Taming cyber warfare: lessons from preventive arms control

Journal of Cyber Security Technology, 2020

This article is designed to outline the lack of international rules of engagement in cyberspace, and how traditional practices and laws of war are applicable to cyberwarfare and how it is not. If there are any legal implications for cyberwarfare, there are very few. Any reasonable anticipation of reprisal after an initial cyberattack by a nation-state upon another is minimum. The problem of attributing a cyberattack to a source remains an enormous challenge for cyberdiplomacy, leading to critics who do not see cyberwarfare as a standalone danger to national security. Regardless of the critics, the Department of Defense (DoD) has established cyber operations as weaponized entities in its Law of War Manual, and there are historical examples that prove cyberwarfare can act as a dangerous weapon against critical infrastructure and exposed populations. If there continues to be a deficiency of understanding on the part of essential decisionmakers regarding the nature of cyberspace in policy, and a sustained escalation of nation-state on nation-state cyberattacks, without proper rules of engagement in this space with universal axioms of proportionality, the international community could end up in error with an unwanted conventional or nuclear war.

Comparative Strategy, 2019

Society has become dependent on cyber systems across the full range of human activities, including commerce, finance, health care, energy, entertainment, communications, and national defense. "The globally-interconnected digital information and communications infrastructure known as 'cyberspace' underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security." 1 The U.S. is especially vulnerable to cyber insecurity because it depends on cyber systems more heavily than most other states. But cyber insecurity is a worldwide problem, potentially affecting all cyber systems and their dependent infrastructure. Cyber insecurity can result from the vulnerabilities of cyber systems, including flaws or weaknesses in both hardware and software, and from the conduct of states, groups, and individuals with access to them. It takes the forms of cyber warfare, espionage, crime, attacks on cyber infrastructure, and exploitation of cyber systems. Virtually all aspects of cyber insecurity have a transnational component, affecting users of cyber systems throughout the world. Nonetheless, current U.S. efforts to deter cyberattacks and exploitation-though formally advocating international cooperation-are based almost exclusively on unilateral measures. 2 Whether cyberdeterrence through these methods can provide an adequate level of cyber security for U.S. users is, in the view of the NRC Committee on Deterring Cyberattacks (hereinafter "Committee"), an open question. Proposals for the U.S. to consider additional, unilateral measures to deter cyberattacks through prevention and retaliation have been presented to the NRC Committee for 1 The White House, "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure," May 2009, iii. 2 A recent example is the comprehensive and influential "Securing Cyberspace for the 44 th Presidency," A Report of the CSIS Commission on Cybersecurity for the 44 th Presidency (Washington, D.C. 2008), which contains numerous, sweeping recommendations to restructure government agencies and adopt national programs to secure various aspects of the U.S. cyber infrastructure, while proposing virtually no program of international engagement. This follows from the Report's premise that the activities of foreign states are the source of cyber insecurity in the U.S. (p.11): "Foreign opponents, through a combination of skill, luck, and perseverance, have been able to penetrate poorly protected U.S. computer networks and collect immense quantities of valuable information."

Cherian Samuel & Munish Sharma (eds.), Securing cyberspace. International and Asian perspectives (Pentagon Press, New Delhi 2016) pp. 95-105., 2016

Predicting the future is hardly possible, but stating that cyber aggression – be it espionage, sabotage or even warfare – will be a continuing threat to international security and stability in the coming years seems a safe forecast. This chapter deals with the question of how states can cope with this forecast from a foreign policy perspective, focussing on cyber aggression conducted or sponsored by state actors. Defence and deterrence, which could be labelled passive deterrence and active deterrence as well, are probably the most ‘obvious’ counter-measures to international cyber aggression that a state could implement. This chapter especially analyses why defence and deterrence look like promising policies, but in practice face some difficulties in the cyber realm. Diplomatic efforts to create Confidence Building Measures (CBMs) and international accepted norms regarding cyberthreats could be more effective in actively addressing the core problems of international cyber aggression, but are little successful so far. The chapter argues that such multilateral diplomatic efforts are crucial for long-term cybersecurity and stability. Instead of an on-going ‘cyber arms race’, efforts could better be focussed on building mutual confidence and respect as well.

