DRAFT
Bill Ross
804-855-4988
bill.ross@infosecforce.com
INFOSECFORCE
“Cyber Warfare Escalation to Nuclear Warfare Examination”
Table of Contents
- Cyber Warfare Escalation to Nuclear Warfare? … The White House Cyber Security Failure and The National Institute of Standards (NIST) Cyber Security Framework (CSF) Panacea ….. Threatens National Security
- Overview
- Cyber Security Fumbles over the last 25 years
- Executive Summary
- Introduction
- 16 December 2016 Situation Report, Obama to Conduct Cyber Security Retaliatory Strikes Against Russia.
- Doctrine and Analysis Misdirection
- NIST and the Cyber Security Framework (CSF) Propaganda
- Conclusion
Cyber Warfare Escalation to Nuclear Warfare? …
The White House Cyber Security Failure and The
National Institute of Standards (NIST) Cyber
Security Framework (CSF) Panacea ….. Threatens
National Security
Overview
Very bluntly, it is a Government and Military failure to not plan for the possibility
that Cyber Warfare can escalate to Nuclear Warfare. Cyber Warfare and all Cyber
Warfare Weapons are now part of Nation States’ War Fighting Arsenal and Nation
States with advanced War Fighting Weapons must define and discuss escalation
roadmaps. Likewise, the Executive Branch should NOT indicate to the American
Public and the World that the United States National Institute of Standards and
Technology (NIST) Cyber Security Framework (CSF) can adequately Identify,
Predict, Protect, Detect, Respond, and Recover from Cyber Security Attacks in
Cyber Space with the level of veracity that the military, government agencies and
private sector businesses must practice to prevent successful Cyber Security
attacks and proportionally respond before Cyber Security escalation exceeds our
ability to control it.
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Editor’s note: I added predict to the above list from CSF, as predict is a crucial component of threat
intelligence and threat management.
Cyber Security Fumbles over the last 25 years
In 2000, I was on a Fortune magazine panel in New York City and I was asked if I
thought one person sitting at a computer could bring down the internet. I said no.
I am still not sure if one person could as we have so many backups and
redundancies such as AKAMAI (the hidden internet). But, now, I believe one
person could launch a Supervisory Control and Data Acquisition (SCADA) attack and
do significant infrastructure damage. Look at what one piece of STUXNET malware
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ did to
Iran’s nuclear power program. I am sure a team of people developed STUXNET
but, I suspect its configuration was not beyond the skill of a very lethally talented
software developer. And, it was delivered simply through an insertion of a thumb
drive. https://en.wikipedia.org/wiki/Stuxnet
So, in the last 25 years, the United States and the world have experienced
relentless Cyber Security attacks. In many ways, the US Government (Executive
and Legislative Branches) responded to them first from a mystical reflection on
what Information Security Attacks were. And, now, look where we are …..
escalating our response to a possible Russian Cyber Security attack within the vast
Cyber Warfare Area of Operations against Russia. What happened to planning for
this stuff? A significant quantity of these have been successful attacks. So, why
were they successful and why will they be successful? Because …. we as a country,
have failed to relentlessly identify, predict, prevent, detect, and respond to attacks
using the vast technical ability that the United States possesses. Ironically, except for
“predict”, identify, predict, prevent, detect, and respond are core tenets of the
Administration’s CSF.
I do not believe the Government has completely grown beyond its mystical
reflection and understanding of Cyber Warfare. I believe the military understands it
but, it is still coming to grips with how to truly weaponize our Integrated Cyber
Security Weapons with all our other conventional weapons and weapons of mass
destruction within the Cyber Space Sphere and the Cyber Space Area of Operations
(AO).
Here is how this paper and its analysis is structured. I believe that I am qualified to
freebase this paper with minimal references. I admit I developed this paper as a
stream of consciousness as I wrote it very fast. However, I believe that my thesis
and conclusions are relevant within the current Cyber Warfare AO which, in
essence, is Cyber Space.
My justification in writing this quickly is that I am:
- A Cyber Security Expert with extensive experience. I have published several
long and short Cyber Security whitepapers to include a short one on
the definition of Cyber Space.
- I am a retired Air Force Intelligence Officer. I wrote extensive classified papers
while in the military on such things as nuclear warfare and chemical warfare.
- Have worked in Special Operations, Strategic Warfare, Chemical Warfare,
Tactical Warfare, Operations Other than War, The Pentagon, Strategic and
Tactical Intelligence Reconnaissance Offices, Operational Units and
Operational Commands, War fighting Operations Centers, etc.
- Have had great and interesting Cyber Security jobs in private sector, state
and national government jobs
- I was on the ground during 9-11, first jet went over my head, saw towers fall
in front of me
- Have had several papers published on Cyber Security and one on Soviet
military Doctrine called “Soviet Military Doctrine a Blueprint for the Future or
an Indictment of the Past” http://cua.academia.edu/BillRoss
- Presented my “The Invisible Person … the Security Architect” at the
University of Houston. This paper has been downloaded on the Internet nearly 3000
times.
Executive Summary
Cyber Warfare Tools and Nuclear Weapons are both potentially weapons of mass
destruction.
Despite spending billions of dollars by the United States on Cyber Security, a
relatively simple hack like accessing the Democratic National Committee Email
Servers has thrown the country into chaos as this hack possibly influenced our
election process and has caused a potential serious escalation of Cyber Warfare
attacks and ultimately, more serious escalation to the use of other weapons of
mass destruction.
Not only did attacks on the DNC and Podesta’s personal email accounts wreak
havoc on the elections but, the fact the Secretary of State established a private
email server in her house that processed United States Secret Information also
impacted the 2016 Presidential Elections. This was a significant email hack
executed by the State Department against the trust of the American people. These
two examples show significant proof that something as simple as the
mismanagement of the Cyber Security around emails could have overwhelming
effects on the safety of the United States. If we cannot protect email accounts
through fundamental Cyber Security management then what about the Cyber
Security safety of the United States infrastructure to include nuclear power plants?
It is very concerning that the United States’ Cyber Security expert on what is
happening in the Global Cyber Space Warfare Spectrum is now a New York Times
writer whose article’s title “The Perfect Weapon: How Russia Cyber Power Invaded
the United States” http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=1
in and of itself portrays a lack of Cyber Warfare knowledge. It
is an excellent article for the information it compiled but like NIST CSF, it does not
offer a pure path to Cyber Threat mitigation. An excellent review of the article for
what it really is was written by Tyler Durden
http://www.zerohedge.com/news/2016-12-13/new-york-times-explains-how-it-became-instrument-russian-intelligence .
