on tech companies operating in India. For instance, there was significant media reporting about Facebook, India, and the ruling Bharatiya Janata Party (BJP); in addition to underinvesting in content moderation in India and many other countries, Facebook reportedly had internal pushes to relax its rules for BJP officials spreading hate speech because the users in question belonged to the party in power. Indian police also raided (empty) Twitter offices in 2021—a move reminiscent of the Russian government’s coercive tactics—after the company applied a “manipulated media” label to a tweet from a BJP official. Even with discussions of data localization in India, one of the many motivations at play was the Indian government’s interest in applying pressure to—and holding leverage over—tech companies operating there. 

The app bans fit within this broader context of tech company coercion and state efforts to increase control of the tech environment.

No data privacy regime means “anything goes”

Lastly, India has no comprehensive privacy law. The new Digital Personal Data Protection Bill is a mixed bag for privacy but has some improvements over the previous legislation (the Personal Data Protection Bill) which had broad data localization requirements among other things. Negotiations are still ongoing. Yet, that is exactly the point: the Modi government has banned hundreds and hundreds of apps, many with links to China, in the past 2.5 years, while India is still without a law to constrain corporate data collection, rein in the sale of Indians’ data by data brokers, and place guardrails around expanding Indian government surveillance.

Without a doubt, the Chinese government is heavily engaged in espionage against countries around the world—India included—and it’s safe to assume that most if not all Chinese tech firms must answer to Beijing when asked. China is not micromanaging all companies all the time (as that would be unwieldy) but the risks of Chinese state influence on Chinese tech firms are certainly present. 

The Indian government needs to build a comprehensive, transparent, and accountable means of addressing data privacy and security risks. Playing endless rounds of arbitrary whack-a-mole against apps—with little to no public consultation—is a step in the wrong direction with serious consequences.

The author thanks Rose Jackson for comments on an earlier draft of this article.

Justin Sherman (@jshermcyber) is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative and the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm.

The South Asia Center serves as the Atlantic Council’s focal point for work on the region as well as relations between these countries, neighboring regions, Europe, and the United States.

Learn more

Related content

SouthAsiaSource Mar 6, 2023

Amid Pakistan’s political and economic turmoil, risks to curbs on digital freedoms grow

By Uzair Younus

Growing polarization and instability in Pakistan have increased the likelihood that as elections draw near, curbs on speech, largely limited thus far to television channels, may extend to internet platforms like YouTube, Facebook, and Twitter.

Civil Society Elections

SouthAsiaSource Dec 5, 2022

India’s data localization pivot can revamp global digital diplomacy

By Anand Raghuraman

India’s stance on data localization constrained its ability to engage in digital diplomacy. With a new privacy bill, however, it has outlined a compromise option.

Digital Policy Economy & Business

SouthAsiaSource Nov 23, 2022

India’s new data bill is a mixed bag for privacy

By Justin Sherman

India’s parliament has released its Digital Personal Data Protection Bill, offering a mixed bag for privacy.

Digital Policy Economy & Business

The post The problem with India’s app bans appeared first on Atlantic Council.

In Season 1, Episode 1 of the Guns for Hire podcast, host Alia Brahimi speaks with the author and former mercenary Dr. Sean McFate about his three-pronged strategy for defeating the Wagner Group. They also discuss internal dynamics within the Kremlin-linked private military company, the dangerously outsized influence of its leader in the war in Ukraine, and Sean’s argument that there’s nothing more unconventional today than a conventional war– and that this is borne out by the way that Russia is fighting in Ukraine.

Find the Guns For Hire podcast on the app of your choice

About the podcast

The Guns for Hire podcast is a production of the Atlantic Council’s North Africa Initiative. Taking Libya as its starting point, it explores the causes and implications of the growing use of mercenaries in armed conflict.

The podcast features guests from many walks of life, from ethicists and historians to former mercenary fighters. It seeks to understand what the normalisation of contract warfare tells us about the world as we currently find it, but also about the future of the international system and about what war could look like in the coming decades.

Further reading

MENASource Feb 28, 2023

To counter the Wagner Group’s presence in Africa, the US will need to prioritize stabilizing Libya

By Emadeddin Badi

Quelling the Wagner Group’s influence in Libya will be challenging, as the US must address Libyan realities and unite Europe and regional powers to support its foreign policy endeavor.

Libya Middle East

MENASource Feb 1, 2023

Libya’s political impasse and the $6 billion question

By Alia Brahimi

On January 5, after months of talks brokered in Egypt, Libya’s rival legislative bodies finally agreed to begin discussions to develop the constitutional basis for elections.

Libya Middle East

MENASource Nov 15, 2022

A moment of opportunity: Can the UN’s new special representative for Libya break the country’s cycle of devolution?

By Emadeddin Badi

After two months into the job, Abdoulaye Bathily may be quickly realizing that Libya’s war never abated, and that it is now simply fought by other means in the halls of the United Nations and corridors of foreign capitals.

Libya Middle East

Middle East Programs

Through our Rafik Hariri Center for the Middle East and Scowcroft Middle East Security Initiative, the Atlantic Council works with allies and partners in Europe and the wider Middle East to protect US interests, build peace and security, and unlock the human potential of the region.

Explore More

The post Defeating the Wagner Group appeared first on Atlantic Council.

Just over one year ago, on February 24, 2022, Russia launched a full-scale invasion of neighboring Ukraine. The ensuing conflict, Europe’s largest since World War II, has not only besieged Ukraine physically, but also through the information environment. Through kinetic, cyber, and influence operations, Russia has placed Ukraine’s digital and physical information infrastructure—including its cell towers, networks, data, and the ideas that traverse them—in its crosshairs as it seeks to cripple Ukraine’s defenses and bring its population under Russian control. 

Given the privately owned underpinnings of the cyber and information domains by technology companies, a range of local and global companies have played a significant role in defending the information environment in Ukraine. From Ukrainian telecommunications operators to global cloud and satellite internet providers, the private sector has been woven into Ukrainian defense and resilience. For example, Google’s Threat Analysis Group reported having disrupted over 1,950 instances in 2022 of Russian information operations aimed at degrading support for Ukraine, undermining its government, and building support for the war within Russia. The present conflict in Ukraine offers lessons for states as well as private companies on why public-private cooperation is essential to building resilience in this space, and how these entities can work together more effectively. 

We brought together a group of experts to provide insights on the war being waged through the Ukrainian information environment and take away lessons for the United States and its allies for the future. 

#1 How has conflict in the information environment associated with the war in Ukraine compared to your prior expectations?

Nika Aleksejeva, resident fellow, Baltics, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“As the war in Ukraine started, everyone was expecting to see Russia conducting offensive information influence operations targeting Europe. Yes, we have identified and researched Russia’s coordinated information influence campaigns on Meta’s platforms and Telegram. These campaigns targeted primarily European countries, and their execution was unprofessional, sloppy, and without much engagement on respective platforms.” 

Silas Cutler, senior director for cyber threat research, Institute for Security and Technology (IST): 

“A remarkable aspect of this conflict has been how Ukraine has maintained communication with the rest of the world. In the days leading up to the conflict, there was a significant concern that Russia would disrupt Ukraine’s ability to report on events as they unfolded. Instead of losing communication, Ukraine has thrived while continuously highlighting through social media its ingenuity within the conflict space. Both the mobilization of its technical workforce through the volunteer IT_Army and its ability to leverage consumer technology, such as drones, have shown the incredible resilience and creativity of the Ukrainian people.” 

Roman Osadchuk, research associate, Eurasia, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“The information environment was chaotic and tense even before the invasion, as Russia waged a hybrid war since at least the annexation of Crimea and war in Eastern Ukraine in 2014. Therefore, the after-invasion dynamic did not bring significant surprises, but intensified tension and resistance from Ukrainian civil society and government toward Russia’s attempts to explain its unprovoked invasion and muddle the water around its war crimes. The only things that exceeded expectations were the abuse of fact-checking toolbox WarOnFakes and the intensified globalization of the Kremlin’s attempts to tailor messages about the war to their favor globally.” 

Emma Schroeder, associate director, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“The information environment has been a central space and pathway throughout which this war is being fought. Russian forces are reaching through that space to attack and spread misinformation, as well as attacking the physical infrastructure underpinning this environment. The behavior, while novel in its scale, is the continuation of Russian strategy in Crimea, and is very much living up to expectations set in that context. What has surpassed expectations is the effectiveness of Ukrainian defenses, in coordination with allies and private sector partners. The degree to which the international community has sprung forward to provide aid and assistance is incredible, especially in the information environment where such global involvement can be so immediate and transformative.” 

Gavin Wilde, senior fellow, Technology and International Affairs Program, Carnegie Endowment for International Peace: 

“The volume and intensity of cyber and information operations has roughly been in line with my prior expectations, though the degree of private and commercial activity was something that I might not have predicted a year ago. From self-selecting out of the Russian market to swarming to defend Ukrainian networks and infrastructure, the outpouring of support from Western technology and cybersecurity firms was not on my bingo card. Sustaining it and modeling for similar crises are now key.” 

 
#2 What risks do private companies assume in offering support or partnership to states engaged in active conflict?

Aleksejeva: “Fewer and fewer businesses are betting on Russia’s successful economical future. Additionally, supporting Russia in this conflict in any way is morally unacceptable for most Western companies. Chinese and Iranian companies are different. As for Ukraine, supporting it is morally encouraged, but is limited by many practicalities, such as supply chain disruptions amid Russia’s attacks.” 

Cutler: “By providing support during conflict, companies risk becoming a target themselves. Technology companies such as Microsoft, SentinelOne, and Cloudflare, which have publicly reported their support for Ukraine, have been historically targeted by Russian cyber operations and are already familiar with the increased risk. Organizations with pre-conflict commercial relationships may fall under new scrutiny by nationally-aligned hacktivist groups such as Killnet. This support for one side over the other—whether actual or perceived—may result in additional risk.” 

Osadchuk: “An important risk of continuing business as usual [in Russia] is that it may damage a company’s public image and test its declared values, since the continuation of paying taxes within the country-aggressor makes the private company a sponsor of these actions. Another risk for a private company is financial, since the companies that leave a particular market are losing their profits, but this is incomparable to human suffering and losses caused by the aggression. In the case of a Russian invasion, one of the ways to stop the war is to cut funding for and, thus, undermine the Russian war machine and support Ukraine.” 

Schroeder: “Private companies have long provided goods and services to combatants outside of the information environment. The international legal framework restricting combatants to targeting ‘military objects’ provides normative protection, as objects are defined as those ‘whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage’ in a manner proportional to the military gain foreseen by the operation. This definition, however, is still subject to the realities of conflict, wherein combatants will make those decisions to their own best advantage. In the information environment, this question becomes more complicated, as cyber products and services often do not fall neatly within standard categories and where private companies themselves own and operate the very infrastructure over and through which combatants engage. The United States and its allies, whether on a unilateral of supranational basis, work to better define the boundaries of civilian ‘participation’ in war and conflict, as the very nature of the space means that their involvement will only increase.” 

Wilde: “On one hand, it is important not to falsely mirror onto others the constraints of international legal and normative frameworks around armed conflict to which responsible states strive to adhere. Like Russia, some states show no scruples about violating these frameworks in letter or spirit, and seem unlikely to be inhibited by claims of neutrality from companies offering support to victimized states. That said, clarity about where goods and services might be used for civilian versus military objectives is advisable to avoid the thresholds of ‘direct participation’ in war outlined in International Humanitarian Law.”

#3 What useful lessons should the United States and its allies take away from the successes and/or failures of cyber and information operations in Ukraine?

Aleksejeva: “As for cyber operations, so far, we have not seen successful disruptions achieved by Russia of Ukraine and its Western allies. Yes, we are seeing constant attacks, but cyber defense is much more developed on both sides than before 2014. As for information operations, the United States and its allies should become less self-centered and have a clear view of Russia’s influence activities in the so-called Global South where much of the narratives are rooted in anti-Western sentiment.” 

Cutler: “Prior to the start of the conflict, it was strongly believed that a cyber operation, specifically against energy and communication sectors, would act as a precursor to kinetic action. While a WannaCry or NotPetya-scale attack did not occur, the AcidRain attack against the Viasat satellite communication network and other attacks targeting Ukraine’s energy sector highlight that cyber operations of varying effectiveness will play a role in the lead up to a military conflict.” 

Osadchuk: “First, cyber operations coordinate with other attack types, like kinetic operations on the ground, disinformation, and influence operations. Therefore, cyberattacks might be a precursor of an upcoming missile strike, information operation, or any other action in the physical and informational dimensions, so allies could use cyber to model and analyze multi-domain operations. Finally, preparation for and resilience to information and cyber operations are vital in mitigating the consequences of such attacks; thus, updating defense doctrines and improving cyber infrastructure and social resilience are necessary.” 

Schroeder: “Expectations for operations in this environment have exposed clear fractures in the ways that different communities define as success in a wartime operation. Specifically, there is a tendency to equate success with direct or kinetic battlefield impact. One of the biggest lessons that has been both a success and a failure throughout this war is the role that this environment can play. Those at war, from ancient to modern times, have leveraged every asset at their disposal and chosen the tool they see as the best fit for each challenge that arises—cyber is no different. While there is ongoing debate surrounding this question, if cyber operations have not been effective on a battlefield, that does not mean that cyber is ineffective, just that expectations were misplaced. Understanding the myriad roles that cyber can and does play in defense, national security, and conflict is key to creating an effective cross-domain force. 

Wilde: “Foremost is the need to check the assumption that these operations can have decisive utility, particularly in a kinetic wartime context. Moscow placed great faith in its ability to convert widespread digital and societal disruption into geopolitical advantage, only to find years of effort backfiring catastrophically. In other contexts, better trained and resourced militaries might be able to blend cyber and information operations into combined arms campaigns more effectively to achieve discrete objectives. However, it is worth reevaluating the degree to which we assume offensive cyber and information operations can reliably be counted on to play pivotal roles in hot war.”

More from the Cyber Statecraft Initiative:

A parallel terrain: Public-private defense of the Ukrainian information environment

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors

#4 How do comparisons to other domains of conflict help and/or hurt understanding of conflict in the information domain?

Aleksejeva: “Unlike conventional warfare, information warfare uses information and psychological operations during peace time as well. By masking behind sock puppet or anonymous social media accounts, information influence operations might be perceived as legitimate internal issues that polarize society. A country might be unaware that it is under attack. At the same time, as the goal of conventional warfare is to break an adversary’s defense line, information warfare fights societal resilience by breaking its unity. ‘Divide and rule’ is one of the basic information warfare strategies.” 

Cutler: “When looking at the role of cyber in this conflict, I think it is critical to examine the history of Hacktivist movements. This can be incredibly useful for understanding the influences and capabilities of groups like the IT_Army and Killnet.” 

Osadchuk: “The information domain sometimes reflects the kinetic events on the ground, so comparing these two is helpful and could serve as a behavior predictor. For instance, when the Armed Forces of Ukraine liberate new territories, they also expose war crimes, civilian casualties, and damages inflicted by occupation forces. In reaction to these revelations, the Kremlin propaganda machine usually launches multiple campaigns to distance themselves, blame the victim, or even denounce allegations as staged to muddy the waters for certain observers.” 

Schroeder: “It is often tricky to carry comparisons over different environments and context, but the practice persists because, well, that is just what people do—look for patterns. The ability to carry over patterns and lessons is essential, especially in new environments and with the constant developments of new tools and technologies. Where these comparisons cause problems is when they are used not as a starting point, but as a predetermined answer.” 

Wilde: “It is problematic, in my view, to consider information a warfighting ‘domain,’ particularly because its physical and metaphorical boundaries are endlessly vague and evolving—certainly relative to air, land, sea, and space. The complexities and contingencies in the information environment are infinitely more than those in the latter domains. However talented we may be at collecting and analyzing millions of relevant datapoints with advanced technology, these capabilities may lend us a false sense of our ability to control or subvert the information environment during wartime—from hearts and minds to bits and bytes.”

#5 What conditions might make the current conflict exceptional and not generalizable?

Aleksejeva: “This war is neither ideological nor a war for territories and resources. Russia does not have any ideology that backs up its invasion of Ukraine. It also has a hard time maintaining control of its occupied territories. Instead, Russia has many disinformation-based narratives or stories that justify the invasion to as many Russian citizens as possible including Kremlin officials. Narratives are general and diverse enough, so everyone can find an explanation of the current invasion—be it the alleged rebirth of Nazism in Ukraine, the fight against US hegemony, or the alleged historical right to bring Ukraine back to Russia’s sphere of influence. Though local, the war has global impact and makes countries around the world pick sides. Online and social media platforms, machine translation tools, and big data products provide a great opportunity to bombard any internet user in any part of the world with pro-Russia massaging often tailored to echo historical, racial, and economic resentments especially rooted in colonial past.” 

Cutler: “During the Gulf War, CNN and other cable news networks were able to provide live coverage of military action as it was unfolding. Now, real-time information from conflict areas is more broadly accessible. Telegram and social media have directly shaped the information and narratives from the conflict zone.” 

Osadchuk: “The main difference is the enormous amount of war content, ranging from professional pictures and amateur videos after missile strikes to drone footage of artillery salvos and bodycam footage of fighting in the frontline trenches—all making this conflict the most documented. Second, this war demonstrates the need for drones, satellite imagery, and open-source intelligence for successful operations, which distances it from previous conflicts and wars. Finally, it is exceptional due to the participation of Ukrainian civil society in developing applications, like the one alerting people about incoming shelling or helping find shelter; launching crowdfunding campaigns for vehicles, medical equipment, and even satellite image services; and debunking Russian disinformation on social media.” 

Schroeder: “One of the key lessons we can take from this war is the centrality of the global private sector to conflict in and through the information environment. From expedited construction of cloud infrastructure for the Ukrainian government to Ukrainian telecommunications companies defending and restoring services along the front lines to distributed satellite devices, providing flexible connectivity to civilians and soldiers alike, private companies have undoubtedly played an important role in shaping both the capabilities of the Ukrainian state and the information battlespace itself. While we do not entirely understand the incentives that drove these actions, an undeniable motivation that will be difficult to replicate in other contexts is the combination of Russian outright aggression and comparative economic weakness. Companies and their directors felt motivated to act due to the first and, likely, free to act due to the second. Private sector centrality is unlikely to diminish and, in future conflicts, it will be imperative for combatants to understand the opportunities and dependencies that exist in this space within their own unique context.” 

Wilde: “My sense is that post-war, transatlantic dynamics—from shared norms to politico-military ties—lent significant tailwinds to marshal resource and support to Ukraine (though not as quickly or amply from some quarters as I had hoped). The shared memory of the fight for self-determination in Central and Eastern Europe in the late 1980s to early 1990s still has deep resonance among the publics and capitals of the West. These are unique dynamics, and the degree to which they could be replicated in other theaters of potential conflict is a pretty open question.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—Conflict in Ukraine’s information environment appeared first on Atlantic Council.

C4ISR is the backbone on which NATO awareness, decisions, and action rely, yet the complexity of the system makes its modernization both difficult and essential.

Amid historical neglect and focus on crisis response, C4ISR capabilities for collective defense lag behind the level of ambition necessary for the currently volatile geopolitical environment.

With Russia’s war in Ukraine drastically changing the context of European security and defense, the speed of understanding, decision-making, and action among allies are more important than ever. NATO’s strength lies in its ability to collectively decide and act, organize, and integrate. However, the C4ISR capabilities that allow the allies to do that—and much more—remain under resourced and much less effective than required. While much has been done to improve NATO C4ISR over the past decade, much work remains.

NATO has a unique opportunity to leverage the current sense of unity, urgency and shared vision among allies to build the C4ISR architecture the Alliance needs for the future. The time to act is now, when the war in Ukraine is providing a treasure trove of lessons for the Alliance, ranging from the requirements to be ready from day one for any NATO mission (also called day zero readiness) to the important role the private industry plays in the security and resilience of any modern nation state. Early progress can also prepare the Alliance for emerging threats and challenges, such as China’s rise and climate change. The political decisions and level of ambition set by the June 2022 Madrid Summit Declaration and NATO 2022 Strategic Concept—the most important of which include those related to strengthening NATO deterrence and defense and increasing focus on innovation and emerging and disruptive technologies—will be guiding and shaping the requirements and development of the NATO C4ISR architecture of the future.

How to seize the moment

There are five critical steps transatlantic decision-makers can take to modernize NATO C4ISR and help the Alliance maintain its military edge against potential adversaries in an increasingly contested geopolitical environment. Improving  NATO’s C4ISR capabilities will give NATO a relevant and credible nervous system equal to the challenges ahead.

1. Share more data and intelligence.
   
   Shared data, information and intelligence are fuel for C4ISR. The uncomfortable truth is that data and intelligence sharing is not at the level it can or needs to be. This also means that the opportunity cost of not sharing sometimes can be enormous. With the right political will and tailored security measures, the vast amounts of data and intelligence collected by NATO and its member states could be better exploited for the benefit of collective security and defense.
   
2. Transform digitally.
   
   Digital transformation, intended to address digitalization, connectivity, data frameworks and data management, is a nascent effort that is fundamental for strengthening security and defense and improving resilience. The digital revolution is intertwined with  C4ISR architecture, because a more technologically advanced C4ISR edge can help the Alliance achieve significant increases in speed, security, and effectiveness in command and control, communications, data and intelligence analysis, decision-making, operations, and interoperability. Proceeding along this journey is particularly important as the Alliance is trying to shift to a new concept of operations, effective multi-domain operations, which entails the integration of kinetic and non-kinetic efforts, across all warfighting domains, at speed and scale.
   
3. Implement new concepts, policies, and plans to clarify C4ISR requirements.
   
   To outthink and outpace potential adversaries, NATO must act now to develop the future C4ISR architecture it needs. Several efforts underway, such as the new NATO Force Model, Alliance Multi Domain Operations Concept, Allied Command Operations Command and Control (C2) assessment, and NATO’s Joint Intelligence Surveillance and Reconnaissance (JISR) Vision 2030+, will directly influence future NATO C4ISR requirements. NATO must provide a definition for C4ISR in an allied context, build a shared understanding among allies around that definition, and ensure coherence in planning, capability and concept development.
   
4. Modernize, augment, and acquire capabilities to meet new C4ISR requirements.
   
   There are a few practical steps NATO should take to maintain its technological and military edge in the future. This includes transforming existing C4ISR force structure, improving NATO’s ability to receive national and commercial space-based information, reducing gaps in integrated air and missile defense (IAMD), developing greater electronic warfare capabilities, and investing in and promoting innovation and adoption of emergent and disruptive technologies such as Artificial Intelligence, autonomy, space-based capabilities, and quantum computing.
   
5. Continue to invest in C4ISR interoperability, readiness, resilience, innovation, and adaptation.
   
   NATO’s strength lies in its ability to collectively decide and act, organize, and integrate. NATO C4ISR forces and capabilities provide the interoperable structure and digital backbone into which member states plug for collective awareness, decision-making, and action. Investing in C4ISR readiness, resilience, and capabilities is a direct contribution to greater potential of the Alliance itself.

NATO needs a modern and well-defined C4ISR architecture to keep pace with the rapidly changing operational environment and achieve its mission of securing and defending its thirty allies and their interests. Ultimately, the question is not whether NATO will need to evolve and develop its C4ISR capabilities, but whether it can do so in time to meet the ever-growing threats to the Alliance. In its current state, NATO C4ISR will be severely challenged to guarantee the security and defense of the Alliance against the threats it expects to face over the coming decade.

Although C4ISR underpins the success of every NATO operation, its criticality remains underappreciated. However, transatlantic decision-makers right now have the perfect opportunity to implement the recommendations above and set forth the path for the necessary modernization of NATO’s C4ISR architecture. NATO stands stronger and more united than ever. Allied defense investments are rising. Additionally, the foundations of a future C4ISR architecture and its components are progressing in various stages of development and planning. NATO must prioritize C4ISR in light of these positive developments, helping it leapfrog from an underappreciated piece of the puzzle to a key enabler for the Alliance’s defense and deterrence.

Like what you read? Dive deep into our full report.

Report

Mar 16, 2023

The future of NATO C4ISR: Assessment and recommendations after Madrid

By Gordon B. “Skip” Davis Jr.

Current C4ISR capabilities, concepts, policies, and processes do not meet all of the Alliance’s needs. While much has been done to improve NATO C4ISR over the past decade, much work remains.

China Conflict

Related program

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Explore more

Subscribe for more content

The post In brief: C4ISR – A five-step guide to maintaining NATO’s comparative military edge over the coming decade appeared first on Atlantic Council.

Table of contents

Foreword
Premise
Introduction
Threats and challenges shaping NATO C4ISR
Lessons from the Russia-Ukraine war for NATO C4ISR and future needs
Multi-domain operations
Day zero readiness
NATO Intelligence Enterprise (NIE)
Persistence and survivability
Multidisciplinary intelligence and fusion
Tasking, Collection, Processing, Exploitation, and Dissemination (TCPED)
Cyber
The role of private industry
Digitalization, connectivity, and Big Data
Decisions taken at the Madrid Summit and work underway affecting NATO C4ISR
Multi-domain warfighting
Digital Transformation
Strengthened deterrence and defense posture
Robust, resilient, and integrated command structure and enhanced C2 arrangements
Global awareness
Innovation and EDTs
Defense investment
Recommendations: Share, transform, implement, modernize and invest
1. Share more data and intelligence
2. Transform digitally
3. Implement new concepts, policies, and plans to clarify requirements for NATO C4ISR
4. Modernize, augment, and acquire capabilities to meet new C4ISR requirements
5. Continue to invest in NATO C4ISR interoperability, readiness, resilience, innovation, and adaptation
Conclusion
Glossary
About the author

Foreword

Even as Russia’s illegal and unprovoked war in Ukraine rages, the transatlantic community is seeking to integrate lessons from the battlefield to adapt its defense planning for a rapidly changing world. Already, one lesson is clear: In a contested Europe, allies need to have better awareness of the operating environment. The speed and quality of decision-making and execution must improve. Effective and ethical NATO decision-making must be translated into operational effects. NATO must prioritize the modernization and integration of its command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) architecture to keep pace with the rapidly changing operational environment.

While a complex concept, C4ISR is most easily understood as the “nervous system” of the military. It is essential to everyday operations, automatic responses, and the complicated processes inherent to large enterprises. Rapid and fundamental changes in our security environment—including the return of large-scale war in Europe, China’s growing global ambitions, climate change, and the transformative potential of emerging technologies—require an immediate and critical examination of NATO’s C4ISR architecture. Modernizing C4ISR is necessary to maintain a competitive advantage against state-based adversaries, other systemic challenges, and threats yet to materialize—all of which could overturn the rules-based international order NATO is dedicated to preserving.

The platform offered by NATO’s new Strategic Concept for strengthening defense and deterrence while leveraging emerging and disruptive technologies provides a unique window of opportunity for transatlantic decision-makers. It is NATO’s C4ISR capabilities that will enable a relevant and credible NATO “nervous system” equal to the challenges ahead.

To that end, this study by the Atlantic Council—the culmination of a year of research and interviews by NATO’s former deputy assistant secretary general for defense investment—offers a detailed roadmap to achieve this goal. This comprehensive report offers an expert treatment on the topic of C4ISR modernization to help transatlantic decision-makers, operational forces, the expert and policy community, and military technology watchers alike better understand the challenges and opportunities inherent to NATO’s C4ISR architecture. Importantly, it imagines the possibilities for C4ISR modernization through a series of thoughtfully considered recommendations.

Ultimately, the question is not whether NATO will need to evolve and develop its C4ISR capabilities, but whether it can do so in time to meet the gathering threats to the Alliance. I believe this extensive study skillfully sets forth the path for the necessary modernization of NATO’s C4ISR architecture.

Gen. James E. Cartwright, USMC (Ret.)
Board Director
Atlantic Council 
Former Vice Chairman of the Joint Chiefs of Staff

Premise

NATO needs to urgently respond to changing requirements, leverage the potential of technology and innovation, and address critical issues to provide the command and control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) architecture that Alliance leaders and forces need to maintain their comparative military advantage over the coming decade.

Current C4ISR capabilities, concepts, policies, and processes do not meet all of the Alliance’s needs. While much has been done to improve NATO C4ISR over the past decade, much work remains. Russia’s war in Ukraine and other threats and challenges, including from China and climate change, have added a sense of urgency to this task. Russian aggression, in particular, has tested some aspects of NATO C4ISR and provided initial lessons learned in terms of its strengths, vulnerabilities, and shortfalls.

NATO has a unique window of opportunity to leverage the current sense of urgency, newfound cohesion among allies, and an agreed vision to build the C4ISR architecture it needs for the future.

NATO needs to first provide a clarifying definition of C4ISR architecture, which does not currently exist. A defined C4ISR architecture would harmonize defense planning efforts across multiple domains, enable aggregation and assessment of related capability targets, and ensure greater coherence in concept and capability development.

The trajectory of NATO C4ISR is impacted by political ambitions. These include Digital Transformation, increasing resilience, understanding the security implications of climate change, reducing defense impacts on climate change (e.g., reducing the use of fossil fuels, energy consumption, carbon emissions, toxic waste, and contaminants), and raising the level of NATO common funding.

Political decisions and ambitions announced in the June 2022 Madrid Summit Declaration and NATO 2022 Strategic Concept—the most important of which include those related to strengthening deterrence and defense and increasing focus on innovation and emerging and disruptive technologies—will shape the NATO C4ISR architecture of the future.

Read our in-brief summary of the report

Executive Summary

Mar 16, 2023

In brief: C4ISR – A five-step guide to maintaining NATO’s comparative military edge over the coming decade

By Transatlantic Security Initiative

The Atlantic Council presents a five step guide to maintaining NATO’s comparative military edge over the coming decade.

Defense Policy Defense Technologies

Introduction

The context of European security and defense has drastically changed since Russia invaded Ukraine on February 24, 2022. The war has upended conventional wisdom on Russia’s willingness to use violence, exposed the destructiveness of modern weapons and barbarity of an undisciplined force, and revealed Russian hubris and the limits of Russian power.

On the flip side, the war has strengthened the bond between NATO and the European Union (EU). NATO and EU leaders have taken an unprecedented level of coordinated decisions and actions to impose costs on Russia, defend Europe from further aggression, and support Ukraine in its battle for survival and independence. Alliance and EU leaders have also begun to seriously address other challenges affecting security, such as energy, climate change, and China.

Russia’s war has highlighted the power of united action while exposing the limits of Alliance adaptation to date and identifying vulnerabilities and shortfalls that allies and EU member states must address to ensure their security and defense.

More than ever, the speed of understanding, decision-making, and action are important in modern warfare. Russia has demonstrated on multiple occasions over the past fifteen years that it is capable of rapid decision-making, assembly, and maneuver that has arguably challenged NATO’s ability to respond at the speed of relevance. Georgia in 2008, Ukraine in 2014, annual strategic exercises, and frequent combat readiness tests are all examples.

NATO has improved intelligence sharing and its defense posture since 2014, the year Russia annexed the Crimean Peninsula from Ukraine and began its support to separatists in the Donbas. These improvements have enabled a cohesive and coherent NATO response to the Russian military buildup in 2021 and subsequent invasion of Ukraine in 2022. Whether NATO can effectively identify, prepare for, and defend against Russian aggression toward an ally anywhere in Europe without significant additional posture adjustments is in question.¹

NATO command and control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) structures, capabilities, and processes enable effective political and military awareness, decision-making, and action.² These capabilities encompass an array of land, air, maritime, cyber, and space systems, platforms, and applications that can be owned and operated by all thirty allies (which may soon be thirty-two with Finland and Sweden joining the Alliance),³ by a group of allies (e.g., multinational formations), or by single nations contributing to NATO missions, operations, and activities.

The time to act is now. NATO allies currently enjoy unprecedented cohesion, share an agreed and clear vision for the future, and are motivated by a common sense of urgency, all imbued by the ongoing Russian war on Ukraine.

Despite a growth in collective and national capabilities over the past ten years, NATO C4ISR capabilities remain under resourced, vulnerable, and much less effective than required. Supporting concepts, policies, and procedures related to NATO C4ISR need urgent revision. Many are under development. NATO is engaging industry and the broader private sector, but the latter’s role is not yet fully leveraged. In its current state, NATO C4ISR will be severely challenged to guarantee the security and defense of the Alliance against the threats and challenges it expects to face over the coming decade.⁴

The time to act is now. NATO allies currently enjoy unprecedented cohesion, share an agreed and clear vision for the future, and are motivated by a common sense of urgency, all imbued by the ongoing Russian war on Ukraine. Defense investment is rising and the foundations of a future C4ISR architecture and its components are in various stages of development or planning.

NATO and national capabilities must be interoperable and more integrated within and across domains to deliver multidomain effects. The Alliance needs a modern and well-defined C4ISR architecture to achieve its ambition of securing and defending the Alliance and its interests. NATO must improve and further enable its C4ISR with common structure, policies, concepts, frameworks, standards, procedures, and connectivity. NATO must also modernize and integrate current capabilities and acquire new capabilities. Allies need to further increase sharing of data and intelligence, interoperability, and national contributions (forces, platforms, systems, people, and resources) to strengthen NATO C4ISR.

Threats and challenges shaping NATO C4ISR

Russia’s war against Ukraine is a major inflection point for NATO, which is in the midst of a long-term effort to improve its deterrence and defense. NATO’s response to Russian aggression has been to assure and defend allies, deter Russia, and support Ukraine. This response has included a surge in the employment of NATO-owned C4ISR forces such as the NATO Alliance Ground Surveillance Force (NAGSF);⁵ still at Initial Operational Capability and the NATO Airborne Early Warning and Control Force (NAEW&CF).⁶ National joint intelligence, surveillance, and reconnaissance (JISR) assets have contributed to Alliance shared awareness. NATO cooperation with the EU has led to a united front in communications and complementary actions by EU and non-EU allies on sanctions against Russia, energy security, and support to Ukraine.

Russia “poses the most significant and direct threat” to NATO,⁷ but there are other threats and challenges that the Alliance must also face or prepare for. Other threats identified by NATO include terrorism in all its forms, missiles from Iran, and cyber and hybrid attacks. All of these threats require constant vigilance, early warning, intelligence, rapid response, and defense and security capabilities enabled by NATO C4ISR.

Among the challenges identified by NATO, China and climate change are the most significant, along with regional instability and strategic shocks. China’s policies and its rising economic, financial, diplomatic, informational, and military power pose a multitude of challenges to NATO’s security, interests, and values. NATO C4ISR must enable shared awareness of China’s policies, actions, and growing military and civilian capabilities. NATO C4ISR must be resilient and respond to Chinese cyber and hybrid activities and favorably compete with Chinese technological advancements and norm-setting efforts.

With respect to climate, NATO C4ISR must contribute to awareness and understanding of the security implications of climate change and contribute to the reduction and mitigation of adverse impacts on climate. Similarly, NATO C4ISR must be able to contribute to anticipation and response related to regional instability and strategic shocks. The addition of crisis prevention to the previous core task of crisis management in the 2022 Strategic Concept highlights a NATO ambition to ensure sufficient awareness (only provided by an effective C4ISR architecture) to understand potential challenges in time to proactively shape, attenuate, or mitigate them.

Preparing for and facing the other threats and challenges listed above implies an ability to cooperate with a broad range of partner organizations and nations, including sharing information and intelligence, and an adequate level of interoperability for coordinated responses. Interaction and combined action with partners will both contribute to and set demands on NATO C4ISR.

Lessons from the Russia-Ukraine war for NATO C4ISR and future needs

The ongoing Russian war in Ukraine is providing a treasure trove of lessons for NATO. NATO is still gathering, processing, and internalizing these lessons, but many are already evident. Some are already captured in reports and articles from journalists, academia, industry, and civilian and military leaders. After reviewing open sources and interviewing several NATO civilian and military leaders, I have assembled the following lessons as most relevant to the future development of NATO C4ISR.

Multi-domain operations

NATO C4ISR must be able to support multi-domain operations (MDO) and deliver multi-domain effects. Much work in connectivity, integration, and interoperability is needed.