2018

of the Thesis Presented in Partial Fulfillment of the Requirements for the Degree of Master of Arts (in Global Policy) May 2018 Research into the international agreements that increase cooperation over cybersecurity challenges is severely lacking. This is a necessary next step for bridging diplomatic challenges over cybersecurity. This work aspires to be push the bounds of research into these agreements and offer a tool that future researchers can rely on. For this research I created, and made publicly available, the International Cybersecurity Cooperation Dataset (ICCD), which contains over 350 international cybersecurity agreements and pertinent metadata. Each agreement is marked per which subtopics within cybersecurity related agreements it covers. These typologies are: Discussion and Dialogue  Research  Confidence Building Measures  Incident Response  Crime  Capacity Building  Activity Limiting  Defense  Terrorism Drawing on ICCD and R for summary statistics and significance tests, as well as some quantitative insights, this research explores the relationship between different agreements, organizations, and other possibly related factors. The most significant takeaways from this research are: Dr. Seth Singleton -Professor Singleton has a robust academic background, having served as the dean of institutions in the US and Vietnam, and having taught at a much broader range of institutions spanning everywhere from Tanzania, to Russia, and more. Beyond his teaching, he has held grants from the National Council on Soviet and East European Research, the Rockefeller Foundation, the Fulbright program, and more. Professor Singleton graciously accepted to serve as my committee chair. As a long time security studies expert with a deep familiarity of nuclear arms control and U.S.-Soviet relations, his willingness to approach the new age security challenge of cyber security and serve as the head of my thesis committee was much appreciated. Our collaboration over this project was a bit of a 'melding of generations', applying conventional wisdom, knowledge, and experience to the dynamic and novel topic of cybersecurity as an international security concern. He guided this manuscript through multiple iterations and helped take what was originally a fledgling idea and frame it as a practical research project that can offer actionable results for policy makers. Without his attentive guidance and support, ICCD and this research would not have been possible. Dr. Frank Appunn -Dr. Appunn is an educator on computer security and information technology at Thomas College. He is also a Certified Information Systems Security Professional (CISSP) and is highly active in the security community, volunteering his time at public/private partnerships actively contributing within the security community towards helping tackle some of the nation's most daunting cybersecurity challenges. His interdisciplinary and cross-institutional role in this project is exemplary of the exact types of v solutions that are needed to amply address cybersecurity as an international security concern moving forward. His oversight and technical fluency provided this research with a technical attunement that many similar projects all too often lack. Kenneth Hillas -Professor Hillas is an accomplished, now retired, Senior Foreign Service officer. He has previously worked on special assignments involving conflict resolution, as well as having served in Prague, Moscow, Rome, Pretoria, Warsaw, and Washington; among many places. Beyond his career in the State Department he has taught courses on foreign policy at the National War College and continues to teach at the University of Maine.

Strategic Studies Quarterly, 2011

What is the strategic purpose of cyberpower? All too many works on cyberspace and cyberpower are focused on the technical, tactical, and operational aspects of operating in the cyber domain. These are undoubtedly important topics, but very few address the strategic purpose of cyberpower for the ends of policy. Understanding its strategic purpose is important if policy makers, senior commanders, and strategists are to make informed judgments about its use. Cyberpower does indeed have strategic purpose relevant to achieving policy objectives. This strategic purpose revolves around the ability in peace and war to manipulate perceptions of the strategic environment to one's advantage while at the same time degrading the ability of an adversary to comprehend that same environment. While it is proper to pay attention to the technological, tactical, and operational implications, challenges, and opportunities of cyberspace, this article concerns itself with its use-"the ability to use cyberspace to create advantages and influence events in all the operational environments and across the instruments of power"-for achieving the policy objectives of the nation. 1 Transforming the effects of cyberpower into policy objectives is the art and science of strategy, defined as "managing context for continuing advantage according to policy" (emphasis in original). 2 The definition provides the overall strategic impetus for the use of cyberpower. To fully understand the power of cyber, one must acknowledge the character of cyber-power and cyberspace. The linkage between strategic context, strategy, and