And, to ask again, why is a New York
Times writer now the Spokesperson for Cyber Warfare?
Finally, the government and private sector must recognize the word “Cyber” does
not automatically mean Cyber Security. Cyber is more related to Cyber Space and
Cyber Security and Cyber Warfare are within the Cyber Space Spectrum.
https://www.academia.edu/26547082/Cyber_Security_does_not_just_mean_Cyber_
Introduction
While it is a possibility, this paper does not state we are escalating to nuclear
warfare at this time because of the United States Government’s failed Cyber
Security and Cyber Warfare policies. This paper is to somehow start a
comprehensive discussion on Cyber Warfare escalation models. The paper starts by
first examining the Government’s failure to adequately implement a potent Cyber
Space Defense-in-Depth National Cyber Security Process to Identify, Predict,
Protect, Detect, Respond, and Recover from Russian and all other global Cyber
Security and Cyber Warfare Threats hammering the United States millions of times
a day. This paper will examine the fact that the United States and writers of
warfare escalation theory and Cyber Security Incident, Threat Management, and
Cyber Security Intelligence Risk Management efforts continue to fail in their
understanding of what Cyber Security and Cyber Space really are within the context
of peacetime and wartime war fighting doctrine tactics and procedures.
We must finally understand Cyber Warfare and Cyber Space are now part of a
military escalation process and we must now address them as such by military and
government doctrine and strategists in the United States. It is hard to find
references about Cyber Security escalation processes on the internet. There are
some very good “thought” articles but nothing that stands as a call for action. There
are some reasonable considerations of how to think about Cyber Warfare escalation
such as Martin Libicki’s RAND study. This link will take you to an excellent RAND
study http://www.rand.org/pubs/periodicals/rand-review/issues/2013/summer/cyberwar-fears-pose-dangers-of-unnecessary-escalation.html
By Martin C. Libicki
Martin Libicki is a management scientist at the RAND Corporation.
“In their zeal to protect themselves in cyberspace, countries need to ensure that
they do not trigger even greater threats beyond cyberspace, particularly military or
economic forms of retaliation.
To manage crises and forestall their escalation in cyberspace, the following seven
points may be usefully kept in mind.
- understand that the answer to the question —
- take the time to think things through.
- understand what is at stake —
- not to take possession of the crisis unnecessarily.
- craft a narrative that can take the crisis where you want it to go.
- figure out what norms of conduct in cyberspace, if any, work best.
- recognize what a crude tool counter-escalation may be for influencing the
other side”
To support my point concerning the Intelligence Community requirement to think
through Cyber Warfare Doctrine, about a year ago, I attended an AFCEA
Intelligence Conference in Washington, DC. All the Chiefs of the Intelligence
Community were there. It was an Intelligence professional’s Woodstock if you were
in the audience. At the conference, I became very concerned that it seemed very
few in the Intelligence Community seemed to understand Soviet and now Russian
Military Doctrine. We ignored it for a long time thinking we were making nice with
the Russians. On a larger scale, they did not seem to understand the impact of
how Doctrine in and of itself, especially in the Russian Military, affects Russian military
weapon and strength decisions. It is interesting that in the early days of Russian Military
thought the Soviets grouped nuclear weapons in the “long range artillery”
category. Also, in those days, the Soviets believed nuclear war was fightable and
winnable. So, interestingly, Cyber Warfare as a metaphor has become Russia’s
“longest range” artillery yet.
https://www.academia.edu/9715897/Soviet_Military_Doctrine_..._A_Blueprint_for_the_Future_or_and_Indictment_of_the_Past_.
So, given Cyber Warfare can be used as a weapon of mass destruction as it can
have a mass impact on the infrastructure and safety of United States citizens, it
would not be surprising if the Russians have incorporated Cyber Warfare into their
overall military escalation process believing that Cyber Warfare is fightable and
winnable.
The private sector and the United States government spend billions of dollars to
prevent and detect Cyber Security Attacks and they still happen on grand and
lower level scales. The Democratic National Committee (DNC) emails were hacked
with now possibly overwhelming consequences. Who was protecting those emails?
And, to top it off, the entire Russian – United States Cyber Warfare standoff is
based on a relatively simple hack which was hacking email accounts. What if,
instead, the Russians opened the gates of a dam through a SCADA attack and
flooded a town through what would be considered a kinetic effect of Cyber Warfare
tactics, techniques and procedures? Would the United States respond by
performing a similar attack on a Russian Dam or Power Plant? OK, here we have
two towns destroyed based on the kinetic effect of Cyber Warfare Weapons. Where
would the United States and Russia go from there? In essence, both countries just
experienced an attack on their homeland. How do we measure value and counter
value in a Cyber Warfare escalation process? If one plays out the scenario, the
above example could lead to a nuclear exchange.
As indicated above, one would think that if one searched the Internet for Cyber
Warfare escalation theories depicting nuclear war originating from Cyber Security
Attacks against a Nation State to the use of kinetic weapons of mass destruction
that several escalation models or writings would be found. The reason these articles
do not exist is because academia does not understand Cyber Warfare and the
weaponization of same. One can find theories on escalation for other types of
warfare like Chemical Warfare and Nuclear Warfare, but not so much for Cyber
Warfare. One example of past military thinking in the United States that could
serve as a role model for Cyber Warfare escalation road maps was that the United
States believed an escalation of war in Europe would start as a conventional war,
escalate to the Soviets using chemical weapons, escalate to a tactical nuclear
exchange and then to global strategic nuclear warfare. The pundits in those days
speculated that the Soviets would transition to employing weapons of mass
destruction (WMD) by first using chemical weapons and then transition to tactical
nuclear weapons. So, the escalation road map was conventional, chemical, and
nuclear. And, the United States planned its military defense and response
accordingly. However, it does not appear that the Western Powers have clearly
thought the Cyber Warfare escalation process through and how to not let Cyber
Warfare escalation “get out of control”.
So, where are the escalation models into and out of Cyber Security and Cyber
Warfare attacks? We have spent billions of dollars on Cyber Commands, have had
untold congressional meetings, laws passed, policy statements, passed Cyber
Security Acts, and the Administration published Executive Orders like the Executive
Order 13563 -- Improving Critical Infrastructure Cyber Security
https://www.whitehouse.gov/the-press-office/2014/02/12/launch-cybersecurity-framework
and NIST has created numerous Information Security documents and
now, it seems we are making it up (Cyber Warfare Escalation) as we go along.