The Russian war on Ukraine is the first of its scale in Europe in the twenty-first century. No other recent conflict in Europe—Russia’s war on Georgia in 2008 or Ukraine from 2014 to February 24, 2022—has involved a similar number of military forces or employed such destructive power. Russia and Ukraine have employed or leveraged capabilities in all five domains—air, land, maritime, cyberspace, and space. Russia has struggled with coordinating joint action, let alone achieving multi-domain effects. “Russia has definitely showed us how not to fight,” said Rear Adm. Nicholas Wheeler, director of NATO Headquarters C3 Staff (NHQC3S).⁸ Ukraine appears to have had more success leveraging multi-domain capabilities. Ukrainian forces have effectively targeted and engaged Russian land and maritime forces using limited multi-source intelligence, aerial drones, maneuver and fires units, and commercial space-based open-source intelligence (OSINT) services from a variety of private companies.

The Russian war in Ukraine is a likely catalyst for NATO leaders to hasten the development of an Alliance MDO Concept. Additionally, NATO’s 2022 Strategic Concept highlights the importance of multi-domain forces and warfighting⁹ NATO has added cyber and space as operational domains over the past decade and has been working on an MDO concept for some time.¹⁰ Allied Command Transformation (ACT) and Allied Command Operations (ACO) delivered an Initial Alliance Concept for MDO in July 2022.¹¹ NATO’s “working definition” of MDO is “the orchestration of military activities, across all domains and environments, synchronized with non-military activities, to enable the Alliance to deliver converging effects at the speed of relevance.”¹²

According to Headquarters (HQ) Supreme Allied Commander Transformation (SACT) Deputy Chief of Staff (DCOS) for Capability Development Lt. Gen. David Julazadeh, NATO leaders have directed the Strategic Commands to accelerate delivery and implementation of an Alliance MDO Concept.¹³

Day zero readiness

The scale of Russia’s military buildup and geographically broad and rapid employment of force against Ukraine have caused NATO civilian and military leaders to question whether the Alliance’s current plans and defense posture would have deterred or rapidly repelled a similar Russian assault against an ally, particularly a small nation.¹⁴ Could NATO respond with the speed, scale, and coherence needed to prevent initial success?

Two ongoing efforts will help. First, a new Supreme Allied Commander Europe’s (SACEUR’s) Area of Responsibility (AOR)-Wide Strategic Plan (SASP) was approved earlier in 2022, but the underlying regional and subordinate strategic plans have yet to be completed and stitched together. Second, a new NATO Force Model approved at the Madrid Summit in June 2022 will address much of the speed, scale, and coherence lacking in current policies and posture by assigning a much larger number of forces (up to four hundred thousand) to regional plans.

Other efforts are in the works. The adapted command and control (C2) structure is not yet fit for purpose and ACO has been directed to conduct a comprehensive C2 assessment. NATO’s Air Command and Control System (ACCS) is woefully behind the times, and a transition plan to a future Air C2 system is in development. According to NATO Assistant Secretary General (ASG) for Operations Tom Goffus: “The NATO Crisis Response System [NCRS] was designed for out of area operations where NATO drives the timeline and has the luxury of time. Now we don’t have that time advantage.”¹⁵ The NCRS needs significant revision to enable day zero readiness for collective defense. Goffus is determined to drive such a revision.

The family of plans under development, the new NATO Force Model, and revised C2 structure and NCRS will influence future requirements for NATO C4ISR. NATO must review and update C4ISR requirements for standing defense and baseline activities, as well as exercise and enable rapid activation and deployment related to a short to no-notice collective defense scenario. 

NATO Intelligence Enterprise (NIE)

The NATO Intelligence Enterprise (NIE) surged, adapted, and delivered the intelligence political and senior military leaders needed to respond to the Russian war in Ukraine.¹⁶ This is good news. The decisions post-2014 to establish the NATO HQ Joint Intelligence and Security Division (JISD), increase JISR capabilities, and improve NATO’s indicators and warnings (I&W) system have all been validated. The capabilities and processes were not always ideal, but holistically the NIE enabled cohesion, collective decision-making, an effective military response, and effective communications for aggression against a partner nation. The bad news is these outcomes are related to, but not sufficient for, defense against a peer adversary.

NIE’s ability to function and deliver in a collective defense, multi-domain, and high-intensity combat situation requires further improvements in the C4ISR architecture. 

NATO-owned C4ISR capabilities like the Alliance Ground Surveillance¹⁷ (AGS) and Airborne Early Warning and Control System¹⁸ (AWACS) have proven their value in the current conflict in Ukraine, yet operations have exposed limitations in readiness, types of sensors, quantity of platforms, and connectivity.¹⁹ NATO ASG for Intelligence and Security David Cattler highlighted the positive: “NATO and nations contributed with data, platforms, and intelligence. The US shared and declassified intelligence in an unprecedented way and even small nations responded and contributed to specific requirements. Strategic and operational intelligence provided to allies was well coordinated between JISD and ACO.”²⁰ That said, personalities drove much of the success in overcoming standing C4ISR issues in terms of sharing, declassification, coordination procedures between NATO HQ and ACO, and related budgetary issues.²¹

Persistence and survivability

One clear lesson from the Russian invasion of Ukraine, said former ACO DCOS Strategic Employment Maj. Gen. Philip Stewart, “is the need for persistent surveillance.”²² Persistent surveillance is fundamental for effective NATO deterrence and defense and crisis prevention and management because it provides military and political leaders the near-real-time awareness of threat I&W that enable timely decision-making and action. The ability to see and communicate the Russian buildup, invasion, and military action at the operational and tactical levels enabled shared awareness, decision-making, and response. The allies had the luxury of time in the case of Ukraine.

To ensure an effective response against a highly capable peer adversary, NATO needs persistent surveillance, which requires new structures, policies, processes, and capabilities. Persistent surveillance will likely demand a combination of assets from multiple domains. According to NATO ASG for Defense Investment (DI) Camille Grand, “The ability to use and fuse different tools will be critical to achieve persistent surveillance.”²³ Both Russian and Ukrainian combatants have employed a vast array of drones, from high and medium-altitude long-endurance platforms to small and very small systems, with an array of capabilities for a variety of missions (including intelligence, surveillance, and reconnaissance, or ISR, and target acquisition). Increases in dedicated NATO and national capabilities from space, high, medium, and low altitude are needed to respond to strategic and operational intelligence requirements in a collective defense scenario.

One clear lesson from the Russian invasion of Ukraine is the need for persistent surveillance.

Former ACO DCOS Strategic Employment Maj. Gen. Philip Stewart

“The Alliance needs robust, in-depth, and survivable JISR platforms in the future,” Cattler said.²⁴ Survivability of NATO C4ISR in modern warfare against a peer adversary is a critical requirement. NATO-owned AGS RQ-4s and AWACS E3As have limited survivability in a contested environment. NATO and national tactical communications are vulnerable to adversary electronic warfare (EW) capabilities. Future solutions may come from a combination of greater sensor range, stealth characteristics, electronic countermeasures, other performance characteristics, or next generation communications systems. Survivability of non-deployable and deployable NATO C2 is another aspect highlighted by the destructive effect of missiles employed in the Russia-Ukraine war. Passive measures like dispersion, displacement, alternate locations, concealment, and degraded operational procedures are all being reviewed or planned. Active measures like air and missile defense planning and deployment to protect NATO C2, not so much. That said, NATO has increased its air and missile defense posture along its eastern flank in the form of short deployments of air and land assets under NATO’s Air Shielding mission.²⁵

Space-based intelligence (as well as other space-based services like communications, early warning, tracking, and guidance) offers a partial answer to the need for both persistent surveillance and survivability, as space-based capabilities are expected to expand rapidly in the coming years.²⁶ National, military, and commercial space-based intelligence (imagery, communications, and electronic signatures) has the potential to contribute greatly to persistent surveillance. NATO will be more and more interested in protection, durability, and survivability of space-based assets, which must be addressed by nations and industry. Redundancy in space-based sensors and assets and the decreasing cost of replacement and remote maintenance may offset some of the need for survivability.

Multidisciplinary intelligence and fusion

Imagery intelligence (IMINT), signals intelligence (SIGINT),²⁷ and OSINT played a key role in unmasking Russian intent and disinformation from the national to tactical level, as well as in targeting. Allies, NATO, Ukraine, and Russia have all exploited space-based data and information (imagery, signals, signatures) for intelligence analysis and production. Ukraine has combined commercially available space-based data and crowdsourced information (technically both part of OSINT) to effectively identify and engage key Russian targets (e.g., leadership, C2 and logistic nodes, and major platforms), refute Russian official narratives, and identify war crimes and war criminals.

There is a need for improvements in NATO’s multidisciplinary intelligence capabilities and ability to collect, fuse, and process such intelligence. The Alliance has powerful all-weather sensors in its NATO-owned AGS (Synthetic Aperture Radar, Ground Movement Target Indicator), but no electrical-optical (EO), infrared (IR), full-motion video (FMV), or SIGINT capabilities.²⁸ The latter capabilities are key for collective defense and a broad range of other crisis and security operations. NATO SIGINT (provided through national contributions) has contributed to strategic shared awareness and decision-making but is still too compartmentalized and often overclassified to be fused and used meaningfully at the operational and tactical levels. NATO has no NATO-owned SIGINT sensors or platforms, and its EW capabilities are a long-standing shortfall at the tactical level.

Two initiatives underway can partially address NATO’s need for SIGINT and OSINT. First, the Alliance Persistent Space Surveillance²⁹ (APSS) initiative set up in April 2022 and formally launched in February 2023 is a key step toward enabling NATO’s collection of national contributions and commercial contracting of space-based data, products, and services.³⁰ Second, the NATO Public Diplomacy Division’s (PDD) Information Environment Assessment (IEA) project (supported by JISD and ACT) is prototyping an artificial intelligence (AI) tool to help NATO professionals sort and analyze vast amounts of print, media, and online information.³¹ The APSS and IEA initiatives deserve expansion and acceleration in delivery to meet NATO’s current and future C4ISR needs.

Tasking, Collection, Processing, Exploitation, and Dissemination (TCPED)

TCPED is the information management process that NATO and other military or government organizations use to synchronize intelligence and operational efforts to acquire and deliver intelligence in response to specific requirements.³² An effective and responsive TCPED process is fundamental to NATO’s ability to deliver timely and relevant intelligence in response to strategic political and operational military demands. The NIE’s response to the Russia-Ukraine crisis as well as observations of the combatants in the war have highlighted the need for vastly improved capacity for TCPED.

NATO’s TCPED process is operating at a level below its potential and short of strategic and operational need. Speed and efficiency of the TCPED process are already challenged by current levels of structure, data, assets, and analysts. According to NAEW&C Force Commander Maj. Gen. Tom Kunkel, “NATO leaves so much data on the cutting floor.”³³ Matters would only be worse if NATO were fully engaged in a modern conflict attempting to execute MDO.

AI and machine learning (ML) tools, along with improved data management and connectivity, could offer relatively cheap solutions (as opposed to major equipment programs) to vastly improve the speed, efficiency, and effectiveness of the NATO TCPED process (from the strategic to tactical levels).

You can’t cyber your way across a river.

Gen. Patrick Sanders, Chief of Britain’s General Staff

Cyber

The role of cyber in the Russia-Ukraine war has been surprising. Pre-invasion, leaders and analysts generally expected the Ukrainian government and military to succumb to the crippling effects of Russia’s “overwhelming” cyber capabilities. That has not happened.

According to Cattler, open sources reveal that Russia deployed destructive cyber malware against Ukrainian government and military C2, rendered systems inoperable, and sabotaged an Internet provider that both Ukrainian police and military depend on. All of this was evidence of “good cyber reconnaissance ahead of time by Russia,” he said.³⁴ However, he added, Russian cyber operations were “not coordinated with conventional ops” nor exploited.³⁵ The reasons are likely a mix of restraint on the part of Russia; a limited ability of Russia to coordinate cyber and other domain effects; the competence of Ukrainian military, government, and private citizens in restoring and protecting systems and services; and significant assistance to Ukraine from powerful private companies like SpaceX and Microsoft (see more on this later).

There are also limits to cyber effects. Chief of Britain’s General Staff, Gen. Patrick Sanders, said: “You can’t cyber your way across a river.”³⁶ But you might be able to stop a river crossing (see more on this later). While cyber-related lessons from Russia’s war on Ukraine have yet to be comprehensively gathered, Cattler said: “Allies have recognized that cyberspace is contested at all times and cyber defense underpins the broader deterrence and defense posture.”³⁷ Cyberspace is an enabler of C4ISR and an operational domain for cyber operations, activities, and effects related to C4ISR. Cyber represents great potential and opportunities as well as risk and vulnerabilities. NATO must build cyber resilience in its C4ISR architecture and capabilities, leverage private sector expertise and services, and incorporate voluntary national contributions of cyber ISR.

The role of private industry

Private industry has played an outsized role in enabling the Ukrainian response to the Russian aggression, and providing security, resilience, communications, and intelligence to Ukraine and allies alike—all key elements and enablers of C4ISR. SpaceX’s decision to provide thousands of Starlink terminals to enable satellite communications and Internet services for Ukrainian private and public users has been a game changer.³⁸ Microsoft’s support to Ukraine and other countries under Russian cyberattack has enabled understanding of the threat, capabilities to secure data and networks and enable resilience, and provided a comprehensive strategy for response.³⁹ According to NATO ASG for Emerging Security Challenges David van Weel, Microsoft’s talent, expertise, and tools are critical for NATO cyber defense and data management.⁴⁰

Private companies like Maxar, BlackSky, and Planet (imagery) and HawkEye 360 (signals) are providing AI-enabled space-based services to Ukraine and NATO allies.⁴¹ Commercial data, information, and services provided to Ukraine and the allies have been used to confirm Russian military locations and actions (including atrocities and war crimes) and refute disinformation. According to Van Weel, one commercial AI tool is being prototyped by the NATO Intelligence Fusion Center⁴² (NIFC) to save hours of costly analyst time spent counting aircraft from massive amounts of collected imagery. This tool has enabled near-real-time analysis of Russian air assets and battle damage as well as cueing of changes to existing status.⁴³

NATO Communications and Information Agency (NCIA) General Manager Ludwig Decamps offered that “perhaps we need to add industry as another domain of operations.”⁴⁴ Noting that NATO already depends on industry for critical services and innovative responses to military need, Decamps added: “How do we include in our planning to account for industry’s expertise, inherent responsibilities, and potential contributions?”⁴⁵ NATO engagement with industry includes a robust relationship through the NATO Industrial Advisory Group (NIAG),⁴⁶ which includes national industry delegations from all allies, and recently launched NATO initiatives like Defense Innovation Accelerator for the North Atlantic (DIANA)⁴⁷ and the NATO Innovation Fund.⁴⁸

There have been several NATO initiatives and policy efforts over the past five years to increase engagement with parts of the private sector that produce some of the most advanced and innovative technologies. Developed for commercial use, these technologies could also respond to defense requirements.

Until recently, many start-ups and small and medium-sized enterprises (SMEs) rarely engaged with NATO for a variety of reasons, including lack of visibility of NATO needs, lack of experience in NATO procurement processes, concerns over the capital investment needed to compete, and a general view that NATO focused on large, complex systems that were the bailiwick of major primes or consortiums of traditional defense industry.⁴⁹

NATO-Industry Forums (NIFs),⁵⁰ multinational cooperation in capability development,⁵¹ internal NATO HQ trials,⁵² ACT innovation initiatives,⁵³ NCIA industry key events,⁵⁴ and NATO policy efforts to address emerging and disruptive technologies (EDTs)⁵⁵ are all examples of NATO engaging nontraditional industry partners to leverage their creative and innovation potential. Among this broad list of efforts, multinational cooperation in capability development has provided the most concrete, albeit still limited, results. DIANA, specifically, will focus on engaging and leveraging start-ups and SMEs, which until recently (prior to 2019) had been under-represented or less represented in NATO engagements with industry.⁵⁶

The importance of these initiatives in engaging the private sector and leveraging its technology, innovation, and expertise, including that of promising start-ups and SMEs, to develop creative solutions to NATO military problems at pace has only grown due to the ongoing war in Ukraine.

Digitalization, connectivity, and Big Data

Interrelated to many of the previous lessons identified are the importance of digitalization of information (including signals, print, and electronic media), connectivity (efficient, secure, robust, and resilient networks), common data frameworks (standard protocols and interfaces), and data management tools to enable data sharing and Big Data exploitation. More comprehensive intelligence analysis (as well as research in general) has long been hampered by several limitations: the number of documents or signals available in digital form, disconnected private and public data silos containing exploitable information, the lack of common protocols and interfaces to access and share data, and the lack of data management tools in general. While data management and cloud services have become the norm in the private sector, the public defense sector has been wary and slow to adopt. But necessity is the mother of invention and Ukraine is a particularly relevant proving ground.

A prominent example of digitally enabled C4ISR that has been used to rapidly target and destroy Russian forces is the Ukrainian-developed and British-enabled GIS Arta application.⁵⁷ Described as “Uber-style technology” providing situational awareness and rapid targeting, the system is fed by “real-time battlefield data from reconnaissance drones, rangefinders, smartphones, GPS [global positioning system] and NATO-donated radars.”⁵⁸ The system then identifies targets and “rapidly selects artillery, mortar, missile or combat drone units that are within range.”⁵⁹ Rapid calculation of firing options and alerting of firing units has cut the (Ukrainian) military’s targeting time from twenty minutes to one.⁶⁰

A prominent example of digitally enabled C4ISR that has been used to rapidly target and destroy Russian forces is the Ukrainian-developed and British-enabled GIS Arta application.

Microsoft’s ability to connect, secure, and exploit data globally is another example of effective Big Data management and exploitation. While digitalization is proceeding, NATO connectivity currently falls short of requirements to effectively link NATO HQ, commands, forces, other bodies, and nations in peacetime, let alone crisis or conflict. A common data framework is not yet operational, data management tools are rudimentary, and data sharing is far below potential. Former NATO Director General of the International Military Staff (DGIMS) Lt. Gen. Hans-Werner Wiermann advocated for a NATO digital backbone to enable connectivity and a military Internet of Things (IoT) to connect C2, systems, sensors, and shooters. The envisioned military IoT would support applications for all manner of military assessment, planning, coordination, and execution functions.⁶¹

As a result of impetus from the Russia-Ukraine war, other NATO efforts, and productive collaboration across NATO HQ and Strategic Commands, Wiermann’s ambition expanded to a more comprehensive Digital Transformation (DT) concept.⁶² This DT concept would address digitalization, connectivity, data frameworks, and management tools across the NATO Enterprise. According to Julazadeh, “The nascent NATO DT effort is similar to the US Joint All Domain Command and Control (JADC2) effort, but a bit broader as it encompasses transforming people, processes, and technology. DT is recognized as a sine qua non component of NATO MDO.”⁶³ NATO DT will also enable the design of a future NATO C4ISR architecture.

This is not a complete list of lessons relating to C4ISR to be gained from the Russia-Ukraine war, but it provides a good starting point for identifying recommendations for the improvement and further development of NATO C4ISR. Other lessons related to NATO C4ISR, such as the variety of missions autonomous systems can perform, the importance of counter-unmanned aircraft system (C-UAS) capabilities in protecting C4ISR, the importance of EW capabilities, and how to replicate aspects of Ukraine’s whole-of-society response to Russian aggression in a whole-of-enterprise NATO effort to adapt, modernize, and transform, will be included in this report’s final set of recommendations.

In summary, NATO and the allies have gained valuable lessons related to C4ISR from the Alliance’s response to Russian aggression and from the employment of C4ISR capabilities by both Russia and Ukraine.

Decisions taken at the Madrid Summit and work underway affecting NATO C4ISR

Russian aggression and other threats and challenges, including from China and climate change, resulted in a historic NATO summit in Madrid in June 2022. A new NATO 2022 Strategic Concept was approved clearly delineating the threats and challenges facing the Alliance, revising NATO’s three core tasks (deterrence and defense, crisis prevention and management, and cooperative security), and laying out key lines of effort for adapting the Alliance politically and militarily for 2030 and beyond.⁶⁴ Political decisions and ambitions announced in the Summit Declaration and in the Strategic Concept, the most important of which include those related to achieving a strengthened deterrence and defense and an increased focus on innovation and EDTs, will shape the requirements and development of NATO’s C4ISR architecture.

Other political ambitions impacting the trajectory of NATO C4ISR include DT, increased resilience, understanding the security implications of climate change, reducing defense impacts on climate change (e.g., reducing the use of fossil fuels, energy consumption, carbon emissions, toxic waste and contaminants), and increasing the level of NATO common funding.

The following analysis summarizes decisions taken at the Madrid Summit, the expected follow-through on these decisions, and other ongoing adaptation efforts previously decided and impacting NATO C4ISR.

NATO’s 2022 Strategic Concept broadly sets the context for C4ISR architecture and requirements in its description of threats and challenges expected over the coming decade, and the political guidance under NATO’s three revised core tasks.⁶⁵ The concept refers to decisions taken at and prior to the Madrid Summit and has critical implications for the enablement, development, and employment of NATO C4ISR..

Multi-domain warfighting

NATO’s 2022 Strategic Concept sets an ambition for multi-domain warfighting and multi-domain forces.⁶⁶ NATO has taken an initial step toward this end by adopting a working definition for MDO (as previously noted).⁶⁷ To achieve NATO’s level of ambition with respect to multi-domain warfighting several more steps are required, such as an approved Alliance MDO Concept, revised Allied Joint Doctrine, improved awareness of threats and opportunities in all domains, upgrades and improvements in capabilities, and secure use of and access to cyberspace and space capabilities. Multi-domain warfighting also requires trained and educated leaders and professionals, trained and exercised forces in MDO, a data-centric approach, and, above all, a cultural shift and new mindset.⁶⁸

The level of effort will be demanding, but the expected outcome is worth the effort: greater shared understanding, collaboration, and synchronization of capabilities and activities across domains to achieve multi-domain effects. MDO concept development and implementation will be enabled by ACT’s Warfare Development Agenda, DT, and NATO initiatives related to innovation and EDTs. According to Julazadeh, HQ SACT DCOS for Capability Development, NATO leaders are pressing for accelerated delivery of an Alliance MDO Concept by 2023.⁶⁹ Given the breadth and complexity of MDO and the need for supporting studies this is a stretch goal for NATO’s Strategic Commands, but its approval and implementation will be revolutionary for the Alliance. Future C4ISR architecture and capabilities will have to be designed, optimized, integrated, and interoperable to support multi-domain warfighting and full-spectrum operations at the speed of relevance.

Digital Transformation

As mentioned earlier, DT is intended to address digitalization, connectivity, data frameworks, and data management tools across the NATO Enterprise. DT is intended to enable significant increases in speed, security, and effectiveness in C2, communications, data analysis, intelligence analysis and dissemination, decision-making, operations, and interoperability. Proceeding along this journey will make NATO more agile, resilient, and capable of seizing and maintaining the initiative in peacetime and conflict.

Much of the vision under development is not new and many strands have been under development for some time. Former NCIA General Manager Kevin Scheid was a strong advocate of digitally transforming NATO and had initiated an effort known as “NCIA’s digital endeavor” to modernize and improve the security of NATO’s communications and information infrastructure and services.⁷⁰ Wiermann, the former NATO DGIMS, advocated for development of a NATO digital backbone, which in his view would constitute the new NATO added value to nations in the information age.⁷¹

The current effort includes both initiatives and is broader and more ambitious. The effort will address the entire NATO Enterprise and include political approval by nations of a vision in fall 2022 and an implementation plan (ideally with resource assessment) by 2023.⁷² According to NHQC3S Deputy Director Marco Criscuolo, a three-step concurrent process (modernization, optimization, and transformation) is necessary to address the complexity and uncertainty of a DT journey.⁷³

In brief, in step one—modernization—the current main effort includes continuing modernizing existing capabilities and resourcing ongoing programs and projects such as Information Technology Modernization and related network, data, and cybersecurity initiatives. Step two—optimization—includes reviewing and cohering the numerous and currently disconnected capability programs to build synergies, gain efficiencies, and develop better processes, including adopting current off-the-shelf capabilities. Step three—transformation—begins as NATO gains an understanding of the potential of related technologies and tools, starts to adopt them, then revises structures, processes, and capabilities, and builds in resilience (in cyber, space, and physical infrastructure).⁷⁴

DT will enable connectivity between data pools and access to and exploitation of data across the NATO Enterprise. NATO Enterprise coherence will be driven by top-down guidance and internalized principles (a whole-of-enterprise approach). DT will rely on a new organizational culture and mindset that is digitally savvy and data centric. It will also rely on greater engagement with industry to leverage its expertise and services, and greater integration and interoperability, the latter supported by the active setting and shaping of standards. DT will also rely on an agility in capability development and resource management (budgetary and human capital) and a modern approach to obsolescence management that do not currently exist.

DT will influence and enable the design of future C4ISR architecture and capabilities and improve the integration, connectivity, ability to manage and exploit Big Data, and the quality and speed of C4ISR processes.

Strengthened deterrence and defense posture

The Alliance’s decision to “strengthen our deterrence and defense posture to deny any potential adversary any possible opportunities for aggression”⁷⁵ is a major change in strategy and has multiple implications for future NATO C4ISR. In particular, the enhanced NATO posture will increase requirements for persistent surveillance and improved awareness of potential threats, a rapid and more effective intelligence process, a revised and robust C2 structure, and resilient and secure networks.

A strengthened posture will be enabled by a new NATO Force Model,⁷⁶ which will identify and assign around three hundred thousand allied forces at high readiness (ready to move in less than thirty days) to a family of NATO strategic and regional defense plans for the first time since the Cold War.

C4ISR assets from NATO and national services will be an integral part of the NATO Force Model and support the requirements in the SASP and family of regional and subordinate strategic plans. C4ISR architecture and capabilities must also support a strengthened integrated air and missile defense (IAMD) through improved ISR for shared awareness, early warning, and tracking, and improved air and surface-based C2 systems. Persistent surveillance is needed to support the Alliance’s I&W requirements. There will certainly be shortfalls in available assets and interoperability.

Strengthened IAMD is an important and new commitment associated with the 2022 Strategic Concept; it is a must to respond to the broad range of Russian air and missile capabilities, which can threaten allied populations, forces, and infrastructure from any direction given their ranges and mobility. Strengthened IAMD should include greater day zero connectivity and integration of existing IAMD-related C2 nodes, sensors, and effectors; new and improved IAMD capabilities; and an improved Air C2 system. The Air C2 system is already the focus of a transition effort by allies in conjunction with NCIA and ACO that seeks to address numerous shortfalls in the existing system while concurrently planning for the upgrades and development of an Air C2 system that can meet future needs. This transition effort should be accelerated. In particular, a strengthened IAMD should prioritize the ability to detect and defeat the broad range of tactical ballistic and cruise missiles in the current and future Russian inventory. This includes closing the low-altitude surveillance gap to detect and track cruise missiles across SACEUR’s AOR.

Ongoing planning, force generation, and future exercises will identify C4ISR shortfalls and refine future C4ISR requirements to meet the demands of an improved NATO posture, including persistent surveillance and strengthened IAMD.

Robust, resilient, and integrated command structure and enhanced C2 arrangements

NATO leaders recognize that the strengthened deterrence and defense posture they envision must be enabled by an improved Alliance C2 structure, parts of which do not yet exist. ACO’s C2 structure currently includes one strategic headquarters (Supreme Headquarters Allied Powers Europe; SHAPE), three joint force commands (JFCs) (Brunssum, Naples, and Norfolk), three service component commands (Air, Maritime, and Land Commands), a theater logistics command (Joint Support and Enabling Command), and several operational commands (e.g., Striking Forces NATO, the NATO Airborne Early Warning and Control Force, and NATO Alliance Ground Surveillance Force).

The existing structure was designed for maximum flexibility and options to respond to multiple crises of different scale and operational requirements, primarily outside SACEUR’s AOR. It was not optimized for collective defense. The JFCs do not have regional geographic boundaries or AORs. Maritime and Land Commands are neither manned nor trained for C2 of large-scale or AOR-wide operations. Staffs at strategic and operational levels lack critical expertise in key warfighting competencies (e.g., targeting, cyber defense and response, and space support).

Current ACO C2 structure and supporting command, control, communications, and computers (C4) systems (i.e., the current Air Command Control System, Federated Mission Network, Land tactical C2) are not yet fit for modern multi-domain warfare against a peer adversary. Viable Joint, Land, and Maritime C2 structures for an AOR-wide defense accommodating two new allies in the north (Finland and Sweden) will be priorities to establish. According to International Military Staff (IMS) Director of Plans and Capabilities Maj. Gen. Karl Ford, “SHAPE is working on a C2 assessment which will identify the drivers of change, review current capabilities and shortfalls, and propose design principles for future NATO C2.”⁷⁷

The assessment will look at C2 in three time horizons in order to capture short, medium, and long-term NATO adaptation needs. First, NATO C2 here and now and how to achieve the Concept for the Deterrence and Defense of the Euro-Atlantic Area (DDA) with the current NATO Command Structure and thirty allies. This stage aims to respond to current NATO needs, within the current membership format. Second, decision-makers are exploring NATO C2 needs for a potential thirty-two-nation Alliance, which would operate based on an MDO Concept and with a DT plan in place. This stage represents a much-expanded level of ambition, with NATO C2 over a contiguous northern region able to coordinate and execute cross-domain effects increasingly enabled by DT. Finally, the third stage will include SACT’s vision of NATO C2 out to 2040 carrying out MDO and tailored to future challenges and threats that are expected to be increasingly persistent, boundless, and simultaneous from multiple state and non-state actors as well as from changes in the physical and social environment.⁷⁸ The third time horizon will be informed and enabled by the NATO Warfighting Capstone Concept (NWCC) and Warfare Development Agenda to get there.⁷⁹

The NATO Force Structure must also be reviewed. This includes assessing requirements, overlaps, and gaps, in some cases rationalized (numbers of tactical headquarters), in some cases reinforced (creating sufficient manpower and expertise for MDO and peer combat), aligned with plans, and integrated with the NATO Command Structure (i.e., ACO and JFCs). The 2022 Strategic Concept’s increased emphasis on resilience will require increased understanding and intelligence sharing of cyber and other related threats to civilian infrastructure. It will also require sustained investment to meet resilience targets (notably to improve cybersecurity and defense for NATO networks, national communications, transportation, health systems, and financial networks).

DT and increased cyber resilience will need to account for an enhanced NATO Command Structure integrated with a rationalized NATO Force Structure and connected to national forces associated with the new NATO Force Model and NATO plans.

Global awareness

Enhanced shared, situational, and global awareness are all referenced in the 2022 Strategic Concept.⁸⁰ The first, enhanced shared awareness, implies improved collective awareness enabled by better intelligence sharing and more effective NATO C4ISR to enable timely and relevant intelligence for political and military leaders. The second, situational awareness, likewise implies timely and relevant intelligence and the addition of persistent surveillance of threat indicators that can rapidly evolve and thus require rapid response. The third, global awareness, refers to the need to monitor and analyze data and intelligence related to global factors such as climate change, pandemics, and strategic shocks emanating from abroad that could affect the Alliance. Global awareness also applies to China and Russia and their related activities and influence across the globe that impact Alliance security, interests, and values.

NATO’s revised core tasks include deterrence by denial and crisis prevention. China and climate change are now characterized as long-term challenges. The revised tasks and long-term challenges will lead to new or revised strategic and operational intelligence requirements. Revised intelligence requirements will justify and generate a need for persistent, multidisciplinary, data-enabled, multi-domain NATO JISR and higher-quality and faster analysis to enable shared awareness, decision-making, and action at the speed of relevance (speed is more of a requirement for crisis and conflict than for long-term challenges).

Intelligence to enable awareness for crisis prevention and addressing long-term challenges will need to integrate inputs from a variety of national, regional, and organizational partners, and commercial providers (e.g., space industry, media, and data; computing; and network service and security providers). For example, broader NATO understanding of China would be enabled by financial, commercial, and science and technology data and analysis and greater information sharing with Indo-Pacific partners. NATO climate policy will require better analytics to understand and respond to the security implications of climate change and require greater NATO and national efforts to incorporate aspects of climate change mitigation in defense infrastructure and capability development (e.g., greater energy efficiency and use of sustainable energy sources, better monitoring of defense impacts on climate, reduced waste production, reduced carbon emissions, etc.).⁸¹

The approval of JISR Vision 2030+ by the North Atlantic Council (NAC) in Spring 2022 will enable enhanced awareness, multi-domain warfighting, and other aspects of the 2022 Strategic Concept. Giorgio Cioni, director of Armament and Aerospace Capabilities in NATO’s Defense Investment Division, said the new JISR vision “includes a series of strategic outcomes, the overall purpose of which are to render JISR architecture more robust.”⁸²

Cioni said the strategic outcomes include: “1) increased investment in collection capabilities, looking beyond existing NATO-owned platforms and payloads (AGS and AWACS), achieving persistent surveillance through a combination of capabilities and services; 2) expanding the APSS initiative to collect and acquire space-based data, products, and services to improve NATO indicators & warnings and strategic anticipation; 3) improving PED [Processing, Exploitation, and Dissemination] with capabilities and tools to ensure timely and efficient analysis; 4) achieving coherence and integration of different programs contributing to the NATO C4ISR network of sensors, C2 nodes and systems, and effectors; 5) review of the JISR TCPED process to ensure it can cope with more data and capabilities (sensors, platforms, AI and ML tools) and support decentralized MDO operations; 6) enhance the human element of ISR, ensuring training and education of leaders, operators, intelligence professionals involved in ISR or end users of its output.”⁸³

NATO’s level of ambition for global awareness will lead to much greater demands to provide persistent, multidisciplinary, data-enabled, and multi-domain NATO JISR. It will also instigate higher-quality and faster analysis which the new JISR Vision 2030+ and the existing JISR Capability Development Strategy should help NATO and its member states deliver.

Innovation and EDTs

NATO is currently focused on protecting and fostering adoption of EDTs in “nine priority technology areas:” AI, data, autonomy, quantum-enabled technologies, biotechnology, hypersonic technologies, space, novel materials and manufacturing, and energy and propulsion.⁸⁴ The 2022 Strategic Concept states NATO’s aims for innovation and EDTs.⁸⁵

NATO has always focused on innovation as a critical element of maintaining its technological edge. However, since 2018 it has redoubled internal efforts to develop policy and external work to engage industry and the private sector to capture the potential of innovative technologies, concepts, applications, and processes.

Advanced, rapidly developing technologies have captured the attention of NATO leaders and led to a series of policies and plans related to EDTs. At the 2021 Brussels Summit, for example, NATO leaders agreed to stand up DIANA and a NATO Innovation Fund.⁸⁶

According to Van Weel, NATO ASG for Emerging Security Challenges, the Alliance is learning how to promote innovation tailored to its needs. “We can create [a location and context to meet and discuss a particular topic], communicate what we want to achieve, and leverage civilian and commercial expertise,” he said.⁸⁷ Van Weel also explained that for DIANA, “nations will collectively agree on strategic guidance developed from end users.” The strategic guidance will include a set of prioritized defense needs developed by NATO Military Authorities (who set NATO defense requirements) and informed by the armaments community (consisting of the Conference of National Armaments Directors, or CNAD, and its subordinate structure, which are responsible for supporting capability delivery of NATO defense needs)⁸⁸ and the Science & Technology Organization (STO), which focuses on horizon scanning of technology developments and enabling collaboration in research and development (R&D).

This strategic guidance for DIANA will subsequently be transformed by the DIANA executive into challenge programs for the private sector. These challenge programs will articulate prioritized defense problems that will be shared with industry to seek potential solutions, much like how national security challenges are used by the US Defense Advanced Research Projects Agency to guide US government investment in private sector technology. NATO engagements to date have demonstrated that two-way communications with high-tech enterprises are more than just an opportunity for NATO to communicate needs.⁸⁹ This dialogue also exposes business opportunities that commercial enterprise may not know exist. “Many private sector companies don’t know they can help in the defense and security field,” said Van Weel.⁹⁰

DIANA and the NATO Innovation Fund are being designed specifically to enable delivery of solutions versus simply to promote R&D. “DIANA will not just provide access to dual-use commercial solutions, but it will help mature them,” said Van Weel. “Start-ups need founders, venture capital, business coaching, networking, and solution iteration between end users and industry. DIANA will make sure there is a connection with defense primes. The end of program is to showcase to all allies what solutions have been identified to respond to the agreed problems. Go to the Conference of National Armaments Directors, etc. And the NATO Innovation Fund can come in and put equity into a start-up company to help it scale up.”⁹¹

NATO efforts to promote innovation and investment in EDTs will also help allies retain interoperability.⁹² Interoperability by design is to be baked into capability development supported by DIANA and the NATO Innovation Fund. National efforts in R&D are less likely to be so inspired. Market competition and differing levels of available funding and technology across the Alliance will continue to create gaps in compatibility and interoperability. Without increased commitment by allies to ensure NATO interoperability as a requirement in the development of advanced technology, gaps will persist or increase.

