1,432 research outputs found

    Investigating the relevance of effectiveness of cybersecurity measures in the Philippine maritime industry

    Deterring Malicious Behavior in Cyberspace

    Recent incidents reveal cyberattacks are being employed and honed in a systematic, coordinated fashion to achieve the objectives of malicious actors. Deterrence of the wide array of actors in cyberspace is difficult, since deterrence has to work in the mind of the attacker. Each attacker will weigh the effort of the attack against the expected benefit under their own criteria or rationality. This article analyzes whether the contemporary and complementary deterrence strategies of retaliation, denial, and entanglement are sufficient to deter malicious cyber actors or if the alternative of active cyberdefense is necessary and viable.

    A STUDY ON EFFECTIVE COUNTERMEASURES AGAINST CYBER ATTACKS IN SOUTH KOREA

    Based on U.S. cybersecurity policy, this thesis proposes effective countermeasures for the Republic of Korea (ROK) to prepare for, deter, and recover from cyber threats posed by North Korea. This study identifies the most dangerous North Korean cyber strikes facing South Korea by reviewing several cases of North Korean cyberattacks, the ROK’s countermeasures, and the severity of the damage caused by the attacks. The study builds on the writings of academics and subject matter experts as well as publicly available government policy documents, although specifics on policy are limited due to national security concerns. In addition, the study acknowledges how the cybersecurity paradigm has shifted as a result of U.S. planning, reaction to, and establishment of follow-up measures for an attack of a similar type by a cyber superpower. The strategy of deterring an opponent's operations based on the past has evolved into a strategy of preparing for enemy attacks through information sharing and preemptive defense measures, and counterattack by rapid recovery and identification of the enemy through resilience and with tracking technologies. Although the ROK is a country with well-developed information technology, its cybersecurity knowledge, systems, and technology remain weak in comparison to North Korea's abilities. Consequently, it is conceivable that the ROK can respond effectively to North Korea’s cyber threats by applying the lessons learned from the United States. Major, Republic of Korea Air Force. Approved for public release. Distribution is unlimited.

    Evaluation of the 2015 DoD Cyber Strategy: Mild Progress in a Complex and Dynamic Military Domain

    In 2011, the Department of Defense (DoD) released its Strategy for Operating in Cyberspace, which officially recognized cyberspace as an operational domain akin to the traditional military domains of land, sea, air, and space. This monograph examines the 2015 DoD Cyber Strategy to evaluate how well its five strategic goals and associated implementation objectives define an actionable strategy to achieve three primary missions in cyberspace: defend the DoD network, defend the United States and its interests, and develop cyber capabilities to support military operations. This monograph focuses on events and documents from the period of about 1 year before and 1 year after the 2015 strategy was released. This allows sufficient time to examine the key policies and guidance that influenced the development of the strategy as well as follow-on activities for the impacts from the strategy. This inquiry has five major sections that utilize different frameworks of analysis to assess the strategy: 1. Prima Facie Analysis: What is its stated purpose and key messages? 2. Historical Context Analysis: What unique contributions does it introduce into the evolution of national security cyberspace activities? 3. Traditional Strategy Analysis: Does it properly address specific DoD needs as well as broader U.S. ends in a way that is appropriate and actionable? 4. Analysis of Subsequent DoD Action: How are major military cyberspace components—joint and Service—planning to implement these goals and objectives? 5. Whole of U.S. Government Analysis: Does it integrate with the cyberspace-related activities of other U.S. Government departments and agencies? The monograph concludes with a section that integrates the individual section findings and offers recommendations to improve future cyberspace strategic planning documents.

    Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)

    In 2014 NATO’s Center of Excellence-Defence Against Terrorism (COE-DAT) launched the inaugural course on “Critical Infrastructure Protection Against Terrorist Attacks.” As this course garnered increased attendance and interest, the core lecturer team felt the need to update the course in critical infrastructure (CI) taking into account the shift from an emphasis on “protection” of CI assets to “security and resiliency.” What was lacking in the fields of academe, emergency management, and the industry practitioner community was a handbook that leveraged the collective subject matter expertise of the core lecturer team, a handbook that could serve to educate government leaders, state and private-sector owners and operators of critical infrastructure, academicians, and policymakers in NATO and partner countries. Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency is the culmination of such an effort, the first major collaborative research project under a Memorandum of Understanding between the US Army War College Strategic Studies Institute (SSI), and NATO COE-DAT. The research project began in October 2020 with a series of four workshops hosted by SSI. The draft chapters for the book were completed in late January 2022. Little did the research team envision the Russian invasion of Ukraine in February this year. The Russian occupation of the Zaporizhzhya nuclear power plant, successive missile attacks against Ukraine’s electric generation and distribution facilities, rail transport, and cyberattacks against almost every sector of the country’s critical infrastructure have been on world display. Russian use of its gas supplies as a means of economic warfare against Europe—designed to undermine NATO unity and support for Ukraine—is another timely example of why adversaries, nation-states, and terrorists alike target critical infrastructure. 
Hence, the need for public-private sector partnerships to secure that infrastructure and build the resiliency to sustain it when attacked. Ukraine also highlights the need for NATO allies to understand where vulnerabilities exist in host nation infrastructure that will undermine collective defense and give more urgency to redressing and mitigating those fissures.

