Book Review: Cyberspace in Peace and War

INTRODUCTION. This book aims to make you a more intelligent critic of the decisions countries make with respect to threats from cyberspace. It is for those who ask what their country should do about cyberespionage, whether countries should integrate cyberspace into their threat planning, and whether they should integrate cyberwar into their war planning alongside other military power.

PART I. FOUNDATIONS

  1. EMBLEMATIC ATTACKS. Thirteen intrusions, from the 1987 Cuckoo’s Egg espionage targeting the energy and atomic laboratories to Snowden’s 2013 espionage to unmask the NSA, are the Prototypical Events. Eleven intrusions during 1995-2017 targeted big banking systems, fund wiring, credit rating, and hospitals; these are the Cybercrime System Intrusions. Ten intrusions happened during 2005-2015: in 2009, Chinese hackers compromised Lockheed’s F-35 systems; in 2012, the NSA declared that a dozen groups in China were accountable for most APT attacks, and the Mandiant report stated that at least one group worked for China’s PLA; in 2014, the U.S. indicted five PLA members for cyber-espionage whose victims included a Pittsburgh labor union. These are the Advanced Persistent Threats (APTs). Seven intrusions during 2000-2016, including the attacks on Estonia’s internet servers in 2007 and Georgia’s in 2008 and a large-scale attack on GitHub hosted by China Unicom, are the Distributed Denial-of-Service (DDoS) Attacks. Fifteen intrusions during 2007-2020 targeted mostly infrastructure and defense systems; in 2017, Ukraine accused Russia of hacking its power grid and financial system and of planting malware at Kiev airport. These are the Disruptive and Destructive Attacks. In 2016, data was released from the Democratic National Committee to malign Sen. Bernie Sanders, and the George Soros Foundation hack was linked to Russians; these are the Doxing Attacks. In the early 1990s, cyberwar was just a theory about compromising computers. Cyberespionage, cybercrime, DDoS attacks, and cyberattacks are now real, and the intrusions of 2016 continued and influenced the 2018 U.S. elections. Cyberwar has yet to become part of war, and one might dismiss the prospect as nil because it has no precedent; but Pearl Harbor and 9/11 had no precedent either.
  2. SOME BASIC PRINCIPLES. Cyberwar is a systematic cyberattack campaign for political or military ends. Strategic cyberwar aims to influence or weaken a country; tactical cyberwar is carried out as part of integrated military operations. Those authorized to carry out cyberattacks on a country’s behalf are Cyberwarriors. Cybercrime is the criminal use of cyberattack or cyberespionage. A cyberattack uses digital information to interfere with a system’s operations or to produce bad information and, thus, bad decisions. Cybersecurity is having a secure information system. White hat researchers make vulnerabilities known to those who maintain the code; Gray and Black hats hoard vulnerabilities to use or sell. Intelligence agencies are customers of Gray hats; Black hats serve cybercriminals. Noise-tolerant environments are Agoras, and noise-intolerant environments are Castles. In Agoras, the risk from bad information is low but the benefit of access to information is high (Wall Street). In Castles, the risk from bad information is high but the benefit of access to external information is low (nuclear plants). Low persistence and high stealth argue for early use of a cyberattack capability; high persistence and low stealth argue for waiting. Cyberattacks therefore argue for “wait in peace and deploy in war.” Even if the reusability of an exploit is low, the ability to create exploits remains. If the weapon is the exploit, it is single-use; if the weapon is the ability to create exploits, it is renewable.