Cyber Warfare saber rattling cannot be considered Power Projection because Cyber
Warfare escalation can happen almost at the speed of light or at least the speed of
the global network used as an attack conduit. We do not have time within the
Cyber Security decision loop to station an aircraft carrier off of a Nation State’s
Coast. If we knew Russia was attacking the Democratic National Committee Data
base, why did we not block the attacks and make it more public during the
campaign? There were some references made by the Administration but it seems
we let the political process interfere with our Political response to the hacks. Why
did we not levy awesome Cyber Security talent to prevent these attacks? The
Secret Service Protects the candidates so why not protect the elections? AND
MOST IMPORTANTLY why were these attacks not blocked and mitigated through the
massive Cyber Security capabilities the United States has in its Cyber Warfare
arsenal?
Did NIST or the Executive Branch do a metrics based analysis of the CSF process of
Identify, Predict, Protect, Detect, Respond, and Recover?
16 December 2016 Situation Report, Obama to Conduct
Cyber Security Retaliatory Strikes Against Russia.
It is deeply concerning that the headlines on 16 December 2016 indicated the
United States is planning a Cyber Warfare retaliatory strike against Russia. The
President outlined in the most vague terms how we might respond to the Russian
Cyber “attack”. This vague Cyber Security saber rattling could actually cause the
“enemy” to escalate the Cyber Security battle to include a preemptive strike
decision on Russia’s part. The preemption would be structured to stop the United
States’ ability to do whatever it plans to do. So, the vagueness of our threat could
have actually added to the emotion and the escalation process. Most concerning is
that Cyber Warfare amateurs in the Executive Branch and the Intelligence
Community could be leading us down a Cyber Warfare escalation path which is
really not well defined. No matter how you look at it, “retaliation” is an act of war
within the lexicon of Cyber Warfare. Retaliation means we are responding to
something the US views as an act of war (Cyber War) committed against the US.
One would hope that the administration would have followed the RAND advice seen
in the above reference. But, given that this escalation or situation stabilization
methodology and doctrine is not publicly discussed, one is not really sure what
the US Government’s Cyber Warfare escalation strategy is. Sometimes, keeping
things secret is not the best “deterrent”. One might recall that George Kennan’s
“Deterrence Strategy” and McNamara’s “Mutual Assured Destruction” theories were
publicly available and those theories significantly deterred a nuclear war.
We need better Cyber Warfare escalation strategies that incorporate the Cyber
Warfare escalation “reflections” so stated by RAND.
Doctrine and Analysis Misdirection
Please see the below quote from “Arms Control Now” (ACN), which is a blog post from
the Arms Control Association (ACA) in 2013, as it is one of the scariest and
most misinformed analyses I have read concerning Cyber Warfare escalation theories.
And that is that Cyber Warfare could not escalate to nuclear warfare. While ACA is not an
official government agency and it is composed of dedicated individuals, I believe
that given ACA is Headquartered in Washington, DC and that it seems to be mostly
focused on nuclear warfare analyses and control that the ACA reflects the “old
think” and limitations of understanding Cyber Warfare escalation and Cyber Warfare
weapons as WMDs. This is similar to how I suspect many people think about Cyber
Warfare within the government and private industry today. Not much has changed
in three years.
The ACN article minimizes the idea that Cyber Incidents could escalate to nuclear
warfare. I suspect the reason the article did not examine this possibility is the
author of this article did not have a true understanding of the lethality of Cyber
Warfare weapons and the “kinetic” impact a Cyber Weapon could have. It is my
opinion that the below ACN quote mistakenly reflects the Cyber Warfare escalation
Doctrine and Strategy that exists today across the United States Government.
“the law of armed conflict requires that states respond to aggressive acts of force
proportionally”
The quote reflects the greatest of naïveté for Nation States, Military Process and
War fighting. How could one ever expect a country TO NOT escalate to more
lethal weapons if the strategic advantage might dictate this must be done to
achieve military and political objectives? Or, as stated above, the Cyber Warfare
aggressor could decide to launch a preemptive Cyber attack which would ignore the “law
of armed conflict”. Nuclear Warfare in and of itself would violate the above assumption
concerning the law of armed conflict. We used a nuclear weapon against Japan.
ACN continues to reflect a naïveté concerning the possible Cyber to nuclear
escalation theory when it states:
“However, the threat of using nuclear weapons to respond to cyber attacks by
other states against U.S. critical infrastructure is not a realistic nor an effective
response to cyber attack because:
- Cyber attacks lack the destructive and existential threat of nuclear weapons;
- A nuclear response to a cyber attack is not proportional;
- Threatening to respond with nuclear weapons lacks credibility in adversaries’
eyes;
- Cyber deterrence in general is difficult to achieve; and
- The policy would provide a new rationale for nuclear proliferators.
In March 2013 National Intelligence Director (DNI) James Clapper presented the
“Worldwide Threat Assessment” before Congress and said, there is a “remote
chance” that over the next two years the United States will see a major cyber
attack against its critical infrastructure, producing “long-term, wide-scale disruption
of services, such as regional power outage.” However, it also said China and Russia
“are unlikely to launch such a devastating attack” outside a “military conflict or
crisis.”
Second, the law of armed conflict requires that states respond to aggressive acts of
force proportionally. If cyber attacks lack the destructive force of nuclear weapons
then responding to one with a nuclear weapon is not a proportional response. If
China launched a cruise missile and took down a power plant, it would be
disproportional to respond with launching a nuclear warhead at China. Now imagine
that instead of a cruise missile, a cyber attack is launched against the industrial
control mechanism for the power plant and takes it offline. Does that somehow now
warrant a nuclear response? No.”
https://armscontrolnow.org/2013/05/30/is-there-a-place-for-nuclear-deterrence-in-cyberspace/
DNI Clapper in 2013 discussed a “remote” Cyber Security/Warfare attack
against the US critical Infrastructure within two years. Well, he did not predict a
Cyber Warfare Attack against the United States political processes that happened
three years after his observation. So, now rather than escalating because of an
infrastructure attack, we are escalating against the Russians because of an “EMAIL”
Cyber Attack that might have influenced the loss of the political party of the
outgoing president.
Who in the name of heaven truly believes that Russia, China, Iran, and North Korea will
play nice by some naïve approach to war fighting and escalation? The above
reflection in the ACN paper shows a lack of true war fighting and escalation theory
knowledge. The rules have changed with Cyber Warfare tools and their ability to
inflict massive damage.
I think every single policy maker and writer should read an old book called “Essence