Most of the nine priority technology areas that NATO EDT efforts are focused on will enable improvements in NATO C4ISR and consequently improve the speed and effectiveness of NATO intelligence, decision-making, and operational processes. Here are key points for four priority technology areas most relevant to NATO C4ISR:

Defense investment

NATO’s 2022 Strategic Concept mentions the importance of fulfilling the 2014 Defense Investment Pledge,⁹³ which was created to ensure adequate investment in defense in support of an ambitious NATO Readiness Action Plan⁹⁴ agreed at the 2014 Wales Summit.⁹⁵ The NATO Readiness Action Plan and increased defense investment were meant to adapt NATO politically and militarily in response to Russia’s illegal annexation of Crimea earlier that year and its ongoing aggression against Ukraine. The pledge commits NATO allies to spend 2 percent of their gross domestic product (GDP) on defense by 2024 and to ensure 20 percent of defense spending is allocated for “major new equipment, including research and development.”⁹⁶

In the 2022 Strategic Concept, allies further commit “to provide the full range of required capabilities,” “ensure that increased national defence expenditures and NATO common funding will be commensurate with the challenges of a more contested security order,” and “increase our investments in emerging and disruptive technologies to retain our interoperability and military edge.”⁹⁷ These new commitments are the sine qua non foundation for strengthening deterrence and defense and achieving the level of ambition NATO has set for adapting its political and military instruments of power to meet the threats and challenges of the coming decade.

NATO C4ISR structure and NATO-owned capabilities (e.g., AGS, AWACS, AFSC, JISR, Air C2 System, and Federated Mission Network) figure prominently in NATO’s current defense investment programs and projects. Capability targets for national C4ISR are likely to increase in NATO’s next defense planning cycle because of the new strategic environment and a new level of ambition to prepare for “high-intensity, multi-domain warfighting against nuclear-armed peer-competitors.”⁹⁸ Both NATO-owned and national capabilities will consequentially be the object of future increases in defense spending.

In addition to supporting the costs of NATO’s common military and civilian structure (i.e., manpower, operations, and sustainment), NATO common funding also supports collective defense investment in C4ISR capability development, which is of great political interest and subject to significant collective oversight and governance. Attempts to streamline and accelerate common-funded capability development and oversight have produced limited positive results to date. Low risk tolerance for early or any failure, detailed reporting requirements, and limited options for accelerated procurement are some of the main issues.⁹⁹ Upgrades of information technology (IT), which rapidly become obsolete, are taken as distinct collective decisions instead of being embedded in upfront requirements. Upgrades and modernization of major capabilities like NATO-owned AGS have been similarly delayed. Hence the need to review how NATO manages obsolescence in the modern age. The private sector provides ample examples of faster capability development and the NIAG has provided tailored advice on how to improve agility in acquisition.¹⁰⁰ Allies have not achieved the acceleration and expansion of common-funded capability development they desire, which has frustrated NATO military, civilian staff, and agencies involved. Further change is needed.

The biggest challenges will be in achieving the cultural shift and sustained sense of purpose needed to enable a whole-of-enterprise approach in the face of inevitable resistance to change and competing domestic and global challenges.

The NWCC, approved in 2021, managed by ACT, and supervised by the Allied Chiefs of Defense, should be a major driver of military innovation and investment over the coming decade, specifically concept and capability development.¹⁰¹ While details in open sources are scarce, the NWCC will be managed through a Warfare Development Agenda that includes imperatives (e.g., cognitive superiority, multi-domain command, integrated multi-domain defense) and principles (e.g., right people, data centric technology, day zero integration, persistent disruptive preparation) which are meant to influence national and NATO C4ISR development and delivery decisions.¹⁰² The ability to synchronize ACT’s Warfare Development Agenda across NATO and nations and with existing NATO defense planning and capability development processes will be a daunting task. ACT has a direct role in common-funded capability development but has not yet leveraged its authorities and abilities to support national and multinational capability development.

NATO ambition is high for its innovation and EDT adoption efforts, both of which are meant to direct investment into capability development that enables NATO’s military edge. Initial efforts like DIANA, the NATO Innovation Fund, use cases for AI, and ongoing work to develop strategies for individual EDTs are all promising. Engagement with industry and the broader private sector is strong and growing. Similar to DT efforts, success in NATO innovation efforts will rely on an agility in investing in capability development and resource management (budgetary and human capital) that does not exist within NATO’s current structure and processes. DIANA and the NATO Innovation Fund will offer alternative development and resourcing options to include bilateral, multilateral, and multinational programs. Scaling up solutions to provide NATO-wide enterprise capabilities would require common funding and be subject to NATO governance that has been historically resistant to higher risk and decentralized control. To achieve NATO’s level of ambition, the Alliance will need to embrace a whole-of-enterprise effort, ensure sustained commitment and investment, and change the way it currently does business with regard to common-funded capabilities.

Deductions from the Madrid Summit and other recent developments include the following. NATO’s 2022 Strategic Concept and recent policy decisions, including the political commitment to increase defense investment, have set the context for future NATO C4ISR. The foundation for future NATO C4ISR is being built through existing programs and initiatives, supporting concepts, assessments, and plans under development. The devil will be in the implementation of decisions taken and others still to be taken. The biggest challenges will be in achieving the cultural shift and sustained sense of purpose needed to enable a whole-of-enterprise approach in the face of inevitable resistance to change and competing domestic and global challenges.

Recommendations: Share, transform, implement, modernize and invest

Efforts are already underway to improve NATO C4ISR and more will follow as decisions taken at the Madrid Summit are implemented. Lessons and security implications from the Russia-Ukraine war for NATO C4ISR will and must be a priority for directing efforts and investment in C4ISR improvements, modernization, and future capability development. Due to its importance to effective Alliance security and defense, NATO C4ISR deserves special focus and effort to improve its multiple components (i.e., organizations, capabilities, networks, concepts, policies, processes, and people). NATO must change in several areas to maintain its technological and military edge and increase the likelihood of achieving the security and defense it deserves. The following recommendations build on positive momentum, leverage new concepts and initiatives, and offer suggestions for improvement, including adopting new efforts and approaches.

1. Share more data and intelligence

Sharing data and intelligence is first and foremost a matter of political will, as NATO relies on voluntary information sharing by its allies. Sharing requires trust in NATO, specifically that the Alliance can protect information shared. Sharing will always be a delicate subject, as not all nations trust NATO or one another to protect their shared data and intelligence in the face of aggressive espionage, cyber incidents, mishandling, and leaks. NATO and its member states collect vast amounts of data and intelligence that are not exploited for the benefit of collective security and defense or other Alliance aims.
Trust is enabled by modern and secure networks, a common data framework and standards respected by all, and an efficient and effective NIE, all of which act as guarantees that the information can be protected and effectively exploited by the Alliance. Much of this is in place, but two key elements require attention: political will (greater emphasis) and security (continued emphasis).

The NAC must commit politically to addressing obstacles and shortfalls in sharing. Shared data or shared intelligence do not appear in the 2022 Strategic Concept or Madrid Summit Declaration. Their absence may reflect a view of adequacy in current levels of sharing or discomfort in addressing the many national policy and technical issues that affect trust in NATO’s ability to protect data and intelligence.¹⁰³ Technical issues also inhibit interoperability, which must be addressed through greater emphasis on common standards (see sections 4 and 5 below). Shared data, information, and intelligence are fuel for C4ISR. Sharing is not at the level it can and needs to be to ensure NATO maintains its comparative military advantage.¹⁰⁴

Security, including cybersecurity, remains an issue. But cybersecurity, document security, and communications security are improving with policy emphasis, cyber adaptation efforts, improved security measures, and with improved supporting tools being put in place or planned for the future.

A golden opportunity lies in the ability of NATO and its member states to tap into the potential of shared data and intelligence to exponentially improve the quality and speed of shared awareness, decision-making, and action. The opportunity cost of not sharing is enormous. For example, restricted sharing of intelligence on Russian violations of the Intermediate-Range Nuclear Forces (INF) Treaty complicated NATO consensus from 2014 to 2018 on US findings that the Russian 9M729 (or SSC-8) missile constituted a violation of the treaty.¹⁰⁵ Earlier sharing of sensitive intelligence could have significantly accelerated common positions on Russian nuclear-capable missiles, leading to earlier decisions on mitigation and pressure on Russia to comply. By contrast, the early decision by the United States and other NATO allies to share sensitive intelligence on Russian intentions vis-à-vis Ukraine in early 2022 led to greater and timely shared awareness, clarity in communications, and timely consensus on decisions taken to assure and defend allies and deter Russia.¹⁰⁶ Here are basic, but critical, recommendations for NATO:

• Implement the NATO Data Exploitation Framework Policy (DEFP) agreed by Alliance defense ministers in October 2021. While details on the DEFP are not widely known, it is fundamental to establishing a common data framework across the NATO Enterprise to enable Big Data sharing, exchange, and exploitation. NATO Military Authorities (NMAs) have begun the implementation process, but it will require a whole-of-enterprise approach, with commitment from the nations, NATO HQ, and common funding. NCIA expertise and support will be critical. NATO should leverage the NIAG and look to industry for expertise and enabling services, such as cloud computing and Big Data management.
  
• Task the NIE in conjunction with NMAs to assess and recommend critical improvements needed to enhance intelligence-sharing procedures and tools, specifically:
  • Mutually supporting strategic and operational intelligence management procedures for warfighting and crises,
  • Intelligence functional services fit for MDO, and
  • AI tools to assist in real-time exploitation of shared intelligence (including sorting, cueing, and other automated functions).
• Set realistic and measurable objectives to share more data with metadata, information, and intelligence, both military and commercial, related to threats and challenges.

2. Transform digitally

DT is a nascent effort that is fundamental for strengthening security and defense and improving resilience. DT is a key enabler of MDO. In turn, effective MDO depend on multi-domain C4ISR. Multi-domain C4ISR is critical for delivering multi-domain effects through multi-domain awareness, decision-making, and action. Enabling multi-domain C4ISR should, therefore, be a particular focus of DT.

A DT vision was developed in fall 2022 and an implementation plan is expected in 2023.¹⁰⁷ The 2021 DEFP is a fundamental first step in the process. The DT vision and implementation plan constitute policy that will have to be followed by investment in infrastructure, capabilities, people, supporting policies, and governance processes. Standards in data exchange and connectivity will be particularly important for networks, weapons systems, platforms, equipment, and software. The US Department of Defense’s C4ISR/Electronic Warfare Modular Open Suite of Standards (CMOSS) provides a national example of an open standard approach that could be used to develop a similar NATO open standard approach allowing various national and commercial entities to design and develop interoperable capabilities.¹⁰⁸

NATO DT must be comprehensive in its objectives and enterprise wide in its application to achieve what NATO needs for shared awareness, decision-making, and action at the speed of relevance for multi-domain warfighting as well as for effective crisis prevention and management.¹⁰⁹ NATO is politically committed to transform digitally, and policy development is in progress. As the NATO consultation, command, and control (C3) staff and board are central to DT policy development, implementation of DT into current and future C3 capability efforts is almost a given. A similar sense of urgency and focus will be needed across the NATO Enterprise. Given current positive momentum, NATO should:

• Ensure funding matches political ambition for and military (and Enterprise) requirements inherent to DT.
• Ensure requirements for enabling multi-domain C4ISR are captured, resourced, and addressed as a priority.
• Seek and leverage private sector expertise and capabilities. Large and small industries offer expertise and capabilities (services) related to DT.
• Look long to enable transition to technologies and applications in NATO’s near-term horizon (i.e., the next six years), such as 6G networks and space-based capabilities and services.
• Ensure a whole-of-enterprise approach to link DT policy development and implementation, including:
  • Active collaboration between relevant NATO governance bodies (e.g., those covering C3, cyber defense, security, armaments, standards, budgeting and resourcing, IAMD policy, defense planning) and the Military Committee, and
  • Collaboration within and among key staff management bodies (e.g., those responsible for communications, information and data management, cybersecurity, JISR, and innovation), including Strategic Commands, agencies, and perhaps Centers of Excellence where relevant.
• Ensure the political focus and funding support to the NATO C3 community to achieve and accelerate the delivery of critical C3 capabilities such as Federated Mission Network and Information Technology Modernization, and a standing operational net for current operations and activities (day zero readiness).
• Ensure implementation of DT is integrated into related ongoing lines of effort beyond C3, i.e., cyber defense adaptation, standards development, common-funded capability development, multinational capability development cooperation, and complex armaments programs (e.g., Air C2, AWACS, and AFSC).
• Adapt existing service contracts and capability development plans, programs, and projects to include DT implementation guidance and standards.
• Develop and implement a human capital development and management policy focused on hiring the right talent, and training and educating NATO civilian and military workforce and leaders to enable DT. Seek and leverage private sector expertise.

3. Implement new concepts, policies, and plans to clarify requirements for NATO C4ISR

NMAs determine C4ISR requirements through the NATO defense planning process (NDPP), and the NAC and allies decide how to meet those requirements through collective, multinational, and national capabilities. NATO’s C3 community plays a key role in determining the technical aspects of interoperable and secure C2, communications, and computers for NATO’s military and broader NATO Enterprise. With this as context, several efforts underway over the next year or the longer term will directly influence future NATO C4ISR requirements. The Alliance should leverage these efforts to clarify requirements and ensure coherence in the next NDPP cycle and future capability development and delivery to develop the future C4ISR architecture NATO needs.

First, the new NATO Force Model and alignment of forces with NATO’s new family of plans (SASP and regional and subordinate strategic plans) will identify C4ISR force and capability requirements. This effort is underway and will likely conclude at the June 2023 defense ministers’ meeting.¹¹⁰ These requirements could include new or revised NATO C4ISR structure. If force generation shortfalls reflect shortfalls in national inventories, then C4ISR capability requirements should increase.

Second, an Alliance MDO Concept will help define what NATO C4ISR must deliver to outthink and outpace potential adversaries and how NATO C4ISR will contribute to achieving multi-domain effects. The final Alliance MDO Concept is under development by the Strategic Commands and allies expect it to be delivered in 2023. Likewise, a DT implementation plan is expected in the first half of 2023.¹¹¹ DT is a fundamental condition for MDO and will set standards for digitalization, connectivity, and data exchange and exploitation that will affect current and future NATO C4ISR.

Third, NATO leaders have tasked ACO to produce a C2 Assessment to enable allied ministers to consider new requirements from NMAs and defense policy proposals (from relevant committees) by Spring 2023.¹¹² Adjustments to the NATO Command Structure over several time horizons will impact C4ISR requirements, specifically to enable effective AOR-wide C2 and multi-domain warfighting. The NATO Force Structure, which is composed of allied national and multinational forces and HQs, should also be part of proposals for change to execute SASP and support the new NATO Force Model. Additional or new C4ISR structure should be considered as well. The timing of the ministers’ decision in 2023 is fortuitous and will allow endorsed C4ISR-related requirements to be captured in the next NDPP cycle, specifically in the Minimum Capability Requirements (MCR) that NMAs will produce for NAC approval in 2024.

Fourth, over a longer term, the JISR component of NATO C4ISR is driven by several agreed documents and programs. Strategic outcomes of NATO’s JISR Vision 2030+, discussed earlier along with the JISR Capability Development Strategy, and JISR community stakeholder decisions will drive enhancements in JISR capabilities, including existing JISR programs and initiatives (e.g., AGS, APSS). JISR Vision 2030+ strategic outcomes will address NATO TCPED (structure, tools, and processes), human capital supporting JISR architecture, and overall coherence in JISR architecture.¹¹³

There is another effort not yet on NATO’s task list that merits attention. A clarifying definition for NATO C4ISR does not exist (as a whole versus in its subcomponents of C2, C3, or C4, and JISR). NATO Architecture Framework Version 4 provides guidance for developing, designing, and managing enterprise architectures.¹¹⁴ According to Paul Savereux, director of Defense Planning in NATO’s Defense Policy and Planning Division, NATO C4ISR capabilities are addressed in multiple planning domains of the NDPP but are neither aggregated nor treated as part of a single function.¹¹⁵

Achieving the full potential of NATO C4ISR and ensuring it is fit for multi-domain warfighting requires coherence in defense planning, capability, and concept development supported by a recognized and defined NATO C4ISR architecture. A defined C4ISR architecture would harmonize defense planning efforts across multiple domains, enable aggregation and assessment of related capability targets, and ensure greater coherence in concept and capability development. A common definition would assist in the development of common standards for the various components that comprise or enable C4ISR (including interfaces and data-sharing protocols).¹¹⁶ A common definition would also enable engagement with the private sector. Here are some recommendations for NATO to capitalize on current efforts and improve their collective outcomes relative to C4ISR. NATO should:

• Define NATO C4ISR architecture to provide a shared understanding of what makes up NATO C4ISR in terms of capabilities (forces, systems, platforms, networks, applications) and enabling policies, concepts, standards, and processes.
  • Author’s proposed definition: NATO C4ISR architecture is the whole of structures, organizations, systems, platforms, networks, applications, policies, concepts, and processes connecting decision-makers, operators, intelligence professionals, and capabilities in support of NATO shared awareness, decision-making, and execution in a multi-domain environment.
• Include goals or objectives and operating principles for each of the key NATO-owned components of NATO C4ISR architecture that leverages existing elements and addresses gaps. This would allow for a methodical approach to determining effectiveness and progress over time of both components of NATO C4ISR and C4ISR architecture as a whole.
• Ensure C4ISR requirements are rigorously collected from efforts to strengthen deterrence and defense through the NATO Force Model aligned with the SASP and family of plans, to conduct MDO, to digitally transform NATO, and to enhance C2.
• Improvement of the TCPED process (a strategic outcome of JISR Vision 2030+) should be an early focus of DT and EDT efforts (e.g., related to AI, data, autonomy, and space) to enable speed and multidisciplinary intelligence fusion, and improvements in processing capacity and quality demanded for multi-domain warfighting.
• Leverage existing NATO C4ISR forces and build upon their potential. Consider adjustments to NATO C4ISR forces (NAEW&CF and NAGSF) to enhance their effectiveness and contributions in support of the SASP and force generation related to the NATO Force Model.
  • The NAEW&CF has two subordinate component commands, one of which (the British national component) is currently phasing out its E3Ds for higher performance E7s. The NAEW&CF could potentially command other nationally contributed C4ISR platforms or new NATO C4ISR forces. Similarly, the NAGSF has the potential to command additional JISR assets and platforms.
  • NATO should review NAEW&CF and NAGSF manpower and operational requirements, and funding levels for operations and sustainment to support a higher level of baseline activities and missions in view of the new political ambition for strengthened deterrence and defense.
  • NATO should ensure C4ISR coherence throughout the defense planning process.
  • C4ISR elements contained in Political Guidance 2023 should be mapped and consolidated for future reference, e.g., through the delivery of MCR in 2024.
  • C4ISR-related MCR should be the subject of multi-domain wargaming based on the SASP, the NATO Force Model, ACO C2 adjustments, and known NATO capability program milestones.
  • NATO should ensure a method to aggregate and track C4ISR-related capability targets apportioned in 2025.
  • Revised procedures for capturing C4ISR requirements will also enable biennial assessments of progress in achieving C4ISR-related targets.

4. Modernize, augment, and acquire capabilities to meet new C4ISR requirements

This category of recommendations is the most extensive and associated with practical delivery of what the Alliance needs to maintain its technological edge and comparative military advantage over the coming decade. The following recommendations are grouped by central themes.

(A) The first step must be ensuring coherence in concept and capability development. Such coherence does not yet exist. A recognized definition for NATO C4ISR architecture will help, but other steps must be taken to ensure 1) a whole-of-enterprise approach, 2) synergy between political and military efforts, and 3) greater agility and effectiveness in concept and capability development.

• NATO must take a holistic approach to C4ISR concept and capability development. Cross-committee efforts related to C4ISR policy and capability development need a forcing function, including top-down guidance with clear responsibilities for lead, but also NATO Enterprise contribution to ensure coherence and synergy. NATO committee and military efforts supporting concept and capability development must be better connected and integrated.
• Implementation of ACT’s Warfare Development Agenda should incorporate a coherent approach to C4ISR concept and capability development, enabled by a defined NATO C4ISR architecture.
• The approach intended for DT (modernize, optimize, transform concurrently) is practical and inherently agile and offers an example of how C4ISR capabilities can be planned and developed in concurrent phases.

(B) According to NATO Deputy ASG for Defense Investment Robert Weaver, on October 2021 the CNAD agreed a NATO armaments policy on Achieving and Accelerating Capability Development and Delivery (A2CD2).¹¹⁷ Speed, agility, and effectiveness are at the heart of this policy, which aims to identify opportunities for accelerated delivery, pursue approaches with highest potential payoffs, and deliver results. Greater collaboration between the CNAD, Science & Technology Board, and Strategic Commands is the primary enabler of the policy’s aims. The policy includes ideas for increased multinational cooperation, leveraging testing and experimentation within NATO exercises to enable warfighter interaction with the private sector, wargaming and tabletop exercising of capability solutions, and improved collaboration in concept development.¹¹⁸

ACT and ACO need to change how they currently support capability development to enable A2CD2 policy implementation. ACT currently focuses primarily on common-funded capability development and experimentation and lower technology readiness levels, which limits support to other approaches to capability development (i.e., national and multinational). ACO owns control, design, and funding of training and exercises, which offer the venue and opportunity for critical testing and experimentation of maturing technologies. However, ACO has ceded responsibility for operational testing and experimentation to ACT along with capability integration.

• NATO leaders should encourage NMAs to take a broader role in supporting national and multinational capability development through operational experimentation efforts. NATO should ensure both authority and funding to do so.
• NATO leaders should align appropriate responsibilities and focus within the Strategic Commands concerning operational testing and experimentation. Testing and experimentation opportunities are critical for enabling warfighter interaction with industry. They lead to industry refinements necessary for effective capability delivery. They also lead to warfighter awareness of new technology and applications and follow-on action to develop the concepts, plans, and procedures for effective integration. ACO Maritime Command’s collaboration with ACT, nations, and private industry in preparation for exercise Dynamic Messenger in September 2022 is a good example of operational testing and experimentation that deserves replication and institutionalization.¹¹⁹
• NATO leaders should expand and ensure dedicated funding for biannual Unified Vision trials (long-standing ACO interoperability tests and experimentation supported by ACT, nations, and the JISR community) to include testing and experimentation of mature promising C4ISR capabilities and enablers.

(C) Modernize, augment, and build on existing C4ISR force structure. NATO’s AFSC program’s innovative approach of partnering closely with industry to replace AWACS by 2035 with C4ISR capabilities that are fit for the future offers an excellent example of innovation in action.

At the Madrid Summit, NATO leaders expressed their commitment to support the AFSC program into design and delivery and procure an advanced C4ISR platform in time for crew training to replace NATO E3As as they start to phase out in the early 2030s. “The fast-track approach will deliver an initial element of the AFSC capability in coherence with the agreed AFSC concept and with the subsequent stages of delivery of the selected technical solution,” said Cioni, director of Armament and Aerospace Capabilities in NATO’s Defense Investment Division.¹²⁰ The selected technical solution is yet to be determined and may consist of crewed and/or unmanned systems or a network of systems. Follow-through with political commitment and funding over the life of the AFSC program will be critical.

NAEW&CF and NAGSF have the potential to deliver more and to satisfy new requirements related to strengthened deterrence and defense. With respect to the NAGSF, NATO needs more platforms and sensor capabilities (such as IMINT/FMV/EO/IR and SIGINT) to enable effective support to its core tasks.

• NATO should integrate national contributions on a permanent or rotational basis into the NAEW&CF and NAGSF based on NATO Force Model force generation to meet C4ISR requirements within NATO plans.
• NATO should authorize and provide the funds for NAEW&CF and NAGSF commanders to leverage AI, ML, and Big Data management and exploitation tools. Such adoption must be in line with DT principles but will exploit the vast opportunities for improving image or signals recognition and classification, database management, maintenance, and planning for NAEW&CF and NAGSF. Such tools could also enable a sense and avoid capability for AGS.
• NATO should upgrade, augment, resource, and fully exploit the NAGSF. The NAGSF has been effective and responsive but is still at Initial Operational Capability. NATO and nations should:
  • Fund and accelerate infrastructure. Provide the required manpower to achieve Full Operational Capability.
  • Fully leverage the analyst and operator training provided by the NAGSF.
  • Fully leverage the NAGSF’s PED potential through full manning and rotation of national analysts as members or augmentees. Experience in the NAGSF provides an opportunity for national analysts to gain expertise for national employment and contribute to NATO intelligence requirements.¹²¹
  • Fund the validated critical modernizations and upgrades required for current operations (especially Link 16, a standardized communications system used by the US military and its NATO allies, and secure communications accreditation).
  • Plan now and fund the acquisition of sensors (IMINT and SIGINT) to upgrade AGS platforms and fill gaps in collection capability.
  • Plan early to replace AGS RQ-4s at the end of their operational life span.
• Fully fund AFSC development, including the fast-track approach, to ensure seamless delivery of the advanced C4ISR capabilities NATO needs for multi-domain warfighting beyond 2030.

(D) APSS needs political commitment and funding and deserves expansion. NATO-owned JISR platforms provide IMINT and measurement and signature intelligence (MASINT).¹²² NATO exploits significant amounts of OSINT to include commercial satellite imagery. The APSS initiative will significantly enhance the ability to receive national and commercial space-based information (imagery, signals, electronic signatures). NATO relies on nations for a greater breadth of IMINT as well as SIGINT, human intelligence (HUMINT), and cyber intelligence (multi-source). Multi-discipline intelligence fusion is critical for confidence in the analysis that enables shared awareness, consensus decision-making, and action. Additional IMINT and SIGINT capabilities (NATO-owned or contributed by nations) are needed now and offer promising prospects for improving NATO C4ISR. NATO should:

• Expand its APSS initiative to include all allies. In support of APSS, NATO should:
  • Encourage national contributions and funding to meet strategic and operational intelligence requirements.
  • Limit bureaucracy by keeping governance simple and lean, ideally supported by existing committee structure.
  • Enable the NIE to fully exploit the multiple intelligence disciplines that space-based assets offer.
  • Consider including national and commercial high-altitude platforms (balloons, airships, aircraft that operate in the stratosphere) that can contribute to persistent surveillance.
  • Ensure space data collection, exchange, and exploitation requirements are part of DT.
  • Ensure the space expertise required to exploit space-based C4ISR capabilities is established within the Strategic Commands (ACO and ACT).
• Integrate IMINT and SIGINT capabilities into NATO C4ISR (multiple options—additional sensor payloads for existing platforms, national contributions augmenting existing forces, and new platforms with IMINT and SIGINT sensor payloads).
• Develop and implement policy to normalize and integrate SIGINT (military and commercial) for operational and tactical use across NATO Command and Force Structures.

(E) Integration of NATO air and missile defense requires additional efforts to close gaps in sensors, Air C2, Ground C2, and Tactical Data Links (TDLs) between sensors, weapons, and C2 platforms. NATO IAMD requires a special focus due to its critical role in protection of NATO C2, forces, and populations. NATO IAMD relies on C4ISR capabilities to ensure operational sensing, decision-making, and action. The ground-based air defense (GBAD) C2 multinational cooperation project supported by the CNAD promises focused solutions to integrating disparate allied GBAD C2 systems at the brigade and battalion level.¹²³

A similar effort is needed to integrate Surface-Based Air and Missile Defense (SBAMD includes land and maritime systems) for area defense of NATO critical assets. NATO TDL standards are particularly important for NATO IAMD, yet not completely implemented by nations.¹²⁴ Select air and missile defense platforms (i.e., fifth-generation aircraft) are becoming more advanced and capable of serving simultaneously as sensors, C2 nodes, and effectors. Yet these advanced platforms cannot seamlessly share tactical data. NATO and national investment in TDL software and hardware is critical. Additional R&D is required for data sharing between fifth-generation aircraft. NATO should:

• Connect existing ground radars and field additional surface or space-based sensors required across the Alliance to close the radar sensor gap for low-flying threats (below 5,000 feet).
• Develop a NATO program for the network of sensors and C2 nodes needed to ensure shared early warning, tracking, and engagement of hypersonic threats.
• Accelerate transition to a future Air C2 system fit for multi-domain warfighting and future threat and friendly capabilities.
• Focus innovation and capability development efforts on integrating sensors, C2, and effectors at the higher tactical (above brigade) level and AOR wide.
  • NATO needs political commitment and national action to ensure its TDL standards are implemented in national and NATO platforms.
  • Nations must follow through with integration of Link 16 capability in appropriate land, maritime, and aerial platforms.
  • NATO needs to prioritize Link 16 capability for the NAGSF in its modernization and upgrade efforts.
  • Nations must follow through with integration of Link 22 in maritime systems to replace Link 11, ensure Link 16 compatibility, and improve overall interoperability.
  • The United States needs to accelerate development of an interoperable TDL network between its fifth-generation aircraft and compatible with NATO TDLs.¹²⁵

(F) EW capabilities are central to modern warfare and a principal focus of peer adversaries due to their potential for asymmetric response to Alliance comparative advantages (i.e., high-performance C4ISR platforms, precision-guided missiles). EW capabilities support intelligence collection and targeting, disrupt or destroy C4ISR, and require specialized C2 for effective employment. EW offensive capabilities can be relatively low-cost and range from radars to jammers to direct energy weapons to missiles guided by electromagnetic (EM) seekers.

Protection from adversary offensive EW capabilities is critical for NATO C4ISR. NATO operational and tactical communication networks must be secure, survivable, and resilient in a contested environment. Low probability of intercept, low probability of detection, directional communications, and autonomous functions can support improved security, survivability, and resilience.¹²⁶ Self-organizing networks should be the aim with autonomous functions supported by AI and next generation network capabilities (i.e., 5G, 6G) and may require new waveforms enabled by new radio and antenna systems.¹²⁷

The NATO EW community is active in promoting policy, doctrine, and capability development, but has not gained the political attention and commitment needed to ensure development of NATO EW capabilities to the level needed for modern warfare.¹²⁸ NATO’s Joint Airpower Competence Center (JAPCC) has developed several recommendations for NATO action related to EW that could enhance NATO C4ISR effectiveness.¹²⁹ Building on JAPCC’s recommendations NATO should:

• Establish a Strategic EW Operations Center to enable NATO C2 of and employment guidance for nationally contributed EW capabilities and assets and assist in doctrine and concept development and training.
• Ensure modern warfare EW capability needs are prioritized in NATO defense planning. Specifically include a focused section in Political Guidance 2023 and ensure the development of appropriate MCR in 2024 (leveraging modern warfare lessons and ambitious wargaming).
• Promote national and multinational capability development and delivery of prioritized EW capabilities that improve security, survivability, and resilience of C4ISR, including through NATO innovation initiatives.
• Integrate EM operations in the Alliance MDO Concept and clarify policy and doctrine on how the electromagnetic spectrum (EMS) fits into existing operational domains. (For example, should the EMS be merged into a single cyberspace-EMS domain?)
• Develop a culture of EM signature awareness among all forces (especially land forces) and integrate EM signature monitoring, control, and mitigation into all (including C4ISR) new systems and capabilities.

(G) NATO recognizes the importance of investing in and promoting innovation and adoption of EDTs to retain its “technological and military edge.”¹³⁰ The DIANA and NATO Innovation Fund initiatives as explained earlier provide great promise in developing the “innovation ecosystem” and collaboration with private sector that is needed to identify, promote, and deliver solutions to NATO’s operational and business challenges.¹³¹ DIANA will focus on leveraging innovation and creative solutions from start-ups and SMEs, but will include the NIAG throughout its processes to ensure wider industry awareness and preparation of defense and aerospace primes for scaling up promising solutions when necessary.

Complementary efforts are needed in three areas to leverage the potential that innovation and EDTs offer. First, clarification of the role of NATO’s military in innovation could empower NMAs to focus on improving the quality and substance of their collective contributions, including NATO Enterprise-wide collaboration. Second, greater agility in common-funded capability development and resourcing is needed to modernize how NATO acquires C4ISR capabilities and services. Third, NCIA as a customer-funded agency should be leveraged by allies to provide greater support to national and multinational capabilities and services related to C4ISR.¹³² NATO should:

• Formalize and improve contributions from NATO’s military to innovation.¹³³ Elements of which follow:
  • NWCC includes future capability considerations that should be refined over time through dialogue with the Armaments Community and STO.
  • The Warfare Development Agenda is meant to drive concept development and influence capability development but must be aligned with the NDPP.
  • Military requirements can be better informed by engagement with industry, the Armaments Community, and the Science & Technology Board.
  • Promotion of innovation challenges to military problem sets should be developed through greater involvement with the NATO Enterprise.
  • Military advice and input into the strategic guidance for DIANA are critical for leveraging DIANA’s potential to address military problems and challenges.
  • Support for testing and experimentation (including warfighter-industry interaction) of maturing technology and applications in NATO training and exercises needs greater focus.
  • Concept development is not yet at pace to leverage maturing technology and applications to enable integration and effective employment.
• Adopt agile capability development and resourcing principles for common-funded C4ISR capabilities and services.
  • Revise how IT components of capabilities are addressed in requirements and acquisition to account ahead of time for cybersecurity, obsolescence replacement, upgrades, and modernization.
  • Reduce complexity in requirements drafting and committee oversight but enforce schedules.
  • Adopt modular approaches to design to enable interchangeability and interoperability among capabilities.
  • Adopt advanced technology that is mature, available, and corresponds to need rapidly.
  • Allow for an approach that includes early prototype testing and experimentation, small-scale purchases, building on success, and scaling up.
  • Allow for the appropriate risk tolerance for failure and revision.
  • Fully leverage NCIA’s potential support to national and multinational capability development and services related to C4ISR. Recent contracts for satellite communications, Strategic Space Situational Awareness System, and APSS are great examples of NCIA’s ability to leverage funding from single allies and groups of allies to provide capabilities and services that benefit the entire Alliance.

5. Continue to invest in NATO C4ISR interoperability, readiness, resilience, innovation, and adaptation

NATO’s value added to allies are its abilities to collectively decide and act, organize, and integrate. NATO provides the structural and digital backbone for nations to plug into, and develops common doctrine, concepts, procedures, and capabilities to enable interoperability and effective collective action. NATO nations have already increased defense spending by the equivalent of $350 billion since making their Defense Investment Pledge in 2014.¹³⁴ More billions of dollars are planned to be spent by 2024 and beyond as additional allies meet or exceed their defense spending goal of 2 percent of their GDP. As of June 30, 2022, eight allies exceed the 2 percent goal.¹³⁵ A total of nineteen allies have plans to do so by 2024 and five more plan to meet the goal shortly after 2024.¹³⁶

NATO-owned C4ISR forces (e.g., NAEW&CF and NAGSF) and capabilities ensure a guaranteed minimum level of shared data and intelligence that is rapidly employable to enable political and military shared awareness. NATO-owned assets have proven their value time and again in crisis and partially compensate for the lack of standing national C4ISR contributions. The C4 elements of NATO-owned C4ISR assets provide secure and interoperable C2 and secure computer and communications networks for political consultation and NATO military operations and activities (strategic to tactical).

NATO-owned C4ISR forces and capabilities are NATO’s added value to the Alliance, providing the interoperable structure and digital backbone into which national contributions plug for collective awareness, decision-making, and action. Investment in NATO-owned C4ISR forces and capabilities can only enhance the Alliance’s capability to observe, orient, decide, and act.

NATO C4ISR will reap the benefits of known and expected increases in defense spending. While the bulk of allied defense spending will go to national defense requirements, spending on increased readiness of national C4ISR forces (personnel, training, equipment, sustainment, and infrastructure), enhanced resilience (especially communications networks and transportation), and delivery of capabilities corresponding to allied C4ISR capability targets will all contribute to the potential of NATO C4ISR.

