Abstract: This paper will demonstrate how the dependence on cyberspace and bad actors' ability to use it to magnify the cumulative effects of certain activities can result in a hybrid effect. The aforementioned phenomenon has the capability to further evolve into a security threat. In particular, the links between cyberspace’s characteristics and the emergence of a hybrid threat consequential enough to constitute of a new type of threat will be assessed. Such an event would additionally complicate the ever advancing security environment.
Comparatively, the similarities as well as the differences between cyber and hybrid threats will be highlighted. One of the main conclusions is that cyber threats are essentially a fragment of hybrid ones. Further along, it will be evidenced that the threats in discussion are best tackled by elaborating and implementing a fully societal/state approach to enhance national security. Finally, by reducing its constituents into simple, non-technical concepts and definitions, this article attempts to clarify the hybrid/cyber threat discussion.
Bottom-line-up-front: The ubiquitous nature of and access to cyberspace is a force multiplier for activities that might, on their own and when viewed discreetly, seem less consequential.
Problem statement: The following questions will be explored in this paper:
How can cyber threats as an element of hybrid attacks and warfare be tackled from a government perspective?
How are cyber and hybrid threats interlinked?
What are the similarities and differences between the two types threats?
The development of a fully societal/state approach
The creation and maintenance of digital resilience
International cooperation as a means to counter threat
The Cyber Dimension plays a special and very specific role as a domain. Everything significant that happens in the real world, including every political and military conflict, will also take place in cyberspace (and has already!). For national security planners, this comprises cybercrime, propaganda, espionage, influencing, terrorism, and even warfare itself. The nature of national security threats has not changed, but cyberspace has provided a new delivery mechanism that can increase the speed, diffusion, and power of an attack - all of which can be done anonymously. Cyberspace’s ubiquitous and unpredictable characteristics mean that the battles fought in cyberspace can be just as important – if not more so – than events taking place on the ground.
For national security planners, this comprises cybercrime, propaganda, espionage, influencing, terrorism, and even warfare itself. The nature of national security threats has not changed, but cyberspace has provided a new delivery mechanism that can increase the speed, diffusion, and power of an attack - all of which can be done anonymously.
Since 2016, NATO and the European Union (EU) have identified countering hybrid threats as a priority for cooperation. The most tangible effects were the establishment of a Hybrid Fusion Cell (HFC) as part of the EU Intelligence and Situation Centre, a Hybrid Analysis Branch (HAB) as part of the NATO and a European Centre of Excellence (CoE) for Countering Hybrid Threats in Helsinki, the only existing EU AND NATO entity.
The combination of Cyber Power and hybrid threats represents an explosive blend of factors that has enabled adversaries to leverage their relatively meagre resources. For Western strategists and decision-makers, that means that the apparently and traditionally weaker adversaries’ part of the adversarial equation has now evolved additional advantages and opportunities through the hybridisation of modern warfare. For several years, the term "hybrid threats" has been increasingly used to explain the nature of threats, including the nature of war. However, the ballooning use of the term also calls into question the meaningfulness of its characterization of the threats we face. Such vagueness is most clearly expressed when the scientific debate speaks of hybrid threats and refers to cyberattacks—attacks which are only one component of a broad spectrum understanding of “hybrid.”
For Western strategists and decision-makers, that means that the apparently and traditionally weaker adversaries’ part of the adversarial equation has now evolved additional advantages and opportunities through the hybridisation of modern warfare.
It is vital to clarify these semantic ambiguities at the strategic level in the event of threats from cyberspace or hybrid threats. Fortunately, there are relatively exact characteristics that differentiate hybrid- from cyber threats.
The threat in general
Cyber threats refer to those activities in cyberspace that have hostile intent or have criminal or destructive consequences. The nature of cyber threats derives from the unique characteristics of cyberspace. Unlike other global domains, cyberspace is the product of deliberate human action. It consists of various hardware and software components that have been woven together in a global network. Cyberspace is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP) to serve billions of users worldwide. As such, the cyberspace can change rather rapidly, whereas conditions in the maritime environment, airspace, and space are relatively constant. Nowadays, the cyberspace's seamless functioning has become the most critical prerequisite for operations in all global commons. Cyberspace is both a key enabler for actions in other domains and a domain of its own.
