What are some of the challenges that one faces when designing cyber strategy.Lesson Overview:Cyberspace has been defined in many ways, but in simple terms, it is the electronic domain that facilitates communication (Kuehl 2009). This domain allows for a globally connected world, which makes accessing information or performing a task online relatively easy. Cyberspace is critical to national security and the nation’s critical infrastructure due to the interconnected systems used for infrastructure operations. Financial services, emergency services, food and agriculture, transportation, and energy, to name a few, all rely on the interconnectivity of cyberspace. With an increase in the move to online services, more vulnerabilities exist that can be exploited. LessonCyberpower, as defined by Kuehl (2009), is an advantage in the digital world, but also one that might transcend beyond the cyber domain into the physical world. Relating cyberspace to cyberpower, Kuehl (2009) states that “cyberpower is always a measure of the ability to use that environment” (38). The ‘environment’ being cyberspace. From a tactical perspective and to ensure the United States maintains its superpower status, the country needs to maintain cyberpower over their adversaries. This cyberpower advantage is important as it is part of an overall strategic plan and supports national security. Today, a cyber attack by a state actor is not just for a strategic military advantage, but also likely results in an economic gain. Theft of plans to a stealth fighter could be used not only militarily, but also the theft of intellectual property can result in financial loss as a result of a competitive market. Domains, in a military context, were originally contained to those of land and sea. With the advent of manned flight a new domain joined the list, air. After spaceflight was achieved, more specifically the implementation of satellites, a fourth domain, space, was added. With the advent of the Internet and World Wide Web the door opened up for the development of a fifth domain. Because of the rather unique nature of this newcomer, there are arguments for and against the recognition of a cyberspace domain. Lebicki (2012) argues that cyberspace is not similar to that of other domains in that it is very malleable, human composed and lacks an established base construction as do other traditional domains. Lebicki views the tools and abilities of these tools to protect and to provision services and data as actually aids in combat waged in the other traditional domains and not rising to the level of constituting a separate and distinct domain (Lebicki, 2012). While activities within cyberspace do facilitate warfare in other domains this is no less true of activities in other domains such as air which facilitates ground fighting or battle on and under the sea. With the transformation of business, medical, informational, resource distribution (e.g., power and water infrastructure management) it seems only logical that a new battle space would also present itself to nation-states and their adversaries. Crippling of infrastructure during World War II was recognized as a means of crippling military capability and included the strategic targeting of equipment factories and supply chains. If similar results occur due to advance malware/viruses such as Stuxnet or other variations on the same theme and power generation or supply chains are interrupted has warfare goals and objective not been achieved? A possible disconnect between cyberspace-based activity being recognized in a military context may lie in the current definition of an act of warfare. Currently the United Nations Charter recognizes those acts that result in physical damage, such as those effects created by an explosive device, as an act of war (Hauck, 2014). Perhaps, what may be needed is a re-assessment of what constitutes an act of warfare in light of the current battle space and threat landscape. The absence of a kinetic component seems to be an artifact criteria that needs to be reflected upon. Further, the Department of Defense recognized the need for treatment of the cyber battles pace as a proper domain due to progressive development and eventual use of capabilities on the part of adversaries.Although cyberspace is rooted in the domains of land, sea, air, and space, cyber should still be viewed as a domain. Cyberspace differs in that it was created instead of naturally occurring; therefore, it has no set parameters and conceptually can continue to grow (Welch 2011). Cyberspace is flexible and therefore capabilities of each country vary widely based on a variety of factors including knowledge and finances (Libicki 2012). Given this variance, each controls their network and a vast area of cyber still exists. The large, relatively unknown areas makes winning the cyber domain rather subjective. As a domain, it is expected that military resources are utilized for the purpose of defending cyberspace. The challenge lies in the difficulty of actually doing so. Given the expansiveness of cyber and the critical infrastructure sectors it touches, defending each of these becomes an enormous undertaking. Libicki (2011) suggested that warfare