2015

s the Department of Defense (DOD) formulates strategy and doctrine for operating in cyberspace, it is vital to understand the domain and how it relates to the traditional domains of land, sea, air, and space. While cyberspace has distinct technologies and methods, it shares many characteristics with the traditional domains, and some of the conventional wisdom about how cyberspace differs from them does not hold up under examination. These similarities are especially relevant when it comes to strategies for deterrence. Just as any attempt to develop a single deterrence strategy for all undesirable activity across the traditional domains would be fraught with difficulty, so too for cyberspace. Yet this is how many authors have approached the topic of deterrence in cyberspace. Instead, by focusing on particular cyber weapons that are amenable to deterrence or drawing

Orbis, 2017

This paper will try to answer this question, posed by the title. But, we want to start with the idea that cyber-warfare may be construed to be more than it is. The psychological effects of cyber-warfare may be greater than the real issue, particularly as its interpreted by the media. Another question that comes up is how do we begin to examine a question of law, where little information exists? Now that we’re in the 21st century, it’s long overdue to fully examine this issue. Although, more than a decade has passed since discussion of this issue began, there are still many questions. What if this thought, this idea, is being “psychologically built” into the minds of people; manipulation? What happens when it becomes a self-fulfilling prophecy?

European Security, 2015

Some 30 years since the release of the Hollywood blockbuster War Games, the possibility that hackers might break into nuclear command and control facilities, compromise early warning or firing systems, or even cause the launch of a nuclear weapon has become disturbingly real. While this challenge will impact all nuclear-armed states, it appears particularly acute for the USA and Russia given their large, diverse, and highly alerted nuclear forces. The fact that east-west relations have deteriorated to a nadir perhaps not seen since the 1980s, strategic instability has increasedparticularly in the wake of the Ukraine and now Syria crisesand that the nuclear arms reductions agenda appears to have reached a standstill makes this challenge particularly pressing. In this discouraging milieu, new cyberthreats are both exacerbating the already strained US-Russia strategic balanceparticularly the perceived safety and security of nuclear forcesand at the same time creating new vulnerabilities and problems that might be exploited by a third party. Taken together, these dynamics add another major complication for current arms control agreements and possible future nuclear cuts, and also seem likely to increase the possibility of accidents, miscalculation, and potential unauthorised nuclear use, especially given the large number of nuclear weapons that remain on "hair-trigger" alert.

In spite of absence of war declaration or any conclusive evidence of the attacker, some scholars refer the cyber-attack on Estonia in 2007 as the first cyber-war and Estonia accused Russia that was behind it. No doubt that our increasing reliance on the networked systems is creating a high security risk through the cyber domain on the states (critical infrastructure, military), industry (economy, companies) and individuals (privacy, safety) that interconnected globally in cyberspace. To make it worse than nuclear or conventional weapons, cyber weapons are easy to access, inexpensive, difficult to track and identified and evolving much faster than its laws and legal policies nationally and internationally. In this paper, I will try to identify the conceptual and technical challenges between Conventional Deterrence (nuclear and conventional weapons) and Cyber Deterrence (cyber weapons offensive/defensive) and showing limited cyber deterrence effectiveness comparing to the conventional deterrence. Despite its huge anticipated impact on the future of cyber weapons/wars, this short essay will not examine the influence of artificial intelligence and internet of things on the future of cyber weapons/wars.