  3. HOW TO COMPROMISE A COMPUTER. Systems can be hacked in four categories, each with multiple attack modes. Abuses by Random External Users consist of attacks in which external users abuse their privileges. Abuses by Authorized Internal Users consist of attacks by authorized users who abuse their privileges. Altered Instructions via Supply-Chain Attack consist of supply-chain attacks on the code of systems. Finally, Malware is a category of attack that directly alters instructions in the target system. Any one attack may draw on more than one category. There are two kinds of attacks: (1) those that exploit a system’s own instructions, and (2) malware, which inserts its own instructions. The first can generate only limited unwanted effects; malware can make systems do anything the hardware permits.
  4. CYBERSECURITY AS A SYSTEMS PROBLEM. Cybersecurity is attained by limiting what applications consider valid input. Equipment can be made secure from hackers by limiting what commands it will accept. One way to prevent corrupted content taken from websites from doing harm is to include a sandbox in the browser. Cybersecurity is both a technology problem and a people problem, but the wiser path to a permanent improvement lies in technology. Symmetric encryption uses the same key to encrypt plaintext into ciphertext and to decrypt ciphertext back into plaintext; asymmetric encryption uses different keys for the two operations. A cyberattack is a penetration, so the first defense must be a barrier against penetration. Firewalls were created to filter out harmful messages but may not detect malware. Air-gapping secures networks by isolating systems, offering the option of keeping them off the internet: literal air-gapping has no electronic connection, while virtual air-gapping runs over connected networks but accepts only encrypted packets from within the network. The more machines use the Internet, the greater the attack surface for hackers. If the cyberattack is coercive, a threat to one sector can threaten all sectors. Automated patching is a powerful measure. Always minimize risk. Database managers must log data requests and transfers. Compromises of massive data sets should reinforce security-mindedness.
  5. DEFENDING AGAINST DEEP AND WIDE ATTACKS. Against an impatient foe, one who will quit if a compromise takes too long, a system with more barriers is far more secure. Finding vulnerabilities and turning them into a set of usable tools takes a great deal of time and energy; once the tools work, hackers tend to reuse or recycle them with variations. A scalable attack need only hit one electric power company, but if the attack leads to a cascading failure, the effects may be regional or nearly national in scale. An attack can infiltrate multiple systems and remain undetected until activated. If hackers understand how defenders detected them, they can make their activities look like the everyday ebb and flow of traffic and evade detection. Watching how defenders react teaches hackers what to do next; watching hackers work teaches defenders what step to take next. Signatures of cyberattacks can be circulated so that organizations can load them into their prevention and detection systems and prepare against attacks that reuse the same signatures.
  6. DETERRENCE BY DENIAL. The softer the target, the more the attacker’s effort goes into general investment in broad-scale attack tools and the less into the defenses of any particular target. The harder the target, the more unique its vulnerabilities, and the more attention is paid to target-specific operations. The larger and more political the attacker’s organization, the more the psychology of discouragement merits attention. Hackers may be discouraged if the goals of the cyberwar bureaucracy are put at risk by bad news; without bad news, the attacker has no way of knowing whether its investment is futile. A cyberattacker can be defeated if it did not penetrate the system; or, having penetrated the system, failed to attain the goal of disruption; or, having achieved that goal, failed to extract serious costs because the target recovered faster than the attacker believed it could. A unit’s ability to fend off intrusions will make the attacker think twice, and other attackers are discouraged by what they hear or conclude about the failed attempts of others.