As this report has highlighted, there are several areas where national defense spending and common funding are needed to ensure NATO C4ISR is fit for modern warfare and the threats and challenges identified in NATO’s 2022 Strategic Concept. The following recommendations are an elaboration of key investment recommendations previously mentioned. Allies should:

• Invest in NATO interoperability and integration.
  • Accelerate development of C4ISR-related equipment and connectivity standards to ensure nations’ disparate C4ISR systems and platforms (all types—C2, communications, computers, and ISR) can talk to each other and share real-time data and intelligence. This effort must address interoperability between national and proprietary cryptographic equipment and software.
  • Ensure adequate NATO staff support to nations in standards development.
  • Implement a NATO assessment mechanism to confirm the adoption of NATO standards by national and NATO C4ISR forces.
  • Review and act on the implications of NATO military assessments of C4ISR interoperability.
  • Leverage and support the potential of NATO’s JISR interoperability trials (United Vision) to test, experiment, and validate C4ISR systems.
  • Adopt dual-use standards whenever possible to accelerate delivery of interoperable C4ISR capabilities or enablers.
• Invest in NATO C4ISR force readiness and resilience. Review manpower and resilience (cybersecurity, communications, and infrastructure) requirements of the NAEW&CF and NAGSF for MDO.
  • Invest in NATO C4ISR innovation and adaptation commensurate with NATO C4ISR’s prominent role in shared awareness, decision-making, and action.
  • Include C4ISR challenges in the strategic guidance developed by nations for DIANA and the NATO Innovation Fund.
  • Invest in human capital development and management of leaders, operators, and intelligence professionals involved in or supporting NATO C4ISR.
• Invest in NATO C4ISR adaptation (and modernization) to meet the needs of the Alliance now and out to 2030 and beyond.
  • Ensure funding for DT requirements that will enable and enhance NATO C4ISR.
  • Plan for and invest in the modernization and future replacement of NAGSF platforms and systems.
  • Ensure funding of NATO commitments to AFSC and a fast-track approach for an advanced platform replacement for AWACS aircraft.

Conclusion

NATO C4ISR capabilities have improved over the past decade but are not projected to meet future Alliance needs. Vulnerabilities and shortfalls persist, which are aggravated by a demanding security environment and an elevated level of NATO ambition agreed at the Madrid Summit. In particular, Russian aggression and other threats and challenges, including from terrorism, China, and climate change, raise requirements for speed and quality in NATO shared awareness, decision-making, and action. The latter are all enabled by NATO C4ISR.

The NATO 2022 Strategic Concept and recent policy decisions will set the context for future NATO C4ISR requirements. Future NATO defense planning and capability development of NATO C4ISR must respond to changing requirements and address critical issues. NATO has a unique window of opportunity over the next few years to leverage a newfound sense of cohesion and urgency among allies along with an agreed vision. Implementing recent NATO decisions, leveraging increases in defense investment, and exploiting proven or promising technologies present multiple opportunities to develop and deliver the C4ISR capabilities NATO forces need.

Five key efforts will maximize NATO’s ability to maintain its comparative military advantage over the coming decade: improving data and intelligence sharing, transforming digitally, clarifying C4ISR architecture and requirements, modernizing or acquiring C4ISR capabilities and enablers, and continuing to invest in the ingredients of NATO’s success for the past seven decades (i.e., interoperability, readiness, resilience, innovation, and adaptation).

Glossary

About the author

Gordon B. “Skip” Davis Jr. is currently a Senior Fellow at the Center for European Policy Analysis. He recently served as NATO’s Deputy Assistant Secretary General for Defense Investment.

Prior to NATO, Skip served 37 years in the U.S. Army retiring as a Major General. Skip’s last military positions were as Director of Operations, U.S. European Command, Commander of Combined Security Transition Command – Afghanistan, and Director of Operations and Intelligence for Allied Command Operations. Skip’s professional life included operational and institutional assignments interspersed with study and practice of international affairs and defense issues, primarily in Europe. Skip participated in operations with U.S., NATO, and UN forces in Europe, Africa, Middle East, and Central Asia. Skip brings practical experience and conceptual understanding of contemporary and emerging defense issues as well as executive-level experience in operations, intelligence, leader development, capability development, and policy development. Skip holds an undergraduate degree in nuclear physics and graduate degrees in international business, defense and military history, and strategic studies.

Mr. Davis and his wife Rita have two daughters, Stefania and Victoria, both of whom completed their undergraduate degrees in Italy. Stefania is a Captain in the U.S. Military Intelligence Corps serving at Fort Bragg, North Carolina, and Victoria is a graduate student completing a MBA in Performing Arts in Paris.

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Explore more

Related content

Issue Brief Jun 13, 2022

NATO priorities: Initial lessons from the Russia-Ukraine war

By Franklin D. Kramer, Barry Pavel

At the June 2022 NATO summit it will be important to implement four key operational priorities, each derived from initial lessons underscored by the Russia-Ukraine war, to maintain the Alliance’s long-term capacity for defense and deterrence.

Europe & Eurasia National Security

NATO 20/2020 Oct 14, 2020

Digitalize the enterprise

By Jeffrey Reynolds, Jeffrey Lightfoot

If NATO is to unlock new frontiers of innovation and harness emerging technology, digitalizing how it does business is the key.

Defense Technologies Digital Policy

Issue Brief Mar 9, 2022

Defending every inch of NATO territory: Force posture options for strengthening deterrence in Europe

By The Scowcroft Center Task Force on Deterrence and Force Posture

Deterrence in Europe can be enhanced through a range of US and NATO force posture enhancements.

Conflict Defense Policy

The post The future of NATO C4ISR: Assessment and recommendations after Madrid appeared first on Atlantic Council.

Looking at decades of US support and operations in the Gulf and recognizing a continued, arguably growing, air and maritime threat from Iran, the Atlantic Council Gulf Security Task Force developed a framework on how to best protect US and allies’ interests in this sensitive, always relevant region. The report provides US decision-makers with an updated, fact-based strategy for protecting its interests in the air and maritime domain from the Persian Gulf to the Red Sea, while ensuring Gulf partners’ ability to assume this responsibility, with the assistance and leadership of the United States.

In this capstone report, “Improving Gulf Security: A Framework to Enhance Air, Missile, and Maritime Defenses“, the Gulf Security Task Force brings together their cross-section of expertise to address the nature of the threats and provide practical policy solutions for the development of an integrated air, missile, and maritime defense in the Gulf, that provides long-term, reliable protection for the US and our partners’ security in the region.

Competing Security Interests in the Arab Gulf

Authors

Michael S. Bell

Former Special Assistant to the President and Senior Director for Middle East Affairs, National Security Council

Dr. Mike Bell is the Executive Director of the Jenny Craig Institute for the Study of War and Democracy. Commissioned in Armor following graduation from the US Military Academy at West Point, he is a combat veteran, historian, and strategist who has served at every level from platoon through theater army, as well as with US Central Command, the Joint Staff, the West Point faculty, and the National Defense University. As a civilian faculty member at the National Defense University, he also served details to the Office of the Secretary of State and as a National Security Council Senior Director and Special Assistant to the President of the United States. His monograph on the role of the Chairman of the Joint Chiefs of Staff was published by the Strategic Studies Institute.

Clarke Cooper

Nonresident Senior Fellow, Scowcroft Middle East Security Initiative, Middle East Programs, Atlantic Council
Former Assistant Secretary of State for Political-Military Affairs

R. Clarke Cooper recently served as the assistant secretary for political-military affairs at the US Department of State from 2019 to 2021. During his tenure, Cooper implemented reforms to streamline arms export licensing and improve government support to the US defense industry. By enabling security partnerships and through advocacy for burden sharing to counter shared threats, Cooper continued his advocacy for performance measures across United Nations (UN) peacekeeping missions, women in active peacekeeping roles, and accountability measures for troop and police contributing countries. In 2021, Cooper was awarded the Superior Honor Award for interagency coordination and implementation of the security cooperation elements of the Abraham Accords.

Kirsten Fontenrose

Nonresident Senior Fellow, Scowcroft Middle East Security Initiative, Middle East Programs, Atlantic Council
Former Senior Director for the Gulf, National Security Council

Kirsten spent 2018 as Senior Director for the Gulf at the National Security Council, leading the development of U.S. policy toward nations of the GCC, Yemen, Egypt, and Jordan. Prior to this service at the White House, Kirsten spent a year in the private sector consulting on specialized projects in the national security space. Her interagency experience includes five years at the Department of State leading the Middle East and Africa team in the interagency Global Engagement Center. Prior to this, Kirsten worked with a field team studying foreign populations for the US Department of Defense Theater Special Operations Commands.

Greta Holtz

Chancellor, College of International Security Affairs National Defense University
Former US Charge d’Affaires in Qatar and former US Ambassador in Oman

Ambassador (Ret.) Greta C. Holtz enjoyed 35 years as a career diplomat with extensive experience in the Middle East region. She retired in April 2021 with the personal rank of Minister Counsellor. Ambassador Holtz served as Senior United States Coordinator for Operation Allies Refuge in Qatar from August – October 2021 and as Chargé d’affaires in Qatar from June 2020 until April 2021. She was Principal Deputy Assistant Secretary in the State Department’s Bureau of South and Central Asian Affairs, and she was the Senior Foreign Policy Advisor (POLAD) to the Commanding General of U.S. Special Operations Command (SOCOM) from 2017-2019. She served as the United States Ambassador to the Sultanate of Oman from 2012 to 2015 and was the Vice-Chancellor at National Defense University’s College of International Security Affairs from 2016 to 2017. Ambassador Holtz was Deputy Assistant Secretary for Public Diplomacy and Strategic Communication in the Bureau of Near Eastern Affairs, and she ran the United States Provincial Reconstruction teams in Iraq from 2009-2010.

Richard LeBaron

Nonresident Senior Fellow, Middle East programs, Atlantic Council Former US Ambassador to Kuwait

Ambassador (Ret.) Richard LeBaron is a career diplomat with over thirty years of experience abroad and in Washington. His most recent overseas posting was as deputy chief of mission at the US embassy in London from August 2007 to August 2010. Amb. LeBaron served as chargé d’affaires in London from February to August 2009. Previous to his assignment to London, Amb. LeBaron served as the US ambassador to Kuwait (2004 to 2007). From September 2001 to July 2004, Amb. LeBaron served as deputy chief of mission at the Embassy of the United States in Tel Aviv, Israel.

Fozzie Miller

Former Nonresident Senior Fellow, Middle East programs, Atlantic Council Former Commander, US Naval Forces Central Command/Combined Maritime Forces/US Fifth Fleet

In 2015, Vice Admiral (Ret.) John W. “Fozzie” Miller retired from the US Navy after serving as the Commander, US Naval Forces Central Command; Commander, Combined Maritime Forces; and Commander, US Fifth Fleet. Miller spent a considerable amount of his naval career focusing on the Middle East—beyond his role as Commander of the US Fifth Fleet, he also served as Deputy Commander to US Naval Forces Central Command/United States Fifth Fleet; Deputy Director, Strategy, Plans, and Policy (J5); and Chief of Staff of US Central Command. In 2015, Miller received the Navy Distinguished Service Medal.

Daniel Vardiman

Senior US Navy Fellow, Scowcroft Center for Strategy and Security (2021-2022), Atlantic Council *

Commander Daniel Vardiman was the intelligence lead for Expeditionary Strike Group Two from August 2019 through July 2021. In this role, he also served as the acting information warfare commander; supported staff certification, contingency operations, and integration with the Marines; participated in exercises in Europe and off the East Coast of the United States; and assisted with defense support to civil authorities. For his lieutenant commander milestone tour, he was the intelligence lead for Amphibious Squadron Six from June 2014 through June 2016, and on the Bataan Amphibious Ready Group and Wasp Amphibious Ready Group deploying to the US Fifth and Sixth Fleet areas of responsibility.

* The opinions expressed are those of the author and do not reflect those of the U.S. Navy or Department of Defense.

Brett McGurk sets out the ‘Biden doctrine’ for the Middle East

White House Coordinator for the Middle East and North Africa, Brett McGurk, delivered remarks in support of “enabling an integrated air and maritime defense architecture in the region, something long talked about, which is now happening through innovative partnerships and new technologies,” at the Atlantic Council’s inaugural Rafik Hariri Awards, celebrating the tenth anniversary of the Rafik Hariri Center for the Middle East, in Washington on February 14, 2023.

full remarks

Scowcroft Middle East Security Initiative

The Atlantic Council’s work on Middle East security honors the legacy of Brent Scowcroft and his tireless efforts to build a new security architecture for the region. Our work in this area addresses the full range of security threats and challenges including the danger of interstate warfare, the role of terrorist groups and other nonstate actors, and the underlying security threats facing countries in the region.

Explore More

The post Improving Gulf security: A framework to enhance air, missile, and maritime defenses appeared first on Atlantic Council.

These memorable last words resonated deeply with the Ukrainian public, who responded with a mixture of outrage over the criminal nature of the killing and admiration for the stunning courage of the victim. Within hours of the video’s appearance, Matsievsky was being commemorated across Ukrainian social media with hundreds of portraits and memes paying tribute to his defiant stand. Murals have already appeared on the streets of Ukrainian cities. There is even talk of a monument.

Matsievsky is the latest symbol of Ukraine’s unbreakable resolve in a war which has already produced plenty. From the famous “Russian warship, go f**k yourself” of the Snake Island garrison, to the seemingly superhuman tenacity of the Azovstal defenders, Ukraine has witnessed a large number of iconic moments over the past year capturing the spirit of resistance that has gripped the country since the onset of Russia’s full-scale invasion in February 2022.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

• Name
  First Last
• Email*
• 
  
  
• Email
  This field is for validation purposes and should be left unchanged.

This is not at all what Russia was expecting. When Putin gave the order to invade Ukraine, he had been led to believe the Ukrainian public would welcome his troops and had been assured that organized military resistance would collapse within a matter of days. Billions of dollars had been spent preparing the ground by bribing Ukrainian officials to change sides and back the invasion. The stage was supposedly set for a triumph that would extinguish Ukrainian statehood and confirm Putin’s place among Russia’s greatest rulers.

It is now clear that Putin’s complete misjudgment of Ukrainian morale was one of the most remarkable intelligence failures of the modern era. He appears to have fallen into the trap of many long-serving dictators and surrounded himself with loyalist yes-men intent on telling him what he wanted to hear.

This toxic trend was exacerbated by the enforced isolation of the Covid pandemic, which appears to have further fueled Putin’s Ukraine obsession and strengthened his conviction that the country must be subjugated at all costs. In the increasingly claustrophobic climate of the Putin Kremlin, it is hardly surprising that his intel chiefs chose to reinforce these prejudices and encourage his reckless imperial ambitions. If they had attempted to counsel caution, they would likely have been dismissed.

This sycophancy was to have disastrous consequences. Far from greeting Putin’s invading army with cakes and flowers, the Ukrainian nation rose up and united in defiance against Russian aggression. Tens of thousands flocked to enlist in the Ukrainian military and territorial defense units, while millions more mobilized to support the war effort through fundraising, donations, and the improvised production of essential items such as anti-tank obstacles and Molotov cocktails.

Within weeks of the invasion, a vast network of Ukrainian volunteers was supplying frontline soldiers with everything from food and medicines to drones and jeeps. Despite the horrors of the past year, this steely determination to defy Russia remains firmly intact throughout Ukrainian society. Whatever else today’s Ukraine may lack, morale is certainly not an issue. Quite the opposite, in fact.

The same cannot be said for the Russian army. In response to the catastrophic losses suffered during the first six months of the invasion, Putin announced Russia’s first mobilization since World War II in September 2022. The bulk of the estimated 300,000 men mobilized last year are now in Ukraine, where they are being thrown straight into battle despite being untrained and under-equipped.

Since late January, a steady stream of videos have begun appearing on social media featuring groups of mobilized Russian troops appealing to Putin or their own regional representatives. They typically complain of suicidal tactics and heavy casualties while protesting their role as frontline shock troops and calling for redeployment to rear areas. In some cases, mobilized men have announced that they will directly refuse to follow orders.

Eurasia Center events

Online Event Thu, July 20, 2023 • 8:00 am ET

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Growing signs of demoralization within the ranks of the Russian military could become a major issue for the Kremlin at a time when Putin faces no other obvious domestic challenges to his war policy.

At present, there is little sign of significant anti-war sentiment on the home front inside Russia. On the contrary, independent surveys indicate consistently high levels of public support for the invasion, while those who do object have largely chosen to keep quiet or flee the country. While many question the validity of polling data in a dictatorship, the complete absence of any meaningful efforts to protest the war points to a passive acceptance of the invasion at the very least.

The prospects of a Kremlin coup look to be similarly slim. While many within the Russian elite are said to have been appalled by the decision to invade Ukraine, they have since reconciled themselves to the new reality and are for the most part far too personally dependent on Putin to mount any serious challenge to the Kremlin.

This leaves the military as the one potential source of serious opposition to the war. If Russian commanders persist with their human wave tactics and mobilized troops continue to die in large numbers, the current tide of discontent may evolve into outright mutiny, with highly unpredictable consequences for Putin and his regime.

The importance of morale in warfare has long been recognized. Napoleon Bonaparte famously observed that three-quarters of military success is down to morale. This helps explain why the Ukrainian army has over-performed so spectacularly during the first year of the invasion, while Russia itself has struggled to live up to its prewar billing as the world’s second most powerful military.

Crucially, Ukrainians know exactly what they are fighting for. They are defending their homes and families against an enemy intent on committing genocide and wiping their country off the map. Understandably, they need no further motivation. In contrast, Russians have been told they are fighting against everything from NATO expansion and gay parades to Anglo-Saxon Satanists and Ukrainian Nazis.

While Ukrainian soldiers are focused on the clearly defined objective of liberating their country, Russia’s war aims appear to be far more ambiguous and are often subject to sudden revision. Once the cannon fodder approach of the Russian generals is factored in, it is no surprise that morale is becoming such an issue for Putin’s army.

Could collapsing morale decisively undermine the Russian invasion? We should have a better idea regarding the scale of the problem in the coming few months, as both Russia and Ukraine pursue major spring offensives that will test the resilience of their respective armies. At this stage, Putin is preparing for a long war and still hopes to outlast the West. He has a stable home base and sufficient resources to potentially continue the invasion for at least two more years. However, the situation could change dramatically if his demoralized army refuses to fight.

Peter Dickinson is Editor of the Atlantic Council’s UkraineAlert Service.

Further reading

UkraineAlert Feb 20, 2023

‘You cannot outlast us’: Biden’s Kyiv visit sends strong message to Moscow

By Peter Dickinson

US President Joe Biden’s bold surprise visit to wartime Kyiv sent a strong message to Moscow that time is not on Putin’s side and Russia should not pin its hopes on a weakening of Western resolve to stand with Ukraine.

Conflict Freedom and Prosperity

UkraineAlert Jan 28, 2023

Poland is leading Europe’s response to the Russian invasion of Ukraine

By Diane Francis

Poland was the unsung hero of the recent landmark decision by Berlin and Washington to provide Ukraine with tanks as Polish leadership continues to shape the European response to Russia’s genocidal invasion.

Conflict Economic Sanctions

UkraineAlert Mar 8, 2023

Ukrainians will never surrender. How long can they count on the West?

By Serhiy Prytula

Ukraine’s remarkable resistance during the first days of the Russian invasion convinced the democratic world to back the country but with Putin now preparing for a long war, continued Western resolve is vital writes Serhiy Prytula.

Civil Society Conflict

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia and Central Asia in the East.

Learn more

The post Will morale prove the decisive factor in the Russian invasion of Ukraine? appeared first on Atlantic Council.

On Tuesday, Atlantic Council President and CEO Frederick Kempe participated in a hearing of the House Permanent Select Committee on Intelligence with other leaders of think tanks. Below is an edited version of his written testimony.

Chairman Turner, Ranking Member Himes, esteemed members of the House Permanent Select Committee on Intelligence, thank you for the opportunity to testify on geopolitical threats, how to meet them, and the role of the intelligence community.

It is fitting that the House Permanent Select Committee on Intelligence should be convening this public session four days after the first anniversary of Russian President Vladimir Putin’s criminal and unprovoked invasion of Ukraine. It is also just a week after US President Joe Biden’s brave and potentially historic visit to Ukraine—I will come back to what I mean by “potentially.”

Putin’s war in Ukraine underscores three crucial and interlocking issues worth highlighting today.

• First, we live at a historic inflection point, as crucial as the periods after World War I, World War II, and the Cold War, where US leadership alongside allies and partners—or the failure of US leadership—will have global and generational consequences. In short, we live at the fourth inflection point since World War I. Hence, our actions now should be informed by history’s lessons and thus a conviction that Ukraine’s war is at the same time a battle over what set of actors and principles will shape the global future.
• Second, with the enormity of those stakes in mind, Putin’s ongoing war in Ukraine, along with its failure thus far to have achieved its ends, underscores both the strengths and weaknesses of the US intelligence community in navigating this defining moment. There is an urgent necessity to enhance the strengths and address the weaknesses, as the intelligence community is not appropriately organized or funded for this moment.
• Most important for this committee, and for the United States more generally, is to understand, at such a defining moment, the dramatic and decisive connection between short-term decisions and actions and longer-term commitments and consequences. If the intelligence community has a glaring weakness, alongside the United States government and Congress more generally, it is in providing intelligence-driven, longer-term analytical frameworks within which one can more confidently understand and respond to the wealth of daily intelligence.

So first, let me address each of these three points, starting with the fourth inflection point for the United States since World War I.

The fourth inflection point

Biden was right when he said during his presidential campaign, and frequently since then, that we face an “inflection point” in history, where it will be decided what countries and values will shape the global system for the era ahead. I have been writing an Atlantic Council newsletter since 2016 called “Inflection Points,” having sensed and advocated that point of view before it became more popular.

Putin’s invasion of Ukraine on February 24, 2022, and the ongoing war that followed, brought into sharp relief a new era of strategic competition that had been unfolding for several years already.

How we manage this period now, in the face of external authoritarian threats and internal challenges to democracies worldwide, will be no less critical than US actions alongside allies and partners during the three previous inflection points, moments in history when the US role has had outsized consequences: after World War I, World War II, and the Cold War.

The lessons of history are clear on this.

After World War I—where nine million soldiers and five million civilians died—we collectively squandered a historic opportunity to create a better world through the tragic failure of postwar arrangements (the Versailles Treaty and the League of Nations, among them), through the bitter continuation of European fissures, and through our own misguided isolationism. This resulted in the rise of fascism, the outbreak of World War II, and the Holocaust. World War II would be the deadliest conflict in human history, with an estimated seventy to eighty million fatalities, most of them among civilians.

After World War II, we as a country did something that was until that time aberrational in American history. We remained engaged in Europe and the world despite postwar fatigue and widespread isolationist sentiment. We introduced the Marshall Plan, providing economic assistance to restore the economic infrastructure of postwar Europe, and with our partners we constructed multilateral institutions to secure the future and, if possible, to prevent future great power conflicts: the United Nations, the Bretton Woods Institutions, NATO, and others.

Together with our allies, we constructed what came to be known as the international liberal order of institutions, rules, and practices that expanded democracy, prosperity, and security, and safeguarded our own freedoms and values. It brought us the longest, sustained period of major-power peace, prosperity, and democratic expansion in history.

In many respects, the Cold War was the World War III that never happened. Our triumph in that struggle between two competing ideologies and systems, without a shot being fired, was a credit not only to military deterrence and the remarkable unsung work of our intelligence agencies, but it was at the same time a victory of our national resilience, and our dynamic and magnetic democratic and free-market system and values. It was one of the greatest accomplishments of American international engagement and statecraft.

After the Cold War, our failures were not as dramatic as they were after World War I, but neither were our successes as great or architecturally ambitious as they were after World War II.

Initially, we were able to expand NATO, enlarge the European Union, and increase the number of people and countries who lived outside despotic rule with rising incomes and expanding rights.

It even appeared for a time that China would join the world of moderate and modernizing nations. However, as we see now, that period did not end up being the end of history but rather marked the beginning of a new strategic competition.

So, that leaves us with the post–post­–Cold War period, though we should seek a better description for our era, where a contest is in full flower over who and what principles will define the global future.

Put most simply, there are three alternatives: the reinvigoration and perhaps reinvention of the liberal international order put in place after World War II, the replacement of that order over time by a Chinese-led illiberal order, or global chaos and incoherence, more along the lines of Putin’s law of the jungle than any rule of law.

As we meet today, we have a generational opportunity to shape the future that Putin’s potential failure presents us.

Last year at this time, it seemed democracies were in retreat and authoritarianism was on the rise following sixteen years during which Freedom House has tracked the relative decline of democracy globally. In early February of last year, shortly before the Beijing Winter Olympics, China’s Xi Jinping and Russia’s Putin entered a “no limits” strategic partnership that viewed US and Western leadership in irreversible decline.

The Ukraine war followed.

The past year, however, has been a challenging one for the world’s worst authoritarians: Putin, Xi, and Iranian Supreme Leader Ayatollah Ali Khamenei.

They ended 2022 reeling from self-inflicted wounds, the consequences of hubris, overextension, and a gamble that US alliances would crumble in the face of a challenge. Russia’s war is failing, and its economy is imploding. China’s excessive authoritarianism, thoughtlessly provocative “wolf warrior diplomacy,” and botched COVID-19 response slowed its growth and alarmed international (particularly European) partners. And Iran’s rush to nuclear capability and draconian response to ongoing protests following the death of Mahsa Amini, have shown the ayatollah’s theocracy is on shakier ground than many experts have thought.

At the beginning of my comments, I called Biden’s trip to Kyiv last week “potentially historic.” What I meant by that was that it would be historic depending on what follows now. For Ukraine to prevail would require a “surge” in support to Ukraine now to confront an unfolding Russian offensive.

Biden’s assurance to Ukraine that the United States would support its struggle “as long as it takes” is well-intentioned, but a war of attrition favors Moscow and endangers tens of thousands more Ukrainians and raises the prospect of US, Western, and Ukrainian war fatigue.

If we truly believe that the battle for the global future is being fought in Ukraine and by Ukrainians, then the money spent now from the United States and other allied budgets is a bargain compared to what we will all need to spend if Russian and Chinese ambitions advance.

If Putin prevails, history has taught us that the necessity for other countries’ boots on the ground will grow. As former Secretary of State Condoleezza Rice and former Secretary of Defense Robert M. Gates (both honorary directors on the Atlantic Council’s Board of Directors) wrote in the Washington Post in January, “It is better to stop (Putin) now, before more is demanded of the United States and NATO as a whole.”

Lessons for US intelligence reform

That brings me to what this period tells us about US intelligence strengths and weaknesses—and what we should do to enhance the strengths and urgently address the weaknesses.

The Ukraine war has underscored intelligence triumphs and failures.

The United States did an extraordinary job of highlighting Putin’s war plans and ambitions and warning in advance of the very real danger of invasion. It was a notable break with past US policy and risked exposing US sources and methods. But it paid off spectacularly in robbing Putin of any guise of deniability and hammering home that this was a planned invasion, while allowing Ukraine to prepare. When US predictions proved to be accurate, it bolstered the international credibility of US intelligence. It also highlighted areas where intelligence sharing with US allies needed to be improved.

On the other hand, US intelligence did not foresee Russian military weaknesses and underestimated Ukraine’s defensive capabilities and resilience. Threat assessment is never easy, but it is crucial to prepare for future threats.

One of the questions this committee is seeking to address is whether the intelligence community is organized and funded appropriately to address current and future threats. The short answer is: not by a long shot.

The immediate post–Cold War era proved a difficult adjustment period, but the United States intelligence community successfully transformed itself in the aftermath of 9/11 to meet the needs of the war on terror and support two decades of sustained combat operations.

US intelligence operates at a faster tempo, and its analysis is more integrated with operations than ever before. Furthermore, its ability to find and track threats all over the world, as well as to support military operations, is breathtaking. We see how that applies even outside of a war-on-terror context in the war in Ukraine, where US intelligence has been critical for supporting Ukraine’s military operations and planning.

However, despite this success in the past two decades, the intelligence community must transform again. While potentially useful adaptations and improvements from the post-9/11 era should not be discarded, the intelligence community must adjust and even hearken back to some of its strengths and features during the half-century long competition with the Soviets during the Cold War.

This transformation must begin with human capital, including some fundamental changes in how the intelligence community hires and manages its personnel, as well as the kind of expertise it fosters.

Before I joined the Atlantic Council, I served for more than a quarter of a century as a journalist at the Wall Street Journal. Drawing from that experience, I can tell you that there is a substantial difference between looking for a reporter who is highly skilled at dashing off a few quick lines of breaking news versus one who is a deeply knowledgeable on a subject and capable of conveying ample context and comprehension of a complex issue.

We need more of the latter in the intelligence community. We need more analysts who can think at the strategic level and marshal in-depth knowledge of our adversaries, including long-term trends and drivers of their economies, societies, political systems, militaries, goals, and intentions; and their strengths and weaknesses. 

With that type of analysis, the US government might have been less surprised, for example, by the Russian military’s poor performance in Ukraine. We might have been less surprised by China’s turn from biding its time and hiding its strength to a full-range global competitor that has little interest in human rights, a free press, or respecting democracy in Hong Kong. The immense difficulty of spying in China—where the Central Intelligence Agency (CIA) lost between eighteen and twenty operatives in one disastrous two-year period, from 2010 to 2012—demonstrates this. However, with China becoming ever more ambitious and brazen on the world stage, the need for strong intelligence and deep, thoughtful analysis is more pronounced than ever. We need fewer analysts focusing on rapid reaction to operational and tactical-level issues.

My understanding is that the intelligence community has changed its personnel practices in recent years to emphasize general analytic and writing skills over depth of knowledge or time working on a particular portfolio. I have heard that many intelligence community organizations are actively discouraging people from developing much of a specialty on any particular portfolio or spending too much time developing their experience on one topic, in order to be able to quickly move people around to cover emerging crises and conflicts.

This has even been driving some of the deep experts into early retirement or second careers. I am all for flexibility, but I firmly believe we quickly need to reverse that trend and start growing long-term experts on the key countries and issues for strategic competition—and even hire some external experts in the meantime if that is what it takes to ensure that knowledge base is readily available.

Congress should also work with the director of national intelligence (DNI) to grant greater professional freedom to talented intelligence officers. Toward this end, they should seek to make security clearances completely interchangeable. Family obligations, opportunities for promotion, and a desire to learn new skill sets can drive talented intelligence officers to other intelligence agencies, just as those factors would influence a lawyer, teacher, nurse, or bankers in the same way. That is something we ought to embrace. However, the eighteen intelligence community agencies have varying systems for background checks, no uniform policy on polygraphs, and inconsistent additional requirements, all of which means that officers often cannot easily move to another agency, despite already having access to much of the same information and systems.

It also means that prospective employees, such as recent college graduates, need to have a separate application process for every agency to which they want to apply to work. Here, Congress can help. It should create a single common background check and standardized set of hiring requirements for all intelligence community officers. If an agency, for whatever reason, determines additional requirements are necessary for employment at that agency, it should be required to obtain the DNI’s approval to include them as part of the hiring process.

Moreover, some organizational changes are necessary for this era of strategic competition. Some of them are already happening, with the CIA and Defense Intelligence Agency (DIA) having established centers focused on China. This is a positive development, but we need to start looking beyond the obvious.

For example, my Atlantic Council colleague Jonathan Panikoff, a former intelligence officer, has argued the US Department of Commerce now needs its own intelligence officers to help it keep up with its international trade and export control responsibilities, particularly vis-à-vis China. When the war on terror was our primary focus, it would have seemed foolish to advocate for an intelligence element at the Department of Commerce; today, it should be a top priority, as much of our future security depends on countering China’s threats to our technology and innovation base.

In addition, the intelligence community needs to become more effective at navigating public-private partnerships to address many of the challenges it will face in the years ahead. For example, we saw the impact of COVID-19 on supply chains and the importance of supply chains to US national security, including economic security, given that nowadays we cannot realistically separate the two. But the intelligence community does not have the background or expertise to meaningfully address these challenges in the near or medium term by itself. Instead, the United States should better partner with private-sector companies already deeply involved in this work. Doing so will come at a cost but one whose premium will be far less than trying to reinvent the wheel. There are major corporations, such as Intel, that have over a thousand people just working on supply chain issues. We cannot and should not try to duplicate this effort. We do not have the time to learn or train—it is an issue that must be addressed immediately, and the expertise and knowledge required is extensive. And even if we could recruit on our own, doing so would not be a good use of time or resources as the US government would be competing against the many private-sector companies that can offer both incentives and salaries the government cannot.

As well, we should mitigate the extent to which the director of national intelligence is subject to the whims of politics. To help address that, the DNI should have a fixed, five-year term, renewable once. There is no perfect way to ensure a president will not choose someone who would be unacceptable to a president of a different party in the future if the DNI has a five-year, fixed term—and that is why the president’s prerogative to dismiss the individual should be retained—but the political price for doing so should be high.

The simplest option is to replicate the Federal Bureau of Investigation (FBI) model but for a five-year term, rather than a ten-year term. Only one FBI director has ever completed a full ten-year term, so a five-year renewable term might be more realistic anyways.

We also need to improve cohesion among those involved in intelligence, and the most important step to take toward this end is to strengthen cohesion with our allies on intelligence matters.

Inside the US intelligence community, it appears to me that we have made strides toward improving cohesion. While not perfect, nearly two decades after the Intelligence Reform and Terrorism Prevention Act of 2004 and the establishment of the Office of the Director of National Intelligence that law created, we have organized a true US intelligence community in a way that did not previously exist.

My sense, however, is that we have not matched these important domestic steps to achieve cohesion with similar progress on coordination with allies, even our closest ones. It is essential that the US intelligence community does more to improve cooperation and collaboration with allies. My organization published a paper on this very subject a few months ago, authored by a former US DIA senior executive and a retired British military intelligence officer. Entitled “Beyond NOFORN: Solutions for increased intelligence sharing among allies,” the piece offers several policy recommendations to reduce barriers to cooperation. I will not recount all the details here, but I recommend it to you and your staffs. 

Ultimately, I think what will be necessary is a change in incentives for intelligence leadership and the workforce to make more progress on how we share intelligence with allies. For change to come, it will require engagement from you in the form of oversight, or even legislation, if it is not going to come from within the intelligence community.

In addition, Congress can take action to improve oversight of efforts to strengthen the intelligence community.

Congress should ensure there is a much greater emphasis on sharing unclassified assessments with the public. Decisions relevant to strategic competition are made every day by people without security clearances, in multiple sectors. I humbly ask you to ensure the intelligence community remembers that, and that they see institutions like the Atlantic Council conducting analysis on national security issues not as competitors but as eager audiences and even potential partners in their difficult and important work.

Holding these open hearings in parallel with the intelligence community’s Worldwide Threats hearing is perhaps just one step toward greater engagement between the intelligence community and the public. It would be even more helpful to mandate some form of engagement between the content of Worldwide Threats briefs and non-government assessments. I think there is ample evidence to suggest that think tanks, for example, and the US intelligence community can learn from each other and thereby ensure a better-informed public on key issues pertaining to strategic competition.

Overall, the intelligence community should accelerate and deepen its reorganization and realignment for strategic competition, with a particular focus on revising its approach to human capital and adding an intelligence element to the Department of Commerce. The intelligence community should also be encouraged and enabled to improve cohesion with allies, and oversight efforts should promote more opportunities for intelligence community engagement with experts and analytic institutions outside the government.

Stepping up to strategic competition

In closing, and this was my third point, we need a change of attitude and an acknowledgment that we are facing a historic inflection point where we face a peer authoritarian competitor in the form of China and peer authoritarian disruptor in the form of Russia that is unprecedented in our history. As with any competition, when your opponent changes or improves their game, you need to respond.

There was a period of time where our often-disabling political polarization, when our failures to institute reforms to strengthen our capabilities and address our weaknesses, were the unharmful indulgences of a necessarily messy democratic system.

If the intelligence community has a weakness, alongside the United States government and Congress more generally, it is in providing intelligence-driven, longer term analytical frameworks within which one can more confidently understand and respond to emerging challenges.

The risks of inaction are growing alongside the urgency for common cause in the face of the fourth inflection point of the period between World War I and today. History has taught us the long-term and tragic cost of our failures and the benefits of constructive, concerted, and intelligence-driven international engagement.

The post The fourth inflection point: Testimony of Frederick Kempe to the House Permanent Select Committee on Intelligence appeared first on Atlantic Council.

On February 16, Scowcroft director Matthew Kroenig was interviewed by Bloomberg’s David Westin on the four unidentified flying objects most recently shot down by the US and Canada. Kroenig provides insight into what the objects may have been, as well as their functions, and discusses the advantages of using a balloon or drone, rather than a satellite, for surveillance or intelligence purposes. The uncertain and classified nature of the situation is also classified, with an emphasis that nothing is certain and that the situation is still evolving.

