Cyberspace as a new battleground

Next steps towards efficient cyber protection, cybersecurity and a cyber defence system in the Republic of Slovenia

Bled Strategic Forum
Sep 6, 2018 · 14 min read

Dobran Božič
Director, Office of the Republic of Slovenia for Protection of Classified Information

Dr. Igor Kotnik
Adviser to the Chief of Defence of the Slovenian Armed Forces

Dr. Marko Grobelnik
AI Researcher & Digital Champion of Slovenia at the European Commission

Gregor Lisjak
Slovenian Armed Forces

  • This article was originally published as part of the 2018 edition of Bled Strategic Times, the official gazette of the Bled Strategic Forum (BSF) international conference. You can access the full version of this and other BSF publications by visiting our official website.

In recent years, there has been an exponential increase in the use of cyber tools to achieve national security, defence, and even military goals; for this reason, NATO declared cyberspace the fifth domain of operations. [1]

The Republic of Slovenia recently adopted the Act on Information Security, which defines a cyber attack as an attack in cyberspace with the purpose of maliciously destroying, exposing, controlling or changing, disabling, collecting, or disrupting any of the parts of cyberspace, including any information that is essential for the state to function without interruptions. Cyberspace is a global information environment created by means of electronic communications networks and information systems.

Due to its characteristics, the cyber domain of operations is the only one that interferes with all other domains and is able to affect the performance of military and defence operations in all other domains. Because it is able to interfere with, and affect, all areas of society, cybernetics is one of the most dangerous tools, and even a weapon for fulfilling national security interests and achieving national goals, both in peace and war. Without using any conventional military resources and without conventional armed forces, such as aircraft, missiles or troops, cybernetics can be used to destroy power, water, and internet supply systems; a transportation collapse can be caused by breaking into transport information systems; floods can be caused by breaking into the control systems of hydro power plant flood gates; financial transactions can be disrupted, blocked, or prevented, and lives can be indirectly threatened by breaking into the information systems of airports and hospitals. Not even the most cutting-edge conventional weapon systems can help a country fight such an all-encompassing and destructive cyberattack, although this does not mean that a country does not need such conventional weapons. [2]

With the internet being free and open, with minimum state control, such risks can be reduced, and possible cyberattacks can be prevented only by ensuring the sufficient cyber resilience of all major stakeholders in modern cyberspace — the head of state, the government, (civil) society, and private companies, as well as interactions among these stakeholders. This will allow us to deal with the crux of the issue — how to ensure a synergy among those actors in democratic states that are motivated by differing interests in the field of cybernetics. The leadership is motivated by the wish to stay popular with voters and to stay in power, some even by way of intensively (ab)using cyberspace. The government is motivated by its interest in maintaining national security by intensively controlling cyberspace and developing new offensive/defensive cyber tools. Civil society has an insatiable desire to expand services and maintain freedom in cyberspace. And private companies wish to maximise the profits generated by activities in cyberspace.

Cyber resilience as a social project led by the government

The general public tend to believe that IT companies and IT services are competent to provide cyberprotection and cybersecurity in cyberspace, and that these companies are responsible for ensuring that information services in a country, in society, public administration, and in companies operate without interruptions. Nowadays, such thinking could not be further from the truth and the needs of national security.

A large percentage of essential activities and structures that could be targets of major cyberattacks on Slovenia is already privately owned, which puts the cyber domain of operation in a unique position compared to other domains. Due to the strategic significance of these activities and structures, even those that are state-owned for the national security of the Republic of Slovenia, it is necessary to revise the national security strategy and seek solutions in the spirit of centralised joint cyber defence of all stakeholders, as this is the only way to effectively prevent, restrict, and mitigate the consequences of a possible cyberattack.

The recently adopted Act on Information Security ensures initial solutions in cyber protection and cybersecurity in the Republic of Slovenia, but the very name of the Act shows that it does not contain comprehensive and ambitious solutions in the field of cyber defence.

In 2017, members of a project group working under the auspices of the Government Office for Protection of Classified Information made constant and adamant efforts to seek such solutions, but were unsuccessful in the process of inter-ministerial coordination. Our views and specific proposals relating to the need to include ‘cyber defence’ in the name of the Act were not heard. This is not just a case of terminology but a more profound, and in our view misguided, perception among key government stakeholders that the use of ‘defence’ could have a disruptive effect on the public. In our view, military and defence are not synonymous.

We presented numerous EU documents using this key terminology, such as the Cybersecurity Strategy of the European Union of 2013 which states that defence is a synergy of civil and military efforts (pg 11): “Given that threats are multifaceted, synergies between civilian and military approaches in protecting critical cyber assets should be enhanced.” Furthermore, on page 17, it goes on to say: “To address cybersecurity in a comprehensive fashion, activities should span three key pillars — NIS (Network and Information Security), law enforcement and defence– which also operate within different legal frameworks.” Defence at national level encompasses both national defence (in our case, the Ministry of Defence of the Republic of Slovenia) as well as other national security authorities (in our case, the Government Office for the Protection of Classified Information, the Ministry of the Interior, etc.).