This article relates US efforts to develop strategic ‘cyber deterrence’ as a means to deter adversarial actions in and through global cyberspace. Thus far, interests-based cyber deterrence theory has failed to translate into effective US policy and strategy, due to a divergence between the operational idiosyncrasies of cyberspace and an over-reliance on Cold War models of deterrence. Even whilst explicit cyber deterrence strategy falters, the US is pursuing a norms-based approach to cyber strategy generally, and hopes to derive deterrent effects from its attempts to broker international agreements pertaining to the ‘rules of the road’ for the proper and productive use of cyberspace. The US is not the only norm entrepreneur in this policy space, however, and this article examines how a range of other state and non-state actors are complicating efforts to develop normative regimes that might reduce risks to and from cyberspace. The article concludes that a norms-based approach to cyber deterrence might engender deterrent effects at the state level but is unlikely to do so in the case of ‘rogue’ states and many non-state actors. States will continue, therefore, to develop punitive deterrence capabilities to respond to these actors.

2009

Information has always been a key element of national power and influence. However, now enabled by modern digital technologies, worldwide communications and information networks have fundamentally reshaped patterns of international trade, finance, and global intercourse, affecting not only economic but also political and social relationships as well. Under these circumstances, few countries, even those with authoritarian systems, can or choose to retain the closed autarchic economies as they did in the past because of economic and financial interdependencies. Moreover, new actors, many of them entities other than states, now play important roles in the international system and interact in novel ways. As a consequence, these forces have helped to refashion international relations after the collapse of the bipolar structure and in the wake of the Cold War. Because they possess particular strengths and weaknesses, we now clearly recognize that modern digital information systems (what are commonly called "cyber systems") are powerful tools and weapons on the one hand as well as sources of great potential vulnerability on the other, affecting not only our economic and social patterns, but also our national security. Digital information-and the cyber infrastructure that processes and carries it-has its own special characteristics; and these qualities are sufficiently different than those of analogue information that many consider "cyber" to be a distinct medium or domain. Considering both the benefits and vulnerabilities of our cyber dependency, together these factors have created a powerful interest in better securing our information and the cyber infrastructures through which it is processed and transmitted. As part of an overall strategy to protect our information resources and cyber capabilities, applying the lessons and tools of deterrence to the cyber domain merits attention as one important component of a comprehensive security strategy.

Journal of Homeland Security and Emergency Management, 2000

How should the United States organize itself to deal with the threat of cyberaggression? The initial effort of the Obama Administration, released in May 2009, focuses attention on the organizational and bureaucratic decisionmaking infrastructure necessary for cybersecurity and provides some general guidelines about goals and means. It does not address the more fundamental question of strategic approach. This article suggests the time has come to resolve the core issue of what organizing principle should drive national cybersecurity policy. Specifically, we argue that an offense-defense strategic framework must be adopted to think about and organize against cyber threats in the 21 st century. This means that the United States must set aside deterrence-the dominant strategic anchor of the past fifty-plus years-and adopt a full war-fighting posture. What has worked in the nuclear realm, and remains relevant for homeland security against WMD terrorism, will not work in cyberspace.

2017

Jonah Feldman Ming Chow COMP-116 6 December 2017 The Internet’s Security Dilemma: Why Cyber-Weapons Beget Instability Abstract This paper analyzes interstate cyberwarfare through the lens of Robert Jervis’s offense/defense paradigm. In this paradigm, two factors are important in determining technology’s impact on global stability: whether a technology favors offensive or defensive strategy, and whether offensive technology can be distinguished from defensive technology. This paper argues that cybersecurity exemplifies Jervis’s “third world,” where offense has the advantage while offensive and defensive technologies are easily distinguishable. The case for offense/defense distinguishability is straightforward: defensive tactics like encryption, firewalls, and air gapping have little offensive utility. Thus, this paper will focus primarily on cybersecurity’s offensive advantages and its implications for the international system.

Text of Presentation to Einstein Forum, Berlin, 15 Nov 2005. Changes in the nature of warfare, military technology, and the global strategic environment pose new challenges for arms control. The article critically examines new forms of strategic warfare, cyber-war, so-called “precision” conventional warfare, global conventional strike weapons, and less-lethal weaponry.