Staff

Matthew Kroenig

Vice President and Senior Director, Scowcroft Center for Strategy and Security

Scowcroft Center for Strategy and Security

China Defense Policy

The post Kroenig interviewed by Bloomberg discussing the unidentified flying objects shot down appeared first on Atlantic Council.

On February 16, Forward Defense Nonresident Senior Fellow Nicholas Eftimiades published an article in TIME magazine to discuss the reasons China may have deployed a spy balloon over the United States and the implications for the relationship between the two countries. Eftimiades suggested that the balloon may have been designed to intercept high frequency radio communications or satellite downlink data.

Fellow

Nicholas Eftimiades

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

China Intelligence

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Learn more

The post Eftimiades in TIME appeared first on Atlantic Council.

The post Rich Outzen joins WION to discuss the Chinese surveillance balloon appeared first on Atlantic Council.

What is going on?

Conspiracy theories are a part of the human condition. We fill in gaps of knowledge with stories, suspicions, and fears to create a whole understanding of what is happening around us. The government’s delayed notification to the American public early this month about a large balloon, in some instances visible to the naked eye, and the lack of urgency to remove it from US airspace naturally led knowledgeable and unknowledgeable people to fill in the gaps. Perhaps the balloon was for weather observation (as the Chinese government proclaimed) or to collect signals intelligence or to collect imagery intelligence or just a test to see if the United States would identify its presence. All those theories were bandied about, but no one really knew—and US government spokespeople and leaders were unable or unwilling to provide clarity in a timely manner.

The shootdown of three additional flying objects only adds to the growing hysteria, especially since the US government is providing even less information. A basic tenet of the communications profession is to provide information in a timely and accurate manner and to answer questions honestly and as thoroughly as possible. Key US spokespeople’s answers to reasonable questions from journalists have lacked transparency, detail, and timeliness.

Those spokespeople have yet to address concerns about why these objects are suddenly being observed all of a sudden, outside of generic descriptions of turning up the sensitivity of radar systems. And they failed in their responsibility by not immediately and fully discrediting the notion that the three additional flying objects are UFOs made by alien life—allowing the belief to take flight among the public. For spokespeople not to emphasize a far more likely scenario of a foreign or commercial source for these objects is also telling and should be a concern. “What is going on here?” is a valid question and one the US government is obligated to answer.

What’s the threat?

The reality is that every single one of us is tracked as we make our way through daily life. Our mobile phones track our location and digital activities. Our vehicles send back a wide range of information to car manufacturers, including location and maintenance information. Closed-circuit television cameras capture our activities outside of the home. And yes, foreign countries have satellites above our heads that collect imagery, signals, and weather data, among other information. To be fair, the United States collects a vast amount of information on foreigners—far more than can ever be effectively used or analyzed—and it is something that those of us from the intelligence community (as I did during my time in government) use to inform policymakers on potential happenings abroad.

The balloon and three other objects feel different because they are different. Rather than unobtrusive collection that we can neither see nor easily conceptualize, balloons or large drones are something that we can envision over our local areas. We can see and feel the threat. The slow response by US and Canadian officials makes the public question their competence and commitment to keeping the homeland safe. If the balloon was able to go from China to the Montana area, linger for days, and then make its way to the Carolinas, what else is going on? The public is owed an explanation.

In the interim, the additional collection of information about US military facilities, US and Canadian communications, and general imagery of the United States and Canada informs intelligence professionals in China and potentially other adversary countries. After all, if the three yet-to-be-identified flying objects were of a commercial nature, the company that owns them would likely have obtained proper clearances to fly their drone or other object from a regulator such as the US Federal Aviation Administration. One can reasonably deduce that a foreign power is involved.

Is this about us?

So why use a balloon or large drone over North America that was undoubtedly going to be discovered? Because it allows an adversary to see how the United States will respond. Will it sit back and ignore a potential threat? This would provide an adversary some additional avenues for data collection or attack during a time of conflict. Will it simply shoot the items down to remove the threat? That would signal the strength of the US air-defense system and allow adversaries to gauge the response time for military decision-making. The US government response has shown that there may be gaps in airspace defense and intra-government coordination, and a disconnect between how Americans view foreign aircraft overhead versus how Washington may view the encroachment.

It also provides an adversary with insights on how the public will emotionally and politically react. Will politicians on opposite sides bicker and quarrel instead of establishing new requirements for a military response? Will the US president or Canadian prime minister take the issue seriously and implement a severe response on the diplomatic front? We still don’t have the entirety of the story around the three additional flying objects like we do about the surveillance balloon. However, we do know that there was a segment of the population that jumped to irrational conclusions, including that aliens are walking among us. This could be a wonderful conspiracy theory for adversaries to foster in order to divide some segments of North American society against their government and fellow citizens. From an influence or information operations perspective, a simple balloon with likely simple collection capabilities can provide benefits for years to come.

Jennifer A. Counter is a nonresident senior fellow in the Scowcroft Center for Strategy and Security’s Forward Defense practice and a vice president at Orbis Operations, where she advises friendly foreign governments on national-security matters. She previously served in the US State Department and as a US Air Force intelligence officer.

The post <strong>What US adversaries are learning from the balloon and UFO saga</strong> appeared first on Atlantic Council.

False confidence in ballooning undetected

US officials have connected the balloon to the People’s Liberation Army (PLA), calling it “a high-altitude balloon program for intelligence collection.” Only the PLA has the interest, mandate, and capability to acquire and operate a large-scale, long-range reconnaissance platform intended to enter foreign airspace and “monitor sensitive military sites,” as US officials said was its mission. The Chinese Foreign Ministry’s flurry of counteraccusations and claims that multiple civilian research platforms were simultaneously blown off course over the United States and South America lack credibility and suggest an effort to distract attention.

PLA planners misjudged the risk that the United States would track the balloon, but they had reason for false confidence. According to US military officials, the United States failed to detect at least three approaches by these platforms in the past several years. Furthermore, planners may have felt confident that even if the US government were to identify the balloon as a foreign platform, it would be unable to attribute it to China. The PLA would have noted the lack of any protest following previous undetected approaches, and a congressionally mandated intelligence assessment of unidentified aerial phenomena in 2021 suggested that the US was in the dark. The assessment stated only that some aerial phenomena “may be technologies deployed by China, Russia, another nation, or a non-governmental entity.”

Lost in bureaucratic stovepipes

PLA officers may also have failed to take Blinken’s visit into consideration because of stovepipes within the Chinese national security system. The visit was part of a carefully choreographed series of exchanges that both Chinese leader Xi Jinping and the Biden administration had worked assiduously to set up, and for the civilian foreign-affairs bureaucracy it was one of the most important events of the year. But the PLA had little direct involvement, partly due to Beijing’s disinterest in strengthening bilateral military channels, and most senior officers were probably only peripherally aware of the preparations. The balloon’s course may also have been decided before the timing of the visit was confirmed and shared with the PLA, and we do not know how much maneuvering capacity the platform has. A Foreign Ministry spokesman implied in mid-January that Blinken’s itinerary was still being ironed out.

Xi’s absolute control over the PLA and insistence on strict obedience rules out any deliberate attempt by the PLA to defy his intentions or sabotage a diplomatic engagement in which he planned to take part. But the incident does reveal limitations in the effectiveness and scope of the Central National Security Commission (NSC), the main mechanism Xi created to synchronize national security across the civilian and military systems. China’s NSC is one of the few bodies that brings together party, state, and military leaders to address national security affairs. Previously published member lists suggest that Blinken’s counterpart Wang Yi and the chief of the PLA’s Joint Staff Department, who should have had general visibility into the balloon program, sit together on the NSC.

Deconflicting military and foreign-policy initiatives is hard in any system, but the inauspicious timing of the balloon overflight is a useful data point that suggests shortcomings in China’s NSC and other coordination mechanisms. Xi’s nebulous definition of national security to encompass social, ideological, and cultural aspects alongside military, diplomatic, and economic factors may detract from the NSC’s ability to focus on coordinating the external aspects of China’s national-security policies.

Why to expect more missteps

One of the most important underlying drivers of poorly timed and uncoordinated PLA activities is the extraordinarily rapid growth in the scope and scale of its operations. Unlike the US military, the PLA’s leaders and staff officers are frequently operating for the first time in new areas of the world, with novel platforms, and in new domains, some of which involve unexpected political ramifications. Some of their most diplomatically damaging missteps have occurred when operating new platforms in new ways: the 2007 anti-satellite missile test that generated hazardous space debris, the 2011 test flight of the J-20 stealth fighter that marred another cabinet-level visit, and the surveillance balloon.

Most senior PLA officers also have had relatively little experience with operations that involve extensive international political or diplomatic considerations. Joel Wuthnow at National Defense University found in 2021 that no four-star PLA officer had been stationed abroad, compared with 58 percent of US four-stars who had served in a foreign country. PLA army officers also continue to occupy the lion’s share of senior positions and they are less likely to have been involved in politically charged interactions with foreign military forces than their navy and air force colleagues. For example, the PLA’s Joint Staff Department is the natural locus for coordinating its operational activities with overall foreign policies, and current chief Liu Zhenli served almost thirty-nine of the prior forty years of his career in domestic army units and the army headquarters.

Beijing’s botched operation has injected a volatile note into bilateral relations at the beginning of a year that is likely to see further strain given the reported plans of US House Speaker Kevin McCarthy to visit Taiwan. But it may also serve as a useful cautionary lesson for Xi and the rest of China’s leadership. The embarrassing exposure may reinforce concerns in Xi’s mind not only about the capabilities of PLA platforms but about his military’s capacity to correctly gauge the risks of high-stakes operations. It may also bolster his appraisal of US intelligence capabilities a year after Chinese officials were reportedly skeptical of US warnings about Russia’s plans to invade Ukraine. With the prospect of more Sino-US confrontations on the horizon, a reminder of the inherent uncertainties of aggressive military actions could be the silver lining on an otherwise destabilizing incident.

Mark Parker Young is a nonresident senior fellow at the Atlantic Council’s Global China Hub, a principal analyst at Mandiant, and a former US deputy national intelligence officer for East Asia.

The views expressed in this article are solely those of the author.

The post China’s balloon blunder shows the shortcomings of its national security apparatus appeared first on Atlantic Council.

On February 3, Scowcroft Center director Matthew Kroenig spoke with The National Desk on the implications of the Chinese spy balloon.

Staff

Matthew Kroenig

Vice President and Senior Director, Scowcroft Center for Strategy and Security

Scowcroft Center for Strategy and Security

China Defense Policy

The post Kroenig in the National Desk on the Chinese spy balloon appeared first on Atlantic Council.

On October 6, 2022, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and National Security Agency released a joint cybersecurity advisory outlining the top Common Vulnerabilities and Exposures that Chinese state-linked hacking groups have been actively exploiting since 2020 to target US and allied networks. Public reporting indicates that, for the better part of the past two decades, China has consistently engaged in offensive cyber operations, and as the scope of the country’s economic and political ambitions expanded, so has its cyber footprint. The number of China-sponsored and aligned hacking teams are growing, as they develop and deploy offensive cyber capabilities to serve the state’s interests—from economic to national security.

We brought together a group of experts to provide insights into China’s cyber behavior, its structure, and how its operations differ from those of other states.

#1 Is there a particular example that typifies the “Chinese” model of cyber operations?

Dakota Cary, nonresident fellow, Global China Hub, Atlantic Council; consultant, Krebs Stamos Group: 

“China’s use of the 2021 Microsoft Exchange Server vulnerability to access email servers captures the essence of modern Chinese hacking operations. A small number of teams exploited a vulnerability in a critical system to collecting intelligence on their targets. After the vulnerability became public and their operation’s stealth was compromised, the number of hacking teams using the vulnerability exploded. China has established a mature operational segmentation and capabilities-sharing system, allowing teams to quickly distribute and use a vulnerability after its use was compromised.” 

John Costello, former chief of staff, Office of the National Cyber Director: 

“No. China’s approach has evolved too quickly; its actors too heterogenous and many. What has remained consistent over time is the principal focus of China’s cyber operations, which, in general, is the economic viability and growth of China’s domestic industry and advancement of its scientific research, development, and modernization efforts. China does conduct what some would call ‘legitimate’ cyber operations, but these are vastly overshadowed by campaigns that are clearly intended to obtain intellectual property, non-public research, or place Chinese interests in an advantageous economic position.” 

Bulelani Jili, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“What is unique is how the party-state promotes surveillance technology and cyber operations abroad. It utilizes diplomatic exchanges, law enforcement cooperation, and training programs in the Global South. These initiatives not only advance the promotion of surveillance technologies and cyber tools but also support the government’s goals with regard to international norm-making in multilateral and regional institutions.” 

Adam Kozy, independent analyst; CEO and founder, SinaCyber; former official with the FBI’s Cyber Team and Crowdstrike’s Asia-Pacific Analysis Team: 

“There is not one typical example of Chinese cyber operations in my opinion, as operations have evolved over time and are uneven in their distribution of tooling, access to the vulnerability supply chain, and organization. However, one individual who typifies how the Chinese Communist Party (CCP) has co-opted domestic hacking talent for state-driven espionage purposes is Tan Dailin (谭戴林/aka WickedRose) of WICKED PANDA/APT41 fame. He first began as a patriotic hacker during his time at university in 2000-2002, conducting defacements during the US-Sino hacker war, but was talent spotted by his local People’s Liberation Army (PLA) branch, the Chengdu Military Region Technical Reconnaissance Bureau (TRB) and asked to compete in a hackathon. This was followed by an “internship” where he and his fellow hackers at the NCPH group taught attack/defense courses and appear to have played a role in the 2003-2006 initial Titan Rain attacks probing US and UK government systems. Tan and his friends continued to do contract work for gaming firms, hacking a variety of South Korean, Japanese, and US gaming firms, which gave them experience with high-level vulnerabilities that are able to manipulate at the kernel level and also afforded them stolen gaming certificates allowing their malware to evade antivirus detection. After a brief period where he was reportedly arrested by the Ministry of Public Security (MPS) for hacking other domestic Chinese groups, he reemerged with several new contracting entities that have been noted to work for the Ministry of State Security (MSS) in Chengdu. Tan has essentially made a very comfortable living out of being a cyber mercenary for the Chinese state, using his legacy hacking network to constantly improve and upgrade tools, develop new intrusion techniques, and stay relevant for over twenty years.” 

Jen Roberts, program assistant, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“While no one case study stands out to typify a “Chinese” model, Chinese cyber operations blend components of espionage and entrepreneurship and capitalize on China’s pervasiveness in the international economy. One example of this is the Nortel/Huawei example where espionage, at least in part, caused the collapse of the Canadian telecommunications company.”

#2 What role do non-state actors play in China’s approach to cyber operations?

Cary: “Chinese security services still have a marked preference for using contracted hacking teams. These groups often raise money from committing criminal acts, in addition to work on behalf of intelligence agencies. Whereas in the United States, the government may purchase vulnerabilities to use on an offensive mission or hire a few companies to conduct cyber defense on a network, the US government does not hire firms to conduct specific offensive operations. In China, the government may hire teams for both offensive and defensive work, including offensive hacking operations.” 

Costello: “Non-state actors play a myriad number of roles. Most notably, Department of Justice and Federal Bureau of Investigation indictments show clear evidence of contractual relationships between the MSS and non-state actors conducting cyber intelligence operations. Less conventional, Chinese hacktivists have on occasion played a limited but substantive role in certain cases, such as cyberattacks against South Korea’s Lotte group during the US Terminal High Altitude Area Defense (THAAD) system kerfuffle in 2017. Hypothetically, China’s military strategy calls for a cyber defense militia; but the contours or reality of mobilization, training, and reliability are unclear. China’s concept of ‘people’s war’ in cyberspace—a familiar adoption of Maoist jargon for new concepts—has been discussed but has yet to be seen in practice in any meaningful form.” 

Jili: “State investment and procurement of public security systems from private firms are driving the development of China’s surveillance ecosystem. Accordingly, private firm work and collaboration with the state are scaling Beijing’s means to conduct surveillance operations on targeted domestic populations that are perceived threats to regime stability. Crucially, given the financial incentives to collaborate with Beijing, private companies have limited reasons not to support state security prerogatives.” 

Kozy: “This question has the issue of mirroring bias. We tend to view things from a United States and Western lens when evaluating whether someone is a state actor or not, because we have very defined lines around what an offensive cyber operator can do acting on behalf of the US government. China has thrived in this grey area, relying on patriotic hackers with tacit state approval at times, hackers with criminal businesses, as well as growing its domestic ability to recruit talented researchers from the private sector and universities. The CCP has historically compelled individuals who would be considered traditionally non-state-affiliated actors to aid campaigns when necessary. Under an authoritarian regime like the CCP, any individual who is in China or ethnically Chinese can become a state actor very quickly. Actors like Tan Dailin do constitute a different type of threat because the CCP effectively co-opts their talents, while turning a blind eye to their criminal, for-profit side businesses that are illegal and have worldwide impact.” 

Roberts: “Chinese non-state actors are very involved in Chinese cyber operations. A wide variety of non-state entities, such as contractors and technology conglomerates (Alibaba, Huawei, etc.), have worked in tandem with the CCP on a variety of research, development, and execution of cyber operations. This relationship is fortified by Chinese disclosure laws and repercussions of violating them. While Russia’s relationship with non-state actors relies on the opaqueness of non-state groups’ relationships with the government, China’s relationship with non-state entities is much more transparent.”

#3 How do China’s cyber operations differ from those of other states in the region?

Cary: “China has the most hackers and bureaucrats on payroll in Asia. Its operations are not different in kind nor process, but scale. While Vietnam’s or India’s cyber operators are able to have some effect in China, they are not operating at the scale at which China is operating. The most significant differentiator—which is still only speculation—is that China likely collects from the backbone of the Internet via agreements or compromise of telecommunication giants like Huawei, China Unicom, etc., as well as accessing undersea cables.” 

Costello: “Scale. The scale of China’s cyber operations dwarfs those of other countries in the region—the complexity and sheer range of targeting, and the number of domestic technology companies whose increasingly global reach may be utilized for intelligence gain and influence. As China’s influence and global reach expands, so too does its self-perceived need to protect and further expand its interests. Cyber serves as a low-risk and often successful tool to accomplish this in economic and security realms.” 

Jili: “While most regional and global players’ cyber operations have a domestic bent, Beijing also actively promotes surveillance technology and practices abroad through diplomatic exchanges, law enforcement cooperation, and training programs. These efforts not only advance the proliferation of Chinese public security systems, but they also support the government’s goals concerning international norm-making in multilateral and regional institutions.” 

Kozy: “China is by far the most aggressive cyber power in its region. It can be debated that Russian cyber operatives are still more advanced in terms of sophistication, but China aggressively conducts computer network exploitations against all of its regional neighbors with specific advanced persistent threat (APT) groups across the PLA and MSS having regional focuses. Some of its neighbors such as India, Vietnam, Japan, and South Korea have advanced capabilities of their own to combat this, but there are regular public references to successful Chinese cyber campaigns against these countries despite significant defensive spending. Regional countries without cyber capabilities likely have long-standing compromises of critical systems.” 

Roberts: “China has a talent for extracting intellectual property and conducting large-scale espionage. While other threat actors in the region, like North Korea, also conduct espionage operations, North Korea’s primary focus is on operations that prioritize fiscal extraction to fund regime activity, while China seems much more intent on collecting data for a variety of purposes. Despite differing capacities, sophistication, and types of operations, the end goals for both states are not all that different—political survival.”

More from the Cyber Statecraft Initiative:

China’s surveillance ecosystem and the global spread of its tools

The 5×5—Russia’s cyber statecraft

The 5×5—The state of cybersecurity in the Middle East

#4 How have China’s offensive cyber operations changed since 2018?

Cary: “China’s emphasis on developing its domestic pipeline of software vulnerabilities is paying off. China has passed policies that co-opt private research on behalf of the security services, support public software vulnerability competitions, and invest in technology to automate software vulnerability discovery. Together, as outlined by Microsoft’s Threat Intelligence Center’s 2022 analysis, China is combining these forces to use more software vulnerabilities now than ever before.”

Costello: “China’s cyber operations have unsurprisingly grown in scale and sophistication. Actors are less ‘noisy’ and China’s tactical approach to cyber operations appears to have evolved towards more scalable operations, namely supply-chain attacks and targeting service providers. These tactics have the advantage of improving the return on investment for an operation or campaign, as they allow compromise of all customers who use the product or service while minimizing risk of discovery. Supply chain attacks or compromise through third-party services can also be more difficult to detect and identify. China’s cyber landscape is not homogenous, and there remains great variability in sophistication across the range of Chinese actors.

As reported by the Director of National Intelligence in the last few years, China has increasingly turned towards targeting US critical infrastructure, particular natural gas pipelines. This is an evolution, though whether it is ‘learning by doing,’ operational preparation of the battlespace, or nascent ventures by a more operationally-focused Strategic Support Force (reorganization into a Space and Cyber Corps from 2015-17) is unclear. Time will most certainly tell.”

Jili: “Since 2018, the party-state has been more active in utilizing platforms like BRICS (Brazil, Russia, India, China, and South Africa), an emerging markets organization, and the Forum on China-Africa Cooperation (FOCAC) to promote digital infrastructure products and investments in the Global South. Principally, through multilateral platforms like FOCAC, Beijing has promoted resolutions to increase aid and cooperation in areas like cybersecurity and cyber operations.”

Kozy: “Intrusions from China have continued unabated since 2018, with a select number of Chinese APTs having periods of inactivity due to COVID-19 shutdowns. The Cyber Security Law and National Intelligence Law, both enacted in 2017, provided additional legal authority for China’s intelligence services to access data and co-opt Chinese companies for use in vaguely worded national security investigations. Of note is China’s efforts to increase the number of domestic cybersecurity conferences and nationally recognized cybersecurity universities as part of ongoing recruitment pipelines for cyber talent. Though there was increased focus from the Western cybersecurity community on MSS-affiliated contractors after the formation of the PLA Strategic Support Force (PLASSF) in 2015, more PLA-affiliated APT groups have emerged since the pandemic with new tactics, techniques, and procedures. The new PLASSF organization means these entities may be compromising high-value targets and then assessing them for use for offensive cyber operations in wartime scenarios or cyber espionage operations.”

Roberts: “Since 2018, Chinese offensive cyber operations have increased in scale. China has reinvigorated its workforce capacity-building efforts to increase the overall quantity and quality of workers. It has tightened its legal regime, cracking down on external vulnerability disclosure. It has also begun significantly investing in disinformation campaigns, especially against Taiwan. This is evident by the Chinese influence in Taiwan’s 2018 and 2020 elections.”

#5 What domestic entities, partnerships, or roles exist in China’s model of cyber operations model that are not present in the United States or Western Europe?

Cary: “China’s emphasis on contracted hackers coincides with divergent levels of trust between the central government and some provincial-level MSS hacking teams. Some researchers maintain that one contracted hacking team pwns targets inside China to do internal security prior to visits by central government leaders. While there is scant evidence that these attitudes and beliefs make their way into operations against foreign targets, they do likely impact the distribution of responsibilities and operations in a way not seen in mature democracies. The politicization of intelligence services is particularly risky in China’s political system.”

Costello: “The extralegal influence of the CCP cannot be overstated. Though the National Security Law, National Intelligence Law, and other laws ostensibly establish a legal foundation for China’s security apparatus, the reality is that the party is not bound strictly to these laws—and they only demonstrate a public indicator of what power it may possess. The lack of any independent judiciary suggests unchecked power of the CCP to co-opt or compel assistance from any citizen or company for which it almost certainly has near-total leverage. While the suspicion of Chinese organizations can be overblown, the idea that the CCP has the power to utilize not each but any organization is sobering and the root of many of these concerns. The lack of rigorous rule of law, in these limited circumstances, is certainly a competitive advantage in the intelligence sphere.”

Jili: “Beijing has nurtured a tech industry and environment that actively support the party-state’s aims to bolster government surveillance and cyber capabilities. From large firms to startups, many companies work with the state to conduct vulnerability research, develop threat detection capabilities, and produce security and intelligence products. While these private firms rely on Chinese venture capital and state loans, they have grown to service a global customer base.”

Kozy: “Starting with the 2015 control of WooYun, China’s largest vulnerability site, the CCP has gained an incredible amount of control of the vulnerability supply chain within China, which affords its cyber actors access to high-value vulnerabilities for use in their campaigns. The aforementioned 2017 laws also made it easier for Chinese authorities to prevent domestic researchers from competing in cyber conferences overseas and improved access to companies doing vulnerability research in China. The CCP’s public crackdowns on Jack Ma, Ant Financial, and many others have shown that the CCP fears the influence its tech firms have and has quickly moved to keep its tech giants loyal to the party; a stark contrast to the relationships that the United States and European Union have with tech giants like Google, Facebook, etc.”

Roberts: “While corporate-government partnerships exist everywhere, what separates the United States and Western Europe from China is the scope and scale of the connective tissue that exists between the two entities. In China, this relationship has more explicit requirements in the cyber domain, especially when it comes to vulnerability disclosure.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—China’s cyber operations appeared first on Atlantic Council.

A hidden web of power revealed itself to Internet users in early 2022. Following a brutal government crackdown in Kazakhstan in January, anyone using open-source flight-tracking websites could watch kleptocratic elites flee the country on private jets.

A little more than a month later, Russia’s invasion of Ukraine brought a new spectacle: social media users were able to track various oligarchs’ superyachts as they jumped from port to port to evade Western sanctions. These feeds captured a national security problem in near real time: In Eurasia and beyond, kleptocratic elites with deep ties to the West were able to move themselves and their assets freely despite a host of speeches by senior officials, sanctions, and structures designed to stop them.

Kleptocratic regimes—kleptocracy means “rule by thieves”—have exploited the lax and uneven regulatory environments of the global financial system to hide their ill-gotten gains and interfere in politics abroad, especially in the United States, the United Kingdom, and the European Union. They are aided in this task by a large cast of professional enablers within these jurisdictions. The stronger these forces get, the more they erode the principles of democracy and the rule of law. Furthermore, the international sanctions regime imposed on Russia in response to its invasion of Ukraine has little hope of long-term success if the global financial system itself continues to weaken.

The West still has a long way to go to rein in the authoritarian kleptocrats who have thrived on the institutional dysfunction, regulatory failure, and bureaucratic weakness of the transatlantic community for far too long. We need to rethink not just how we combat kleptocracy, but also how we define it. Policy makers need to understand that authoritarian regimes that threaten transatlantic security are closely linked to illicit financial systems. As it stands, our thinking about how foreign corruption spreads is too constrained by stereotypes about kleptocratic goals and actions.

Outdated mental images of kleptocracy hobble the West’s response

Most transatlantic policy makers have in mind the first wave of kleptocracy, which primarily flourished in the late twentieth century. Its rise was intertwined with that of transatlantic offshore finance, which prompted a race to the bottom in financial regulation and a rise in baroque forms of corruption across the post-independence “Third World.”

The corrupt autocrats of the Cold War era flaunted the wealth they stole from their own people. These kleptocrats, many of whom are still spending large today, usually did not weaponize their corruption to influence the foreign policies of the United States or its allies. They were content to offshore their ill-gotten gains in US, UK, and EU jurisdictions with lax oversight over these types of transactions.

But this mental image of the kleptocrat is outdated: These kinds of kleptocratic leaders are not extinct, but they are curtailed. It is no longer a simple matter for first-wave kleptocrats to access the global financial system. Many of the regulatory loopholes exploited by these classic kleptocrats have either already been addressed or are in the process of being closed.

The second wave of kleptocracy, which emerged since the 2000s, is more sophisticated, authoritarian, and integrated into the global financial system than its predecessor. Second-wave kleptocrats intend to use the global financial system for strategic gains—either for self-gain and/or to reshape it in their image—instead of just hiding or securing the money they have stolen. Most notably, this evolution accelerated in Russia under President Vladimir Putin before February 2022, with the agendas of oligarchs and kleptocrats being subordinated to and intertwined with the plans of an ambitious state authoritarian.

Alongside this weaponized corruption, there has arisen in the West a coterie of enablers among the policy makers targeted by second-wave kleptocrats.

The second wave of kleptocracy is more sophisticated, more authoritarian—and more dangerous

Though our understanding of the threat posed by illicit finance has grown ever more sophisticated, our conception of a kleptocrat remains frozen in the mid-to-late 2000s: halfway between David Cronenberg’s 2007 London Russian gangster movie Eastern Promises, which depicted ties between the Russian state and overseas mafia groups, and the 2011 case of Teodoro Nguema Obiang Mangue, vice president of Equatorial Guinea, in which the US Justice Department seized a Gulfstream jet, yachts, cars, and Michael Jackson memorabilia. Both depictions—one fictional, one real—describe the world of ten years ago, when the second wave of kleptocracy was still relatively new.

So what does kleptocracy look like today?

The natural resources tycoon

The tycoon is a figure who has “assimilated” into the global financial system and been recognized as a legitimate businessperson because they provide a consistent source of fossil fuels to the United States and its allies. They view the transatlantic world above all as a market, but they cannot deviate too far from loyalty to the regime in the country from which they extract natural resources. As a result, the kleptocrat as natural resources tycoon has a strongly supportive relationship with the regime, which turns a blind eye to their criminal techniques. These tycoons often “donate” parts of their revenue to leadership figures. Several Russian oligarchs would seem to fit this typology, such as Gennady Timchenko, if many of the allegations against him are true.

The private corporation subordinated to authoritarian objectives

Private corporations can be a vector for state-sponsored weaponized corruption, especially if the state is controlled by a one-party authoritarian regime at odds with the United States, its allies, and the liberal international order. US officials remain suspicious of one private corporation’s connections to the Chinese Communist Party. Even though the corporation is officially privately owned, 98.99 percent of this corporation’s stock is officially owned by a trade union committee representing employees (with the remainder held by the corporation’s founder). However, all trade unions in China are required to be part of a CCP-run labor federation. A British parliamentary inquiry into the potential security risks of Chinese technology companies noted that, even if they were not directly led by the CCP, they tended to maintain very strong links, including receiving billions of dollars’ worth of funding from the Chinese government.

The Western enablers

A respected mainstream democratic politician was the leader of a major bloc in the Parliamentary Assembly of the Council of Europe (PACE). In this capacity, he led other PACE members to vote down a resolution based on a 2013 Council of Europe report that condemned Azerbaijan’s human rights record. However, it was later revealed that the enabler’s actions had been influenced by extravagant bribes from Ilham Aliyev’s regime in Azerbaijan.

These cases of second-wave kleptocracy show why, despite a decade of transatlantic anti-corruption activism and the sanctions imposed on the Kremlin’s cronies and war chest, the kleptocrats are still winning even as their objectives have evolved.

Chronically underregulated industries fuel the problem

As regulations have caught up to the first wave of kleptocracy, foreign kleptocrats are increasingly switching to different channels for illicit finance. 

Central to both the failure of transatlantic regulation and the strategies of second-wave kleptocrats are chronically underregulated financial industries: private investment firms, art dealerships, real estate agents, and luxury goods providers. The global arts trade industry was estimated to be worth $65 billion in 2021, with the United States, the UK, and the EU accounting for at least 70 percent ($45.5 billion) of worldwide sales.

As of 2020, the total value of assets under management in the global private investment industry was estimated at $115 trillion, more than $89 trillion of which was in the US, UK, and EU.

In 2020, the global value of residential real estate was an estimated $258.5 trillion, with North America and Europe together composing at least 43 percent of that value (approximately $111.155 trillion).

The cryptocurrency market is the newest. It is also less stable than other financial industries, so its relative size and value fluctuates more dramatically.

Weaponized corruption in action

The 1Malaysia Development Berhad (1MDB) scandal was the largest political scandal in Malaysian history and the most publicly known case of kleptocracy in the world before the release of the Panama Papers in 2016.

Photos: Reuters

A large amount of the stolen wealth remains in US real estate and fine art, which the Department of Justice is continuing to recover on behalf of Malaysia. As of August 2021, more than $1.2 billion had been recovered. Yet, given the number of private investment firms, real estate traders, film producers, and arts dealers that were involved in the 1MDB-related illicit finance, it is highly likely the stolen funds have been dispersed across a variety of industries. With better financial intelligence sharing between US, UK, and Dutch authorities, these suspicious dark money flows might have been identified before the money was moved across US financial institutions.

What needs to happen to take on the second-wave kleptocrats?

The US, UK, and EU need a more structured relationship to develop anti-corruption policies. We propose a new mechanism for the transatlantic community to harmonize its necessary response: a Transatlantic Anti-Corruption Council to coordinate anti-corruption policies between the United States, the UK, and the EU. It could connect the various US, UK, and EU agencies and directorates that work on corruption and kleptocracy-related issues, and organize them into expert groups focused on illicit finance, tax evasion, acquisition of luxury goods, and more. Recent cases of weaponized corruption have exploited the lack of regulatory coordination and financial intelligence sharing between transatlantic jurisdictions to evade detection and to corrupt transatlantic democratic and financial institutions. The TACC can work on closing these gaps—but it is only the beginning of a larger transatlantic strategy against weaponized corruption.

The anti-corruption policy to-do list

United States

In the United States, much of the problem stems from a lack of legislation enabling more comprehensive law enforcement and regulatory compliance within these underregulated industries. The United States should:

• Follow through on the US legislative national anti-corruption strategy. Many of the existing flaws in the US regulatory sphere were correctly identified and should be addressed accordingly. This includes the strategy’s commitment to increasing regulation on the private investment industry, including on firms managing assets totaling less than $100 million.
• FinCEN, the US FIU, is chronically understaffed, underbudgeted, and relies on outdated technology. Even if legislative reform was passed and/or executive action taken to extend BSA/AML obligations to more financial institutions, FinCEN would be hard-pressed to fully investigate reports it received and to enforce its authority in cases in which financial crime was present.

United Kingdom

The UK, on the other hand, already has much of the legislation it needs to address anti-money-laundering (AML) deficiencies and sanctions evasion occurring in its jurisdictions. It needs to implement that legislation—and address the close connections between the City of London and British Overseas Territories and Crown Dependencies. The UK should:

• Share legalistic principles and good practices of unexplained wealth orders (UWOs) with allies. UWOs have already proven to be very effective in bringing more investigative power to bear on to foreign kleptocrats based in the United Kingdom
• Reduce regulatory mismatches between the primary UK jurisdictions and the Crown Dependencies and Overseas Territories, especially with beneficial ownership registries and sanctions compliance
• Improve verification standards for companies registered in Companies House to identify shell companies
• Fully implement and enforce existing transparency and national security laws, especially the National Security and Investment Act

European Union

Much like the UK, many of the EU’s problems stem less from a lack of legislation than from the implementation of those policies. The EU faces additional hurdles in ensuring that all its member states harmonize their AML policies. The EU should:

• Increase compliance requirements for private investment firms managing assets totaling less than €100 million
• Fully implement the 6th Anti-Money Laundering Directive (6AMLD) across EU jurisdictions. The establishment of an EU Anti-Money Laundering Authority will be essential for harmonizing regulations across the European Union (EU).
• 6AMLD measures should also be applied to overseas autonomous territories like Aruba.
• Increase enforcement of laws that prohibit the spread of corruption in foreign territories, particularly for cases that involve spreading corruption to fellow EU member states

Transatlantic community

The transatlantic community should:

• Work closely with the United States in its national anti-corruption strategy. The strategy’s success will be heavily dependent on the degree of cooperation between US allies and the Biden administration in its implementation.
• Match regulatory legislation on both sides of the Atlantic. This will permit better coordination of sanctions between allies and reduce tensions between the United States and its allies when the United States relies on extraterritorial action.
• Create channels for financial intelligence units and private sector actors in transatlantic jurisdictions to share information about suspicious clients, transactions, and transfers. The Europol Financial Intelligence Public Private Partnership (EFIPPP) may be a good platform for increased intelligence sharing.
• Establish the Transatlantic Anti-Corruption Council (TACC). Its main purpose would be to coordinate legislation on improving anti-money laundering/Know Your Customer (AML/KYC) policies, share good governance policies (such as beneficial ownership registries) to harmonize regulations, crack down on sanctions evasion, and share financial intelligence on transnational financial criminals to shut down their operations.
• The TACC should also regularly convene expert working groups on, at a minimum:
• trade-based illicit finance,
• market-based illicit finance,
• bribery and other enabling forms of corruption,
• acquisition of luxury goods by kleptocrats,
• asset returns,
• tax evasion,
• terrorist financing, and
• future threats.
• Financial intelligence working groups should similarly cover individual cases of financial crime at the tactical level. At the executive level, primary stakeholders in the TACC should be
• the Departments of State, Treasury, and Justice, and USAID on the US side,
• the Foreign, Commonwealth & Development Office (FCDO); His Majesty’s Treasury; and the Home Office on the UK side, and
• the Directorate-General for Economic and Financial Affairs; Directorate-General for Financial Stability, Financial Services and Capital Markets Union; and Directorate-General for Justice and Consumers on the EU side

The late United Nations secretary-general Kofi Annan once said: “If corruption is a disease, transparency is a central part of its treatment.” Annan spoke in a time before the crisis of weaponized corruption rose to prominence, but his words ring clearer now that foreign kleptocrats are spreading their malign influence by means of the money they stole from their own people. The United States and its allies must choose the partners with which it engages more carefully. Otherwise, it may find that some of its partners are in fact proxies for strategic competitors of the transatlantic community who will undermine the West’s security and the integrity of its democracies from the inside.