Cyberspace is both a key enabler for actions in other domains.
Additionally, cyberspace is hybrid in nature. It is neither owned nor operated exclusively by public or private actors. Because cyberspace is the glue that binds together individuals, states, and companies, everyone has a stake in securing it. Therefore, advancing cybersecurity requires close public-private and civil-military interaction on a whole of government approach (WoGA), because inadequate cybersecurity governance risks ripping away the modern societal benefits of access to the global commons.
Cyber represents both a domain and a tool that has shown both its usefulness and cost-efficiency for many different actors. It represents a domain and a critical infrastructure. Further, it is a tool that can be weaponised to cause damage.
Cyber operations allow an adversary to seek a broad spectrum of actions. These range from small-scale espionage operations to system observation, to larger-scale destruction of physical elements to take control over the C4-system (Command, Control, Communication, and Computers) of the attacked armed forces/society/state.
The Cyber threat toolkit:
The differentiation between the varying fields is smooth because all cyber-attacks tools can be used in all fields, - the distinctive rough features are motivation, goal, available resources, and capabilities, - the common attribute is concealed deniability.
Cybercrime – Crimes occurring in the digital space such as identity theft/fraud and ransomware. In essence, this consists of cyber-attacks against individuals or the private or public sector for financial gain.
In May 2017 thousands of companies worldwide were blackmailed. The ransomware called WannaDecrypt0r 2.0 encrypted the data on the attacked computers and made them and the network unusable. The user/company had to pay € 275 ($ 300) in the internet currency Bitcoin within two days. If no payment was made after seven days, the data would be forever encrypted and unusable. The blackmail letter was written in 28 languages – and infections occurred in 152 countries.
In September and October 2018, the airlines British Airways and Cathay Pacific, as well as the hotel group Mariott Intl., confessed to large-scale data leakage. Personal data, including bank and credit card details, were stolen from around 10 million customers.
Cyberespionage: Operations conducted for information gathering. Targets can include government departments or private sector industries.
In 2010, a hacker stole US Stealth technology (secret data about the US fighter aircraft F-35). A derivative of this fighter aircraft was later “developed” in China, called the Shenyang J-21.
At the end of 2014, the data of 500 million users was stolen from YAHOO.
Many skilled hackers and spies are working to steal research in the crash effort to develop vaccines and treatments for the coronavirus. Cyber-spies are hunting COVID-19 research.
Cyber disinformation/(black) propaganda/fake news: False information imitating “real” news in order to discredit, vilify, embarrass, or misrepresent a target. Fake news on social media is not just a post that has been liked, shared, or followed; instead, it is a powerful multiplying cyber propaganda technique.
During the 1999 war over Kosovo, non-state hacker groups tried to disrupt NATO operations through cyber-attacks, and claimed victories, including denying service to NATO's Balkans-focused website.
In January 2016, a Russian disinformation campaign created the story of “Lisa,” an imagined 13-year-old Russian-German girl who was said to have been captured and raped by migrants in Berlin.
In May of 2016, Russian “trolls” organised both pro- and anti-Muslim protests in Houston/USA concerning the construction of a mosque. A group that called itself the "Heart of Texas (Trolls of St. Petersburg)" had organised the anti-mosque protest on social media — a protest, they said, against the "Islamisation" of Texas.
During COVID-19: From rumors of a five-week incubation period, to an alleged lack of qualified doctors in Europe, to accusations of biological warfare against China, falsehoods about the coronavirus abound. The misinformation has been so widespread that the public has called on internet and media companies to do more to put a stop to it.
Terrorist use of the internet: Cyber-terrorism is a particular form of terrorism that attacks computer systems by Internet technologies to conduct violent acts to achieve political or ideological goals through threat or intimidation.