of Decision: Explaining the Cuban Missile Crisis” by Graham Allison and Philip
Zelikow. It examined 6 possible ways decisions were made during the Cuban Missile
Crisis. In essence, thank God that we lucked out during the Cuban Missile Crisis
as we were somewhat playing a “zero sum game” and ‘making it up as we went
along’ during the Cuban Missile Crisis. Allison’s book and the “shoot from the hip”
Cyber Security escalation process indicate that we must determine now how to
escalate and how to manage Cyber Security attacks without the escalation process
getting out of control. We had time to work the issues during the Cuban Missile
Crisis. And, we had history on our side. Khrushchev was a victim of World War II.
The Russian psyche in those days was to prevent anything like the loss of life that
happened to them in WWII. Not many Russian experts saw Russian Defensive
actions and military development through that lens but, I suspect that Khrushchev
was greatly influenced by the fact “Mother Russia should not suffer again like in
WWII”. I do not think Putin is motivated from the same position.
So, while we hope Cyber Warfare will not escalate to a strategic nuclear war, one
cannot assume it will not because Cyber Warfare can now kinetically affect the
“enemy” as the use of a kinetic nuclear weapon would. For example, if a hacker took
down a United States nuclear power plant, we would in essence have a Chernobyl
in the United States where man and beast could not live for an exceptionally long
amount of time. Another example of a cyber attack that could impact the safety of
people and environments is the suspected attack on Ukraine’s electrical grid.
http://www.reuters.com/article/us-ukraine-crisis-cyber-attacks-idUSKBN1491ZF.
In essence, this would be considered a small attack if targeted against the United
States. But, the potential is there where a much larger attack could occur.
The bottom line to my rant concerning Cyber Warfare
escalation is that:
- We must assume that Cyber Warfare can unleash a kinetic effect like
classical weapons of mass destruction (WMD). We went to war with Iraq
because Iraq supposedly had a stockpile of chemical WMDs.
- We must develop clear and unmistakable policies and strategies as we did for
Nuclear Deterrence
- We must accept that we are in a constant 1984-esque war which will
never stop
- We must distribute and manage Cyber Warfare strategy, plans, policies,
tactics, techniques and procedures within the United States Government and
Private sector
- Develop and implement extremely aggressive defense-in-depth
implementation plans that far surpass the Administration’s Cyber Security
Framework panacea which in essence is an Administration Cyber Security
response marketing tool
- Develop and distribute Cyber Identify, Predict, Protect, Detect, Respond,
and Recover tools that will stop email and all other attacks from escalating
from an email data base compromise to a Cyber Security escalation between
the world’s nuclear super powers.
NIST and the Cyber Security Framework (CSF) Propaganda
I have the deepest respect for the NIST Team and for all the extremely hard
working men and women in the Cyber Commands and Executive Agencies. They do
the absolute best they can. But NIST needs far more Cyber War Fighters and Top
Guns that have managed Cyber Security problems in government and corporate
trenches. This experience is needed for NIST to understand how to relentlessly
fight the Cyber Security fight and implement programs in the real world that reflect
the true meaning of a war fighting based Identify, Predict, Protect, Detect,
Respond, and Recover program. NIST must become part of the mantra that we
are at “Cyber War each and every day”.
On February 12, 2013 the White House released Executive Order 13563 –
“Improving Critical Infrastructure Cyber Security”.
https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
To “Improve” Cyber Security, the
National Institute of Standards and Technology (NIST) created the Cyber Security
Framework (CSF). https://www.nist.gov/cyberframework . CSF was yet another
government whack-a-mole “something or another” to address the 30-year Cyber
Security War and our inability to protect the government, military and private
sector against successful Cyber Attacks.
https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework
The CSF was built in a hurry by NIST to make nice with the EO 13563. The CSF is
equivalent to bringing a Pocket Knife to a gun fight. CSF was created by
Washington Bureaucrats to show the world Washington was doing “something” to
mitigate the threats and risks posed by Cyber Security attacks.
CSF is a naive kluge of Cyber Security actions by NIST trying to apply Cyber
Security “Old Think” NIST risk control management principles found in the NIST
Special Publication 800-53
http://disa.mil/services/dod-cloud-broker/~/media/files/disa/services/cloud-broker/nist-sp80053-securityandprivacycontrols.pdf
to a global Cyber Security and Cyber Warfare gun
fight. This gun fight is ruled at times by ISIS level Cyber Space thugs who could
and would use Cyber Warfare to inflict destruction and chaos. CSF does not
nearly reflect the type of solution that is needed to fight and win in the ongoing
constant Cyber War that we fight each and every day in the Cyber Space Sphere
Area of Operations. All branches of the government (executive, legislative, and
judicial) and the private sector need military grade weapons to truly and
relentlessly manage the global Cyber Security threats. CSF and Compliance to
Federal Information Security Management Act (FISMA)/SANS Top 20/ISO 27001,
etc. audits are just not enough to win in the Cyber War.
The YouTube videos seen at the below CSF link are from an April 2016 workshop
https://www.nist.gov/news-events/events/2016/04/cybersecurity-framework-workshop-2016.
I attended this conference and throughout the meeting, I stressed
the absolute importance of NIST developing implementation processes and
procedures and metrics of success for implementing the CSF. I can be seen in
some of the videos promoting the absolute need for NIST to weaponize the CSF so
it can truly provide the Identify, Predict, Protect, Detect, Respond, and
Recover Cyber War fighting tools we need. I also stressed we need to truly make
CSF a defense-in-depth tool by adding predict to the CSF focus items. To make this
a predict tool, CSF must include all aspects of threat intelligence and threat
management and Cyber Risk assessments.
Finally, NIST is moving too slowly in the Cyber Warfare AO. NIST must get into the
trenches with us and determine and outline how to fight the Cyber War. NIST is
part of the government. The Government has threatened Cyber Warfare
retaliation. Cyber Warfare retaliation is a big deal. NIST must be part of that fight
and become strong allies with all the Cyber War fighting Commands and Cyber War
fighting Agencies like CIA and NSA and with the private sector.
Conclusion
The United States must aggressively address Cyber Warfare escalation doctrine and
strategies. Cyber Warfare Weapons can inflict mass destruction. Cyber Warfare
must be clearly integrated into the escalation roadmaps so we CAN PREVENT
escalation. We must not let ourselves ever again need to threaten Cyber Warfare
retaliatory escalation because of preventable hacks against email systems. While
NIST has done its best to create the CSF, it did so very quickly without considering
many core aspects of how to make CSF tenets of Identify, Predict, Protect,
Detect, Respond, and Recover a war fighting process and tool.
The Cyber Warfare battlefield is not a “nice-nice” environment. It has, can and will
have severe consequences.

Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination

  • 1. DRAFT Bill Ross 804-855-4988 bill.ross@infosecforce.com INFOSECFORCE “ Cyber Warfare Escalation to Nuclear Warfare Examination “
  • 2. DRAFT Table of Contents Cyber Warfare Escalation to Nuclear Warfare? … The White House Cyber Security Failure and The National Institute of Standards (NIST) Cyber Security Framework (CSF) Panacea ….. Threatens National Security..................................................................3 Overview ........................................................................................................................................3 Cyber Security Fumbles over the last 25 years....................................................................3 Executive Summary.....................................................................................................................5 Introduction...................................................................................................................................7 16 December 2016 Situation Report, O’Bama to Conduct Cyber Security Retaliatory Strikes Against Russia. .............................................................................................................10 Doctrine and Analysis Misdirection ........................................................................................11 NIST and the Cyber Security Framework (CSF) Propaganda..........................................15 Conclusion....................................................................................................................................17
  • 3. DRAFT Cyber Warfare Escalation to Nuclear Warfare? … The White House Cyber Security Failure and The National Institute of Standards (NIST) Cyber Security Framework (CSF) Panacea ….. Threatens National Security Overview Very bluntly, it is a Government and Military failure to not plan for the possibility that Cyber Warfare can escalate to Nuclear Warfare. Cyber Warfare and all Cyber Warfare Weapons are now part of Nation States’ War Fighting Arsenal and Nation States with advanced War Fighting Weapons must define and discuss escalation roadmaps. Likewise, the Executive Branch should NOT indicate to the American Public and the World that the United States National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) can adequately Identify, Predict, Protect, Detect, Respond, and Recover from Cyber Security Attacks in Cyber Space with the level of veracity that the military, government agencies and private sector businesses must practice to prevent successful Cyber Security attacks and proportionally respond before Cyber Security escalation exceeds our ability to controlit. https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity- framework-021214.pdf Editor’s note: I added predict to the above list form CSF as predict is a crucial component of threat intelligence and threat management. Cyber Security Fumbles over the last 25 years In 2000, I was on a Fortune magazine panel in New York City and I was asked if I thought one person sitting at a computer could bring down the internet. I said no.
  • 4. DRAFT I am still not sure if one person could as we have so many backup and redundancies such as AKAMAI (the hidden internet). But, now, I believe one person could launch a Supervisory Controland Data Acquisition (SCADA) attack and do significant infrastructure damage. Look at what one piece of STUXNET https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ malware did to Iran’s nuclear power program. I am sure a team of people developed STUXNET but, I suspect it’s configuration was not beyond the skill of a very lethally talented software developer. And, it was delivered simply through an insertion of a thumb drive. https://en.wikipedia.org/wiki/Stuxnet So, in the last 25 years, the United States and the world have experienced relentless Cyber Security attacks. In many ways, the US Government (Executive and Legislative Branches) responded to them first from a mystical reflection on what Information Security Attacks were. And, now, look where we are ….. escalating our response to a possible Russian Cyber Security attack within the vast Cyber Warfare Area of Operations against Russia. What happened to planning for this stuff? A significant quantity of these have been successful attacks. So, why were they successful and why will they be successful? Because …. we as a country, have failed to relentlessly indentify, predict, prevent, detect, and respond to attacks using the vast technical ability that the United States possess. Ironically, except for “predict”, indentify, predict, prevent, detect, and respond are core tenants of the Administration’s CSF. I do not believe the Government has completely grown beyond its mystical reflection and understanding of Cyber Warfare. I believe the military understands it but, it is still coming to grips with how to truly weaponize our Integrated Cyber Security Weapons with all our other conventional weapons and weapons of mass destruction within the Cyber Space Sphere and the Cyber Space Area of Operations (AO). 
Here is how this paper and its analysis is structured. I believe that I am qualified to freebase this paper with minimal references. I admit I developed this paper as a
  • 5. DRAFT stream of consciousness as I wrote it very fast. However, I believe that my thesis and conclusions are relevant within the current Cyber Warfare AO which, in essence, is Cyber Space. My justification in writing this quickly is that I am: - A Cyber Security Expert with extensive experience. I have published several white long and short Cyber Security whitepapers to include a short one on the definition of Cyber Space. - I am retired Air Force Intelligence Officer. I wrote extensive classified papers while in the military on such things a nuclear warfare and chemical warfare. - Have worked in Special Operations, Strategic Warfare, Chemical Warfare, Tactical Warfare, Operations Other than War, The Pentagon, Strategic and Tactical Intelligence Reconnaissance Offices, Operational Units and Operational Commands, War fighting Operations Centers and etc - Have had great and interesting Cyber Security jobs in private sector, state and national government jobs - I was on the ground during 9-11, first jet went over my head, saw towers fall in front of me - Have had several papers published on Cyber Security and one on Soviet military Doctrine called “Soviet Military Doctrine a Blueprint for the Future or an Indictment of the Past” http://cua.academia.edu/BillRoss - Presented my “The Invisible Person … the Security Architect” at the University of Houston. This paper downloaded on Internet nearly 3000 times. Executive Summary Cyber Warfare Tools and Nuclear Weapons are both potentially weapons of mass destruction. Despite spending billions of dollars by the United States on Cyber Security, a relatively simple hack like accessing the Democratic National Committee Email