Related content

New Atlanticist Nov 9, 2021

How to get Biden’s democracy summit right

By Daniel Fried, Rose Jackson

Two of the Council’s democracy experts say the upcoming Summit for Democracy needs to take aim at autocrats’ tools by focusing on anti-corruption and tech standards, and elevating civil society.

Civil Society Corruption

New Atlanticist Apr 5, 2022

How the world’s parliaments can team up against Russian aggression

By Francis Shin and Riho Terras

An interparliamentary alliance against Kremlin aggression would maximize global efforts to coordinate sanctions and keep the pressure on Moscow.

Corruption Economic Sanctions

UkraineAlert Oct 26, 2022

The West needs a more united approach to sanctioning Putin’s elite

By David Clark

With Russia’s invasion of Ukraine now in its ninth month, it is time for a coordinated approach to sanctioning Putin’s elite that reflects the seriousness of the threat they pose to global security, writes David Clark.

Conflict Corruption

The post Authoritarian kleptocrats are thriving on the West’s failures. Can they be stopped? appeared first on Atlantic Council.

Security

Russian forces claim control of strategic Soledar

Tracking narratives

Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize

Frenzy befalls French company accused of feeding Russian forces on New Year’s Eve

Former head of Russian space agency injured in Donetsk, mails shell fragment to French ambassador

Sputnik Lithuania’s former chief editor arrested

International response

New year brings new military aid for Ukraine

Ukrainian envoy to Georgia discusses deteriorating relations between nations

Russian forces claim control of strategic Soledar

Russia said on January 13 that its forces had taken control of the contested city of Soledar. Recent fighting has been concentrated in Soledar and Bakhmut, two cities in the Donetsk region that are strategically important to Ukrainian and Russian forces. Moscow has been trying to take control of the two cities since last summer. Over the past week, Russia has increased its presence on the fronts with the support of Wagner units. Russia wants control of the Soledar-Bakhmut axis to cut supply lines to the Ukrainian armed forces.  

On January 10, Russian sources claimed that Wagner forces had advanced into Soledar. Interestingly, Wagner financier Yevgeny Prigozhin denied the claim and said the forces were still engaged in fighting. Wagner’s presence was established in a camp near Bakhmut. Soldiers from the Wagner Group and other special forces deployed to Bakhmut after other military units had failed to break through the Ukrainian defense.  

On January 11, Ukrainian Deputy Defense Minister Anna Malyar said that heavy fighting was taking place in Soledar and that Russian forces had replaced the unit operating in the city with fresh troops and increased the number of Wagner soldiers among them. The same day, Prigozhin claimed that Wagner forces had taken control of Soledar. The Ukrainian defense ministry denied the allegation. On January 12, Ukrainian sources shared unconfirmed footage of soldiers driving on the main road connecting Bakhmut and Soledar with Sloviansk and Kostyantynivka to as evidence that the area remained under Ukrainian control.  

Elsewhere, on January 11, the Kremlin announced that Valery Gerasimov would replace Sergei Surovikin as commander of Russian forces in Ukraine. The unexpected move could be interpreted as evidence of a struggle for influence in Russian military circles. Surovikin is considered close to Prigozhin’s entourage, which has criticized senior officers recently, including Gerasimov. Some analysts believe that the change signals a possible military escalation from Russia. 

Furthermore, on January 8, Ukrainian forces repelled a Russian offensive the vicinity of Makiyivka and Stelmakhivka. Further north of Lysychansk, on January 11, Ukraine also repelled an attack on the city of Kreminna. In the neighboring Kharkiv region, aerial threats remain high. On the southern front, the city of Kherson and several cities across the Zaporizhzhia region remain targets of Russian attacks.  

Lastly, a new Maxar satellite image from nearby Bakhmut exemplifies the brutality of war on the frontline in Donetsk. The image shows thousands of craters, indicating the intensity of the artillery shelling and exchange of fire between Ukrainian and Russian forces.

—Valentin Châtelet, Research Associate, Brussels, Belgium

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria

Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize

In December 2022, the Wagner Group organized a hackathon at its recently opened headquarters in St. Petersburg, for students, developers, analysts, and IT professionals. Wagner announced the hackathon on social media earlier that month. Organizers created the promotional website hakaton.wagnercentr.ru, but the website went offline soon after. A December 8 archive of the website, accessed via the Internet Archive Wayback Machine, revealed that the objective of the hackathon was to “create UAV [unmanned aerial vehicle] positioning systems using video recognition, searching for waypoints by landmarks in the absence of satellite navigation systems and external control.” Hackathon participants were asked to complete the following tasks: display the position of the UAV on the map at any time during the flight; direct the UAV to a point on the map indicated by the operator; provide a search for landmarks, in case of loss of visual reference points during the flight and returning the UAV to the point of departure, in case of a complete loss of communication with the operator.   

On December 9, Ukrainian programmers noticed that hakaton.wagnercentr.ru was hosted by Amazon Web Services and asked users to report the website to Amazon. Calls to report the channel also spread on Telegram, where the channel Empire Burns asked subscribers to report the website and provided instructions on how to do so. Empire Burns claims hakaton.wagnercentr.ru first went offline on December 9, which tallies with archival posts. However, there is no evidence that reporting the website to Amazon resulted in it being taken offline.   

Snapshots of hakaton.wagnercentr.ru from the Wayback Machine show the website was created in a Bitrix24 online workspace. A snapshot captured on December 13 shows an HTTP 301 status, which redirects visitors to Wagner’s main website, wagnercentr.ru. The Wagner website appears to be geo-restricted for visitors outside Russia. 

On December 23, a Wagner Telegram channel posted about the hackathon, claiming more than 100 people applied. In the end, forty-three people divided into twelve teams attended. The two-person team GrAILab Development won first place, the team SR Data-Iskander won second place, and a team from the company Artistrazh received third place. Notably, one of Artistrazh’s co-founders is Igor Turashev, who is wanted by the FBI for his connection to computer malware that the bureau claims infected “tens of thousands of computers, in both North America and Europe, resulting in financial losses in the tens of millions of dollars.” Artistrazh’s team comprised four people who won 200,000 Russian rubles (USD $3,000). OSINT investigators at Molfar confirmed that the Igor Turashev who works at Artistrazh is the same one wanted by the FBI.  

Wagner said that one of the key objectives of the hackathon was the development of IT projects to protect the interests of the Russian army, adding that the knowledge gained during the hackathon could already be applied to clear mines. Wagner said it had also invited some participants to collaborate further. The Wagner Center opened in St. Petersburg in early November 2022; the center’s mission is “to provide a comfortable environment for generating new ideas in order to improve Russia’s defense capability, including information.”

– Givi Gigitashvili, DFRLab Research Associate, Warsaw, Poland

Frenzy befalls French company accused of feeding Russian forces on New Year’s Eve

A VKontakte post showing baskets of canned goods produced by the French company Bonduelle being distributed to Russian soldiers on New Year’s Eve has sparked a media frenzy in France. The post alleges that Bonduelle sent Russian soldiers a congratulatory package, telling them to “come back with a win.” The post quotes Ekaterina Eliseeva, the head of Bonduelle’s EurAsia markets. According to a 2019 Forbes article, Eliseeva studied interpretation at an Russian state security academy.  

Bonduelle has issued several statements denying the social media post and calling it fake. However, Bonduelle does maintain operations in Russia “to ensure that the population has access to essential foodstuff.”  

French broadcaster TV 5 Monde discovered that Bonduelle’s Russia division participated in a non-profit effort called Basket of Kindness, sponsored by the Fund of Presidential Grants of Russia. Food and supplies were gathered by food banks to be delivered to vulnerable segments of the population. However, during the collection drive, Dmitry Zharikov, governor of the Russian city of Podolsk, posted on Telegram that the collections would also serve military families.   

The story was shared on national television in France and across several international outlets. The Ukrainian embassy in France criticized Bonduelle for continuing to operate in Russia, claiming it was “making profits in a terrorist country which kills Ukrainians.”

—Valentin Châtelet, Research Associate, Brussels, Belgium

Former head of Russian space agency injured in Donetsk, mails shell fragment to French ambassador

Dmitry Rogozin, former head of the Russian space agency Roscosmos, said he was wounded in Ukrainian shelling on December 21, 2022, at the Shesh hotel in Donetsk while “celebrating his birthday.” In response, Rogozin sent a letter to Pierre Lévy, the French ambassador to Russia, with a fragment of the shell.   

In the letter, Rogozin accused the French government of “betraying [Charles] De Gaulle’s cause and becoming a bloodthirsty state in Europe.” The shell fragment was extracted from Rogozin’s spine during surgery and allegedly came from a French CAESAR howitzer. Rogozin requested the fragment be sent to French President Emmanuel Macron. His message was relayed by Russian news agencies, and on Telegram by pro-Russian and French-speaking conspiracy channels.  

At the time of the attack, Rogozin was accompanied by two members of his voluntary unit, “Tsar’s wolves,” who were killed in the attack, according to reporting from RT, RIA Novosti, and others.  

– Valentin Châtelet, Research Associate, Brussels, Belgium

Sputnik Lithuania’s former chief editor arrested

On January 6, Marat Kasem, the former chief editor of Sputnik Lithuania, was arrested in Riga, Latvia, on suspicion of “providing economic resources” to a Kremlin propaganda resource under EU sanctions.  

The following day, pro-Kremlin journalists held a small demonstration in support of Kasem in front of the Latvian embassy in Moscow. Russian journalist Dmitry Kiselyov and politician Maria Butina attended the event. 

The demonstration was filmed by Sputnik and amplified with the Russian hashtag  #свободуМаратуКасему (#freedomForMaratKasem) on Telegram channels operating in the Baltic states, including the pro-Russian BALTNEWS, Своих не бросаем! | Свободная Балтика!, and on Butina’s personal channel. The news of Kasem’s arrest also reached the Russian Duma’s Telegram channel, which re-shared Butina’s post. 

– Valentin Châtelet, Research Associate, Brussels, Belgium

New year brings new military aid for Ukraine

International efforts in support of Ukraine are continuing in full force in 2023. On January 4, Norway announced it had sent Ukraine another 10,000 155mm artillery shells. These shells can be used in several types of artillery units, including the M109 self-propelled howitzer. On January 5, Germany confirmed it would provide Ukraine with Marder fighting vehicles and a Patriot anti-aircraft missile battery. German news outlet Spiegel also reported that talks are underway to supply Ukraine with additional Gepard anti-aircraft guns and ammunition. 

In addition, UK Foreign Secretary James Cleverly said the British government would supply Ukraine with military equipment capable of delivering a “decisive” strike from a distance. At the end of 2022, UK Defense Secretary Ben Wallace discussed the possibility of transferring Storm Shadow cruise missiles, with a range of up to 250 kilometers. Finland also reported that it is preparing its twelfth package of military assistance to Ukraine.  

US aid to Ukraine is also being reaffirmed with a $2.85 billion package on top of weapon deliveries. Additionally, the US plans to deliver fourteen vehicles equipped with anti-drone systems as part of its security assistance package. The company L3Harris is part of the Pentagon’s contract to develop anti-drone kits. This equipment would help protect Ukrainian civil infrastructure, which has been a frequent Russian target since October 2022.  

On January 6, French President Emmanuel Macron announced that France would supply Ukraine with units of the light AMX-10RC armored reconnaissance vehicle. These vehicles were produced in 1970 and have been used in Afghanistan, the Gulf War, Mali, Kosovo, and Ivory Coast. The French defense ministry also announced that the country was to deliver twenty units of ACMAT Bastion armored personnel carriers. 

On January 11, Ukrainian President Volodymyr Zelenskyy met with Presidents Andrzej Duda of Poland and Gitanas Nauseda of Lithuania in Lviv. During the visit, Duda announced that Poland would deliver fourteen units of the much-awaited German Leopard combat tanks, and Nauseda announced that his country would provide Ukraine with Zenit anti-aircraft systems. 

Meanwhile, the largest manufacturer of containers for the transport of liquified natural gas has ceased operations in Russia. French engineering group Gaztransport & Technigaz (GTT) said it ended operations in Russia after reviewing the latest European sanctions package, which included a ban on engineering services for Russian firms. The group said its contract with Russian shipbuilding company Zvezda to supply fifteen icebreakers to transport liquefied natural gas was suspended effective January 8.

—Valentin Châtelet, Research Associate, Brussels, Belgium

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria

Ukrainian envoy to Georgia discusses deteriorating relations between nations

On January 9, Andrii Kasianov, the Ukrainian Chargé d’Affaires in Georgia, published an article discussing the deteriorating relationship between the two countries. The article stated that the top issues affecting relations were military aid to Ukraine, bilateral sanctions against Russia, visa policies for fleeing Russians, and the legal rights of Mikheil Saakashvili, the imprisoned third president of Georgia, who is also a Ukrainian citizen. 

Kasianov noted that Tbilisi declined Kyiv’s request for military help, specifically for BUK missile systems, which were given to Georgia by Ukraine during Russia’s 2008 invasion. The diplomat said that the weapons request also included Javelin anti-tank systems supplied to Georgia by the United States.  

“Despite the fact that the Georgian government categorically refused to provide military aid, Ukraine opposes the use of this issue in internal political disputes and rejects any accusations of attempts to draw Georgia into a war with the Russian Federation,” Kasianov said. 

Since the Russian invasion of Ukraine, the Georgian Dream-led government has accused Ukraine, the US, and the EU of attempting to drag Georgia into a war with Russia.  

—Eto Buziashvili, Research Associate, Tbilisi, Georgia

The post <strong>Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize</strong>  appeared first on Atlantic Council.

The post Webster in China-Russia Report: Special report: Russian intelligence’s very bad year appeared first on Atlantic Council.

On November 16, Forward Defense nonresident senior fellow Marc Polymeropoulos appeared on MSNBC to discuss the significance of the missile strike that hit Poland.

Fellow

Marc Polymeropoulos

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Afghanistan Europe & Eurasia

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Learn more

The post Polymeropoulos on MSNBC discussing missile strike in Poland appeared first on Atlantic Council.

On September 21, the Scowcroft Center for Strategy and Security’s Nonresident Senior Fellow William Evanina testified before the Senate Select Committee on Intelligence. In his testimony, Evanina discussed the growing cyber threat posed to US business and academic institutions.

Former fellow

William R. Evanina

Former Nonresident Senior Fellow

Scowcroft Center for Strategy and Security

Cybersecurity Disinformation

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Learn more

The post Evanina testifies to Senate Select Committee on Intelligence appeared first on Atlantic Council.

Approximately one year ago, on November 3, 2021, the US Commerce Department added four companies, including Israel-based NSO Group, to its Entity List for supporting cyber surveillance and access-as-a-service activities, “that are contrary to the national security or foreign policy interests of the United States.” Foreign governments used NSO Group’s products, notably its Pegasus spyware, to target individuals, such as journalists and activists, and suppress dissent. Just one month later, reporting indicated that Apple tipped off the US Embassy in Uganda that an undisclosed foreign government had targeted the iPhones of eleven embassy employees. 

A New York Times report published on November 12 reveals how close the United States was to using Pegasus for its own investigative purposes. The FBI, which previously acknowledged having acquired a Pegasus license for research and development, contemplated use of the tool in late 2020 and early 2021 and developed guidelines for how federal prosecutors would disclose its use in criminal proceedings. The FBI ultimately decided not to buy from NSO, amid the many stories of abuse of the tool by foreign governments, but the revelation underscores the double-edged nature of cyber surveillance technologies designed to support law enforcement and intelligence missions. 

There are dozens of firms in the Access-as-a-Service industry developing and proliferating a powerful class of surveillance technologies. We brought together a group of experts to discuss the rise of cyber surveillance and the impact of this industry on the United States and its allies. 

#1 What implications can foreign governments’ domestic cyber surveillance programs have on US national security?

Siena Anstis, senior legal advisor, Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto: 

“The proliferation of spyware presents a national security risk to the United States. These technologies facilitate not only the targeting of human rights defenders and civil society, but also provide an across-the-board opportunity to undertake acts of espionage through their ability to exploit vulnerabilities in popular applications and operating systems that impact everyone. This was well-illustrated by the targeting of US diplomats in 2021 with NSO Group’s Pegasus spyware. No one is safe from being targeted with this highly intrusive, silent, and increasingly hard to detect technology. This risk extends to the US government.” 

Winnona DeSombre, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council: 

“We live in an increasingly interconnected world when it comes to data and surveillance. From an individual perspective, US citizens who work on national security regularly interface with relatives and friends abroad who may be surveilled. US military service members use Tiktok, an app whose data flows back to China. Domestic surveillance in another country does not just touch that country’s citizens, but it also touches any US national who interfaces with that country’s people and corporations.” 

Lars Gjesvik, doctoral research fellow, Norwegian Institute of International Affairs: 

“Way back in ancient 2013, the US intelligence community warned that private companies were developing tools that aided foreign states in targeting US systems. Clearly, this has been of some concern for a decade and has some implications for national security. There is no doubt that such commercially available tools have done great harm when it comes to human rights and targeting civil society, and you have some reported cases like Project Raven where commercial tools start to become a national security problem as well.” 

Kirsten Hazelrig, policy lead, The MITRE Corporation: 

“There are absolutely direct threats to US interests from the use of cyber surveillance abroad—any newspaper will relay confirmed reports of US officials being targeted abroad by tools such as Pegasus. However, this is simply a new tool for an age-old game of espionage. Perhaps more insidious is how tools and programs can be abused to enable the spread of authoritarianism, degrade human rights, and erode democratic values. I am not sure if anyone fully understands the implications to national security if these capabilities are allowed to spread unchecked.” 

Ole Willers, postdoctoral researcher, Department of Organisation, Copenhagen Business School:  

“Within the context of cyber surveillance programs, the distinction between domestic and foreign operations is not always as clearcut. Domestic campaigns oftentimes target individuals located in other jurisdictions, including the United States. The targeting of Canadian-based activist Omar Abdulaziz by Saudi Arabian surveillance operations is a prominent example.”

#2 Where do cyber capabilities fit into the spectrum of surveillance technologies?

Anstis: “Spyware technology provides governments with the ability to undertake highly intrusive surveillance. Sophisticated versions of this technology provide complete entry into targeted devices, including the contents of encrypted communication apps, camera, microphone, documents stored on the phone, and more. This impacts not only targeted individuals, but also exposes those who communicate with these people such as friends, family, and colleagues. Governments have a variety of surveillance technologies at their disposal, and spyware is undoubtedly one of the most stealthy and intrusive tools on the market that makes it difficult, if not impossible, for journalists, human rights defenders, activists, and other members of civil society critical of the government to do their work.” 

DeSombre: “Cyber capabilities that feed into offensive cyber operations are usually far more tailored than surveillance technology writ large, especially compared to dragnet surveillance technologies. The little bit of overlap occurs when governments want to surveil targets who they believe are of higher value or harder to get to, in which case authoritarian governments will break out the more expensive capabilities like zero-days or purchase expensive spyware licenses like those offered by NSO and Candiru.” 

Gjesvik: “The term ‘surveillance technologies’ is quite broad, and it depends greatly on how you define it. But if you think about the capabilities and services provided to intelligence, law enforcement, or military agencies, then it is a question of how sophisticated they are and their scope. The most sophisticated cyber capabilities offered by the top-tier companies probably equal the capabilities of most intelligence agencies, and there is no real difference functionally in them being used domestically or against strategic adversaries.” 

Hazelrig: “Surveillance technologies are broad sets of tools that enable a human actor to achieve an objective, be it to improve traffic, indict a criminal, track terrorist movements, stalk a partner, or steal a competitor’s data. Cyber capabilities can range as widely as these objectives and their targets. They may range from low-end spyware to extremely sophisticated technology, and are almost always paired with additional tools and tradecraft that make them impossible to evaluate devoid of operational context.” 

Willers: “If we define cyber capabilities in terms of the various activities oriented towards gaining stealth access to digital information, their importance for surveillance operations can hardly be overstated. Whereas traditional surveillance technologies continue to play a role, cyber capabilities offer forms of access that are much more comprehensive. Access to a smartphone is fundamentally different from the traditional wiretap and allows for the real-time surveillance of location patterns, communications, web searches, financial transactions, and more.”

#3 What is the Access-as-a-Service industry and what kind of relationship should the United States and its allies have with it?

Anstis: “The Access-as-a-Service industry describes companies that provide services to different actors—often states—to access data or systems. In the past few years, we have seen an acceleration in human rights abuses associated with this industry and a growing formalization of the sector with private investors and states increasingly interested in the growth of these companies. Considering the litany of human rights abuses that follows the growing availability of the technologies and services offered by this industry, the United States and other states have an obligation to regulate and limit the availability of these technologies and the industry’s business practices.” 

DeSombre: “The Access-as-a-Service industry makes offensive cyber operations incredibly simple to pull off—aggregating disparate capabilities that take years of investment to make (zero-days, malware, training, infrastructure, processes) into a single solution that a government can purchase off the shelf and use easily. It is not necessarily a bad industry—the United States and its allies also rely on privatized talent to conduct cyber operations. However, the United States and its allies must be proactive about shaping responsible behavior within the industry to ensure these services are not purchased en masse by authoritarian regimes and adversaries.” 

Gjesvik: “Simply put, it is an industry that sells access to digital data and systems. A wide swathe of technologies and services fits into this definition. Considering what relationship Western states should have with it should start with acknowledging that most states rely on private contractors and capabilities to some extent. There are clear problems of democratic oversight and misuse, but having their intelligence agencies and law enforcement lose access to digital evidence and data is probably not something governments would accept, and smaller states would struggle to develop the capabilities themselves. It is hard to decide on a relationship with a surveillance industry without deciding on the role of surveillance in modern societies, and I do not think we have done that.” 

Hazelrig: “Access-as-a-Service, or the related but more colorfully named “hacker-for-hire” industry, are loose terms for the criminal actors that sell the information, capabilities, and services necessary to conduct cyber intrusions. These actors sell their wares with little regard as to impact and intent, enabling ransomware and other attacks.” 

Willers: “The Access-as-a-Service industry is a niche market that sells data access to state agencies, and it has repeatedly been singled out for facilitating the proliferation of offensive cyber capabilities to authoritarian states. The United States and its allies face a dilemma in that they rely on the Access-as-a-Service industry to provide domestic law enforcement and intelligence agencies with cutting edge technology. Simultaneously, they have a strong incentive to limit the availability of these technologies to other customers. Balancing these interests has proven extremely difficult, which is why I see a need to limit our dependency on the private sector within this context.” 

More from the Cyber Statecraft Initiative:

A primer on the proliferation of offensive cyber capabilities

Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets

China’s surveillance ecosystem and the global spread of its tools

#4 In what ways does government surveillance compare and contrast with corporate surveillance?

Anstis: “Government surveillance is similar to corporate surveillance in that both exploit the fact that we increasingly live our lives on internet-connected devices. The data we generate in our daily interactions, which is then collected by companies and governments, can be used for a variety of purposes that target and exploit us—from the crafting of targeted advertising to location tracking to the mapping of a human right activist’s network. However, government surveillance differs in at least one important respect: governments have the power to not only surveil, but also to detain, torture, kidnap, or otherwise enact acts of violence against an individual. Spyware technologies facilitate the government’s ability to engage in these activities.” 

DeSombre: “The podcast I help run just made an episode on this! Effectively, corporate surveillance and government surveillance have two separate goals: corporations collect your data to sell (usually to advertisers who then target you with personalized advertisements), while the government collects data for law enforcement or national security purposes. US government surveillance has hard rules it must follow for collecting on US citizens, although some of this is circumvented by buying corporate data. US and EU companies are now getting increasingly constrained by data privacy laws as well. But these types of regulations on both companies and governments differ vastly from country to country.” 

Gjesvik: “When you think about who conducts the surveillance, the big difference would be the extent to which government surveillance is supposedly in the end about protecting its citizens while corporate surveillance is mainly about the interests of the corporation. If it is about who actually does the surveillance then the distinction between governments and private actors can be pretty blurry, as can the level of capabilities.” 

Hazelrig: “The technical aspects of government and commercial surveillance are similar, and often share tools and techniques. However, the practices around their use are widely different. For a large part, democratic states limit surveillance through public opinion and law. There is admittedly misuse and abuse, but an intent and organizational structure to ‘do good.’ This is not necessarily true of commercial capabilities that may be sold without understanding of or care about intended use. As the opaque commercial market evolves, we are just beginning to understand the full spectrum of uses and impacts. Democratic states need to develop norms for law enforcement and other acceptable uses of cyber intrusion and surveillance capabilities, and to enforce actions against those that violate these norms and the industry that supplies them.”

Willers: “Both can be problematic considering that privacy is a fundamental human right in the European Union. Access to personal information has become a key asset across many industries, but the gathering of this information is a purely private and for-profit undertaking, however problematic it may be. State surveillance derives from a desire to provide public safety, which can be a good thing as long as it remains proportional and rooted in democratic norms—conditions that cannot be taken for granted.”

#5 How has the Access-as-a-Service industry evolved over the past two decades and where do you see it going from here?

Anstis: “The Access-as-a-Service industry has become increasingly formalized in the past two decades, with growing interest from investors and states in terms of funding the industry, as well as accessing the services and technologies offered. I see the next few years as a critical turning point in the industry’s development. Countless human rights abuses have brought increased awareness that the services and technologies offered by the Access-as-a-Service industry have serious human rights ramifications—as well as national security concerns—that need to be addressed. With ongoing investigations in the European Parliament, the United States, and elsewhere into companies that participate in this industry, I hope that we will see more specific steps aimed at curbing and controlling it.” 

DeSombre: “Like every part of the cybersecurity ecosystem since the early 2000s, the Access-as-a-Service industry has grown, professionalized, and turned towards mobile, embedded, and other non-desktop systems. Your laptop is not the only place with interesting data!” 

Gjesvik: “This is a pretty opaque industry, and there is not a ton of structured encompassing data available that I am aware of, but there are some broad trends. The first is globalization, a quite substantive expansion of tools and technologies available, and a lot more money to be made as well. Going forward, I am probably most interested in the extent to which the industry is controllable by any state actor. Will recent efforts by the United States and the European Union succeed in limiting the worst excesses? Or will it just accelerate the diversification of suppliers?” 

Hazelrig: “So long as there have been criminal hackers, there have been ways for those with the right connections to procure intrusion services. However, about a decade ago, we started to see the emergence of professional firms that sold these services commercially, primarily to governments around the globe. The past couple of years has brought casual proliferation and a booming ‘consumer’ market—shady companies advertise euphemistically-phrased services on mainstream platforms such as LinkedIn, and many online criminal marketplaces have whole sections of specialty products and services from which to choose.” 

Willers: “The origins of the Access-as-a-Service industry can be traced back to a combination of privatization dynamics in the telecommunication sector during the 1990s, the rise of digital communication systems, and the political focus on surveillance in the aftermath of the September 11 terrorist attacks. Since then, the industry has developed at the speed of technology, and there is good reason to doubt that the United States remains in a position to control it. Limiting access to technology is difficult, especially when it is as mobile as spyware technology. This is why I doubt that the United States or any other country alone can control the operations of the market.” 

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—The rise of cyber surveillance and the Access-as-a-Service industry appeared first on Atlantic Council.

Executive summary

Cyberspace as a domain of conflict often creates an asymmetric advantage for comparably less capable or under-resourced actors to compete against relatively stronger counterparts.¹ As such, a panoply of non-state actors is increasingly acquiring capabilities and integrating offensive cyber operations into their toolkits to further their strategic aims. From financially driven criminal ransomware groups to politically inspired patriot hacking collectives, non-state actors have a wide range of motivations for turning to offensive cyber capabilities. A number of these non-state actors have histories rooted almost entirely in armed kinetic violence, from professional military contractors to drug cartels, and the United States and its allies are still grappling with how to deal with them in the cyber context.² Militant and terrorist organizations have their own specific motivations for acquiring offensive cyber capabilities, and their operations therefore warrant close examination by the United States and its allies to develop effective countermeasures.

While most academic scholarship and government strategies on counterterrorism are beginning to recognize and address the integral role of some forms of online activity, such as digital media and propaganda on behalf of terrorist organizations, insufficient attention has been given to the offensive cyber capabilities of these actors. Moreover, US strategy,³ public intelligence assessments, and academic literature on global cyber threats to the United States overwhelmingly focuses on the “big four” nation-state adversaries—China, Russia, Iran, and North Korea. Before more recent efforts to address the surge in financially driven criminal ransomware operations, the United States and its allies deployed policy countermeasures overwhelmingly designed for use against state actors.

To the extent that US counterterrorism strategy addresses the offensive cyber threat from terrorist organizations, it is focused on defending critical infrastructure against the physical consequences of a cyberattack. Hamas, despite being a well-studied militant and terrorist organization, is expanding its offensive cyber and information capabilities, a fact that is largely overlooked by counterterrorism and cyber analysts alike. Overshadowed by the specter of a catastrophic cyberattack from other entities, the real and ongoing cyber threats posed by Hamas prioritize espionage and information operations.

This report seeks to highlight Hamas as an emerging and capable cyber actor, first by explaining Hamas’s overall strategy, a critical facet for understanding the group’s use of cyber operations. Next, an analysis will show how Hamas’s cyber activities do not indicate a sudden shift in strategy but, rather, a realignment that augments operations. In other words, offensive cyber operations are a new way for Hamas to do old things better. Finally, the policy community is urged to think differently about how it approaches similar non-state groups that may leverage the cyber domain in the future. This report can be used as a case study for understanding the development and implementation of cyber tools by non-state entities.

As the title of this report suggests, Hamas is like a green hat hacker—a term that is not specific to the group but recognized in the information security community as someone who is relatively new to the hacking world, lacking sophistication but fully committed to making an impact and keen to learn along the way.⁴ Hamas has demonstrated steady improvement in its cyber capabilities and operations over time, especially in its espionage operations against internal and external targets. At the same time, the organization’s improvisation, deployment of relatively unsophisticated tools, and efforts to influence audiences are all hallmarks of terrorist strategies. This behavior is in some ways similar to the Russian concept of “information confrontation,” featuring a blend of technical, information, and psychological operations aimed at wielding influence over the information environment.⁵

Understanding these dynamics, as well as how cyber operations fit into the overall strategy, is key to the US development of effective countermeasures against terrorist organizations’ offensive cyber operations.

“Pwn” goal

In the summer of 2018, as teams competed in the International Federation of Association Football (FIFA) World Cup in Russia, Israeli soldiers followed the excitement on their smartphones from an Israel Defense Forces (IDF) base thousands of miles away. Like others in Israel, the soldiers were using a new Android application called Golden Cup, available for free from the Google Play store. The program was promoted in the lead up to the tournament as “the fastest app for live scores and fixtures for the World Cup.”⁶ The easy-to-use application delivered as advertised—and more.

Once installed, the application communicated with its command-and-control server to surreptitiously download malicious payloads onto user devices. The payloads infected the target devices with spyware, a variety of malware that discreetly monitors the target’s device and steals its information, usually for harmful use against the target individual.⁷ In this particular case, the spyware was intentionally deployed after the application was downloaded from the Google Play store in order to bypass Google’s security screening process.⁸ This allowed the spyware operator to remotely execute code on user smartphones to track locations, access cameras and microphones, download images, monitor calls, and exfiltrate files.

Golden Cup users, which included Israeli civilians and soldiers alike, did not realize that their devices were infected with spyware. As soldiers went about their daily routines on bases, the spyware operators reaped reams of data from the compromised smartphones. In just a few weeks of discreet collection, before discovery by IDF security, the adversary successfully collected non-public information about various IDF bases, offices, and military hardware, such as tanks and armored vehicles.⁹

The same adversary targeted Israeli soldiers with several other malicious Android applications throughout the summer of 2018. A fitness application that tracks user running routes collected the phone numbers of soldiers jogging in a particularly sensitive geographic location. After collecting these numbers, the adversary targeted the soldiers with requests to download a second application that then installed spyware. Additional targeting of Israeli soldiers that same summer included social engineering campaigns encouraging targets to download various spyware-laced dating applications with names like Wink Chat and Glance Love, prompting the IDF to launch the aptly named Operation Broken Heart in response.¹⁰

Surprisingly, this cyber espionage campaign was not the work of a nation-state actor. Although the clever tradecraft exhibited in each operation featured many of the hallmarks of a foreign intelligence service, neither Israel’s geopolitical nemesis Iran nor China,¹¹ an increasingly active Middle East regional player, was involved.¹² Instead, the campaign was the work of Hamas.

1. Introduction

The asymmetric advantage afforded by cyberspace is leading a panoply of non-state actors to acquire and use offensive cyber capabilities to compete against relatively stronger counterparts. The cyber threat from criminal ransomware organizations has been well documented, yet a range of other non-state actors traditionally involved in armed kinetic violence, from professional military contractors to drug cartels, is also trying their hand at offensive cyber operations, and the United States and its allies are still grappling with how to respond. Each actor has a discreet motivation for dabbling in cyber activities, and lumping them all into one bucket of non-state actors can complicate efforts to study and address their actions. The operations of militant and terrorist organizations in particular warrant close examination by the United States and its allies in order to develop effective countermeasures.

A robust online presence is essential for modern terrorist organizations. They rely on the internet to recruit members, fund operations, indoctrinate target audiences, and garner attention on a global scale—all key functions for maintaining organizational relevance and for surviving.¹³ The 2022 Annual Threat Assessment from the US Intelligence Community suggests that terrorist groups will continue to leverage digital media and internet platforms to inspire attacks that threaten the United States and US interests abroad.¹⁴ Recent academic scholarship on counterterrorism concurs, acknowledging the centrality of the internet to various organizations, ranging from domestic right-wing extremists to international jihadists, and their efforts to radicalize, organize, and communicate.

The US government has taken major steps in recent years to counter terrorist organizations in and through cyberspace. The declassification of documents on Joint Task Force Ares and Operation Glowing Symphony, which began in 2016, sheds light on complex US Cyber Command efforts to combat the Islamic State in cyberspace, specifically targeting the group’s social media and propaganda efforts and leveraging cyber operations to support broader kinetic operations on the battlefield.¹⁵ The latest US National Strategy for Counterterrorism, published in 2018, stresses the need to impede terrorist organizations from leveraging the internet to inspire and enable attacks.¹⁶

Indeed, continued efforts to counter the evolving social media and propaganda tools of terrorist organizations will be critical, but this will not comprehensively address the digital threat posed by these groups. Counterterrorism scholarship and government strategies have paid scant attention to the offensive cyber capabilities and operations of terrorist organizations, tools that are related but distinct from other forms of online influence. Activities of this variety do not necessarily cause catastrophic physical harm, but their capacity to influence public perception and, potentially, the course of political events should be cause for concern.

Several well-discussed, politically significant non-state actors with histories rooted almost entirely in kinetic violence are developing, or otherwise acquiring, offensive cyber capabilities to further their interests. More scrutiny of these actors, their motivations, and how they strategically deploy offensive cyber capabilities in conjunction with evolving propaganda and kinetic efforts is warranted to better orient toward the threat.