Considering the great differences between EU Member States, we want Slovenia to be in the group of leading countries which understand the need for the synergies between military and civilian efforts when managing cyber threats.

However, it is our opinion that the Act on Information Security still has not fulfilled its main purpose, which is to integrate all coordination tasks in the field of information security and cyber defence within one authority, which is the only rational solution in a country of Slovenia’s size. The decentralised nature and complexity of the authorities competent for coordination and operational tasks, as they are currently conceptualised, makes it impossible to operate in a coordinated manner on a daily basis; a great deal of coordination among various authorities located within multiple public authorities and even with the Arnes public institute is required, and this prevents painstaking defence in the case of major cyberattacks.

Considering experience from abroad, namely from Estonia, the results of poor responses are, for example, measured in tens of millions of euros and the country’s potentially damaged reputation in the international community. Furthermore, the fragmentation of competent authorities reduces the possibility of achieving sufficient synergies between resources, causes jobs to be duplicated, and increases the need for educated specialist human resources, of which there is already a lack. The restrictions on employment in public administration additionally exacerbate the human resource problem.

One agency means clear lines of authority

In our opinion, it is therefore necessary to establish a single authority in the form of a government office or agency, which would coordinate the field of information security and cyber defence in a centralised manner. The personnel in public administration who already possess the knowledge required to perform the necessary tasks could be reassigned to this single authority, and the tasks and human resources in the field of cyber defence from the Government Office for the Protection of Classified Information and ARNES could also be reassigned there. The government office or agency would, at the same time, be a single point of contact for the entire field of information security and cyber defence for the EU and NATO.

Adopting normative documents to regulate the field would therefore be carried out smoothly with unified thinking and interests. Additional savings could be generated if human resources from various government bodies are concentrated in this single authority. The government office or agency would also be responsible for maintaining constant and close contacts with all of the main stakeholders, including those in the private sector, and it would coordinate with other authorities within the national security system, such as the Ministry of Defence, the Ministry of Foreign Affairs, the Slovenian Intelligence and Security Agency (SOVA), Intelligence and Security Service (OVS), the Ministry of the Interior, etc.

Most importantly, however, centralisation and clear lines of responsibility would exponentially increase responsiveness and the ability to coordinate in the event of an increased cyber threat in Slovenia. The complexity of the lines of responsibility, the large number of competent authorities, and the large number of individuals from whom a very quick response is required prevent an immediate, strong, and effective response in the event of increased risk or cyberattack. At the moment of an attack, stress, lack of information, and other factors form “a fog in an emergency situation,” i.e. reduced situational awareness, which makes it difficult to make decisions and to respond, and the above-mentioned structural problems then unnecessarily hinder decision-making and responses even further.

Ensuring the cooperation of the private sector

Due to the fact that a large proportion of significant infrastructure and companies that are important for defence are privately owned, it is necessary to establish relationships with all stakeholders, which will not be primarily based on laws and coercion, but mainly on trust and cooperation. A single authority, government office, or agency with all of the necessary authorisations in the field of information security and cyber defence could credibly establish and foster relationships with stakeholders, thus more easily involving them in cooperation. In particular, it should be understood that when ensuring information security and cyber security, the regulatory function of the government is a necessary, but not a sufficient condition — cyber resilience is based on a cybersecurity culture, which cannot be guaranteed by the regulatory function of the government, but can be promoted and positively sanctioned.

In a free society, it is difficult to coerce companies into fruitful cooperation, so we propose a two-tier system of establishing standards in the field of information security and cyber defence. According to the currently valid Act on Information Security, companies that provide essential or digital services must meet minimum security standards, which will be presented soon. In our opinion, all of these companies should be subject to penetration tests once or twice a year, performed by a third, independent authority, which would in practice verify the level of the company’s protection. At the same time, higher standards for company protection would be established, which companies could meet voluntarily.

In addition to penetration tests, these companies would also be subject to certification, whereby they would acquire a certificate of excellence in the field of cyber protection. For the sake of comparison, consider the field of confidential data protection. The companies that currently meet all the conditions for handling confidential data and that are verified by the Government Office for the Protection of Classified Information are seen as more credible and professional by local and foreign partners. A similar system would also be established in the field of cyber protection. Certified companies would also be given some tax relief, as their high level of protection directly contributes to Slovenia’s greater national security. For certified entities that pass penetration tests and meet a higher level of security standards, the government could potentially act as an insurance undertaking or reinsurance undertaking in the event of hacks into their information systems, thus additionally encouraging investments in development and preventive measures by the entities involved.

What happens if the target of a cyberattack is the society as a whole?

Every society is a conglomerate of various social sub-groups, layers, interest groups, and sub-cultures which are connected into a whole by various connective elements, values, tradition, identities, religion, culture, etc. Social stability as a whole is inversely proportional to the number of social sub-groups and proportional to the strength of the connective elements. Because the number of social sub-groups is difficult to change in the short term, the quickest and most effective way to reduce the social stability of society as a whole is to undermine the strength of its connective elements.