PART II. OPERATIONS

  1. TACTICAL CYBERWAR. A cyberattack against military targets carried out in war can be a decisive force multiplier if employed carefully. Tactical cyberwar involves injecting fog and friction into enemy military operations: corrupted information makes foes doubt the data they hold, and fog and friction widen the gap between war in theory and war in practice. The possible effects of cyberwar are Disruption (taking military systems down); Corruption (a missile that fails to point in the right direction); Eruption (an intense virtual illumination of the battlefield); and Interception (the collection of real-time intelligence on enemy targets, which can be more powerful than cyberwar). Avoid creating a large spike in activity within the target network. Coordinate cyberattack and cyberespionage when they use the same penetration techniques, because the discovery of one will unravel all of them, and they will be cleaned up. A cyberattack entails deception and surprise; a surprise cyberattack can eradicate both defense and offense, and attackers can limit its scope to draw less attention. An attacker can time an attack for when pressure on the target is greatest, find the target’s vulnerability, make the penetration hard to find, and appear to exploit one vulnerability while striking through another. The U.S. art of war is merciless overwhelming force. Chinese war strategy is small in scale but, if well timed, capable of catching the adversary unprepared; this is called the Assassin’s Mace. Using an adversary’s computers against them is a Chinese tactic called “attacking with a borrowed sword.” China will spend to hold U.S. superiority at bay. However, supremacy is useless and superiority is unnecessary in cyberwar.
  2. ORGANIZING A CYBERWAR CAMPAIGN. Operating a campaign requires attention to how the enemy reacts. A call-for-fires model settles matters at the tactical level: what was done, what worked, and how much it helped the kinetic effort. Cyberwar may not be effective in war, yet digitization and networking add complexity to warfighting, and with complexity the attack surface rises faster than a system’s size because complexity creates vulnerabilities in the connections between systems. Thus, militaries are likely to become more susceptible to tactical cyberwar. Planners of kinetic attacks worry about counterattacks; if hacking the enemy’s command and control can create confusion and delay the counterattack, the mission may have a better chance of succeeding with lower casualties. If the target thinks the attacker went after its nuclear sites and infers that the attacker is setting up a disabling nuclear strike, nuclear escalation will ensue. If the target thinks the attacker did not intend to strike its nuclear sites, or had no inkling of the damage, it may choose not to react.
  3. PROFESSIONALIZING CYBERWAR. Attacks could be tested in vivo: probes can check whether implanted code remains, the brave may run an attack up to just before the point where it creates effects noticeable to the target’s defenders, and implants can be pinged to see whether they respond to test signals. But too much testing will alert defenders and may prompt patching of the vulnerabilities. Any attempt to create the desired effects on the battlefield risks creating collateral damage. Training inculcates a set of skills and reveals the few who are really good at hacking; it provides a winnowing function, with a drop-out ratio similar to that of Special Forces. Time and connectivity are features of cyberspace. Both suggest the value of careful contingency rules of engagement, which should apply only where there is a valid need for an instant response. Few risks arise from limiting the president to authorizing cyberattacks for specified contingencies, but neither time nor connectivity argues for predelegation of cyberattack authority. Cyberwar is no substitute for an armed force, but it can be a force multiplier. There is a larger principle at work: complexity gives rise to vulnerabilities, whose discovery and exploitation can leverage small units to large effect.
  4. IS CYBERSPACE A WARFIGHTING DOMAIN? The U.S. military has a real need, and a serious capability, to shape its information systems, and DOD’s foes have a clear interest in preventing its operations. The NSA has hired some of the world’s smartest people in cybersecurity; it has more scope to shape its cyberspace, and uses this scope vigorously. Information assurance is about how militaries minimize threats, but it works in the service of mission assurance. Offensive cyberwarriors do reconnaissance; in no other military endeavor is intelligence so integral to warfighting, and their reconnaissance is not simply to observe and report. The only harm from DDoS (distributed denial-of-service) attacks is making public network access unavailable. Systems have to be penetrated well before they are attacked, and the choice of targets has to be made before the upcoming conflict is clear. The desire to see cyberspace as a warfighting domain is deeply ingrained doctrine in the minds of those who carry it out, but the concept is misleading and pernicious. If the U.S. military calls cyberspace a domain, it is to organize, train, and equip forces for combat in that medium; militaries do this for electronic warfare without elevating it to a separate domain.
  5. STRATEGIC IMPLICATIONS OF TACTICAL CYBERWAR. If foreign governments believe that adherence to Windows/Intel is the root of the U.S. ability to hack their systems, they may find common cause with other countries in building a network foundation of code that the U.S. cannot control. Iran has disconnected its internet from the rest of the world and has replaced Windows. Countries have adversaries enamored of tactical cyberwar, thinking it can shift the correlation of forces. The best way to persuade them otherwise is not to demonstrate that tactical cyberwar can be defeated on its own terms but that its consequences can be managed. NATO has taken the challenge of information system security to heart. The notion of collective defense includes both attack and defense, and a collective effort can disarm an enemy more effectively than a single effort. But because defenders cannot disarm cyberattackers, collective defense in cyberspace is just defense.
  6. STABILITY IMPLICATIONS OF TACTICAL CYBERWAR. A strong first-mover advantage may tempt one side to move first to disarm the adversary. Because nuclear confrontation is thought to favor the first mover, strategists urge building a survivable second-strike capability for stability. Introducing an influential but fragile military system may spur a foe to knock it out first. Even if the cyberattacker believes he can fail, the attack could bring down the enemy’s systems ahead of the conflict. The downside is that expending zero-day vulnerabilities depletes the cyberwarrior’s better weapons. Cyberattack capabilities are not vulnerable to a first strike and are not accident prone; but early warning of them is unreliable, rogue hackers make them unreliable, attackers fear that their access is imperiled, they are unsuited to rapid decision making, predelegation has low value, and they rely on surprise. A country can carry out a cyberattack and deny it; this is attractive because it promises release without risk and may avoid external critique. Tactical cyberwar provides a way to get the jump on an enemy with a first strike at reduced risk. But cyberespionage affects international relations.