is not used appropriately when discussing the cyber domain. While an advantage in cyber comes from locating and exploiting vulnerabilities of an adversary, offensive operations take on a new meaning. Instead these operations are exploratory and seek to answer questions about the ‘target’ environment and what can be learned from such explorations. This information can be used to not just understand the capabilities of the adversary, but also the growing nature of cyber itself. DefinitionsCyberspace is a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies (Kramer, 2009).Cyberpower is the ability to use cyberspace to create advantages and influence events in all the other operational environment and across the instruments of power (Kramer, 2009).Cyberstrategy is the development and employment of strategic capabilities to operate in cyberspace, integrated and coordinated with the other operational domains, to achieve or support the achievement of objectives across the elements of national power in support of national security strategy (Kramer, 2009).The use and management of cyberspace is constantly being evaluated and adjusted. What started out as an open commons of free information change is now being managed by state and non-state groups (Deibert & Crete-Nishihata, 2013). Countries such as China and Russian, to name a few countries, manage control over the cyberspace through monitoring, filtering and the advocating for sovereign control managed through the United Nations (Deibert & Crete-Nishihata, 2013). Non-state groups such as the Internet Engineering Working Group and the International Telecommunications Union also play a role in governance of the components of cyberspace. Cyberpower, on the other hand, also utilizes cyberspace and all of its capabilities in an effort to wield authority and control in the other domains or environments of power as well.Cyberpower is most commonly associated with military endeavors and traditional environments associated with power. These environments commonly include air, land and sea combat domains where cyberpower can provide added benefit and strength. These benefits could include advanced communications providing real time transfer of command and control data for air operations involving remotely operated vehicles or other instruments of power (Lee, 2013). When examining cyberstrategy and how the term is translated into an actionable plan by the United States we will look at the five strategic initiatives of the cyber strategy, published 2013 by the Department of Defense. The strategy concentrates on five strategic goals:Building and maintain ready forces and capabilities to conduct cyberspace operations;Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;Be prepared to defend the U.S. Homeland and U.S vital interests from disruptive or destructive cyberattacks of significant consequence;Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages; andBuilding and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability. (DoD, 2015)As can be seen from the above five strategic goals cyberspace is front and center, it is the domain or environment in which the operations and efforts associated with meeting these goals takes place. Cyberpower is clearly displayed in and is especially visible in goals numbers three and four. As you can see cyberstrategy is the development and use of cyberpower in cyberspace. With increased methods for determining attack attribution or executing cyberattacks with more detrimental results cyberstrategy, deterrence and warfare will more than likely change as well.It is also important to keep in mind that cyber-attacks may be perpetrated by nation-states and non-nation-state entities. A cyber-attack is often times misclassified as an act of cyber-terrorism or cyber-warfare when after all it might be a case of cyber-espionage or hacktevisim. Unlike the broad definition that cyber-attacks possesses cyber-crime may consist of money laundering, theft of information for criminal or monetary gain. The key differentiating factors which distinguish cyber-crime from cyber-espionage or cyber-terrorism is the motivation which is primarily monetary gain in nature. It is important to understand when an act in cyberspace constitutes cyberwar or when it is considered cybercrime. According to Major General Dunlap (2011), “an act of war is a political phrase, not a legal term” (84). Thus, the legal requirements should remain flexible as cyberspace is constantly growing and technological advancements continue. Cyberwarfare can take many forms. One such form is information warfare. Information warfare is the dissemination of distorted or false information. It is similar to propaganda, but information warfare differs in the purpose of the dissemination of information. Propaganda is often used to persuade others into accepting a cause, whereas information warfare could be used in an attempt to change a political outcome. It is not always clear the intention of a cyber action, and therefore, it can be challenging to determine an event as either cyberwarfare, cybercrime, or potentially as a protected right. Information warfare could be used by a terrorist organization in ways that might cause the