On August 14, 2003, a power failure in the US and Canada caused public transport to break down. In addition, the water supply and all telephony including fixed-line and mobile failed.. The attack affected about 50 million people in New York, Detroit, Ottawa, and Toronto. 21 power plants were closed because this so-called “Blaster-worm” attack infected Supervisory Control and Data Acquisition (SCADA) Systems. The term SCADA systems describes the computer system or software for monitoring and controlling technical processes. SCADA is based on COM/DCOM for Windows.
On April 27, 2007, attackers attempted to punish Estonia for its decision to remove a WW II Soviet War Memorial from the centre of Tallinn. Russian-generated IT attacks virtually and literally “crashed” Estonia's internet infrastructure for over three days, including the Estonian parliament, banks, ministries and broadcasters. The attacks were mainly denial-of-service attacks using the botnet and virtually paralysing the entire country.
In June 2010, the “Stuxnet worm” was the most sophisticated piece of malware the public had seen to date. It targeted computer systems used to manage major industrial installations such as power grids. It spread by a complex, multi-vector approach that suggested government sponsorship.
In June 2020, the data of the private company Easy Jet was stolen, including the credit card details and other data of approximately 9 million flight guests. The attack was eventually linked to a terror group in the Middle East.
Cyberwarfare: These are military operations by state or non-state actors conducted in cyberspace. This includes attacks on critical infrastructure carried out to achieve political/military aims and/or cyber operations during a conventional war. In Cyber-Space, the attributability of offensive actions can be more easily obscured. Strategic objectives can be achieved with relatively little effort:
In 2007, Syrian air defence was reportedly disabled by a cyber-attack before the Israeli air force destroyed an alleged Syrian nuclear reactor.
The 2008 war between Russia and Georgia was widely perceived to demonstrate a now-established, close connection between cyber and conventional military operations.
In 2011, the global hacker-collective “Anonymous” announced that they were campaigning against the Islamic State (IS). After the terrorist attacks on November 13, 2015, in Paris, the declaration of war was reaffirmed. Since then, Anonymous has become increasingly committed to cyber-attacks on social media accounts and IS-related websites. For example, user accounts on Facebook and Twitter have been hacked, disabled, or taken over by Anonymous. Another battle line ran between Anonymous and the Syrian hacker organisation “Syrian Electronic Army” (SEA). According to their own statements, the attacks of the SEA are mainly directed against news portals such as Al Jazeera or the BBC, which are accused of a "bloody propaganda campaign" against Syria. In addition, the US has succeeded in attacking Syria-related IS networks. In particular, these attacks were tasked with disrupting the communication between IS fighters, leading to changes in the operations and strategy of the terrorists. These modified strategies were easier to intercept and capture. In principle, all actors used all tools of cyber warfare to achieve their goals.
Since Russia annexed Crimea in 2014, Moscow has used Ukraine as a laboratory for hybrid threats using its increasingly belligerent cyber-army and trolls, attacking the country's critical infrastructure and causing losses of billions of dollars. Cyber-attacks were used against the critical infrastructure to intimidate the population and undermine trust in the government and the political system. Electronic weapons systems were also hacked.
SolarWinds-Attacks: The US intelligence community stated on January 5, 2021 that Russia is likely behind a major series of cyber hacks on federal agencies and private companies. The statement by the FBI, NSA, CISA (Cybersecurity and Infrastructure Safety Agency) and ODNI (Office of the Director of National Intelligence) is the first official indication of blame for cyberattacks that were first publicly identified in December but are believed to have started in, at least, March 2020.
Dr. Josef Schröfl, Colonel, Austrian Army, is the Deputy Director CoI Strategy and Defence at the Hybrid Center of Excellence in Helsinki, Finland. His main areas of interest in research are cyber security and cyber defense. Equally, he previously headed the Austrian Cyber Security Strategy working group. It goes without saying that the views contained in this article are the author’s alone and do not aim represent those of the Austrian Ministry of Defense or the Austrian Armed Forces.
 The term ‘cyber’ is used in a wider sense, referring to the use of the internet and computer technologies for operations in the so-called fifth domain. NATO recognized in July 2016, that cyberspace is as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea (even also space); ‘cyber operations’, ‘cyber war’ and ‘cyber-attacks’ are examples of such operations, depending on their intensity. For a classification of ‘cyber conflicts’, see Michael Schmitt, “Classification of cyber conflict,” Journal of Conflict & Security Law 17/2 (2012): 245–260.