PART III. STRATEGIES

  1. STRATEGIC CYBERWAR. The art of a cyberattack lies not in destroying target systems but in confusing them. If hackers penetrate the electric grid and tamper with voltage levels, overloaded circuits can take down entire systems. Although infrastructure and banks are privately owned, the ultimate object of coercion is the government; in a cyberattack, governments will redirect the public’s ire to the private infrastructure owners whose poor defenses allowed the public to suffer the inconveniences of cyberwar. In almost every classified Pentagon study of how a confrontation with Russia, China, Iran, or North Korea might play out, the adversary’s first strike against the U.S. is a cyber barrage aimed at civilians: it fries power grids, stops trains, silences cellphones, overwhelms the internet, stalls food and water supplies, and closes hospitals. A SIOP is a single integrated operating plan; in a SIOP, the target list reflects demand, while a cyberwar’s target list reflects real targets. The coercive effects of cyberattacks are speculative. Better targets are harder to penetrate, and damage is temporary and not repeatable. As a threat, strategic cyberwar may be unbelievable; as a reality, it may not cause enough damage; and once both sides engage, it is hard to terminate.
  2. CYBERWAR THREATS AS DETERRENCE AND COMPULSION. Anger is a largely retrospective emotion; fear is both emotional and rational, a function of what may happen. If fear dominates anger, coercion will work; if anger dominates fear, coercion will backfire. In the long run, the pressure of a threat is no greater than the costs, in labor time, resources, and decreased usability, of managing the risk to networks and systems down to tolerable levels. If the threat is sufficiently fearsome, a rational country would pay upfront for cybersecurity and resilience. The unknowns are larger in cyberspace, and the victim may profit from calling the coercer’s bluff or from stalling for time to boost its defenses. The uncertainties of cyberspace underpin the narrowness of the retaliation window: if leaders are uncertain about the effects of a retaliatory cyberattack, they may be unable to judge with confidence within the deterrence window, and revenge may fail to impress or may be overkill.
  3. THE UNEXPECTED ASYMMETRY OF CYBERWAR. Many have argued that less-developed countries could become as fearsome as highly developed ones by bootstrapping their offensive cyberwar capabilities through the markets for malware and zero days. Small countries can buy digital espionage services, enabling them to conduct operations like electronic spying or influence campaigns that were once the purview of major powers like the U.S. and Russia. Russian cybercriminals actively supply countries with malware. An Iranian tool surfaced in the attack on Ukraine in 2015, when Russian hackers shut down parts of Ukraine’s power grid, and FireEye found that Iran’s Triton malware was built by Russia. The Chinese have envied the popularity of U.S. software and content, and the fact that so much internet traffic goes through U.S. routers. China’s attempt to internationalize internet governance by praising the International Telecommunication Union, while pushing down major U.S. Internet firms and lifting up local Chinese firms, reflects its anti-U.S. attitude. China is producing more engineers and raising funds for research, although it is unclear whether this will translate into the cutting edge that U.S. companies have. Huawei and ZTE have been blacklisted in much of the U.S. and Western markets. The move from Cisco to Huawei came at the expense of China’s cybersecurity.
  4. RESPONDING TO CYBERATTACK. Retaliation in cyberspace for cyberattacks remains weak. The closest there has been to retaliatory cyberattacks were the late-2012 DDoS attacks on U.S. banks by Iran, which had discovered two years earlier that its nuclear program had been set back by the Stuxnet worm, and the 2020 Israeli cyberattack on an Iranian port in response to the Iranian attempt on Israeli water works. A country may be inclined to retaliate immediately in response to a cyberattack. But the victim country should consider the attacker’s motives before retaliating, to ensure that it is defeating the attacker’s strategy as well as altering the attacker’s calculus. Even if it retaliates, it need not do so immediately, and there are responses other than state-on-state retaliation. The country also needs to consider how the target of retaliation will respond.
  5. DETERRENCE FUNDAMENTALS. The four key prerequisites of a deterrence policy are Credibility (the will to retaliate); Attribution (the ability to determine whom to retaliate against); Thresholds (the distinction between acts that merit retaliation and acts that do not); and the Capability to punish. Retaliation in cyberspace cannot disarm; therefore, it has no rationale to fall back on other than deterrence. Cyberdeterrence is symmetric and repeatable, because credibly signaling threats and creating deterrence requires assured repeatability; it differs from criminal deterrence, which is asymmetric, and from nuclear deterrence, which may not be repeatable. One purpose of deterrence is to reduce the likelihood of future attacks and the expense of defenses. The case for cyberdeterrence (the threat of retaliation following a cyberattack) rests on the premise that damage from a cyberattack could be intolerable and that defense may not be cost-effective. Deterrence is a form of behavior modification that the rule of law was invented to accomplish. Any tailored threshold or punishment may be communicated to potential attackers; this implies a willingness to tolerate public disclosure and to treat different attackers differently.