US to reveal secret information. The potential of revealing secret information poses many threats and thus this action would be considered cyberwarfare; however, because jurisdictional issues exist in cyberspace, the event must be recognized first before those responsible for investigation and prosecution can be determined. Jurisdiction is just one of the many issues in cyberspace. When there is still debate on cyber as a domain and who is responsible for protecting it, it seems reasonable that there would be debate as to whether a cyber action meets the definition of war.Acts of Cyber-warWhen speaking of acts that cross the threshold from a small scale cyber-attack to that of an act of cyber-warfare several long standing laws and governing documents, which are used in gauging traditional acts of war, are utilized. The United Nations (UN) Charter and Hague/Geneva Conventions are just two of such documents. Traditional acts of war usually encompass a loss of life, grave injury or substantial destruction to property (Schmitt, 2012). Additionally, Article 2(4) of the UN Charter prohibits an attack on a sovereign nation without justification. In order to understand what constitutes a cyber-based act of war we will examine Dr. Michael Schmitt’s decision model (Kraemer, Starr & Wentz, 2009). The model is comprised of seven questions, or conditions, with three levels or types of response for each. Schmitt’s decision model, in brief, examines the properties ofSeverity: Were people killed, injured or not at all?Immediacy: Did the act happen abruptly with little notice or chance to address?Directness: Was the action the direct cause of impact or was it a partial cause with other factors or acts contributing to the overall impact?Invasiveness: Was the sovereign space violated physically, electronically or not at all?Measurability: Are the effects obvious and readily measurable as with a bomb blast?Presumptively legitimate: Was the act prohibited by law or rule (e.g., UN Charter on a kinetic-based attack) or was it not prohibited (e.g., cyberattack with no physical damage, death or injury)?Responsibility: How strong is the level of attribution to a nation state? ((Kraemer, Starr & Wentz, 2009)Other commonly accepted policies and guidelines such as the Tallinn Manual try to align themselves with nationally accepted conventions and laws when equating cyber events to acts of warfare and terrorism. If an act is determined to be an act of war, the level and type of retaliation must take into consideration several factors as well. Proportionality and attribution are salient points, among others, that must be addressed when considering a response to an act of cyber-warfare.Proportionality, when speaking of retaliatory attacks, addresses the concept of the level and type of response as appropriate to the initial attack and in order to accomplish an intended lawful military objective. Of immediate concern is the impact on the civilian population in the form of death, injury and destruction (Schmitt, 2012). An un-proportional attack can garner a negative response from other nation-states and relevant organizations (e.g, United Nations). In addition to proportionality, attribution of an attack to a specific aggressor is important as well and must be established to a satisfactory degree prior to a retaliatory response. A common problem with attribution and acts of cyber-aggression have been a lack of attribution. This can be seen in the instance of the Stuxnet virus, assumed to be launched by the United States and possibly Israel, and many of the malware instances utilized by China. Attribution of attacks may be substantially established through analysis of attack method, approximate location and malware coding (Lee & Lim, 2016). Coding conventions and styles as well as attack methods can often indicate repeated activities by a known group. An example of such analysis and resultant attribution is a cyber-attack perpetrated by the North Korean government against a nuclear power plant in South Korea (Lee & Lim, 2016). Attribution may also be complicated due to the use of non-state actors. This does not necessarily exclude the hosting nation state from responsibility if it can show enough causal support and involvement (e.g. providing equipment and training) on their part (Schmitt, 2012).Acts of Cyber-terrorismThe use of the term cyber-terrorism is very common and often misapplied. Very often cyber-attacks perpetrated by groups such as Anonymous or even those associated with established and recognized terrorist groups have resulted in a degradation of online services for retailers or online bankers. Although inconveniencing, these acts do not meet the base criteria of an act of cyber-terrorism. A cyber-attack that meets the level of an act of cyber-terrorism will possess the criteria of:An intent of a political, religious or social goalBe generated from a computer system,Contain and element of physical violence, andPsychological coercion (Kennedy, 2014).Taking these criteria into consideration it is relatively safe to say there has yet to be a true case of cyber-terrorism. However, attacks on control systems software in power and chemical plants could very well result