Hamas, a Palestinian political party and militant terrorist organization that serves as the de facto governing body of the Gaza Strip, is one such actor. The group’s burgeoning cyber capabilities, alongside its propaganda tactics, pose a threat to Israel, the Palestinian Authority, and US interests in the region—especially in tandem with the group’s capacities to fund, organize, inspire, and execute kinetic attacks. This combination of capabilities has historically been the dominion of more powerful state actors. However, the integration of offensive cyber capabilities into the arsenals of traditionally kinetic non-state actors, including militant organizations, is on the rise due to partnerships with state guarantors and the general proliferation of these competencies worldwide.

This report seeks to highlight the offensive cyber and information capabilities and behavior of Hamas. First, a broad overview of Hamas’s overall strategy is provided, an understanding of which is key for evaluating its cyber activities. Second, this report analyzes the types of offensive cyber operations in which Hamas engages, showing that the adoption of cyber capabilities does not indicate a sudden shift in strategy but, rather, a realignment of strategy and an augmentation of operations. In other words, offensive cyber operations are a new way to do old things better. Third, this report aims to push the policy community to think differently about its approach to similar non-state groups that may leverage the cyber domain in the future.

2. Overview of Hamas’s strategy

Principles and philosophy

Founded in the late 1980s, Harakat al-Muqawamah al-Islamiyyah, translated as the Islamic Resistance Movement and better known as Hamas, is a Palestinian religious political party and militant organization. After Israel disengaged from the Gaza Strip in 2005, Hamas used its 2006 Palestinian legislative election victory to take over militarily from rival political party Fatah in 2007. The group has served as the de facto ruler of Gaza ever since, effectively dividing the Palestinian Territories into two entities, with the West Bank governed by the Hamas-rejected and Fatah-controlled Palestinian Authority.¹⁷

Hamas’s overarching objectives are largely premised on its founding principles—terminating what it views as the illegitimate State of Israel and establishing Islamic, Palestinian rule.¹⁸ The group’s grand strategy comprises two general areas of focus: resisting Israel and gaining political clout with the Palestinian people. These objectives are interconnected and mutually reinforcing, as Hamas’s public resistance to Israel feeds Palestinian perceptions of the group as the leader of the Palestinian cause.¹⁹

Despite Hamas’s maximalist public position on Israel, the organization’s leaders are rational actors who logically understand the longevity and power of the State of Israel. Where the group can make meaningful inroads is in Palestinian politics, trying to win public support from the more secular, ruling Fatah party and positioning itself to lead a future Palestinian state. Looming uncertainty about the future of an already weak Palestinian Authority, led by the aging President Mahmoud Abbas, coupled with popular demand for elections, presents a potential opportunity for Hamas to fill a leadership vacuum.²⁰

To further these objectives, Hamas attracts attention by frequently generating and capitalizing on instability. The group inflames already tumultuous situations to foster an environment of extremism, working against those who are willing to cooperate in the earnest pursuit of a peaceful solution to the Israel–Palestine conflict. Hamas uses terror tactics to influence public perception and to steer political outcomes, but still must exercise strategic restraint to avoid retaliation that could be militarily and politically damaging. Given these self-imposed restraints, Hamas seeks alternative methods of influence that are less likely to result in blowback.

Terrorism strategy

Hamas’s terror tactics have included suicide bombings,²¹ indiscriminate rocket fire,²² sniper attacks,²³ incendiary balloon launches,²⁴ knifings,²⁵ and civilian kidnappings,²⁶ all in support of its larger information strategy to project a strong image and to steer political outcomes. Through these activities, Hamas aims to undermine Israel and the Palestinian Authority²⁷ and challenge the Palestine Liberation Organization’s (PLO)²⁸ standing as the “sole representative of the Palestinian people.”

Terrorism forms the foundation of Hamas’s approach, and the organization’s leadership openly promotes such activities.²⁹ While the group’s terror tactics have evolved over time, they have consistently been employed against civilian targets to provoke fear, generate publicity, and achieve political objectives. Israeli communities targeted by terrorism, as well as Palestinians in Gaza living under Hamas rule, suffer from considerable physical and psychological stress,³⁰ driving Israeli policymakers to carry out military operations, often continuing a vicious cycle that feeds into Hamas’s information campaign.

These terrorist tactics follow a coercive logic that aligns with Hamas’s greater messaging objectives. Robert Pape’s “The Strategic Logic of Suicide Terrorism” specifically names Hamas as an organization with a track record of perpetrating strategically timed suicide terrorist attacks for coercive political effect.³¹ In 1995, for example, Hamas conducted a flurry of suicide attacks, killing dozens of civilians in an attempt to pressure the Israeli government to withdraw from certain locations in the West Bank. Once negotiations were underway between Israel and the PLO, Hamas temporarily suspended the attacks, only to resume them against Israeli targets when diplomatic progress appeared to stall. Israel would eventually partially withdraw from several West Bank cities later that year.³²

Similarly, just several months before Israel’s 1996 general election, incumbent Labor Party Prime Minister Shimon Peres led the polls by roughly 20 percent in his reelection bid against Benjamin Netanyahu and the Likud Party. However, a spate of Hamas suicide bombings cut Peres’s lead and Netanyahu emerged victorious.³³ The attacks were designed to weaken the reelection bid of Peres, widely viewed as the candidate most likely to advance the peace process, and strengthen the candidacy of Netanyahu. Deliberate terror campaigns such as these demonstrate the power Hamas wields over Israeli politics.³⁴

The Israeli security establishment has learned lessons from the phenomenon of suicide terrorism, implementing countermeasures to foil attacks. Since the mid-2000s, Hamas has shifted its focus to firing rockets of various ranges and precision from the Gaza Strip at civilian population centers in Israel.³⁵ The rocket attacks became frequent after Israel’s disengagement from Gaza in 2005, ebbing and flowing in alignment with significant political events.³⁶ For instance, the organization targeted towns in southern Israel with sustained rocket fire in the lead up to the country’s general election in 2009 to discourage Israelis from voting for pro-peace candidates.³⁷

Strategic restraint

Each of these terror tactics has the powerful potential to generate publicity with Israelis, Palestinians, and audiences elsewhere. However, unrestrained terrorism comes at a cost, something Hamas understands. Hamas must weigh its desire to carry out attacks with the concomitant risks, including an unfavorable international perception, military retaliation, infrastructure damage, and internal economic and political pressures.

Hamas addresses this in a number of ways. First, it limits its operations, almost exclusively, to Israel and the Palestinian Territories. Hamas has learned from the failures of other Palestinian terrorist organizations, whose operations beyond Israel’s borders were often counterproductive, attracting legitimate international criticism of these groups.³⁸ Such operations also run the risk of alienating critical Hamas benefactors like Qatar and Turkey.³⁹ These states, which maintain important relationships with the United States—not to mention burgeoning ties with Israel—could pressure Hamas to course correct, if not outright withdraw their support for the organization.⁴⁰ The continued flow of billions of dollars in funding from benefactors like Qatar is critical, not just to Hamas’s capacity to conduct terror attacks and wage war,⁴¹ but also to its efforts to reconstruct infrastructure and provide social services in the Gaza Strip, both key factors for building its political legitimacy among Palestinians.⁴²

Second, with each terrorist attack, Hamas must weigh the potential for a forceful Israeli military response. The cycle of terrorism and retaliation periodically escalates into full-scale wars that feature Israeli air strikes and ground invasions of Gaza. These periodic operations are known in the Israeli security establishment as “mowing the grass,” a component of Israel’s strategy to keep Hamas’s arsenal of rockets, small arms, and infrastructure, including its elaborate underground tunnel network, from growing out of control like weeds in an unkempt lawn.⁴³ Hamas’s restraint has been apparent since May 2021, when Israel conducted Operation Guardian of the Walls, a roughly two-week campaign of mostly airstrikes and artillery fire aimed at slashing the group’s rocket arsenal and production capabilities, crippling its tunnels, and eliminating many of its top commanders. Hamas is thought to be recovering and restocking since the ceasefire, carefully avoiding engaging in provocations that could ignite another confrontation before the group is ready.

Third, and critically, since mid-2021, the last year-plus of the Israel–Hamas conflict has been one of the quietest in decades due to the Israeli Bennett–Lapid government’s implementation of a sizable civil and economic program for Gaza.⁴⁴ The program expands the number of permits for Palestinians from Gaza to work in Israel, where the daily wages of one worker are enough to support an additional ten Palestinians.⁴⁵ Israel’s Defense Ministry signed off on a plan to gradually increase work permit quotas for Palestinians from Gaza to an unprecedented 20,000, with reports suggesting plans to eventually increase that number to 30,000.⁴⁶ For an impoverished territory with an unemployment rate of around 50 percent, permits to work in Israel improve the lives of Palestinians and stabilize the economy. The program also introduced economic incentives for Hamas to keep the peace—conducting attacks could result in snap restrictions on permits and border crossing closures, leading to a public backlash, as well as internal political blowback within the group. The power of this economic tool was evident throughout Israel’s Operation Breaking Dawn in August 2022, during which Israel conducted a three-day operation to eliminate key military assets and personnel of the Palestinian Islamic Jihad (PIJ), another Gaza-based terrorist organization. Israel was careful to communicate its intention to target PIJ, not Hamas. Ordinarily a ready-and-willing belligerent in such flare-ups, Hamas did nothing to restrain the PIJ but remained conspicuously on the sidelines, refraining from fighting out of its interest in resuming border crossings as quickly as possible.⁴⁷

Searching for alternatives

Given these limitations, blowbacks, and self-imposed restraints, Hamas is finding alternative methods of influence. Under the leadership of its Gaza chief Yahya Sinwar, Hamas is endeavoring to inspire Arab Israelis and West Bank Palestinians to continue the struggle by taking up arms and sparking an intifada while the group nurses itself back to strength.⁴⁸ To further this effort, Hamas is turning to more insidious means of operating in the information space to garner support and ignite conflagrations without further jeopardizing its public reputation, weapons stockpiles, infrastructure, or the economic well-being of the Palestinians living under its control. Like many state actors working to advance strategic ambitions, Hamas has turned to offensive cyber operations as a means of competing below the threshold of armed conflict.

Deploying offensive cyber capabilities involves exceptionally low risks and costs for operators. For groups like Hamas that are worried about potential retaliation, these operations present an effective alternative to kinetic operations that would otherwise provoke an immediate response. Most national cyber operation countermeasures are geared toward state adversaries and, in general, finding an appropriate response to non-state actors in this area has been challenging. Many state attempts to retaliate and deter have been toothless, resulting in little alteration of the adversary’s calculations.⁴⁹

3. Hamas’s cyber strategy

The nature of the cyber domain allows weak actors, like Hamas, to engage and inflict far more damage on powerful actors, like Israel, than would otherwise be possible in conventional conflict.⁵⁰ This asymmetry means that cyberspace offers intrinsically covert opportunities to store, transfer, and deploy consequential capabilities with far less need for organizational resources and financial or human capacity than in industrial warfare. Well-suited to support information campaigns, cyber capabilities are useful for influencing an audience without drawing the attention and repercussions of more conspicuous operations, like terrorism. In these ways, cyber operations fit into Hamas’s overall strategy and emphasis on building public perception and influence. Making sense of this strategy allows a greater understanding of past Hamas cyber operations, and how the group will likely operate in the cyber domain going forward.

Hamas’s cyber capabilities, while relatively nascent and lacking the sophisticated tools of other hacking groups, should not be underestimated. It comes as a surprise to many security experts that Hamas—chronically plagued by electricity shortages in the Gaza Strip, with an average of just ten to twelve hours of electricity per day—even possesses cyber capabilities.⁵¹ Israel’s control over the telecommunications frequencies and infrastructure of the Gaza Strip raises further doubts about how Hamas could operate a cyber program.⁵² However, in 2019, Israel deemed the offensive cyber threat to be critical enough that after thwarting an operation, the IDF carried out a strike to destroy Hamas’s cyber headquarters,⁵³ one of the first acknowledged kinetic operations by a military in response to a cyber operation. However, despite an IDF spokesperson’s claim that “Hamas no longer has cyber capabilities after our strike,” public reporting has highlighted various Hamas cyber operations in the ensuing months and years.⁵⁴

This dismissive attitude toward Hamas’s cyber threat also overlooks the group’s operations from outside the confines of the Gaza Strip. Turkish President Recep Tayyip Erdoğan and his AKP Party share ideological sympathies with Hamas and have extended citizenship to Hamas leadership.⁵⁵ The group’s leaders have allegedly used Turkey as a base for planning attacks and even as a safe haven for an overseas cyber facility.⁵⁶ Hamas maintains even more robust relationships with other state supporters, namely Iran and Qatar, which provide financing, safe havens, and weapons technology.⁵⁷ With the assistance of state benefactors, Hamas will continue to develop offensive cyber and information capabilities that, if overlooked, could result in geopolitical consequences.

For at least a decade, Hamas has engaged in cyber operations against Israeli and Palestinian targets. These operations can be divided in two broad operational categories that align with Hamas’s overall strategy: espionage and information. The first category, cyber espionage operations, accounts for the majority of Hamas’s publicly reported cyber activity and underpins the group’s information operations.

Espionage operations

Like any state or non-state actor, Hamas relies on quality intelligence to provide its leadership and commanders with decision-making advantages in the political and military arenas. The theft of valuable secrets from Israel, rival Palestinian factions, and individuals within its own ranks provides Hamas with strategic and operational leverage, and is thus prioritized in its cyber operations.

The Internal Security Force (ISF) is Hamas’s primary intelligence organization, comprised of members of the al-Majd security force from within the larger Izz al-Din al-Qassam Brigades, a military wing of Hamas. The ISF’s responsibilities range from espionage to quashing political opposition and dissent from within the party and its security apparatus.⁵⁸ The range of the ISF’s missions manifests through Hamas’s cyber operations.

Tactical evolution

Naturally, Israel is a primary target of Hamas’s cyber espionage. These operations have become commonplace over the last several years, gradually evolving from broad, blunt tactics into more tailored, sophisticated approaches. The group’s initial tactics focused on a “spray and pray” approach, distributing impersonal emails with malicious attachments to a large number of targets, hoping that a subset would bite. For example, an operation that began in mid-2013 and was discovered in February 2015 entailed Hamas operators luring targets with the promise of pornographic videos that were really malware apps. The operators relied on their victims—which included targets across the government, military, academic, transportation, and infrastructure sectors—withholding information about the incidents from their workplace information technology departments, out of shame for clicking on pornography at work, thereby maximizing access and time on the target.⁵⁹

Later, Hamas operations implemented various tactical updates to increase their chances of success. In September 2015, the group began including links rather than attachments, non-pornographic lures such as automobile accident videos, and additional encryption of the exfiltrated data.⁶⁰ Another campaign, publicized in February 2017, involved a more personalized approach using social engineering techniques to target IDF personnel with malware from fake Facebook accounts.⁶¹ In subsequent years, the group began rolling out a variety of smartphone applications and marketing websites to surreptitiously install mobile remote access trojans on target devices. In 2018, the group implanted spyware on smartphones by masquerading as Red Alert, a rocket siren application for Israelis.⁶² Similarly in 2020, Hamas targeted Israelis through dating apps with names like Catch&See and GrixyApp.⁶³ As previously mentioned, Hamas also cloaked its spyware in a seemingly benign World Cup application that allowed the group to collect information on a variety of IDF military installations and hardware, including armored vehicles. These are all areas Hamas commanders have demonstrated interest in learning more about in order to gain a potential advantage in a future kinetic conflict.⁶⁴

According to the Israeli threat intelligence firm Cybereason, more recent discoveries indicate a “new level of sophistication” in Hamas’s operations.⁶⁵ In April 2022, a cyber espionage campaign targeting individuals from the Israeli military, law enforcement, and emergency services used previously undocumented malware featuring enhanced stealth mechanisms. This indicates that Hamas is taking more steps to protect operational security than ever.⁶⁶ The infection vector for this particular campaign was through social engineering on platforms like Facebook, a hallmark of many Hamas espionage operations, to dupe targets into downloading trojanized applications. Once the malware is downloaded, Hamas operators can access a wide range of information from the device’s documents, camera, and microphone, acquiring immense data on the target’s whereabouts, interactions, and more. Information collected off of military, law enforcement, and emergency services personnel can be useful on its own or for its potential extortion value.

As part of its power struggle with the Palestinian Authority and rival Fatah party, Hamas targets Palestinian political and security officials with similar operations. In another creative cyber espionage operation targeting the Palestinian Authority, Hamas operators used hidden malware to exfiltrate information from the widely used cloud platform Dropbox.⁶⁷ The same operation targeted political and government officials in Egypt,⁶⁸ an actor Hamas is keen to surveil given its shared border with the Gaza Strip and role brokering ceasefires and other negotiations between Israel and Hamas.

Other common targets of Hamas’s cyber espionage campaigns are members of its own organization. One of the ISF’s roles is counterintelligence, a supremely important field to an organization that is rife with internecine political rivalries,⁶⁹ as well as paranoia about the watchful eyes of Israeli and other intelligence services. According to Western intelligence sources, one of the main missions of Hamas’s cyber facility in Turkey is deploying counterintelligence against Hamas dissenters and spies.⁷⁰ Hamas is sensitive to the possibility of Palestinians within its ranks and others acting as “collaborators” with Israel, and the group occasionally summarily executes individuals on the suspicion of serving as Israeli intelligence informants.⁷¹

Information operations

While the bulk of Hamas’s cyber operations place a premium on information gathering, a subset involves using this information to further its efforts to influence the public. This broadly defined category of information operations comprises everything from hack-and-leaks to defacements to social media campaigns that advance beneficial narratives.

Hack-and-leak operations, when hackers acquire secret or otherwise sensitive information and subsequently make it public, are clear attempts to shift public opinion and “simulate scandal.”⁷² The strategic dissemination of stolen documents, images, and videos—potentially manipulated—at critical junctures can be a windfall for a group like Hamas. In December 2014, Hamas claimed credit for hacking the IDF’s classified network and posting multiple videos taken earlier in the year of Israel’s Operation Protective Edge in the Gaza Strip.⁷³ The clips, which were superimposed with Arabic captions by Hamas,⁷⁴ depicted sensitive details about the IDF’s operation, including two separate instances of Israeli forces engaging terrorists infiltrating Israel—one group infiltrating by sea en route to Kibbutz Zikim and one group via a tunnel under the border into Kibbutz Ein HaShlosha—to engage in kidnappings. One of the raids resulted in a fight that lasted for roughly six hours and the death of two Israelis.⁷⁵ By leaking the footage, including images of the dead Israelis, Hamas sought to project itself as a strong leader to Palestinians and to instill fear among Israelis, boasting about its ability to infiltrate Israel, kill Israelis, and return to Gaza. These operations are intended to demonstrate Hamas’s strength on two levels: first, their ability to hack and steal valuable material from Israel and second, their boldness in carrying out attacks to further the Palestinian national cause.

Defacement is another tool in Hamas’s cyber arsenal. This sort of operation, a form of online vandalism that usually involves breaching a website to post propaganda, is not so much devastating as it is a nuisance.⁷⁶ The operations are intended to embarrass the targets, albeit temporarily, and generate a psychological effect on an audience. In 2012, during Israel’s Operation Cast Lead in the Gaza Strip, Hamas claimed responsibility for attacks on Israeli websites, including the IDF’s Homefront Command, asserting that the cyber operations were “an integral part of the war against Israel.”⁷⁷ Since then, Hamas has demonstrated its ability to reach potentially wider audiences through defacement operations. Notably, in July 2014 during Operation Protective Edge, Hamas gained access to the satellite broadcast of Israel’s Channel 10 television station for a few minutes, broadcasting images purportedly depicting Palestinians injured by Israeli airstrikes in the Gaza Strip. The Hamas hackers also displayed a threat in Hebrew text: “If your government does not agree to our terms, then prepare yourself for an extended stay in shelters.”⁷⁸

Hamas has conducted defacement operations itself and has relied on an army of “patriotic hackers.” Patriotic hacking, cyberattacks against a perceived adversary performed by individuals on behalf of a nation, is not unique to the Israeli–Palestinian conflict. States have turned to sympathetic citizens around the world for support, often directing individual hackers to deface adversaries’ websites, as Ukraine did after Russia’s 2022 invasion.⁷⁹ Similarly, Hamas seeks to inspire hackers from around the Middle East to “resist” Israel, resulting in the defacement of websites belonging to the Tel Aviv Stock Exchange and Israel’s national airline El Al by Arab hackers.⁸⁰

In tandem with its embrace of patriotic hackers, Hamas seeks to multiply its propaganda efforts by enlisting the help of Palestinians on the street for less technical operations. To some extent, Hamas uses social media in similar ways to other terrorist organizations to inspire violence, urging Palestinians to attack Jews in Israel and the West Bank, for instance.⁸¹ However, the group goes a step further, encouraging Palestinians in Gaza to contribute to its efforts by providing guidelines for social media posting. The instructions, provided by Hamas’s Interior Ministry, detail how Palestinians should post about the conflict and discuss it with outsiders, including preferred terminology and practices such as, “Anyone killed or martyred is to be called a civilian from Gaza or Palestine, before we talk about his status in jihad or his military rank. Don’t forget to always add ‘innocent civilian’ or ‘innocent citizen’ in your description of those killed in Israeli attacks on Gaza.” Other instructions include, “Avoid publishing pictures of rockets fired into Israel from [Gaza] city centers. This [would] provide a pretext for attacking residential areas in the Gaza Strip.”⁸² Information campaigns like these extend beyond follower indoctrination and leave a tangible mark on international public discourse, as well as structure the course of conflict with Israel.

Hamas’s ability to leverage the cyber domain to shape the information landscape can have serious implications on geopolitics. Given the age and unpopularity of Palestinian President Mahmoud Abbas—polling shows that 80 percent of Palestinians want him to resign—as well as the fragile state of the Palestinian Authority,⁸³ the Palestinian public’s desire for elections, and general uncertainty about the future, Hamas’s information operations can have a particularly potent effect on a discourse that is already contentious. The same can be said, to some extent, for the information environment in Israel, where political instability has resulted in five elections in just three and a half years.⁸⁴ When executed strategically, information operations can play an influencing, if not deciding, role in electoral outcomes, as demonstrated by Russia’s interference in the 2016 US presidential election.⁸⁵ A well-timed hack-and-leak operation, like Russia’s breach of the Democratic National Committee’s networks and dissemination of its emails, could majorly influence the momentum of political events in both Israel and Palestine.⁸⁶ Continued failure to reach a two-state solution in the Israeli–Palestinian conflict will jeopardize Israel’s diplomatic relationships,⁸⁷ as well as stability in the wider Middle East.⁸⁸

4. Where do Hamas’s cyber operations go from here?

As outlined in its founding charter, as long as Hamas exists, it will place a premium on influencing audiences—friendly, adversarial, and undecided—and mobilizing them to bend political outcomes toward its ultimate objectives.⁸⁹ Terrorism has been a central element of the group’s influence agenda, but cyber and information operations offer alternative and complementary options for engagement. It stands to reason that as Hamas’s cyber capabilities steadily evolve and improve, those of similar organizations will do the same.

Further Israeli efforts to curb terrorism through a cocktail of economic programs and advancements in defensive technologies, such as its integrated air defense system, raise questions about how Hamas and similar groups’ incentive structures may change their calculi in light of evolving state countermeasures. There is no Iron Dome in cyberspace. Militant and terrorist organizations are not changing their strategies of integrating cyber and information operations into their repertoires. Instead, they are finding new means of achieving old goals. Important questions for future research include:

• If states like Iran transfer increasingly advanced kinetic weaponry to terrorist organizations like Hamas, PIJ, Hezbollah, Kata’ib Hezbollah, and the Houthis, to what extent does this assistance extend to offensive cyber capabilities? What will this support look like in the future, and will these groups depend on state support to sustain their cyber operations?

• What lessons is Hamas drawing from the past year of relative calm with Israel that may influence the cadence and variety of its cyber operations? How might these lessons influence similar organizations around the world?

• What sorts of operations, such as financially motivated ransomware and cybercrime, has Hamas not engaged in? Will Hamas and comparable organizations learn from and adopt operations that are similar to other variously motivated non-state actors?

• What restrictions and incentives can the United States and its allies implement to curb the transfer of cyber capabilities to terrorist organizations?

Cyber capabilities are advancing rapidly worldwide and more advanced technologies are increasingly accessible, enabling relatively weak actors to compete with strong actors like never before. Few controls exist to effectively counter this proliferation of offensive cyber capabilities, and the technical and financial barriers for organizations like Hamas to compete in this domain remain low.⁹⁰ Either by obtaining and deploying highly impactful tools, or by developing relationships with hacking groups in third-party countries to carry out operations, the threat from Hamas’s cyber and information capabilities will grow.

Just like the group’s rocket terror program, which began with crude, short-range, and inaccurate Qassam rockets that the group cobbled together from scratch, Hamas’s cyber program began with rather unsophisticated tools. Over the years, as the group obtained increasingly sophisticated, accurate, and long-range rockets from external benefactors like Iran, so too have Hamas’s cyber capabilities advanced in scale and sophistication.

Conclusion

Remarking on Hamas’s creative cyber campaigns, a lieutenant colonel in the IDF’s Cyber Directorate noted, “I’m not going to say they are not powerful or weak. They are interesting.”⁹¹ Observers should not view Hamas’s foray into cyber operations as an indication of a sudden organizational strategic shift. For its entire existence, the group has used terrorism as a means of garnering public attention and affecting the information environment, seizing strategic opportunities to influence the course of political events. As outside pressures change the group’s incentives to engage in provocative kinetic operations, cyber capabilities present alternative options for Hamas to advance its strategy. Hamas’s cyber capabilities will continue to advance, and the group will likely continue to leverage these tools in ways that will wield maximum influence over the information environment. Understanding how Hamas’s strategy and incentive structure guides its decision to leverage offensive cyber operations can provide insights, on a wider scale, about how non-state actors develop and implement cyber tools, and how the United States and its allies may be better able to counter these trends.

About the author

Fellow

Simon Handler

Nonresident Fellow

Cyber Statecraft Initiative Digital Forensic Research Lab

Cybersecurity Middle East

Acknowledgements

The author would like to thank several individuals, without whose support this report would not look the same. First and foremost, thank you to Trey Herr and Emma Schroeder, director and associate director of the Atlantic Council’s Cyber Statecraft Initiative, respectively, for helping from the start of this effort by participating in collaborative brainstorming sessions and providing extensive editorial feedback throughout. The author also owes a debt of gratitude to several individuals for generously offering their time to review various iterations of this document. Thanks to Ambassador Daniel Shapiro, Shanie Reichman, Yulia Shalomov, Stewart Scott, Madison Cullinan, and additional individuals who shall remain anonymous for valuable insights and feedback throughout the development of this report. Additionally, thank you to Valerie Bilgri for editing and Donald Partyka and Anais Gonzalez for designing the final document.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The cyber strategy and operations of Hamas: Green flags and green hats appeared first on Atlantic Council.

The post Sipher quoted in Business Insider on why Putin’s KGB past is key appeared first on Atlantic Council.

Enhancing intelligence sharing is a perennial issue, so why the focus now? The war in Ukraine has proven an inflection point not just for the transatlantic community, but also for the sharing of intelligence within that community. As the US-led counterterrorism response after the 9/11 attacks also demonstrated, political will and a shared threat assessment can spur states to surge intelligence sharing—even with non-traditional partners. As an entity that exists to provide strategic warning, the US intelligence community can no longer afford to wait for crises to remove critical barriers to information sharing.

Simultaneously, technological advances in information management are changing the way the intelligence community must function if it is to remain relevant. Emerging disruptive technologies like artificial intelligence (AI) and machine learning, coupled with the sheer volume of data now available, mean there is a great opportunity to automate the foreign disclosure process.

With the right political will, there are steps the intelligence community and intelligence officers can take to revamp their policies, processes, and culture in order to share more intelligence with allies and partners.

1. Remove the NOFORN caveat for Five Eyes representatives in US agencies.
   
   For personnel from Five Eyes (FVEY) allies—Australia, Canada, New Zealand, and the United Kingdom—who are working in US intelligence agencies, the removal of the NOFORN caveat would ensure that they have full access to as much information as possible and thus that they can fulfill their responsibilities completely and efficiently.
   
2. Adopt “Releasable to FVEY” as the default classification for finished intelligence products.
   
   Empower the US director of national intelligence with greater authority to oversee the intelligence sharing process across the intelligence community, and create a centralized clearinghouse function within the Office of the Director of National Intelligence. Similarly empower the undersecretary of defense for intelligence and security within the Department of Defense. By centralizing authority in these positions and releasing intelligence to the other Five Eyes allies, the intelligence community can begin to make sharing information, not classifying it, the default.
   
3. Devise a template to define and standardize intelligence sharing classifications.
   
   This process could be streamlined through a template attached to every finished intelligence product that notes the question the intelligence answers, specifies which allies to share the intelligence with, and includes any caveats.
   
4. Classify single-source reporting at the NOFORN level on rare occasions, and adopt a common referencing system for single-source intelligence reports.
   
   Currently, single-source reporting—such as intelligence gathered by satellite or human assets—is often classified at the NOFORN level by default. This should be the exception, not the rule, and only occur when actually needed to protect sources and methods.
   
5. Develop joint intelligence requirements with allies.
   
   Developing requirements together would result in releasable collection plans and shareable finished intelligence. It would also contribute to more even burden-sharing and optimize collection capabilities.
   
6. Explore AI and machine learning applications to automate the foreign disclosure process.
   
7. Maximize the use of open-source intelligence to enable increased sharing with allies without risking sources and methods.
   
   This will require greater integration of open-source intelligence (and resources committed to it) by US intelligence agencies.
   
8. Establish and sustain a network of officers committed to facilitating intelligence sharing.
   
   Increase embeds, liaisons, and exchange personnel. A formalized cadre of officers in senior grades in the intelligence community and across Five Eyes agencies could ease information sharing. Requiring intelligence professionals to attend a Five Eyes officer certification program as a prerequisite to promotion would instill these values early.
   
9. Change the risk calculus of intelligence sharing at the analytical level.
   
   Analysts at the working level assume most of the risk for deciding which intelligence to share, a heavy burden that discourages release because of the potential for serious penalties both for the individual analyst (who could lose their security clearance or job) and US national security (if information that shouldn’t be released is). Enhanced education and training, greater risk assumption at the leadership level, and the support of a greater network of foreign disclosure professionals would remedy this.
   
10. Undertake a comprehensive review of policy guidance to remove policy constraints, encourage intelligence sharing, and ensure a uniform approach.

The difficulties—bureaucratic, cultural, and legal—of sharing information plague not only the intelligence community but also other government agencies and private industry. Similar barriers prevent government agencies from sharing classified military information with each other or with private industry. Companies struggle to share commercially sensitive information. Moreover, these barriers are slowing the pace of Western technological innovation. This has wide-ranging defense implications, and some of the recommendations above could be applied in this scope as well.

Intelligence is at its core about trust. For the recommendations above to be implemented, both intelligence providers and consumers must prove they can protect the information itself and, even more critically, the sources and methods required to obtain it. A comprehensive counterintelligence strategy, more frequent security training and education, and more consistent protocols will go a long way in ensuring the success of the policies outlined above.

Like what you read? Dive deep into our full report.

Issue Brief

Oct 31, 2022

Beyond NOFORN: Solutions for increased intelligence sharing among allies

By AVM Sean Corbett, CB MBE and James Danoy

Intelligence sharing is a perennial issue, but modern solutions exist to balance enhancing cooperation with key allies with providing decision advantage to policymakers.

Defense Policy Europe & Eurasia

Related program

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Explore more

Subscribe for more content

The post In brief: A ten-step guide to transforming intelligence sharing with US allies appeared first on Atlantic Council.

Foreword

As any good policymaker, planner, or military commander will tell you, the formulation and execution of an effective national security strategy is dependent on the availability of sound intelligence. Today’s complex security environment requires the cooperation and collaboration of like-minded nations to deal with a multitude of challenges. Facilitating the timely and robust sharing of intelligence among allies and partners therefore is critical to the development of a common understanding of global threats and a common approach to address those threats.

Governments quite rightly protect their intelligence sources, methods, and collection capabilities as critical national assets, but this must be balanced against the need to share high quality intelligence with allies and partners to ensure a compelling and united imperative to act. This dilemma has posed an enduring challenge to both policymakers and the intelligence community within the United States, as well as its allies and partners. With a federated approach to intelligence and an emphasis above all on protecting national capabilities, the priority has remained firmly on risk aversion. This has been a source of frustration for the United States’ most trusted international allies, some of which have adopted a more pragmatic approach. Where the political will is great enough, workarounds do exist. The Russian invasion of Ukraine has prompted a small revolution in better intelligence sharing, but unfortunately, this circumstance is the exception to the rule and not the norm. Even where there has been a desire at the leadership level to increase and enhance sharing, it has not translated into the instigation of a new systemic approach where information can be shared properly, and with the requisite sense of urgency.

This issue brief unpacks why intelligence sharing is so difficult and why, despite senior level attention, progress has been limited. It explores the factors inhibiting intelligence sharing at an unprecedented level of detail, importantly offering practical solutions. Co-written by a British former senior intelligence officer who spent two years within the US intelligence community enhancing intelligence sharing with close allies, and a former US national intelligence manager for Europe, the paper analyzes how policy, processes, and people can be addressed to deliver constructive, practical solutions without compromising sources and methods.

Leveraging a series of interviews and conversations with distinguished senior leaders from within the community, the Atlantic Council is breaking new ground with this issue brief and the overall message is this: a comprehensive approach that balances the vested interests and unique constraints of the US intelligence community with the real-time benefits of intelligence sharing will only make us collectively stronger, more unified and more secure as an alliance. But this can only be accomplished by revising Cold War-era sharing policies and practices, removing outdated classification caveats, and changing institutional cultures, while simultaneously protecting sources and methods and fostering sound counterintelligence and security. While there is always a risk involved in sharing intelligence, the greater risk lies in failing to develop a common intelligence picture of the threats of the twenty-first century. The future path is clear: increasing intelligence sharing among trusted allies and partners on security issues of common concern is in the best interest both of the United States and its allies and partners.

Lt Gen James Clapper, USAF (Ret.)

Former Director of National Intelligence

Read our in-brief summary of this report

Executive Summary

Nov 3, 2022

In brief: A ten-step guide to transforming intelligence sharing with US allies

By Transatlantic Security Initiative

The Atlantic Council presents ten practical recommendations to enhance intelligence sharing with US allies, improve strategic warning, and bolster collective security.

Defense Policy Defense Technologies

Introduction: The challenge

In an increasingly connected world in which threats to global and national security are diverse, complex, and intensifying, information sharing among trusted allies and partners is essential to the formulation and implementation of any coordinated strategy. Despite this reality, national policy, security, process, and cultural considerations continue to limit the ability to optimize these relationships. One critical area in which efforts are underway to formalize and maximize information sharing between trusted allies is the US intelligence community (IC). Intelligence sharing between trusted allies and partners provides a critical component of international relationships, as it enables a common and more complete appreciation of a given environment or crisis, supports coalition coherence on operations, enables collaboration on capability development, and facilitates strategic and military planning. It also fosters fundamental trust between like-minded nations, where the provision of intelligence can be a highly effective tool of diplomacy. However, the secretive nature of intelligence, the need to protect sources and methods, and the federated approach within US IC elements continue to frustrate efforts to optimize the ability to share intelligence, even with the closest of allies. Many of the existing relevant policies and processes are dated, constructed in the pre-digital age, and inadequate for addressing contemporary global security challenges. With few exceptions, and despite the best of intentions, intelligence sharing is uneven, remains the exception rather than the norm, and the prospect of simultaneity at the point of need is remote. At the organizational level, local initiatives have made progress at the edges, particularly where leadership is supportive, but all efforts are constrained by policy, process, and regulation. Risk aversion, resource limitations, competing priorities, and cultural inertia further act as disincentives. Changing this status quo will require significant cross-community prioritization, starting with direction from the very top. It will need a coherent and integrated cross-IC effort, particularly with respect to policy revision, a different approach to risk, and a parallel, bottom-up approach where personal risk is reduced, and initiatives rewarded.

The current Ukraine crisis and the US-led counterterrorist response to 9/11 have both demonstrated an ability to surge intelligence sharing, even with non-traditional partners, where political will exists at the highest level and it is imperative to address a serious contemporary security challenge. This indicates that restrictive information-sharing practices and policies are not immutable but rather self-imposed and malleable. Policymakers should not wait until a crisis or conflict erupts to remove impediments to information sharing. For the IC, whose main mission is to predict and warn of potential crises to provide decision-support to policymakers, planners, and operators, this reactive approach is inadequate. Best practices must be identified, systemic and procedural constraints assessed, and measures adopted to ensure they contribute to an enduring strategic inflection.