    The Federal Information Security Management Act of 2002: A Potemkin Village

    Due to the daunting possibilities of cyberwarfare, and the ease with which cyberattacks may be conducted, the United Nations has warned that the next world war could be initiated through worldwide cyberattacks between countries. In response to the growing threat of cyberwarfare and the increasing importance of information security, Congress passed the Federal Information Security Management Act of 2002 (FISMA). FISMA recognizes the importance of information security to the national economic and security interests of the United States. However, this Note argues that FISMA has failed to significantly bolster information security, primarily because FISMA treats information security as a technological problem and not an economic problem. This Note analyzes existing proposals to incentivize heightened software quality assurance, and proposes a new solution designed to strengthen federal information security in light of the failings of FISMA and the trappings of Congress’s 2001 amendment to the Computer Fraud and Abuse Act.

    What Ukraine Taught NATO about Hybrid Warfare

    Russia’s invasion of Ukraine in 2022 forced the United States and its NATO partners to be confronted with the impact of hybrid warfare far beyond the battlefield. Targeting Europe’s energy security, Russia’s malign influence campaigns and malicious cyber intrusions are affecting global gas prices, driving up food costs, disrupting supply chains and grids, and testing US and Allied military mobility. This study examines how hybrid warfare is being used by NATO’s adversaries, what vulnerabilities in energy security exist across the Alliance, and what mitigation strategies are available to the member states. Cyberattacks targeting the renewable energy landscape during Europe’s green transition are increasing, making it urgent that new tools are developed to protect these emerging technologies. No less significant are the cyber and information operations targeting energy security in Eastern Europe as it seeks to become independent from Russia. Economic coercion is being used against Western and Central Europe to stop gas from flowing. China’s malign investments in Southern and Mediterranean Europe are enabling Beijing to control several NATO member states’ critical energy infrastructure at a critical moment in the global balance of power. What Ukraine Taught NATO about Hybrid Warfare will be an important reference for NATO officials and US installations operating in the European theater.

    Was the Colonial Cyberattack the First Act of Cyberwar Against the U.S.? Finding the Threshold of War for Ransomware Attacks

    (Excerpt) On May 7, 2021, “DarkSide,” a foreign hacker group, conducted a ransomware attack against the Colonial Pipeline (“Colonial”). That morning, Colonial discovered a “ransom note demanding cryptocurrency.” The attack forced the shutdown of the Colonial Pipeline, stopping the daily delivery of 2.5 million barrels (MMBbls) of “gasoline, jet fuel and diesel” to the East Coast. The shutdown created fuel shortages, impacted financial markets, and panicked the public. The resulting fuel shortages and economic impacts “triggered a comprehensive federal response” on May 11, 2021. On May 12, CEO Joseph Blount paid a ransom of nearly $5 million in bitcoin to restore control. The federal government treated the attack as a cybercrime, ultimately seizing and returning some of the ransom payment. Ransomware attacks, like the attack against Colonial, are the leading type of cyberattack. Norton Security estimated that in 2021, “there [would] be a ransomware attack on businesses every 11 seconds.” While a majority of cyberattacks are treated as matters for law enforcement, critical questions arise when the attack is a matter of national security. At what point does a cybercrime become more than a cybercrime? At what point is the attack an act of war? Here, the Colonial cyberattack provides a case study for analyzing whether a ransomware attack on critical infrastructure constitutes an act of war. Creating a threshold for acts of cyberwar is critical to developing future strategies to deter cyberattacks and avoid a so-called “Cyber–Pearl Harbor.” This Note argues that the Colonial cyberattack was an act of cyberwar because the attack crossed a six-factor threshold developed from both domestic and international “laws of war.” Therefore, the federal government can respond to the Colonial cyberattack with military force as authorized under 10 U.S.C. § 394 and subsequent presidential policy directives (“PPDs”). 
Under this statute, a military response could have been led by U.S. Cyber Command (“USCYBERCOM”) or conventional military forces. Part I of this Note discusses ransomware and the current domestic and international legal frameworks behind cybercrime and cyberwarfare. Part II creates a six-factor threshold for cyberwar developed from the law and argues that the Colonial cyberattack crossed that threshold into cyberwar. Further, this Part describes what a military response under 10 U.S.C. § 394 would look like. Finally, while this Note identifies the ability to use military force, such force should only be used proportionally and as a means of self-defense or deterrence.