By Andreas Haggman
It is not every day your thesis topic makes front-pages headlines, so when the Sunday Times leader on 7 October 2018 read ‘UK war-games cyber attack on Moscow’, I naturally took notice.
In short, the article states that the UK has ‘war-gamed’ (more on vocabulary later) using cyber capabilities to turn out the lights in Moscow in retaliation for offensive Russian activity elsewhere, such as capturing islands off the coast of Estonia or sinking Britain’s aircraft carrier. Quoting ‘senior security sources’, the article asserts that Britain has a capability gap wherein offensive cyber capabilities offer the only response short of deploying nuclear weapons. The majority of the article is then devoted to exercise Saif Sareea 3, involving 5,550 British personnel, 200 armoured vehicles, and six naval ships in Oman. The exercise is designed to test British ability to fight ‘peer-plus’ adversaries, of which Russia is one, including combating Russian hybrid warfare tactics.
Having recently submitted my thesis on cyber wargaming, I feel it prudent to offer a few reactive comments on the piece.
Firstly, I wonder whether the story deserved such sensationalist coverage (three columns on the front page plus the entirety of page seven). The military, security and intelligence services, emergency response agencies, and senior political leaders regularly wargame and exercise a whole range of possible scenarios, including cyber attacks. That such games include offensive cyber capabilities should not surprise anyone who follows this topic, and that offensive capabilities target Moscow should not even surprise lay readers who have been following the news: the current geopolitical climate places Russia firmly at the top of the UK’s state-based threats. What, therefore, is different about the current wargames? There is nothing in the article to suggest that these wargames are out of the ordinary for military planners. It might be argued that the headline forms a part of UK Government’s public rhetoric against Russia, but given that Russia already knows that it is the target of UK wargames, this seems an unnecessary step (unless the Sunday Timeshas a particularly large Moscow readership).
Secondly, without commenting on the character of the UK’s capability gap, I want to stress that using cyber and nuclear rhetoric in the same breath is misplaced. The thinking which has underpinned nuclear doctrine since the 1960s does not readily translate to cyber strategy. Where strategic nuclear weapons were built around assumptions of mutually assured destruction, cyber capabilities are ideally more surgical and specifically targeted. I say ideally because examples like WannaCry and NotPetya have demonstrated how cyber attacks can cause indiscriminate damage across wide geographical areas, though this damage is likely to have been an unintended consequence. Nonetheless, to publicly state, as the senior UK officials in the article do, that nuclear is the next step up from cyber, with no intermediaries, is unnecessarily escalatory and does not consider the full DIME (diplomatic, information, military, economic) spectrum of responses.
Thirdly, traditional military exercises, such as Saif Sareea 3, do not simulate hybrid warfare. The article correctly characterises Russia’s hybrid warfare as including ‘cyber-attacks, fake news and “little green men”’, yet an exercise based around mobile armoured warfare and amphibious landings does nothing to tackle these problems. A large part of the hybrid warfare approach is to target the civilian populace by sowing discontent, causing confusion, and undermining trust. Driving some tanks around a 155-mile strip of desert in the Middle East is not going to test the resilience of the UK population in withstanding Russian influence operations.
Finally, let me make a few remarks on the vocabulary in the article. The term “wargames” is contentious and comes in several flavours, including the joined version (preferred by me), hyphenated “war-games” (as used in the article), and spaced “war games” (preferred by many in the military). There is often a reluctance by military professionals to use the joined “wargames” because of its frivolous connotations. By joining the serious “war” with the unserious “games”, some see the serious matter being trivialised. This, I would argue, is nonsense because games can be used for entirely serious purposes. Indeed, we should recall that the Prussians who firsts pioneered modern wargaming did so for military training, and in the original German, “Kriegsspiel”was a joined word. Furthermore, some professionals may be reticent about being associated with hobby wargaming (which most often uses the joined version). However, to ignore the contributions of hobby gaming to the professional sphere would be unjust, with the former often providing innovations, sometimes even entire games, that have been adopted for professional use. The article’s use of the hyphenated “war-games” seemingly attempts to straddle the fence between the other two, yet somehow manages to satisfy neither.
And that sentiment sort of summarises the whole article for me. Aside from inviting debate about the UK’s capability gap (which I have purposefully avoided here), there is little in the article that is surprising or ground breaking. Nevertheless, I am pleased to see my thesis topic gain mainstream coverage, because cyber security is important and wargames can be a useful tool for tackling the problem.
Andreas Haggman is a recently submitted PhD researcher in the Centre for Doctoral Training in Cyber Security at Royal Holloway. He is now the Emerging Risks Research Analyst at Willis Towers Watson. You can follow him on Twitter at: Follow @Andreas_Haggman