 See also Kenneth Geers, “Demystifying Cyber Warfare,” in Hybrid and Cyber War as consequence of asymmetry, ed. Josef Schröfl, https://www.peterlang.com/search?f_0=author&q_0=Bahram+M.+Rajaee" and Dieter Muhr (Wien: Peter Lang, 2011), 119.
 Answer given by Ms Bieńkowska on behalf of the Commission concerning a parliamentary question in European parliament on Jan. 12, 2018: “The EU supports the Steering Board of the Centre of Excellence for Countering Hybrid Threats and is assessing ways and looking for projects to which it can provide concrete support.
The EU Hybrid Fusion Cell has an ongoing staff-to-staff cooperation (1) with both the Centre of Excellence and the North Atlantic Treaty Organisation (NATO) Hybrid Analysis Branch, including sharing information and lessons learnt. The Cell played a key role in the recent EU-NATO Parallel and Coordinated Exercise (EU PACE 17).
Countering hybrid threats is one of the 7 areas of cooperation under the EU-NATO Joint Declaration. The June 2017 progress report on implementation of the common set of proposals (3) includes the following specific actions: cooperation within the European Centre of Excellence for Countering Hybrid Threats, interaction between the Hybrid Fusion Cell and the Hybrid Analysis Branch, collaboration between strategic communications teams, testing coordinated response to a hybrid scenario (4), cross-briefings and workshops on resilience (5) and NATO participation in the European Defence Agency (EDA) Steering Board. Staff-to-staff cooperation on bolstering resilience is ongoing as well.”
 Greg Rattrey, Chris Evans, and Jason Healey, “American Security in the Cyber Commons,” in Contested Commons, ed. Abraham Denmark and James Mulvenon, (Washington D.C.: CNAS, 2010), 143.
 For this reason, within the US armed forces it is also a "Functional Combatant Command". Contrary to the Geographical Combatant Commands (CENTCOM, AFRICOM etc.), CYBERCOM and STRATCOM are active in a "functional space" and are supporting the Geo Combatant Commands in all phases in their domains.
 Heiko Borchert, “Securing the Cyberspace - Building Blocks for a Public-Private Cooperation Agenda,” in Hybrid and Cyber War as consequence of asymmetry, ed. Josef Schröfl, Bahram M. Rajaee and Dieter Muhr (Wien: Peter Lang, 2011), 155.
 Rough classification according to INCYDER (periodical of the CCDCoE/Tallinn), 2/2016
 “Definition,” accessed January 21, 2021, https://www.slideshare.net/RobSentseBc/cyber-probing-2010
 “Definition,” accessed January 21, 2021, https://www.slideshare.net/RobSentseBc/cyber-probing-2010.
 Explanation by Sascha-Dominik Bachmann “Hybrid threats, cyber warfare and NATO´s comprehensive approach for countering 21st century threats,” mapping the new frontier of global risk and security management.
 “Description,” accessed January 21, 2021, https://www.slideshare.net/RobSentseBc/cyber-probing-2010.
 “Description,” accessed January 21, 2021, https://www.vice.com/en_us/article/bjqe8m/inside-the-massive-cyber-war-between-russia-and-ukraine.
 “Description,” accessed January 21, 2021, https://www.securityweek.com/continuous-updates-everything-you-need-know-about-solarwinds-attack.
Figure 1: A closer look on the complexity of the threat: What this chart visualizes is the growing interrelationship between complexity of attacks, increasing degree of crosslinking paired with a decreasing understanding of system architecture. Together with the production of malware on an industrial scale its visible that by the time (horizontal axis) the danger is always rising and - what makes this even worse - all of these tools can be used not only for criminal purposes – mostly for financial enrichment – but also in a concerted and coordinated manner in a cyber war, as they are not different in peacetime or wartime. That chart was developed as part of a KIRAS-project together from AIT (Austrian Institute for Technology) and AUT MoD. Thank you AIT and AUT MoD!