Knowledge is a rare thing. You gain by giving it away.”

Ivan Sutherland

The time is right to address this issue, for two reasons. First, enhanced situational awareness among allies is needed to ensure a comprehensive, collaborative approach to addressing serious security challenges at a global inflection point. Second, technological advances in the way information is handled are changing the way the IC must function if it is to remain relevant. The sheer volume of data now available, both classified and unclassified, requires a progressive approach to information handling, using artificial intelligence (AI) and machine learning (ML) techniques, often involving direct machine-to-machine interfacing. As these tools develop and mature, they must also accommodate an increasingly automated approach to information sharing.

The aim

Noting that intelligence is only one form of information, the aim of this paper is to capture the impediments to optimizing intelligence sharing between the United States and its closest allies and make practical recommendations as to how these impediments can be overcome. In doing so, it also addresses many issues surrounding the sharing of more generic but sensitive information.

The methodology

The methodology included a review of historical and current literature and publicly available policy documents, as well as a series of discrete individual interviews with several senior former executives from the US intelligence community (IC), all of whom have had distinguished careers in the full spectrum of IC activities and organizations. A policy workshop with very senior US and UK policy, IC, and defense leaders was also held, and identified challenges were banded into three broad themes that accommodate the complexity of the issue: policy (including regulatory), processes (including technological), and people (institutional and organizational culture), recognizing there are clear and significant overlap and dependencies existing between them, and none can be considered in isolation.

The issue

The challenges and why they matter

The 9/11 Commission Report identified several systemic deficiencies that prevented the totality of relevant data from being combined to predict the terrorist attacks. Included among these were structural, procedural, and human factors that prevented terrorist-related intelligence from being shared internally between agencies and externally with allies and partners. The report noted that “the problem is nearly intractable because of the way government is currently structured. Lines of operational authority run to the expanding executive departments, and they are guarded for understandable reasons.” Several of the major recommendations have been implemented, but many challenges endure and remain intractable. Some progress has been made around intelligence sharing in the years since 9/11, particularly in the context of counterterrorism and the duty to warn of potential terrorist attacks, but even local initiatives to enhance intelligence sharing with trusted allies and partners are hamstrung by many of these same issues. They impact a broad range of intelligence-related and intelligence-informed protocols such as strategic and operational planning, achieving common situational awareness, exchanging sensitive technology, and joint capability development initiatives. This has resulted in a general frustration that extant policies and processes do not support the intent and result in a risk averse approach. Many of these issues were reflected in the conversations with interviewees and it became clear while there are still steps that can be taken within extant regulations, major institutional hurdles will remain unless addressed in a strategic and coherent manner, with sufficient direction and prioritization at the highest policy level.

All interviewees were strongly in favor of intelligence sharing among allies and partners.

One interviewee stated they were, “not sure there is such a thing as too much intelligence sharing, as long as the appropriate security conditions are met.”

There were, however, nuanced perspectives of how much progress has been made, and how far intelligence sharing should be taken. Considering the example of the Five Eyes¹ (FVEY) Sensitive Compartmented Information Facility (SCIF) in the Pentagon, one interviewee lamented the protracted bureaucracy that delayed its full establishment, noting administrative impediments remain at a time when the Ukraine conflict requires extended working hours and constant dialogue with incumbents’ home capitals. There were also differing views as to where the impediments to intelligence sharing were most keenly felt, depending on individual backgrounds and previous roles. Some felt intelligence sharing was optimized at the operational and tactical level, where there exists the greatest imperative, force integration, and familiarity with cooperation, while others experienced serious impediments to operating effectively in a coalition environment.

Which model?

While a generic intelligence sharing model was recognized as the most efficient, it would be extremely challenging to implement. Alliances and partnerships are often complex, based on trust, geopolitical consideration, and mutual need. At their tightest, in exceptional circumstances, bilateral arrangements even remain applicable where exquisite collection capabilities are hosted on a second party’s territory, or to address discrete, sensitive bilateral security challenges. Each bilateral relationship looks different however, and enabling necessary resources and bureaucracy involved can be a significant lift. The FVEY alliance has become the most visible allied intelligence sharing process and policy, providing the benchmark against which other intelligence sharing relationships are measured. It is worth noting that each of the non-US FVEY member nations also maintain discrete bilateral intelligence-related relations with the United States, based around issues of mutual national interest, geopolitical priorities, and hosted intelligence collection capabilities.

All interviewees defaulted to the FVEY as the optimum model for intelligence sharing, predominantly due to shared values, standards, national interests, and language, but also because the muscle memory already exists—the FVEY relationship has developed over a considerable period.² The geographical spread of the FVEY partners also facilitates greater access to intelligence collection opportunities not readily available to all and, through far-flung regional alliances and partnerships, FVEY members can enable broader coalitions and intelligence sharing to address specific issues. There is an additional clear recognition of the need to share some intelligence with individual nations and coalitions beyond the FVEY, depending on security requirements and levels of trust. Small ad hoc groupings, or mini-laterals (such as with some Asia-Pacific nations), will become increasingly important as global security challenges evolve with a new emphasis on China, and there needs to be a way to adapt any intelligence sharing mechanisms to new coalitions and partners as situations dictate. The disparate challenges and requirements, therefore, pointed all those interviewed toward a tiered model (as opposed to a one-size-fits-all solution) as the best approach from a national security perspective. However, the policy implication and resource challenges of this approach were noted, and it was also highlighted that reviewed policies and processes should always accommodate a flexible model. One interviewee underscored the sensitivities of nations not in the club, particularly at the operational level, where it can be obvious when select nations have an intelligence advantage. They noted that, “as the circle grows, it becomes more challenging, with haves and have nots, and the risks increase. It’s not just about sharing the appropriate information, it’s who’s left on the outside. In coalition environments, people find out about small group meetings, etc. and feelings become hurt, trust is lost.”

Policy

Policy constraints were recognized as primary impediments to intelligence sharing at all levels, although this is a complex and multi-faceted issue. It was further noted that policy directly impacts both processes and culture. Get the policy right and the rest follows. However, the federated and distributed nature of authorities within the IC and defense, as well as the sheer number of applicable policies and directives, made this extremely challenging. Several examples below illustrate the scale of the challenge.

Intelligence Community Directives

US policies regarding intelligence sharing are primarily articulated in Intelligence Community Directives (ICD), the custodian of which is the Office of the Director of National Intelligence (ODNI). The primary ICD quoted when considering intelligence sharing policy is ICD 403, Foreign Disclosure and Release of Classified National Intelligence. This is supported by subordinated Intelligence Policy Guidance 403.1 (Criteria for Foreign Disclosure and release of Classified National Intelligence) and 403.2 (Procedures for Foreign Disclosure and Release Requiring Interagency Coordination, Notification and DNI Approval). Additional ICDs apply, however, including ICD 208 (Maximizing the Utility of Analytical Products), ICD 209 (Tearline Production and Dissemination), and ICD 710 (Classification Management and Control Markings System), supported by ICPG 710.2/403.5 (Application of Dissemination Controls: Foreign Disclosure and Release Markings).³

While the authority for ICDs is clear,⁴ policy development and coordination in practice is a collaborative process through the Intelligence Community Policy Review Board (IC-PRB), an advisory body to inform the development of policy and ensure an inclusive and collaborative process comprising deputy leaders from IC elements, and the Intelligence Policy Advisory Group (IPAG), comprising senior policy representatives from each IC element.

A common thread throughout the interviews was the extent to which authority lies within a single body for each of the FVEY nations. As one interviewee noted, “within the [United States] it’s a federated process. The DNI can write policies across the board, but can only go so far unless given more authority. They encourage and inform team activity rather than direct. In military terms, there is no OPCON [Operational Control] inside ODNI, which instead provides commander’s intent—information sharing policy is aspirational. All sorts of other policies surround it, technical, personnel, which makes it very difficult. It has to take all of these into account and is a jumbled mess.” Another interviewee put it more starkly: “the [United States] does not have any info sharing policies at all. It has information security policies and information sharing exceptions to those policies.”

IC policy development therefore requires consensus and the IC elements (i.e., IC agencies) play the critical role. This matters as some IC elements are significantly less comfortable with sharing intelligence than others and thus prioritize control of their source material over shareability. ICD 403, for example, last reviewed in March 2013, explicitly states that “Foreign disclosure and release actions can provide crucial support to national and foreign policy objectives. The production of intelligence reports and products at a level suitable for foreign disclosure and release supports both the IC and US policy makers. IC elements, therefore, in accordance with US national security and foreign policy objectives, should produce intelligence products and reports marked for foreign disclosure or release.” However, it also states that “US intelligence is a national asset to be conserved and protected and will be shared with foreign entities only when consistent with US national security and foreign policy objectives and when an identifiable benefit can be expected to accrue to the [United States].” It further states that “the authority within IC elements to make foreign disclosure and release decisions rests with IC element heads, SFRDAs [Senior Foreign Disclosure Officers] and FDROs [Foreign Disclosure and Release Officers].” Therefore, policy in this area is qualified, open to interpretation, and, in some places, contradictory. For those more risk-averse IC elements, the policy as it stands can be interpreted to support a default setting to NOFORN.

Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.”

Alan Perlis

The 9/11 Commission Report is illustrative here, articulating that “too many agencies now have an opportunity to say no to change.” It recommended the establishment of a National Intelligence Director (NID) to “set information sharing and IT policies to [maximize] data sharing, as well as policies to protect the security of information.” This balance between optimizing intelligence sharing and ensuring that information is suitably protected is the nexus of the challenge. The aforementioned recommendation led to the creation of the ODNI, but the authorities required to direct IC elements were not implemented as envisaged by the report.

As long as the IC elements have responsibility for authorizing foreign disclosure, they will maintain associated resource calculations. Formal, senior-level decision-making processes and procedures to authorize foreign disclosure and the guidance are needed. ICD 403 states that “generally, originating agencies shall respond to routine foreign disclosure and release authorization requests with seven working days.” While this may appear rapid in strategic terms, intelligence reporting requirements are often time-sensitive, and the time necessary to approve disclosure does not encourage analysts to seek that approval. This is linked both to extant processes and organizational culture, which are discussed later.

Department of Defense policy

For the DoD, policy for the release of intelligence to trusted allies and partners is even more complex and federated. Given that DoD intelligence agencies constitute nine of the eighteen US IC entities and over half the IC budget, this presents a significant challenge to enhancing intelligence sharing. The release of multi-source finished intelligence, such as that produced by the Defense Intelligence Agency (DIA), in which source material from national intelligence agencies is used, is subject to ICDs. However, where intelligence is derived exclusively from organic defense assets or is qualified as classified military information (CMI), DoD policy applies under National Disclosure Policy (NDP). NDP governs the disclosure of US classified military information to foreign governments and international organizations and is subordinate to the National Security Decision Memorandum (NSDM) 119, for which responsibility is jointly assigned to the secretaries of state and defense. NDP-1 implements this policy and is issued by the secretary of defense with the concurrence of the secretaries of state and energy and the director of national intelligence. Department of Defense Directives (DoDD) implement the NDP within the DoD. DoDD 5143.01 details the responsibilities and functions, relationships, and authorities of the under secretary of defense for intelligence and security (USD(I&S)) and was, importantly, revised in April 2020 to transfer authority for the development of DoD personnel security policy and guidance and the DoD Information Security Program. This matters since, as articulated by two of the interviewees, a key impediment to intelligence sharing within the DoD was that while USDI&S was responsible for DoD intelligence policy, USDP was responsible for how that intelligence was handled, leading to a degree of confusion and inconsistency. The April 2020 review appears to have partly resolved this issue by bringing security policy under the renamed USD(I&S), although some relevant issues, including information security and foreign disclosure, remain under USDP authority. DoDD 5240.01, DoD Intelligence Activities was revised in November 2020 to reflect these changes and provide policy guidance for intelligence sharing within the US Defense Intelligence and DoD components, as well as with other government agencies, the IC, and external partners. It is worded in the most definitive manner of all the policy guidance reviewed by the authors of this paper as follows:

4.5.2. The broadest possible sharing of intelligence with coalition and approved partner countries shall be accomplished unless otherwise precluded from release by law, explicit direction, or policy.

4.5.3. Original classifiers shall draft intelligence products with a presumption of release
and in such a manner as to allow the widest dissemination to allies, coalitions, and international organizations.

However, it still provides a get out clause by deferring to policy, although it is not explicit as to what that policy is. Furthermore, disclosure of Classified Military Information (CMI) to foreign governments and international organizations is covered through a separate directive, DoDD 5230.11, currently under the authority of USD(P). CMI is defined in the DoDD as “information originated by or for the Department of Defense or its Agencies . . . may be in oral, visual or material form.” It further subdivides CMI into eight categories, one of which is Category 8 – Military Intelligence, defined as “information of a military character pertaining to foreign nations. This category of information does not include national intelligence or sensitive compartmented information under the purview of the Director of Central Intelligence.” The fact that DoDD still references the DCI (replaced in 2005 by the DNI) demonstrates how dated the policy is.

The depth of policy analysis detailed above may have dissuaded the casual reader from reading any further, but it highlights a fundamental reason why intelligence sharing with trusted allies and partners is suboptimal. Only the most avid policy expert would be able to reconcile the various policy documents that apply to intelligence sharing and, even then, the degree of ambiguity leaves significant scope for interpretation. The busy analyst is therefore far more likely to opt for the safe option of defaulting to NOFORN, particularly within the processes and culture that exist within their working environment.

One of the more radical but potentially impactful proposals put forward by a distinguished former very senior IC leader was to eliminate the NOFORN caveat altogether for FVEY representatives embedded in each other’s intelligence footprint. This would be achieved by extending dual-citizenship privileges and obligations to those involved for the duration of their assignment, with an expectation that the other FVEY members introduce reciprocal arrangements.

Policy recommendations

Process

The challenge

Process⁵ is closely linked to policy, in that processes are adopted according to the understanding of the policies within which they operate. As detailed above, where policies are open to interpretation, processes are likely to be risk averse. Within the IC, the primary end state is generally associated with providing the best possible intelligence outputs to key decisionmakers in a timely and efficient manner. Timeliness is a key factor, but intelligence sharing is uneven across the community. The collection agencies are, understandably, highly protective of the material they produce, and are reluctant to lose control of their output. Multi-source intelligence producing agencies, such as the DIA, are heavily dependent on single-source collection agencies for their source material and therefore they must abide by each agency’s individual sharing protocols. This makes it difficult for them to write for release, as they invariably need to revert to the appropriate source agency for release authority. This requires time and resources, and is therefore extremely inefficient—by the time release authority is provided, or tearlines produced, it is often too late to be of use.

NOFORN to YESFORN

The default setting for most source material, particularly signals intelligence (SIGINT) and clandestine human intelligence (HUMINT), is NOFORN. As noted in the 9/11 Commission Report, “each intelligence agency has its own security practices. Current security requirements nurture over-classification and excessive compartmentation of information among agencies.” Anecdotal 2015–2018 evidence from DIA HQ indicated that most requests for downgrading single-source reporting to a releasable level were either approved or tearlines were provided, which suggests that the issues are, to an extent, more related to overprotection and process than genuine source protection. It should also be noted, however, that many of these requests were not actioned in time to be of use, further indicating a resource and prioritization issue.

Ironically, where allied inter-agency cooperation, coordination, and even integration is long established (such as between the FVEY SIGINT organizations), it is often easier to share within the same discipline of the partner nations than to share across agencies within the same nation. One of the reasons for this is the priority afforded by each of the agencies to ORCON (Originators Control), highlighted by one of the interviewees as a key impediment to intelligence sharing. For example, at DIA, permission to share or even discuss a US Central Intelligence Agency (CIA) HUMINT or US National Security Agency (NSA) SIGINT report within FVEY had to go to each agency to determine if they had already shared it with a FVEY partner. Sometimes they had not, and the process to secure permission for the future was often long and bureaucratic. Even when it had been previously shared, confirmation would still often take weeks. The tracking numbering system for reports is changed at each stage of the process and could be streamlined by standardizing the referencing system to at least provide a consistent awareness of what was being shared. To secure disclosure for display to intelligence services outside the FVEY consortium was even more arduous and time consuming.

A consistent theme during the interviews was Write for Release versus Collect for Release. As one interviewee noted, “collect for release is a good approach, but should start at the beginning of the process, in which collection requirements are produced at a releasable level. Coordinating the collection effort by engaging early with allies and partners will both determine what they already have and ensure economy of effort. Setting collection requirements at a Higher Classification should only occur for particularly sensitive collection capabilities and sources. Protecting your intelligence gaps from partners will not allow them to fill those gaps.” Establishing intelligence requirements and collection plans with trusted partners and then filtering source reporting to remove only the most sensitive material would negate the need for analytic organizations to retrospectively request downgrades, since material collected should already be at a releasable classification. This model has worked well at the operational level, for example in Afghanistan, where coalition partners declared organic collection assets and allowed them to be tasked against agreed priority information requirements. This approach would be more challenging for nationally controlled strategic assets whose capabilities are more sensitive, however.

The provision of single-source reporting at a releasable level by IC elements would clearly be fundamental to improved intelligence sharing. There will always be exceptions, dependent on the sensitivity and fragility of the source. In the counterterrorism (CT) role, for example, analysts often need more detail on the source to provide high value insights, but this should become the norm. Defaulting to a releasable level would likely be a highly unpopular proposition, but addressing the classification issue as close to the start of the collection process as possible would negate much of the bureaucracy involved in retrospectively downgrading source reporting, and the entire report writing process would be more efficient. Instead of having to write a report multiple times, depending on the audience, the analyst would only have to write one version. It would, however, place additional resource burden on the originating organization, which would have to invest more heavily in their own clearance procedures and foreign disclosure expertise. A more palatable alternative to putting the onus for downgrading source material on IC collection elements would be to develop a centralized clearinghouse under DNI to review material to maximize releasability. It would still need to be fully resourced, likely with IC element representatives, and would require the compliance and support of IC elements and the DoD, but would provide a single focal point to increase efficiency.

Foreign disclosure professionals

Within the DoD, a foreign disclosure officer (FDO) cadre is maintained both to enable release of single-source reports to allies and partners and to facilitate the release of multi-source reporting. Each of the other IC elements are believed to have professionals filling a similar role. Within the DoD, there is internal friction over the numbers and role of FDOs, as they are seen to take numbers otherwise dedicated to the analytical workforce. Consequently, analysts are often tasked with an FDO role as an additional duty, with minimal training and often with no real capacity to take on the duty, to the detriment of the process. There is inconsistency in how the foreign disclosure process is implemented and there is not sufficient critical mass and dedication to maintain a professional FDO workstream. This is an enduring issue and was identified in the Inspector general evaluation of intelligence sharing in Operation Inherent Resolve as a key finding; “The DoD Foreign Disclosure Officer Program lacks a tracking management system, professionalization structure and standardized training, which inhibits sharing information with OIR PN [Operation Inherent Resolve partner nations].” Since then, some progress has been made in improving FDO training and establishing a handful of additional dedicated FDO positions within the DoD, however progress has been piecemeal, under-resourced, and does not appear to have made a demonstrable impact. As one interviewee put it, “education about where the help lies is important, but people forget about FDOs. The process needs to be industrialized and standardized. It all depends on leadership priorities—if leadership puts the priority at the right level needed to invest (e.g., FDOs), then we have a chance.” Associated with this is the requirement to better articulate and delegate the authorities and responsibilities of the FDO, and therefore better empower them. For example, the RELIDO (Releasable by an Information Disclosure Officer) marking, widely used by the IC, has not been adopted by the DoD.

Perfection has to do with the end product, but excellence has to do with the process.”

Jerry Moran

The dependency on single-source IC element reporting and a dearth of foreign disclosure capability within the DoD combined significantly reduce the ability to share their products. This contrasts with the Australian Defence Intelligence Organisation (DIO) model, which, as agreed by all interviewees, demonstrates best practice and merits further investigation. Here, the default classification for every finished intelligence product is Releasable FVEY. Anything written for release at a higher classification level requires strong justification and very senior level sign-off.

The technology challenge

Advances in technology, such as AI and ML, are strongly considered by all stakeholders as potentially game changing for intelligence sharing, particularly given the huge amount of data now being collected. As one put it, “faster decision making will be needed, informed by voluminous data sets. Today’s way of doing business (manual FDO process, tear lines, and reviews) isn’t going to cut it when you have massive data lakes, advanced data processing, and AI/ML tools to help make sense of that data at machine speed.” It will become unrealistic to manually vet each piece of data, and confidence levels will need to shift from individual data-points (which could comprise billions of files at a time) to the process and the data source. The question as to where the foreign disclosure process fits within a machine-to-machine environment will need to be addressed, particularly with true AI where the algorithm self-learns. Therefore, while all those interviewed considered technology to be an opportunity rather than a threat, it was nevertheless recognized that it would be extremely challenging to apply AI techniques to the disclosure process and there was a long way to go before machine-to-machine interfacing algorithms would be sufficiently trusted and able to automate this process in toto. Lessons could be learned from commercial big data and social media platforms, however, many of which address similar challenges. Media companies, for example, were struggling to identify risks across their platforms and started to use AI to flag information that looks suspicious—highlighting areas for humans to triage. If trained correctly, ML is very good at pattern matching, although applying it to intelligence will require an incremental approach and be subject to trial and error in a controlled environment. The level of risk would need to be calibrated and probably not appropriate for highly sensitive compartments. All the interviewees believed that a bounded, small-scale test case would present the best initial approach, and one opined that the twenty- and fifty-year review cycles for releasability of classified IC documents may be an appropriate start point. Once this has been trialed successfully, it could be adopted for a low-risk subset of current intelligence, such as non-traditional issues like the arctic or climate change, which would have reduced risk and could potentially be widely shared. A higher visibility, more strategically relevant example, such as the exchange of information required to enable the Australia, United Kingdom, United States (AUKUS) security partnership, may attract more support and resources, but with greater risk. Ultimately, AI methodology will need to be applied throughout the community, from the strategic to theatre level time-sensitive intelligence challenges, such as the joint all-domain command and control (JAD C2) missile tracking case, where a networked approach to sharing near-real time information between platforms and allies will be useful.

Not embracing technology is a significant risk to intelligence sharing. As national information integration strategies drive the adoption of cloud computing and human-machine interfacing, associated mutual protocols and controls and accreditation must be developed in parallel to accommodate an ability to share systemically. Without this capability, intelligence sharing in any meaningful way may become impossible.

Information exchange mechanisms

There are pragmatic impediments to increased intelligence sharing, caused by myriad platforms and information technology (IT) systems maintained by nations and agencies that were developed in isolation and often deliberately configured not to communicate with each other. Within the UK, for example, there is a deliberate policy to air-gap defense intelligence from the Single Intelligence Account (UK intelligence agencies), which therefore limits the amount of source material able to be shared and disseminated. A similar arrangement exists in the United States, where each agency maintains its own system despite huge efforts to develop a single Desk Top Environment within the IC. The situation is compounded by the different accreditation processes and standards, for example between the United States and the United Kingdom, where national versions of STONEGHOST (the jointly sponsored FVEY Above Secret Defense IT system), are not fully aligned. As the US IC moves to a Public Key Infrastructure (PKI) approach, this may address the technical information exchange challenge, although the technology currently lags behind the intent and even searching for e-mail addresses online, live chat, and sending e-mails between partners is difficult. A shift to zero trust architectures should help. One positive regarding information exchange mechanisms is the recognition and acceptance, between the FVEY partners, of each other’s security clearance standards and practices. Even here though, existing process and bureaucracy impede the efficient passing of clearances to facilitate meetings and dialogue. Clearances have to be manually forwarded on a case-by-case basis well in advance of events and it is not unusual for delays to the process to prevent attendees from actually participating. Typically, clearance passing is required six weeks in advance, which often precludes short-notice meetings, for example in support of joint contingency planning. A regularly updated, common FVEY database in which all FVEY cleared personnel are maintained with their respective clearances would go a long way in addressing this issue. This may not be as simple as it sounds due to different standards adopted by individual agencies and would require dedicated resources to keep current by each FVEY partner, but it would likely be more efficient than the current individual push-pull process.

Open Source Intelligence

Leveraging insights and analyses derived from publicly available information (PAI) and commercially available information (CAI) was also considered a potentially valuable tool in facilitating intelligence sharing at the more classified level. The development of very high-quality commercial sensors, the explosion of data accessed through the Internet, and the ability to curate and filter that data has changed the intelligence landscape and while there will always be a need for highly classified government intelligence derived from exquisite sources, OSINT can often now facilitate information sharing without compromising sources and methods, as evidenced with the war in Ukraine. As the IC becomes more comfortable with and explores the benefits of OSINT and the relationship with open source providers matures, this trend is likely to continue and become increasingly important.

Process recommendations

People

The burden

As one interviewee described it, culture is “where the rubber hits the road” and is very personality driven, with differences arising, for instance, between people who are and are not risk averse. “While [people cannot be standardized], setting a tone from the top for risk acceptance is the key.” Another opined that, “culture needs to be fully encompassing; workplace and institutional culture are important, but they are woven into policies and processes, and we can’t delink the three.” There are very few within the IC who still do not philosophically believe in sharing intelligence outside of national boundaries. The greatest individual impediment, agreed by all those interviewed, is simply the additional burden on the analyst to go the extra mile, particularly as they tend to be extremely busy and working within tight deadlines. For this reason, middle level management often discourages writing for release and analysts feel disincentivized. An additional element is risk aversion, in which analysts are indoctrinated about the consequences of accidental breaches by security specialists. There is also an educational and training element, which does not adequately both underscore the mutual benefits of intelligence sharing and increase awareness of processes that must be followed and the help that is available, for example through empowered foreign disclosure experts.

The frozen middle level of management was often highlighted as a particular challenge when pursuing increased intelligence sharing. This was considered to be in part due to risk aversion and resource limitation, but there also exists an issue with education and training. As one of those interviewed opined, “we bring in senior leaders from industry and academia at the cutting edge of technology and we criticize the frozen middle, but what are we doing to help them? We are not sending them to Silicon Valley or out on op rotation or to foreign LO appointments. We should be offering these opportunities at the GG 14 & 15 level.”

Risk vs. reward

Taken together, these issues ensure a climate in which analysts often consider costs of intelligence sharing to outweigh benefits. What is in it for them? Culture takes a long time to evolve and can only be fully achieved through an alignment of policies, processes, education, and incentivization over a sustained period, and genuine buy-in from leadership at all levels.

Proper incentivization is particularly critical. But more work is needed to pinpoint how that can be achieved. As one interviewee observed, “the ‘atta boy’ for sharing comes nowhere near close to the hammer that comes if you mess up.”

This challenge was reflected in the 9/11 Commission Report and the risk aversion culture does not appear to have changed since its publication; “Each agency has its own security practices. Current security requirements nurture over classification and excessive compartmentation of information among agencies. Each agency’s incentive structure opposes sharing, with risks (criminal, civil, and internal administrative sanctions) but few rewards for sharing information.” While guidance and encouragement can come from the very top, behaviors will not be changed without mechanisms that protect individuals at the functional level. There is a huge difference between espionage and inadvertent disclosure and, for the latter, mitigation and punishment need to be regularized. It is currently a very much personality- and organization-driven approach. As argued by one of the interviewees, “leadership must be involved here. Someone has to assume the risk; it won’t work at an individual level without someone with the authority to protect the analyst. It is a personality-driven process right now.” An ability to quantify risk is an associated issue. Finished intelligence, by definition, has been through a rigorous editing and approval process, and the chances of a serious disclosure breach are minimal. Additionally, FVEY partners take their responsibilities to protect extremely seriously and even in the event of an inadvertent disclosure, damage is likely to be minimal.  

Reverse engineering

There is often a perception that the higher the classification marking, the better the report (or at least the greater credibility and attention it is afforded). Both authors have personally witnessed this, including deliberate re-classifications of releasable reporting to NOFORN in misguided attempts to increase credibility. In some cases, the opposite is true, in that allies and partners can fill intelligence gaps and provide unique context to a given problem set. To an extent, this issue relates to the interpretation of analytical tradecraft, which requires all relevant source material to be considered and referenced when compiling a report. This results in the overall classification of any report in which NOFORN material has even been considered, but not used, to default to NOFORN. Underpinning any intelligence sharing process is trust: trust in the data, analysis, and partner. A key enabler therefore is partners adopting common analytical standards and tradecraft. Using common terminology, definitions, and techniques ensures shared reporting can be trusted, and its value understood. While some progress has been made in this area within the FVEY, there has been a reluctance to completely adopt a fully integrated approach.

Culture makes people understand each other better. And if they understand each other better in their soul, it is easier to overcome the economic and political barriers. But first they have to understand that their neighbor is, in the end, just like them, with the same problems, the same questions.”

Paolo Coelho

Working together

The disproportionately positive value of routinely working in collaboration with allies and partners, either virtually or, even better, in the same workspace (embeds, liaisons, and exchange personnel), was highlighted by all those interviewed, each of whom had filled one or more of those roles in the past. Some IC elements were better than others at facilitating this collaboration and some over-interpreted the policy to the extent that even embeds were not afforded the access they needed to become fully integrated and included. The trend towards establishing FVEY centers within DoD organizations as a mechanism to encourage intelligence sharing is very much a double-edged sword. They demonstrate a positive and proactive intent by leaders, provide a helpful clearing house and information conduit, and perform an advisory role. However, as discrete entities often physically dislocated from the rest of the organization in which they sit, they can actually prevent the normalization of working with allies and inculcate an attitude among analysts of intelligence integration being conducted somewhere else. Familiarization, dedicated trust building, and fostering a sense that members are a valued part of a wider team where each partner has skin in the game and genuinely contributes, was considered a strong force multiplier, both at the strategic HQ and deployed levels.

Culture recommendations

Other considerations

Classified military information (CMI)

Although outside the direct scope of this study, the ability to share commercially sensitive information and CMI, between both defense and industry and business to business, suffers from similar policy challenges to intelligence sharing and has a significant impact on technological collaboration. At the leadership level, all are being encouraged to collaborate with emerging technological capabilities, but US export control policy, as it stands, is incompatible and restrictive. The issue is similar to that of intelligence sharing as a dispersed inter-agency issue. The State Department has responsibility for International Traffic in Arms Regulations (ITAR) policy, the Commerce Department has export relations, and ODNI and IC elements review all requests to share tech and data with allies. CMI policy constraints have further implications for defense planning, exercising, war-gaming, and capability development.

Counterintelligence

Finally, any consideration for increased intelligence sharing must be accompanied by a comprehensive and integrated counterintelligence (CI) strategy. Related to issues of trust and risk management, one of the most widely expressed concerns of US intelligence officials associated with the issue of intelligence sharing beyond the FVEY was the ability of partners to protect intelligence being shared. In order to proceed with a more robust intelligence sharing regime, it must be demonstrated that both provider and receiver of shared intelligence are committed to implementing sound counterintelligence and security measures to ensure shared intelligence does not come into the possession of adversaries. This will require increased focus on CI and security training and education, certification protocols, and constant monitoring, particularly as it pertains to the establishment of new intelligence partnerships.

Conclusion

Impediments to sharing intelligence between trusted allies and partners have both political and practical implications well beyond the confines of the IC. They prevent a common understanding of global, regional, and national security risks; impede strategic and operational planning between the United States and its allies; impact crisis response; and impede both force and capability development and technology and industrial collaboration. They also undermine trust. Existing policies and processes related to intelligence sharing are inadequate, engender a highly risk averse attitude, and are often ultimately unable to address time-sensitive or dynamic issues. Simply put, NOFORN, as the default classification of the US IC, is no longer a viable policy and practice to address the fast-moving and complex global security challenges which require greater collaboration between the United States and its allies and partners to solve. While there has been laudable effort conducted at local levels to optimize intelligence exchange, progress has been largely piecemeal and is approaching the limits of what can be interpreted within the existing framework. As national information management and integration strategies embrace and adopt transformative technologies, including cloud computing, AI/ML, machine-to-machine interfacing, and eventually quantum computing in order to cope with the huge amounts of data now available, the current, heavily human-centric way of sharing intelligence will become obsolete and may even actively prevent the ability to share information in the future.

The paper identifies many of the systemic constraints present in intelligence sharing and identifies several solutions—some of which will be culturally and institutionally unpalatable, but without which real progress will be unachievable. Many of these constraints were identified in the 9/11 Commission Report, which, while heavily focused on internal intelligence sharing, also reflected many challenges of broader intelligence sharing. Senior stakeholders engaged in the development of the paper revealed that several of the impediments identified in that report remain valid today.

Real progress is dependent on two critical factors. The first factor is the need for sufficient political will and high-level direction to address the issue in an institutional manner, affording it the priority and resources needed. Intelligence sharing is often seen as an IC-exclusive issue, but, as described above, has much wider implications and is often a critical enabler for work on strategically important issues. Successful execution of the AUKUS security partnership, for example, will be highly dependent on an ability to share sensitive information, which is currently proving extremely challenging. Without direction from the highest level and authority to act vested in a single individual or organization, the incentive for change will remain limited. As queried in the 9/11 Commission Report, “who is the Quarterback”? In a highly federated model such as the US IC, buy-in and leadership from the IC elements will be essential to a collaborative approach. But this collaboration must adopt a position of forward-thinking ambitious intent that avoids doing the bare minimum. The second factor is the need to address the issue in a holistic manner, which encompasses policy, process, and mindset, within both the IC and DoD. It is not enough to review individual ICDs or DoDDs in isolation, and cross-departmental cooperation and coherence is essential. In an environment in which changing policy is often seen as an anathema, the importance of the key roles of cultural evolution and dedicated resources in adopting this approach should not be underestimated.

Lastly, while this paper focused almost exclusively on what needs to be done within the US intelligence establishment, US allies and partners have a similar role to play in optimizing intelligence sharing. They need to reciprocate with their own resources, as well as cohere and adapt their own information management capabilities and mechanisms to accommodate the new model of information exchange, earning the enduring trust of the United States by demonstrating a rigorous process to protect US-derived intelligence in an appropriate manner. In taking a proactive approach to intelligence sharing, the genuine concerns of inadvertent disclosure must be addressed, and the proper protection of critical national capabilities, methods, and sources must be afforded the attention they merit.

Acknowledgements

This publication was produced in part with support from the United Kingdom under the auspices of a project focused on rethinking alliances for the 21st century. The views expressed within are those of the authors and do not represent the official positions of His Majesty’s Government or the Atlantic Council.

About the authors

AVM Sean Corbett, CB MBE is the CEO of InSight Global and is retired from a 30-year career as a professional intelligence officer with the UK Royal Air Force.

James Danoy is a nonresident senior fellow with the Atlantic Council’s Scowcroft Center for Strategy and Security and a former US defense intelligence executive with the Defense Intelligence Agency.

This issue brief is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The authors are solely responsible for its analysis and recommendations. The Atlantic Council and its donors do not determine, nor do they necessarily endorse or advocate for, any of this issue brief’s conclusions.

_{Icon acknowledgements: Policy icon made by Kiranshastry from www.flaticon.com; Process icon made by Freepik from www.flaticon.com; People icon made by photo3idea_studio from www.flaticon.com.}

The post Beyond NOFORN: Solutions for increased intelligence sharing among allies appeared first on Atlantic Council.

Online Event Wed, October 19, 2022 • 10:00 am ET

How will the US Navy navigate an uncertain security environment? A conversation with ADM Mike Gilday

US Chief of Naval Operations Admiral Mike Gilday discusses how the Navy will build, maintain, train, and equip a dominant naval force as a part of Forward Defense’s Commanders Series.

China Defense Industry Defense Policy Defense Technologies

Online Event Thu, October 6, 2022 • 1:00 pm ET

How can we deter China in the 2020s? A conversation with Michèle Flournoy

Michèle Flournoy discusses how the United States can maintain a credible deterrent against China in the next decade and beyond as part of the Council’s Forward Defense Forum.

China Conflict Defense Industry Defense Policy

Public Event Tue, October 4, 2022 • 10:00 am ET

Intelligence community and intelligence committee reform

Ranking Member Michael Turner of the House Intelligence Committee moderates an event on intelligence reform with a distinguished panel of experts and former officials.

China Defense Policy Intelligence National Security

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Learn more

The post AC Selects: China’s 20th Party Congress, the Indo-Pacific theatre & the intelligence community appeared first on Atlantic Council.