4,710 research outputs found

    Warfighting for cyber deterrence: a strategic and moral imperative

    Theories of cyber deterrence are developing rapidly. However, the literature is missing an important ingredient—warfighting for deterrence. This controversial idea, most commonly associated with nuclear strategy during the later stages of the Cold War, affords a number of advantages. It provides enhanced credibility for deterrence, offers means to deal with deterrence failure (including intrawar deterrence and damage limitation), improves compliance with the requirements of just war and ultimately ensures that strategy continues to function in the post-deterrence environment. This paper assesses whether a warfighting for deterrence approach is suitable for the cyber domain. In doing so, it challenges the notion that warfighting concepts are unsuitable for operations in cyberspace. To do this, the work constructs a conceptual framework that is then applied to cyber deterrence. It is found that all of the advantages of taking a warfighting stance apply to cyber operations. The paper concludes by constructing a warfighting model for cyber deterrence. This model includes passive and active defences and cross-domain offensive capabilities. The central message of the paper is that a theory of victory (strategy) must guide the development of cyber deterrence

    Cyber resiliency for digital enterprises: A strategic leadership perspective

    As organizations increasingly view information as one of their most valuable assets, which supports the creation and distribution of their products and services, information security will be an integral part of the design and operation of organizational business processes. Yet, risks associated with cyber attacks are on the rise. Organizations that are subjected to attacks can suffer significant reputational damage as well as loss of information and knowledge. As a consequence, effective leadership is cited as a critical factor for ensuring corporate level attention for information security. However, there is a lack of empirical understanding as to the roles strategic leaders play in shaping and supporting the cyber security strategy. This study seeks to address this gap in the literature by focusing on how senior leaders support the cyber security strategy. The authors conducted a series of exploratory interviews with leaders in the positions of Chief Information Officer, Chief Security Information Officer, and Chief Technology Officer. The findings revealed that leaders are engaged in both transitional, where the focus is on improving governance and integration, and transformational support, which involves fostering a new cultural mindset for cyber resiliency and the development of an ecosystem approach to security thinking. Managerial relevance statement: Our findings provide interesting insights for managers particularly those in the role of Chief Information Officers (CIOs), Chief Security Information Officers (CSIOs), and Chief Technology Officers (CTOs). We propose a Cyber Security Strategy Framework (CSSF) which can be used by these information/technology managers to design an effective organizational strategy to develop cyber resilience in their organization. Our framework suggests that managers should focus on transitional and transformational support. The transitional support focuses on improving governance and integration whereas transformational support focuses on the emphasis of fostering a new cultural mindset for cyber resiliency and the development of an ecosystem approach to security thinking. Our findings provide good evidence showing how leaders can support more effective cyber security initiatives

    Newsletter, Summer/Fall 2016


    WE ARE ALL GONNA DIE: HOW THE WEAK POINTS OF THE POWER GRID LEAVE THE UNITED STATES WITH AN UNACCEPTABLE RISK

    Federal regulations aim to ensure grid reliability and harden it against outages; however, widespread outages continue. This thesis examines the spectrum of regulations to evaluate them. It outlines their structure, the regulations’ intent, and weighs them against evolving cyber and physical threats and natural disaster risks. Currently, the regulatory structure is incapable of providing uniform security. Federal standards protect only the transmission portion of the grid, leaving the distribution section vulnerable to attack due to varying regulations from state to state, or county to county. The regulations cannot adapt quickly enough to meet dynamic threats, rendering them less effective. Cyber threats can be so agile that protectors are unaware of vulnerabilities, and patching requirements are too lengthy, which increases the risk exposure. No current weather mitigation or standard is capable of protecting the grid despite regular natural disasters that cause power shutdowns. The thesis concludes that bridging these gaps requires not increasing protection standards, but redundancy. Redundancy, mirrored after the UK's infrastructure policy, is more likely to reduce failure risk through layered components and systems. Microgrids are proven effective in disasters to successfully deliver such redundancy and should be implemented across all critical infrastructure sectors. Civilian, Department of Homeland Security. Approved for public release. Distribution is unlimited