Competition and Conflict in the Grey Zone

Government Insights
The ever-changing demands of competing and winning in the grey zone require situational awareness, adaptability and collaboration.
The grey zone, that conceptual area between conflict and peace, has increasingly entered the public discourse in recent years.
 
It reflects the fact that while countries may not be at war in the traditional kinetic sense, they most certainly are not at peace. Of course, it’s not new that nation states are continually competing internationally in business, politics and economics. But what is different is that confrontation is occurring in a more targeted and stealthy way than had previously been known.
 
 

Engaging in cyberspace


We’ve long been aware of state-based cyber-attacks and organised cybercrime. We’ve long been aware of propaganda. We’ve perhaps more recently seen misinformation operations and manipulation of sentiment via the internet. It is now recognised that these tactics are often part of a broader strategy pursued by our adversaries. We’ve also now inferred the intent behind this strategy: to disable and weaken, without escalating into physical military conflict.
 
This brings into focus issues of sub-threshold conflict and escalation. Another characteristic of the grey zone is the inherent uncertainty and deniability of operations in cyberspace – the ability to remain covert, difficulties in attribution, false flags, and deception often mean the absence of a smoking gun. Escalation, therefore, becomes a challenge – balancing the risk of starting to escalate too early with the risk of recognising too late the early stages of conflict.

In the same way as we might hold back from attributing a cyber-attack to preserve an economic or a diplomatic relationship, being explicit about escalation also draws our red lines for our opponents – something we may or may not want to do, depending on whether we are trying to stage global norms or hold our cards close.
 
There’s a lot to consider, but as difficult as it is to establish global norms in cyberspace, an occasional strong stance helps us move towards establishing some rules of the road. For example, a number of hospitals battling COVID-19 and companies pursuing vaccines were attacked with ransomware in 2020, and several national cyber agencies [1][2][3][4] have taken a vocal and assertive stance in response.
 
So I think there is now greater commitment to compete more effectively (and win) below the threshold as well as above it.
 
 

Whole of society response


In thinking through how government, industry and society can be best organised for this challenge, a City Forum discussion series on the topic touched on the concept of Total War – which is when all of government’s resources and the whole population need to contribute to the war effort.
 
Well, there are similarities with conflict and competition in the grey zone, if not so drastic. We don’t want private enterprises to divert their entire business operations and we don’t want all civilians to change their entire lifestyles – indeed this would all be accepting our adversaries’ terms of engagement. However, we do need to co-opt the public into adapting themselves and playing their part.
 
A better parallel is the idea that all civilian resources and assets are legitimate targets, which our adversaries consider to be the case in cyberspace. People and society are the new front line in this conflict zone, as we see in election interference, in referendums and in radicalisation. The first step to getting individuals to protect themselves, and as a result become less vulnerable, is simply making them aware of what’s actually happening.
 
The good news is this should be achievable. Some parts of the media have actually been quite helpful in articulating some of the challenges which are relevant to the grey zone – an informed population is also one that’s going to be more resilient. Part of building resilience should be a bold and open position on what we’re facing and what we’re doing and this should be a public discussion.
 
 

The role of industry


In the UK and across the globe there is increasingly an acceptance that industry should share the burdens associated with national cyber defence – and safeguarding the internet. This reflects not only the breadth of engagement in the grey zone but also the fact that the skills and technologies to counter the threat effectively are too broad and deep for government or military to maintain in-house.
 
Of course, industry isn’t one homogenous entity. The need for a rainbow of skills draws in small and medium enterprises, as well as the niche specialisms of new tech start-ups. So while government needs industry and industry is ready to help, diversity is critical. We have to work together to deal with different clearances, facilities and domain knowledge, and there are likely to be different degrees of trust, which requires a clear and decisive position on taking risk and security. These things take time and effort but they can be achieved. This is the long game.

It is well understood that there is more to cyber power than technology - it’s a socio-technical challenge and relies on lots of non-technical skills – but we need to make sure we understand the technology and master it. The extent of those different routes for an attack is getting broader and so is the range of skills we will need to draw on to defend ourselves.  
 
This means that industry and government need to work together to understand the demand roadmaps and create that pipeline of expertise coming from schools and universities and getting experience in industry.
 
 

Persistent evolution


Following on from societal and industrial changes, the final point concerns the readiness of the government agencies leading the engagement in cyberspace – getting the people and decision-making framework in place for agile decision making about integration solutions and their acceptance into use.
 
Moving suppliers closer to the requirement and to the end user (in the spirit of ‘agile’) is a transformation journey. We have experienced this with some of our key customers, and two benefits really seem to be game changers. First, developing new capabilities in an agile fashion enables us to scale to the growing need. Second, bringing engineers closer to the end user means they can produce in context, building the domain knowledge that is so important to outputs that meet the requirement.
 
The grey zone is constantly changing, and we must recognise that our understanding of the threat, and what we see as critical national infrastructure, will constantly need to evolve. The organisations at the frontline will need to be organisations that are agile, can achieve a change of pace, work with each other, and can partner with industry in a way that encourages collaborative working, changes of direction and continuous improvement. Enabling that proximity and feedback between government and industry will help us address the ever-changing demands of competing and winning in the grey zone.
 
 

About the author 
Miriam Howe is a Cyber Security Consultant at BAE Systems Applied Intelligence
Miriam.howe@baesystems.com

 
 
 
 

Footnotes:


  1. The untold story of a cyberattack, a hospital and a dying woman: www.wired.co.uk/article/ransomware-hospital-death-germany
  2. UK condemns Russian Intelligence Services over vaccine cyber attacks: www.gov.uk/government/news/uk-condemns-russian-intelligence-services-over-vaccine-cyber-attacks
  3. The United States Concerned by Threat of Cyber Attack Against the Czech Republic’s Healthcare Sector: 2017-2021.state.gov/the-united-states-concerned-by-threat-of-cyber-attack-against-the-czech-republics-healthcare-sector/index.html
  4. On the offensive against COVID-19 cyber criminals: www.minister.defence.gov.au/minister/lreynolds/media-releases/offensive-against-covid-19-cyber-criminals