  • 6. DRAFT Servers has thrown the country into chaos as this hack possibly influenced our election process and has caused a potential serious escalation of Cyber Warfare attacks and ultimately, more serious escalation to the use of other weapons of mass destruction. Not only did attacks on the DNC and Podesta’s personal email accounts wreak havoc on the elections but, the fact the Secretary of State established a private email server in her house that processed United States Secret Information also impacted the 2016 Presidential Elections. This was a significant email hack executed by the State Department against the trust of the American people. These two examples show significant proof that something as simple as the mismanagement of the Cyber Security around emails could have overwhelming effects on the safety of the United States. If we cannot protect email accounts through fundamental Cyber Security management then what about the Cyber Security safety of the United States infrastructure to include nuclear power plants? It is very concerning that the United States’ Cyber Security expert on what is happening in the Global Cyber Space Warfare Spectrum is now a New York Times writer whose article’s title “The Perfect Weapon: How Russia Cyber Power Invaded the United States“ http://www.nytimes.com/2016/12/13/us/politics/russia-hack- election-dnc.html?_r=1 in of itself portrays a lack of Cyber Warfare knowledge. It is an excellent article for the information it compiled but like NIST CSF, it does not offer a pure path to Cyber Threat mitigation. An excellent review of the article for what it really is was written by Tyler Durden http://www.zerohedge.com/news/2016-12-13/new-york-times-explains-how-it- became-instrument-russian-intelligence . And, to ask again, why is a New York Times writer now the Spokes Person for Cyber Warfare? Finally, the government and private sector must recognize the word “Cyber” does not automatically mean Cyber Security. 
Cyber is more related to Cyber Space and Cyber Security and Cyber Warfare are within the Cyber Space Spectrum. https://www.academia.edu/26547082/Cyber_Security_does_not_just_mean_Cyber _
  • 7. DRAFT Introduction While it is a possibility, this paper does not state we are escalating to nuclear warfare at this time because of the United States Government’s failed Cyber Security and Cyber Warfare policies. This paper is to somehow start a comprehensive discussion on Cyber Warfare escalation models. The paper starts by first examining the Government’s failure to adequately implement a potent Cyber Space Defense-in-Depth National Cyber Security Process to Identify, Predict, Protect, Detect, Respond, and Recover from Russian and all other global Cyber Security and Cyber Warfare Threats hammering the United States millions of times a day. This paper will examine the fact that the United States and writers of warfare escalation theory and Cyber Security Incident, Threat Management, and Cyber Security Intelligence Risk Management efforts continue to fail in their understanding of what Cyber Security and Cyber Space really are within the context of peacetime and wartime war fighting doctrine tactics and procedures. We must finally understand Cyber Warfare and Cyber Space are now part of a military escalation process and we must now address them as such by military and government doctrine and strategists in the United States. It is hard to find references about Cyber Security escalation processes on the internet. There are some very good “thought” articles but nothing that stands as a call for action. There are some reasonable considerations of how to think about Cyber Warfare escalation such as Martin Libicki’s RAND study. This link will take you to an excellent RAND study http://www.rand.org/pubs/periodicals/rand- review/issues/2013/summer/cyberwar-fears-pose-dangers-of-unnecessary- escalation.html By Martin C. Libicki Mar tin Libicki is a management scientist at the RAND Corporation. 
“ In their zeal to protect themselves in cyberspace, countries need to ensure that they do not trigger even greater threats beyond cyberspace, particularly military or economic forms of retaliation.
  • 8. DRAFT To manage crises and forestall their escalation in cyberspace, the following seven points may be usefully kept in mind.  understand that the answer to the question —  take the time to think things through.  understand what is at stake —  not to take possession of the crisis unnecessarily.  craft a narrative that can take the crisis where you want it to go.  figure out what norms of conduct in cyberspace, if any, work best.  recognize what a crude tool counter-escalation may be for influencing the other side” To support my point concerning the Intelligence Community requirement to think through Cyber Warfare Doctrine, about a year ago, I attended an AFCEA Intelligence Conference in Washington, DC. All the Chiefs of the Intelligence Community were there. It was an Intelligence professional’s Woodstock if you were in the audience. At the conference, I became very concerned that it seemed very few in the Intelligence Community seemed to understood Soviet and now Russian Military Doctrine. We ignored it for a long time thinking we were making nice with the Russians. On a larger scale, they did not seem to understand the impact of how Doctrine in of itself, especially in the Russian Military, effects Russian military weapon and strength decisions. It is interesting in the early days of Russian Military thought that the Soviets grouped nuclear weapons in the “long range artillery” category. Also, In those days; the Soviets believed nuclear war was fightable and winnable. So, interestingly, Cyber Warfare as a metaphor has become Russai’s “longest range” artillery yet. https://www.academia.edu/9715897/Soviet_Military_Doctrine_..._A_Blueprint_for_ the_Future_or_and_Indictment_of_the_Past_. 
So, given Cyber Warfare can be used as a weapon of mass destruction as it can have a mass impact on the infrastructure and safety of United States citizens, it would not be surprisingly if the Russians have incorporated Cyber Warfare into its overall military escalation process believing that Cyber Warfare is fightable and winnable.
  • 9. DRAFT The private sector and the United States government spend billions of dollars to prevent and detect Cyber Security Attacks and they still happen on a grand and lower level scales. The Democratic National Committee (DNC) emails were hacked with now possible overwhelming consequences. Who was protecting those emails? And, to top it off, the entire Russian – United States Cyber Warfare standoff is based on a relatively simple hack which was hacking email accounts. Wonder if instead if the Russians opened the gates of a dam through a SCADA attack and flooded a town through what would be considered a kinetic effect of Cyber Warfare tactics, techniques and procedures. Would the United States respond by performing a similar attack on a Russian Dam or Power Plant? OK, here we have two towns destroyed based on the kinetic effect of Cyber Warfare Weapons. Where would the United States and Russia go from there? In essence, both countries just experienced an attack on their homeland. How do we measure value and counter value in a Cyber Warfare escalation process? If one plays out the scenario, the above example could lead to a nuclear exchange. As indicated above, one would think that if one searched the Internet for Cyber Warfare escalation theories depicting nuclear war originating from Cyber Security Attacks against a Nation State to the use of kinetic weapons of mass destruction that several escalation models or writings would be found. The reason these articles do not exist is because academia does not understand Cyber Warfare and the weaponization of same. One can find theories on escalation for other types of warfare like Chemical Warfare and Nuclear Warfare, but not so much for Cyber Warfare. 
One example of past military thinking in the United States that could serve as a role model for a Cyber Warfare escalation road map was that the United States believed an escalation of war in Europe would start as a conventional war, escalate to the Soviets using chemical weapons, escalate to a tactical nuclear exchange and then to global strategic nuclear warfare. The pundits in those days speculated that the Soviets would transition to employing weapons of mass destruction (WMD) by first using chemical weapons and then transition to tactical nuclear weapons. So, the escalation road map was conventional, chemical, and nuclear. And, the United States planned its military defense and response accordingly.