  6. THE WILL TO RETALIATE. An important purpose of a deterrence policy is not only to ward off further cyberattacks but also to maintain a reputation for not being trifled with. Maintaining such a reputation may help ward off a physical attack on an interest the attacker is not sure the U.S. would defend. Everyone thinks the U.S. would respond to an attack on its homeland; the attacker would presumably be looking at the U.S. response to a cyberattack as a way of determining how strongly the U.S. would defend a peripheral interest. A strong response to a cyberattack should indicate a feisty U.S., raising the odds that the U.S. would mount a response to a physical or cyberattack on what might seem not worth fighting over. But this should be analyzed carefully. No cyberattack prefatory to a kinetic campaign has ever taken place; the Russian cyberattacks on Georgia were carried out to hinder Georgia’s media response to the invasion, not to test Georgia or to facilitate a subsequent kinetic attack. The enemy’s interpretation of a vigorous U.S. response to a cyberattack, say on the U.S. banking system, is not evidence that the U.S. would also militarily defend a minuscule Asian island; the inference is not particularly obvious, but it is not hollow either.
  7. ATTRIBUTION. A dozen years ago, the primary argument against cyberdeterrence was the difficulty of making good attribution after a cyberattack. In response to that belief, both government agencies and commercial cybersecurity companies improved their ability to attribute, and attribution improved considerably. It is doubtful, however, that the Chinese would have agreed to stop their industrial espionage if they had thought an unrestricted industrial espionage campaign could still be conducted without leaving enough fingerprints to merit U.S. sanctions. Attribution is not a sure thing. Repeated intrusions by known actors are more likely to be caught than one-time cyberattacks by unknown actors. Because the consequences to countries of having their cyberwar organizations caught have not been decisive, their operations security (OPSEC) falls short of where it could be. Once consequences matter, OPSEC will improve and complicate attribution, albeit neither quickly nor cheaply. Finally, if attribution must be proven rather than simply asserted, difficult trade-offs arise between making a credible case and protecting sources and methods.
  8. WHAT THRESHOLD FOR RESPONSE? One advantage of a zero-threshold policy is that it allows the target country to show its will to retaliate against large attacks. A cat’s-paw maneuver can follow if the enemy does retaliate, inviting counter-retaliation. Another strategy is salami slicing: a series of small moves, none of which seems a sufficiently actionable departure from accepted practice, but which cumulatively make a big difference and cross the threshold. The failure of the U.S. to respond to China’s claims over reefs in the South China Sea emboldened China’s next ploy of building underwater reefs into islands, which further emboldened it to assert and enforce sovereignty claims. China would thereby exercise control over the entire South China Sea, which would surely have invited retaliation without the veil of salami slicing. A defense that damage was unintended is a weak defense: the Russian insurgents who downed Malaysia Airlines Flight MH17 over Ukraine may have thought it was a Ukrainian military aircraft. The point of deterrence is to influence the enemy’s will rather than its competence; past U.S. administrations did not respond to failed North Korean missile launches in the physical world. A country can yield to deterrence by denying any intention to carry out the act, but reversing course means admitting it was done. To compel a country to stop assumes the activity has taken place and thus may have been acceptable before. The law of armed conflict does not recognize espionage as a casus belli, and a case for changing this has yet to be made.
  9. A DETERMINISTIC POLICY. A policy of determinism has its advantage: it creates a serious penalty for stepping over the threshold. The U.S. has been edging toward a more deterministic policy over the last few years; China lacks one. A probabilistic deterrence posture has many advantages: (1) it establishes no safe zone; (2) it does not make the world safe for cyberwar; (3) it does not reassure unpredictable allies; (4) it weakens counter-deterrence; (5) it creates less need to explain; (6) it permits tailored deterrence; (7) it permits time for contemplating a proper response; (8) it permits a sub-rosa response; (9) it does not risk over-commitment to a force-on-force framing; and (10) it does not jeopardize the areas where deterrence postures really matter. The costs and benefits of declaring a threshold are strongly related to the choice of retaliation under ambiguous conditions. Israel, which is in a far more hostile neighborhood, may fear for its survival if considered a patsy, but figures that its hostile neighbors already deem it a jerk, and thus Israel is always ready to retaliate. The U.K. threatened to retaliate against Italian submarines, suspecting they were sinking Republican ships during the Spanish Civil War; the Italians stopped.
  10. PUNISHMENT AND HOLDING TARGETS AT RISK. One problem with cross-domain retaliation is ensuring the other side understands what the retaliation is for. If one cyberattack draws another in rapid response from the other side, the correlation is clear; if the response is outside cyberspace, the initial violation is unclear. The retaliator can be explicit, but may be lying; it may have been another violation that really triggered the retaliation. Risks may be limited by a combination of implicit deterrence against catastrophic attacks, primary deterrence against the use of force, criminal deterrence against non-state attacks, and secondary deterrence against follow-on attacks. CYBERCOM’s adoption of “persistent engagement” is now mooted as an alternative to deterrence by punishment: rather than wait for cyberattacks to reach friendly (BLUE space) networks, CYBERCOM intends to illuminate the attack infrastructure of hostile hackers, disrupting their plans in neutral (GRAY space) networks and in the hackers’ own networks (RED space). The tools and techniques of persistent engagement are rightfully highly classified and have precedents, and CYBERCOM has made its intentions and its successes known. The U.S. should retaliate against a cyberattack because punishment is a cost-effective way to limit the risk from future cyberattacks.