in large-scale physical destruction, death and injury. We should guard from falling into a sense of complacency in regards to the protection of our critical infrastructure and related data systems.Strategic Cyber-warfareLibicki (2009) goes on to define strategic acts of cyber-warfare as “A campaign of cyber-attacks launched by one entity against a state and its society, primarily but not exclusively for the purpose of affecting the target state’s behavior…” The pronounced difference between strategic and operational cyber-warfare lies in the intention and target of the attack. These attacks could take many forms and include the analysis of cyber or military capabilities in preparation for an operational attack whether it be cyber or kinetic in nature. With the advent of purposeful attacks, whether strategic or operational, one can draw the conclusion that deterrence, both defensive and offensive, were either not effective or perhaps even considered. Strategic attacks may provide enough incentive to de-escalate or quit altogether. If vulnerabilities of the target nation are exposed to a point where vital systems to the economy or continued operation of essential functions and processes relied upon by the citizenry are degraded or limited it might provide a pause for further consideration as to whether an attack is worth executing. Another possible result of low scale attacks which do not publicly display inherent weaknesses of an adversary’s networks and data systems may serve as a quite warning, a form of sub-rosa cyber-warfare (Libicki, 2009). However, risk associated with cyber-attacks in general such as attribution and perception of the target nation are often times hard to determine or predict which might ultimately lead to escalation. While strategic acts of cyber-warfare may concentrate on non-military targets operational acts focus on military-related targets and are more aggressive in nature.Operational Cyber-warfareOperational cyber-warfare involves cyber-attacks against military assets that utilize and rely, directly or indirectly, on data systems and networks. Unlike strategic attacks which may include probing and degradation of non-military systems operational attacks aim at degrading the military capabilities of a foe. Altering aiming capabilities of a missile system or tactical communication system are examples of operational attacks in the cyber-domain. Knocking out the acquisition radar capabilities of an anti-aircraft site prior to a military attack would provide enough surprise and military advantage to possibly result in a major advantage for the attacker. Due to the rather fluid nature of the cyber-domain these advantages are usually momentary and fleeting at times due to rapid discovery and patching/repairing of related data systems. This is unlike the more traditional domains in which recovery from a battle is time consuming and potentially impossible. The ability to conduct effective operational attacks takes considerable resources when pitted against formidable nation-states with extensive financial and technical resources.References/Works Sited: Deibert, R. J., & Crete-Nishihata, M. (2012). Global governance and the spread of cyberspace controls. Global Governance: A Review of Multilateralism and International Organizations, 18(3), 339-361.Department of Defense (2015). The Department of Defense cyber strategy. Washington, DCDaniel Kuehl, “From Cyberspace to Cyberpower.,” in Cyberpower and National Security, eds. Franklin Kramer, Stuart Starr, & Larry Wentz (Dulles VA: Potomac Books Inc., 2009), 24-42.. From cyberspace to cyberpower: Defining the problem. Cyberpower and national security, 26-28.Dunlap Jr., Charles J. Maj Gen (Ret). “Perspectives for Cyber Strategists on Law for Cyber War.” Strategic Studies Quarterly, (2011): 81-99, http://www.au.af.mil/au/ssq/2011/spring/dunlap.pdf (accessed May 29, 2016).Libicki, Martin C. “Cyberspace is Not a Warfighting Domain.” I/S A Journal of Law and Policy for the Information Society 8:2 (2012): 325-40, http://moritzlaw.osu.edu/students/groups/is/files/... (accessed May 29, 2016).Welch, Larry D. " Cyberspace: The Fifth Operational Domain." Ida.org, 2011, https://www.ida.org/~/media/Corporate/Files/Public... (accessed May 15, 2016).Lee, R. M. (2013). The interim years of cyberspace. AIR UNIV MAXWELL AFB AL AIR FORCE RESEARCH INST.Kenney M. (2014). Cyber-terrorism in a post-stuxnet world. Foreign Policy Research Institute, 111-128. doi:10.1016/j.orbis.2014.11.2009,Kramer, Franklin D., Stuart H. Starr, and Larry K. Wentz Eds. From Cyberspace to Cyberpower: Cyberpower and National Security, Dulles VA: Potomac Books Inc., 2009.Lee, K. B., & Lim, J. I. (2016). The Reality and Response of Cyber Threats to Critical Infrastructure: A Case Study of the Cyber-terror Attack on the Korea Hydro & Nuclear Power Co., Ltd. KSII Transactions on Internet and Information Systems, 10(2), 857-880.Libicki, Martin C. “Cyberspace is Not a Warfighting Domain.” I/S A Journal of Law and Policy for the Information Society 8:2 (2012): 325-40.Schmitt, Michael N. “International Law in Cyberspace: The Koh Speech and the Tallinn Manual Juxtaposed,” Harvard International Law Journal, 54 (2012)
Europe(Continental)