However, it does not appear that the Western Powers have clearly thought the Cyber Warfare escalation process through and how to not let Cyber Warfare escalation “get out of control”. So, where are the escalation models into and out of Cyber Security and Cyber Warfare attacks? We have spent billions of dollars on Cyber Commands, have had untold congressional meetings, laws passed, policy statements, passed Cyber Security Acts, and the Administration published Executive Orders like the Executive Order 13563 -- Improving Critical Infrastructure Cyber Security https://www.whitehouse.gov/the-press-office/2014/02/12/launch-cybersecurity-framework and NIST has created numerous Information Security documents and now, it seems we are making it up (Cyber Warfare Escalation) as we go along.

Cyber Warfare saber rattling cannot be considered Power Projection because Cyber Warfare escalation can happen almost at the speed of light or at least the speed of the global network used as an attack conduit. We do not have time within the Cyber Security decision loop to station an aircraft carrier off of a Nation State’s Coast.

If we knew Russia was attacking the Democratic National Committee database, why did we not block the attacks and make it more public during the campaign? There were some references made by the Administration but it seems we let the political process interfere with our Political response to the hacks. Why did we not levy awesome Cyber Security talent to prevent these attacks? The Secret Service protects the candidates so why not protect the elections? AND MOST IMPORTANTLY why were these attacks not blocked and mitigated through the massive Cyber Security capabilities the United States has in its Cyber Warfare arsenal? Did NIST or the Executive Branch do a metrics based analysis of the CSF process of Identify, Predict, Protect, Detect, Respond, and Recover?
16 December 2016 Situation Report, Obama to Conduct Cyber Security Retaliatory Strikes Against Russia.
It is deeply concerning that the headlines on 16 December 2016 indicated the United States is planning a Cyber Warfare retaliatory strike against Russia. The President outlined in the vaguest terms how we might respond to the Russian Cyber “attack”. This vague Cyber Security saber rattling could actually cause the “enemy” to escalate the Cyber Security battle to include a preemptive strike decision on Russia’s part. The preemption would be structured to stop the United States’ ability to do whatever it plans to do. So, the vagueness of our threat could have actually added to the emotion and the escalation process.

Most concerning is that Cyber Warfare amateurs in the Executive Branch and the Intelligence Community could be leading us down a Cyber Warfare escalation path which is really not well defined. No matter how you look at it, “retaliation” is an act of war within the lexicon of Cyber Warfare. Retaliation means we are responding to something the US views as an act of war (Cyber War) committed against the US.

One would hope that the administration would have followed the RAND advice seen in the above reference. But, given that this escalation or situation stabilization methodology and doctrine is not publicly discussed, one is not really sure what the US Government’s Cyber Warfare escalation strategy is. Sometimes, keeping things secret is not the best “deterrent”. One might recall that George Kennan’s “Deterrence Strategy” and McNamara’s “Mutual Assured Destruction” theories were publicly available and those theories significantly deterred a nuclear war. We need better Cyber Warfare escalation strategies that incorporate the Cyber Warfare escalation “reflections” so stated by RAND.
Doctrine and Analysis Misdirection

Please see the below quote from “Arms Control Now” (ACN), which is a blog post from the Arms Control Association (ACA) in 2013, as it is one of the scariest and most misinformed analyses I have read concerning Cyber Warfare escalation theories. And that is that Cyber Warfare could not escalate to nuclear warfare. While ACA is not an official government agency and it is composed of dedicated individuals, I believe that given ACA is Headquartered in Washington, DC and that it seems to be mostly focused on nuclear warfare analyses and control, the ACA reflects the “old think” and limitations of understanding Cyber Warfare escalation and Cyber Warfare weapons as WMDs. This is similar to how I suspect many people think about Cyber Warfare within the government and private industry today. Not much has changed in three years.

The ACN article minimizes the idea that Cyber Incidents could escalate to nuclear warfare. I suspect the reason the article did not examine this possibility is that the author of this article did not have a true understanding of the lethality of Cyber Warfare weapons and the “kinetic” impact a Cyber Weapon could have. It is my opinion that the below ACN quote mistakenly reflects the Cyber Warfare escalation Doctrine and Strategy that exists today across the United States Government.

“the law of armed conflict requires that states respond to aggressive acts of force proportionally”

The quote reflects the greatest of naïveté for Nation States, Military Process and War fighting. How could one ever expect a country TO NOT escalate to more lethal weapons if the strategic advantage might dictate this must be done to achieve military and political objectives? Or, as stated above, the Cyber Warfare aggressor decided to launch a preemptive Cyber attack which would ignore the “law of armed conflict”. Nuclear Warfare in and of itself would violate the above assumption concerning the law of armed conflict. We used a nuclear weapon against Japan.

ACN continues to reflect a naïveté concerning the possible Cyber to nuclear escalation theory when it states:

“However, the threat of using nuclear weapons to respond to cyber attacks by other states against U.S. critical infrastructure is not a realistic nor an effective response to cyber attack because:

- Cyber attacks lack the destructive and existential threat of nuclear weapons;
- A nuclear response to a cyber attack is not proportional;
- Threatening to respond with a nuclear weapons lacks credibility in adversaries’ eyes;
- Cyber deterrence in general is difficult to achieve; and
- The policy would provide a new rationale for nuclear proliferators.

In March 2013 National Intelligence Director (DNI) James Clapper presented the “Worldwide Threat Assessment” before Congress and said, there is a “remote chance” that over the next two years the United States will see a major cyber attack against its critical infrastructure, producing “long-term, wide-scale disruption of services, such as regional power outage.” However, it also said China and Russia “are unlikely to launch such a devastating attack” outside a “military conflict or crisis.”

Second, the law of armed conflict requires that states respond to aggressive acts of force proportionally. If cyber attacks lack the destructive force of nuclear weapons then responding to one with a nuclear weapon is not a proportional response. If China launched a cruise missile and took down a power plant, it would be disproportional to respond with launching a nuclear warhead at China. Now imagine that instead of a cruise missile, a cyber attack is launched against the industrial control mechanism for the power plant and takes it offline. Does that somehow now warrant a nuclear response? No.”

https://armscontrolnow.org/2013/05/30/is-there-a-place-for-nuclear-deterrence-in-cyberspace/

The DNI Clapper in 2013 discussed a “remote” Cyber Security/Warfare attack against the US critical Infrastructure within two years. Well, he did not predict a Cyber Warfare Attack against the United States political processes that happened three years after his observation. So, now rather than escalating because of an infrastructure attack, we are escalating against the Russians because of an “EMAIL” Cyber Attack that might have influenced the loss of the political party of the outgoing president.
Who in the name of heaven truly believes that Russia, China, Iran, North Korea will play nice by some naïve approach to war fighting and escalation? The above reflection in the ACN paper shows a lack of true war fighting and escalation theory knowledge. The rules have changed with Cyber Warfare tools and their ability to inflict massive damage.