  11. CYBERWAR ESCALATION. Each side may escalate the cyberspace component of their confrontation in order to find the most advantageous level of conflict. One side could stop escalating not out of fear of the other side’s escalation but because it has few cost-effective opportunities at higher levels. The various uncertainties that prevent one side from knowing exactly where the penetration is, or where the other side stands on the escalation ladder, trash any notion of precision, so escalation in cyberspace is likely to be bumpy. There will be only one escalation phase: from unproblematic cyberattacks on military targets to problematic cyberattacks against civilian targets. Countries may escalate by successively widening the set of what they deem licit targets rather than by increasing intensity. Cyberattacks cannot disarm the enemy’s ability to respond in kind. The timing of a response ought to be predicated on what it is meant to accomplish in the context of one’s warfighting strategy. Each country should understand how the other side and third parties will react to escalation, and how they understand cyberwar norms. In cyberspace, the defender may not realize how threatening its behavior seems to the enemy.
  12. BRANDISHING CYBERATTACK CAPABILITIES. Countries brandish to make threats or to counter threats. Brandishing a capability, like any cyberattack, can spur countermeasures and thus should not be done casually. Those who brandish should first determine whether the point of doing so is to look powerful or to make the other side look powerless. The DNC hack was an attempt to gain recognition for Russian cyber capabilities and prestige on the world stage. Simply declaring a capability without demonstrating it proves nothing, but a demonstration would have to be shaped to accommodate the risk that it would itself constitute an attack. If the other side reacts with its own cyberattack, then the whole point of escalation dominance, which is to inhibit the other side from taking action, is lost. States may brandish offensive cyberwar capabilities to give teeth to a deterrence policy; its success as a policy option depends on what other countries conclude about the motive for the timing of such brandishing. A country that threatens retaliation in cyberspace could use brandishing to give substance to the threat. Absent a threat, what is the need for retaliation?
  13. NARRATIVES AND SIGNALS. An important narrative is how countries wish to describe cyberspace. It helps if cybersecurity is not seen as a zero-sum game: not as two battle fleets lined up against one another, but more as mutual assistance on the rough high seas. Retaliation is a challenge in which coordination among narrative, attribution, and response is expected. If a cyberattack is harmful enough to deserve a response, leaders must present a compelling case for who did it and respond in ways that should deter repeats. This is the critical-proven-harsh combination: the cyberattack is critical, the attribution has been proven, and the response is harsh. Signals are actions meant for the leaders of a country’s adversary; narratives are meant for the public. Japan and China both claim the Senkaku islands. Japan arrested a Chinese fisherman in 2010 for coming too close to Senkaku and ramming Japanese vessels; under Chinese pressure, Japan released the fisherman but refused to apologize. China thereby tested Japan’s resolve to back its territorial claims in the East China Sea. Showing certainty in the face of doubt can matter more than showing courage in the face of fear. Signaling without a narrative is fraught, as signals may not be read correctly.
  14. CYBERATTACK INFERENCES FROM CYBERESPIONAGE. In a crisis, countries will be looking for indicators, and, as with all things in cyberspace, intrusions into networks are likely to garner greater importance over time. As long as the methods of cyberespionage, notably implants, look like the methods of cyberattack, the discovery of one will raise fears about the other. Discovery may or may not happen, but it is more likely to happen in a crisis, when systems are being scrubbed more diligently. Figuring out when an intrusion took place is a forensic art. The target’s reaction may be shaded by its understanding of the security dilemma in cyberspace; if so, the wiser course of action may be to counter with one’s own deterrent signals. Signaling through the manipulation of cyberespionage traces may be misread; the lesson is to know what message you want your cyberespionage to carry if it is caught. To avoid inflaming tensions, double down on operational security and do not assume success. Avoid adding military targets during a crisis, and approach them with techniques different from those used in cyberattacks. When brandishing capabilities or signaling intent, generate a narrative that assumes discovery.
  15. STRATEGIC STABILITY. Does cyberwar lead to strategic instability? There are no first-strike advantages, the indications and warnings of use are defensive rather than offensive, and the arms race in cyberspace is not as damaging as its physical-world counterparts. However, countries may react to events out of fear and ignorance. What one side may find normal another finds menacing. A covert move might be discovered and then needs to be explained. A move with only tactical implications could be viewed through a strategic lens; agitation may follow. Cyberwar is heir to all these risks, engendering worry. There is little track record of what it can do. Attribution is difficult. Espionage, crime, and attack look very similar to one another at first glance. Nonstate actors can simulate state actors and vice versa. Everything is done in great secrecy, so what one state does must be interpreted by others. Mistakes in cyberspace do not have the same potential for physical catastrophe as in the nuclear arena. Unfortunately, this may lead people to ignore the role of uncertainty in assessing the risk of inadvertent crisis.

