Executive Summary
NATO defines manoeuvre as ‘Employment of forces on the battlefield through movement in combination with fire, or fire potential, to achieve a position of advantage in respect to the enemy to accomplish the mission’. But how does this definition apply to a nascent cyberspace domain? The objective of this paper is to help warfighters better understand cyberspace operations and explore what might constitute Freedom of Manoeuvre (FoM) in cyberspace. NATO has no doctrinal definitions for FoM in cyberspace. Therefore, this paper proposes that manoeuvre in cyberspace can be interpreted as the methods and processes employed to attack and defend systems and information resources to give one actor a competitive advantage over another.
To achieve its objective, this paper introduces the reader to cybersecurity and cyber defence fundamentals. To prevail in cyberspace, three components must be preserved: The confidentiality of the data, the integrity of data and systems, and the availability of data and systems. This is commonly referred to as the CIA Triad. In order to preserve the CIA triad, we must maintain cyberspace Situational Awareness (SA) to understand the space we operate in, including the infrastructure and the data within it. Next, we must develop adequate risk management models to identify and mitigate threats and vulnerabilities. Finally, we need a defensive cyberspace operation mechanism capable of dealing with breaches whenever the mitigation measures are overcome.
Cyberspace permeates our everyday lives. It was introduced to automate and expedite repetitive tasks and help humans deal with increasingly complicated problems. OODA loops are particularly well suited to allow automation of repetitive tasks that do not require human judgment; whomever can iterate through their descision processes the fastest gains a decisive advantage on any competitive endeavour, including warfare. Therefore, the system of systems that are OODA loops were early adopters of cyberspace technologies and continue to push the boundaries of the possible by adopting Emerging and Disruptive Technologies (EDTs) to automate tasks once considered unsuitable for computers. Adoption of computers and EDTs brings a suite of challenges including the risks of failing to fully secure and defend them, in accordance with the cybersecurity fundamentals discussed earlier. Russian’s quick deployment of a new cryptophone shortly prior to the start of the Ukrainian invasion and it’s almost instantaneous failure at the war’s onset is such an example. While EDTs should not be considered a cure-all, it does provide us with new opportunities and threats. Therefore, chapter 5 is dedicated to EDTs and will cover the impact on FoM in cyberspace brought about by EDTs such as 5G, Artificial Intelligence (AI), and Quantum Computing (QC).
With a basic appreciation of cybersecurity fundamentals and how OODA loops are enhanced through the effective use of cyberspace, it becomes possible to tease out the unique characteristics of cyberspace. Speed and operational reach can very quickly deliver effects against a great number of geographically separated targets. Rapid concentration and distribution becomes possible through automation to overwhelm a single target through fires coming in from innumerable points of origins across the world. Dynamic evolution plays a disproportionate role in evolving and transforming cyberspace at a rate never experienced by mankind before. Finally stealth and associated difficulties in attribution significantly complicates established international laws and norms regarding the proportionality and scope of a response.
Another key element to any manoeuvre is the identification of terrain, particularly key terrain. Because of the unique characteristics of cyberspace listed previously, it is often hard to identify relevant key terrain at any one time. However, there is one constant that transcends all recorded failures to defend in cyberspace: All attackers managed to circumvent or overcome authorization and authentication measures, making these the highest of high grounds regardless of the circumstances. It is also the reason why the cybersecurity industry as a whole is moving toward a ‘zero trust’ model where authorization and authentication takes centre stage.
The zero trust model is especially applicable to NATO as the organization is taking a data-centric approach to multi-domain operations where data sharing, data exchange, data appreciation, and data exploitation become the nexus to enable fully synchronized cross-domain and cross-nation military operations in the ultimate instantiation of the OODA loop. This vision for MDO will only be achievable if FoM in cyberspace can be preserved while being denied to our adversaries.
Finally, as we increasingly rely on technologies to enhance military capabilities, soldiers will be increasingly reliant on equipment and weapons platforms that depend on cyberspace to fulfil its function. Therefore, they will no longer simply be frontline fighters in their respective domain (air, land, sea, space); these conventional physical assets simultaneously occupy the frontline of cyberspace and their operators may be the first to observe attacks directed at them (or their equipment) through cyberspace. Therefore, military personnel of all branches will need to be adequately trained to deal with threats and attacks emanating from cyberspace and strongly supported by organic cyberspace capabilities such as incident response and hunt teams intended to blunt any such attacks. The concept of cyber FoM provides the lexicon and framework to make this vision a reality.