In recent years, the world has witnessed the development of what is known as hybrid warfare, which, in addition to conventional methods, also applies indirect and softer methods of affecting the enemy by weakening his internal structure and willingness to resist and defend, with the goal of his collapse, defeat, and subordination. In this context, cyber tools and social networks have been increasingly used to cause division and polarisation in target societies. At first glance, this is nothing new, but what is new is the difference in the resources used. From the past, we are familiar with the strategy of non-conventional warfare (hybrid warfare), but the effects were more difficult to achieve than now, when, in addition to applying conventional means, cyberspace and social networks can also be used to achieve the same goals. Such methods are no longer used only in wars and in crisis hotspots, but, without being aware of the fact, we are increasingly exposed to them in completely peaceful times as well. Something similar was tested in the period ahead of the American presidential elections in 2016, the objective result of which is the currently deeply politically split and polarised American society.

If we imagine that there is an enemy who wishes to weaken the internal coherence of NATO and/or the EU, then this enemy’s targets would probably be one of the smaller, more fragile, or weaker links in this chain. The enemy would attack this link by using fake news and other methods to additionally polarise society on the basis of currently polarising social topics or events or something similar arising from the recent history of the target country/society. A split and polarised society is, historically, much more vulnerable to a physical attack or at least to influences on democratic, economic, and other processes in society. These are very serious methods that have been proven to work, i.e. “society hacking,” even against well established democracies, so small countries and young democracies in particular should seek effective measures and solutions to increase the resilience of our society to such influences.

Why is “society hacking” now possible and can potentially be very dangerous?

Social processes and interactions are now traceable much more than in the past, and at significantly lower cost. The devices that we use or even just carry around (smart phones, computers) leave digital traces of people’s living habits and lifestyles. Furthermore, those who collect and aggregate such traces left by individuals also see the digital footprint left by social sub-groups and society as a whole, its internal cohesion and mainly the dynamics that can show or even predict where the society as a whole is headed. If we take into account that society can be affected through the media (traditional or social), there is a full circle (closed loop), which enables people’s mentality to be manipulated and the situation in a society to be directed.

In other words — to operate a complex device, such as a car, two types of levers are needed: a steering wheel to change directions and a pedal to accelerate/stop the vehicle. It is similar in society — it can be managed with a relatively small number of levers. By maliciously taking over social levers, it is possible, for example, to exacerbate the polarisation of opinions in a society and encourage the process of the disintegration of social structures.

The development of analytical techniques for collecting and analysing social data experienced a significant upsurge after 2001 (due to major investments in such technologies after 11 September 2001). In part, this development also affected the emergence of the social media industry, which requires the management of (typically) smaller segments of society in order to function. However, the techniques and methodologies to understand and control larger or smaller parts of a society are the same (due to the ‘scale-free’ nature of social dynamics). So, what is the current situation? Those who have information on how a society operates (there are quite a few such actors — from industry to intelligence services) and possess the technology necessary to monitor and influence society (which is mostly available for free) can monitor the movement of social flows in an unimposing and quite inconspicuous manner. The tools used to change society, however, also have counter-tools, which must be used; but to do so, there has to be some awareness, knowledge, and access to data. It appears that at present there is a lack of awareness of the fact that such malicious changes to people’s mentality pose a major potential threat.

Similarly, due to the fast spread of digitalisation and artificial intelligence in all of the developed industrial countries, discussions should be had on the topic of what is known as digital communism, i.e. a period in which most of our work will be taken over by robots and we will gradually be rendered useless in conventional work processes and roles. How can we prepare for this situation, which will most likely be unavoidable, and how can we maintain a high level of social cohesion and resilience? Certainly, it will be difficult, unpredictable, and risky; however, it will be much easier with an adequate system and a suitable level of cyber protection, cybersecurity, and cyber defence.

Cyber defence is our responsibility

In society at large, there should be an awareness of the fact that information protection and security as well as cyber defence are our common responsibility — of the government and of every individual and, of course, companies that are publicly or privately owned. Leaving information protection and security and cyber defence exclusively to IT experts is wrong and short-sighted, as this approach fails to take into sufficient consideration broader and more complex national security aspects.

Despite positive shifts in information protection and security and cyber defence in the Republic of Slovenia in the past two years, there has been a great dispersal of interests in drafting legislation as well as many inadequacies, due to which our normative regulations currently prevent quick, effective, financially and HR-optimal responses to more intensive threats in cyberspace. By amending the legislation in the field of information security, centralised coordination of the information security and cyber defence system should be established, which would define clear lines of responsibility, establish a clear system of standards, and optimise the functioning of the government and society in this field with regard to operations, human resources, and finances. Furthermore, the resilience of society to hybrid warfare and other forms of cyberspace abuses must be increased, and in the long term, preparations should be made for a gradual, unimposing, and safe transition to a period known as digital communism.


[1] The other four are land, sea, air, and space.

[2] This means that cybertools and cyberweapons will not replace conventional military resources, but will only complement them. For this reason, it would be wrong to abandon the future development of conventional military defence capabilities; in the context of the development of the defence capabilities of the Republic of Slovenia, the relationship between conventional and cyber means of defence is perforce complementary.