PART IV. NORMS

  1. NORMS FOR CYBERSPACE. Writing norms can be challenging when certain behaviors are deemed reprehensible, but writing is the easy part. Due attention must be paid to whether the countries able to violate such norms agree to abide by them. More attention is needed to work out mechanisms that can get violators to concede, or at least not contest, judgments that such norms have been violated. If these mechanisms can be established, existing norms can be placed on firmer footing and further norms can be generated with confidence that agreement implies compliance. The punishment for violating cyberspace norms ought to be consistent with the treatment of other norm violations. The West may want to punish Russia for the cyberattacks on Ukraine’s electric grid in 2015 and 2016. But to punish Russia for these while not punishing far more lethal norm violations would be absurd. There are difficulties in mounting an instant response in cyberspace. Las Vegas rules state that what starts in cyberspace stays in cyberspace: no attack from cyberspace, even one that causes substantial damage or death, merits a kinetic response.
  2. THE ROCKY ROAD TO CYBERESPIONAGE NORMS. Norms against Economically Motivated Cyberespionage (EMCE) were initially framed as prohibitions on going after certain targets. The U.S. position was mainly not to spy on commercial companies. But Snowden made it difficult to deny that the U.S. spied on commercial companies. China argued that no one could prove it carried out EMCE. The February 13 Mandiant Report made this argument moot, and an avalanche of similar cases documented by U.S. cybersecurity firms followed. Few in Beijing pretended China did not carry out EMCE. In 2018, U.S. trade action against China cited instances where Chinese hackers went after intellectual property; China’s EMCE was treated not as a cyberspace-norm violation but as a trade matter. The second norm relates to cybercrime: state-sponsored cyberespionage is understandable unless its results are converted to criminality. The U.S. reaction to the DNC hack brings a third norm: cyberespionage is understandable unless its results are used for political influence operations. Norms prohibiting attacks on infrastructure also ban cyberespionage against each other’s infrastructure. Seeking norms rather than red lines to curb unwanted behavior means negotiations, which take time.
  3. SINO-AMERICAN RELATIONS AND NORMS IN CYBERSPACE. The state of Sino-American relations could spell the difference between global peace and strife. Cyberspace is a blurry part of their relationship, and the bad feelings produced by differences in cyberspace can reduce strategic trust and complicate the resolution of other conflicts, e.g., the South China Sea. Although cyberspace is among the top 5 issues the U.S. has with China, it does not make the top 10 list in China. Presidents Obama and Xi struck a deal on 25-September-2015. Xi committed China to adhere to norms of cyberespionage that disallowed none of what the U.S. did, yet forbade much of what China did. Surprisingly, China kept its end of the agreement, with drastically fewer cyberespionage attacks for a year. By Spring 2016, a Chinese group was suspected of penetrating U.S., Canadian, and European petrochemical companies, and another Chinese group (APT10) of hacking U.S. managed services to reach victim companies. China’s state-employed hackers had likely been covering their tracks by writing embedded code in English or Russian.
  4. THE ENIGMA OF RUSSIAN BEHAVIOR IN CYBERSPACE. Russians are quite competent at compromising systems and have deep expertise in espionage, such that U.S. intelligence considers Russian hackers far more skilled than Chinese hackers. Russia’s electronic warfare capabilities are first rate, with sophisticated tools for a sophisticated cyberwar strategy. Russia is exploring the integration of psychological warfare and cyber operations. Having met considerable success, Russia is likely to proceed. It is in a try-and-see mode regarding cyberspace. Most of Russia’s bad behavior consists of sheltering cybercriminals. Russia and China equate cyberespionage with Information Warfare. While Russia seems hostile in cyberspace, the Russians did sign a deal with the U.S. in 2013 providing a hotline to defuse crises involving cyberspace weapons, but the U.S. tilted more towards prosecuting cybercrime. Does Russia have a cyberwar strategy? Why is Russia accused as the source of so many hacks? Why did Russia not use more cyberattacks against Ukraine? If Russia is using cyberattacks to signal the West, why is there no narrative with its signaling? Probably, Russia is still groping.
  5. CYBERSECURITY FUTURES. Measures beget countermeasures that beget more counter-countermeasures. Techniques morph rapidly in cyberspace. Cyberattackers are cracking increasingly sophisticated countermeasures, but not obstacles to entry. Then comes popular legitimation of cyberattacks by going after the arrogant (HBGary) or the obnoxious (Westboro Baptist Church). A military battlefield of devices that once took orders only from warfighters now sees them taking orders from one another. The problem with machines taking cues from one another is that it confounds the source of unwanted behavior. Architecture more than coding explains why systems are subject to remote malware. Complexity is the main reason for unwanted responses of programs to carefully manipulated inputs. Cybersecurity has the attributes of confidentiality, integrity, and availability. More information is circulating widely and is entrusted to more hands, so secrets are harder to keep. Adding monitors to control logic can help maintain control, or at least reveal that controls have been hacked. Fundamental solutions may arise: Trusted Distribution, Intensified Air-Gapping, Conformance Monitoring, and One-Touch System Restoration.
  6. CYBERWAR: WHAT IS IT GOOD FOR? The surprise element helps offense win battles, but the limitations of surprise suggest that defense wins wars. It may be that the most important event in cybersecurity in recent years consisted of absolutely nothing: the things that were feared did not happen. The Russians exercised discretion in carrying out major cyberattacks while confronting Ukraine. The originators of WannaCry made little money. China’s restraint in commercial cyberespionage suggests the benefits of intellectual property theft may be overstated.