I think every single policy maker and writer should read an old book called “Essence of Decision: Explaining the Cuban Missile Crisis” by Graham Allison and Philip Zelikow. It examined 6 possible ways decisions were made during the Cuban Missile Crisis. In essence, thank God that we lucked out during the Cuban Missile Crisis as we were somewhat playing a “zero sum game” and “making it up as we went along” during the Cuban Missile Crisis. Allison’s book and the “shoot from the hip” Cyber Security escalation process indicate that we must determine now how to escalate and how to manage Cyber Security attacks without the escalation process getting out of control.

We had time to work the issues during the Cuban Missile Crisis. And, we had history on our side. Khrushchev was a victim of World War II. The Russian psyche in those days was to prevent anything like the loss of life that happened to them in WWII. Not many Russian experts saw Russian Defensive actions and military development through that lens but, I suspect that Khrushchev was greatly influenced by the fact “Mother Russia” should not suffer again like in WWII. I do not think Putin is motivated from the same position.

So, while we hope Cyber Warfare will not escalate to a strategic nuclear war, one cannot assume it will not because Cyber Warfare can now kinetically affect the “enemy” as the use of a kinetic nuclear weapon. For example, if a hacker took down a United States nuclear power plant, we would in essence have a Chernobyl in the United States where man and beast could not live for an exceptionally long amount of time.
Another example of a cyber attack that could impact the safety of people and environments is the suspected attack on Ukraine’s electrical grid. http://www.reuters.com/article/us-ukraine-crisis-cyber-attacks-idUSKBN1491ZF. In essence, this would be considered a small attack if targeted against the United States. But, the potential is there where a much larger attack could occur.
The bottom line to my rant concerning Cyber Warfare escalation is that:

- We must assume that Cyber Warfare can unleash a kinetic effect like classical weapons of mass destruction (WMD). We went to war with Iraq because Iraq supposedly had a stockpile of chemical WMDs.
- We must develop clear and unmistakable policies and strategies as we did for Nuclear Deterrence
- We must accept that we are in a constant 1984-esque war which will never stop
- We must distribute and manage Cyber Warfare strategy, plans, policies, tactics, techniques and procedures within the United States Government and Private sector
- Develop and implement extremely aggressive defense-in-depth implementation plans that far surpass the Administration’s Cyber Security Framework panacea which in essence is an Administration Cyber Security response marketing tool
- Develop and distribute Cyber Identify, Predict, Protect, Detect, Respond, and Recover tools that will stop email and all other attacks from escalating from an email database compromise to a Cyber Security escalation between the world’s nuclear super powers.

NIST and the Cyber Security Framework (CSF) Propaganda

I have the deepest respect for the NIST Team and for all the extremely hard working men and women in the Cyber Commands and Executive Agencies. They do the absolute best they can. But NIST needs far more Cyber War Fighters and Top Guns that have managed Cyber Security problems in government and corporate trenches. This experience is needed for NIST to understand how to relentlessly fight the Cyber Security fight and implement programs in the real world that reflect the true meaning of a war fighting based Identify, Predict, Protect, Detect, Respond, and Recover program. NIST must become part of the mantra that we are at “Cyber War each and every day”.

On February 12, 2013 the White House released an Executive Order 13563 – “Improving Critical Infrastructure Cyber Security”. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. To “Improve” Cyber Security, the National Institute of Standards and Technology (NIST) created the Cyber Security Framework (CSF). https://www.nist.gov/cyberframework. CSF was yet another government whack-a-mole “something or another” to address the 30 year Cyber Security War and our inability to protect the government, military and private sector against successful Cyber Attacks. https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework

The CSF was built in a hurry by NIST to make nice with the EO 13563. The CSF is equivalent to bringing a Pocket Knife to a gun fight. CSF was created by Washington Bureaucrats to show the world Washington was doing “something” to mitigate the threats and risks posed by Cyber Security attacks. CSF is a naive kluge of Cyber Security actions by NIST trying to apply Cyber Security “Old Think” NIST risk control management principles found in the NIST Special Publication 800-53 http://disa.mil/services/dod-cloud-broker/~/media/files/disa/services/cloud-broker/nist-sp80053-securityandprivacycontrols.pdf to a global Cyber Security and Cyber Warfare gun fight. This gun fight is ruled at times by ISIS level Cyber Space thugs who could and would use Cyber Warfare to inflict destruction and chaos. CSF does not nearly reflect the type of solution that is needed to fight and win in the ongoing constant Cyber War that we fight each and every day in the Cyber Space Sphere Area of Operations.
All branches of the government (executive, legislative, and judicial) and the private sector need military grade weapons to truly and relentlessly manage the global Cyber Security threats. CSF and Compliance to Federal Information Security Management Act (FISMA)/SANS Top 20/ISO 27001 etc. audits are just not enough to win in the Cyber War.
The YouTube videos seen at the CSF link below are from an April 2016 workshop https://www.nist.gov/news-events/events/2016/04/cybersecurity-framework-workshop-2016. I attended this conference and throughout the meeting, I stressed the absolute importance of NIST developing implementation processes and procedures and metrics of success for implementing the CSF. I can be seen in some of the videos promoting the absolute need for NIST to weaponize the CSF so it can truly provide the Identify, Predict, Protect, Detect, Respond, and Recover Cyber War fighting tools we need. I also stressed we need to truly make CSF a defense-in-depth tool by adding predict to the CSF focus items. To make this a predict tool, CSF must include all aspects of threat intelligence and threat management and Cyber Risk assessments.

Finally, NIST is moving too slowly in the Cyber Warfare AO. NIST must get into the trenches with us and determine and outline how to fight the Cyber War. NIST is part of the government. The Government has threatened Cyber Warfare retaliation. Cyber Warfare retaliation is a big deal. NIST must be part of that fight and become strong allies with all the Cyber War fighting Commands and Cyber War fighting Agencies like CIA and NSA and with the private sector.

Conclusion

The United States must aggressively address Cyber Warfare escalation doctrine and strategies. Cyber Warfare Weapons can inflict mass destruction. Cyber Warfare must be clearly integrated into the escalation roadmaps so we CAN PREVENT escalation. We must not let ourselves ever again need to threaten Cyber Warfare retaliatory escalation because of preventable hacks against email systems. While NIST has done its best to create the CSF, it did so very quickly without considering many core aspects of how to make CSF tenets of Identify, Predict, Protect, Detect, Respond, and Recover a war fighting process and tool. The Cyber Warfare battlefield is not a “nice-nice” environment.
It has, can and will have severe consequences.