RECOMMENDATION. The book Cyberspace in Peace and War, authored by Dr. Martin C. Libicki and published by USNI, is a comprehensive analysis of cyberwar, cyber offense, cyber defense, and cyberspace. Current and prospective cyberwarriors and students in the cyber realm will find this work quite useful and much deeper than a treatment of computer hacking, as it elaborates on the political and cultural dynamics behind cybercrimes. They will pick up new and important points on defense policy, strategy, and tactics in the cyber arena from this edition. Cybersecurity is an imperative. Even Navy flagships are subject to cyberattack, which may involve jamming the revered GPS.

About the Author

Vicky Viray-Mendoza
Executive Editor, MARITIME REVIEW. Special interest in Marine Environment. Retired World Bank Group Operations Evaluation Analyst. Specializes in operations research, evaluation, and analysis. Education: Currently taking her Masters in U.S. Law (American Military University, VA); Masters in Public Administration (George Washington University, D.C.); Masters in Business Administration (University of Maryland, MD); Post-Masters Certificate in International Finance and Global Markets (Georgetown University, D.C.). BSC Management; BSC Accounting (Assumption College, San Lorenzo, Makati); Assumption Convent High School (San Lorenzo, Makati); St. Theresa's College, Cebu, Grade School.

1 Comment on "Book Review: Cyberspace in Peace and War"

  1. Thank you for your message. I do try to give my best for the Maritime Review. As to how I center myself and clear my mind before writing, in my younger years, I had the habit of vacuuming a certain part of the house. This gave me the feeling that I was clearing my mind of all unwanted things and ideas. Very therapeutic. I would also vacuum right before studying for exams. After 30 odd years writing as an analyst, that habit had moved on to gathering data and opinions to help me decide whether the argument I am about to present is correct or not. So now in the latter part of my life, it actually takes me longer to clear my head because of the upfront research and readings I have to do before I set my keyboard to type my first sentence. I hope this helps.

    Vicky Viray Mendoza
