This document discusses the potential escalation of cyber warfare to nuclear warfare and analyzes failures in U.S. cybersecurity policy. It argues that cyber weapons are now part of nation-states' arsenals and that escalation models need to be defined, as cyber attacks could escalate rapidly. It critiques the NIST cybersecurity framework and notes the U.S. government's mystical understanding of cyber warfare. It examines the failure to prevent hacks like the DNC email hack and questions the vague threats of cyber retaliation against Russia, worrying this could further escalate tensions.
The cyber attacks have become most prevalent in the past few years. During this time, attackers have discovered new vulnerabilities to carry out malicious activities on the internet. Both the clients and the servers have been victimized by the attackers. Clickjacking is one of the attacks that have been adopted by the attackers to deceive the innocuous internet users to initiate some action. Clickjacking attack exploits one of the vulnerabilities existing in the web applications. This attack uses a technique that allows cross domain attacks with the help of user-initiated clicks and performs unintended actions. This paper traces out the vulnerabilities that make a website vulnerable to clickjacking attack and proposes a solution for the same.
What is the difference between a hacking attack and a cyberwar attack? What do current militaries consider an attack vs. exploitation or just «normal operations»? Kevin will present an overview on the cyber warfare topic and the current understanding of Advanced Persistent Threats in the context of cyber defense.
Referent: Kevin Kirst
Data-Driven Crisis Monitoring: Turning Online Activity into Actionable Insigh...Jon Gosier
The proliferation and adoption of mobile phones and social media technologies presents new ways of capturing conversations surrounding crisis events in real-time. This allows researchers, analysts, and first-responders to explore events by monitoring many media sources (blogs, photos, web feeds, news sources, and tweets) from one environment.
The tragic situation unfolding in South Sudan is complex and evolving rapidly. The rate at which the fledgling state has descended into political and social unrest is distressing and highlights the need for urgent intervention. Thus, having ways to identify and engage influencers and to anticipate and potentially mitigate disastrous scenarios is greatly needed.
Using a combination of the data-analysis products available from D8A Group, we’ve been monitoring the unfolding events in real-time to illustrate ways our technology platforms can be used by NGOs, first-responders, civil society organizations and government agencies to make data-informed decisions in real-time in crisis scenarios.
To download The Cyber Security Whitepaper for free, visit: www.vTechSolution.com
https://vtechsolution.com/cyber-security-whitepaper-2018/
Small businesses usually neglect Cyber Security as an essential function making their IT infrastructure vulnerable.
IT security issues often cost companies a lot of money and downtime every year. Even if the IT infrastructure consists of a couple of laptops and devices, Cyber Security should always be a top priority.
This white paper provides Cyber Security Insights that are a must know for all small to midsize businesses. It describes the current trends in Cyber Security, dos and don’ts, and scenarios. Learn how to protect your computers, networks, programs, and data from unauthorized access or attacks that are aimed for exploitation.
INFOSECFORCE Risk Management Framework Transition Plan - Bill Ross
7 slide briefing showing the migration from DIACAP to the Risk Management Framework. It also shows the idea and synchronization between RMF and continuous monitoring. PCI should adopt this framework.
Secure by design and secure software development - Bill Ross
This secure lifecycle management process (SLCMP, said "slickum") defines the basic and most realistic way to develop secure software. While the briefing is a bit dated, slide 34 is still a very relevant process. What is below the green line is the security dynamic process that happens supporting the basic development process seen above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan or IRASSP. SLCMP is operationally deployed.
Top Cyber News MAGAZINE February 2022 Chuck D Brooks. Highest Resolution.pdf - TopCyberNewsMAGAZINE
Chuck D. BROOKS, President of Brooks Consulting International
Mr. Brooks is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 Onalytica "Who's Who in Cybersecurity" as one of the top Influencers for cybersecurity issues. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES.
In government, Chuck has received two senior Presidential appointments. Under President George W. Bush, Chuck was appointed to The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He also was appointed as Special Assistant to the Director of Voice of America under President Reagan. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues.
In industry, Chuck has served in senior executive roles for General Dynamics as the Principal Market Growth Strategist for Cyber Systems, at Xerox as Vice President & Client Executive for Homeland Security, for Rapiscan as Vice President of R & D, for SRA as Vice President of Government Relations, and for Sutherland as Vice President of Marketing and Government Relations. He currently sits on several corporate and not-for-profit Boards in advisory roles.
In academia, Chuck is Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Programs where he teaches courses on risk management, homeland security, and cybersecurity. He was an Adjunct Faculty Member at Johns Hopkins University where he taught a graduate course on homeland security for two years. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.
In media, Chuck has been a featured speaker at dozens of conferences and webinars (recently, Chuck briefed the G-20 Energy Conference on operating systems cybersecurity) and has published more than 200 articles and blogs on cybersecurity, homeland security and technology issues. His writings have appeared on AT&T, IBM, Microsoft, General Dynamics, Xerox, Cylance, Checkpoint, and many other blogs.
Running Head: cyber security
Emerging Cyber security Technologies
Jacqueline Snyder
CSEC 670
UMUC
2/21/2014
Table of Contents
Introduction
Establishment
Cited Works Survey
Moving Target Technologies
Govt Support of Moving Target [mt] Technologies
Remote Agent Technologies
Government Support for Remote Agent Technologies
Consistent Forensic Analysis
Government Support of the time period Forensic Analysis
Cloud information
Quite Good Privacy
Government Support of superb Privacy
Fingerprinting and ID Devices on the Network
Expenses of protective against Cyber Attacks stay High
Danger sagacity is discriminating, however still in unanticipated stages
With danger debilitating to quantify, protection remains risky
Huge learning dissection
Exchange / Results
Conclusion
References
Comprehensive U.S. Cyber Framework Final Report - Landon Harrell
This project is a product of the Class of 2019 Bush School of Government and Public Service, Texas A&M University Capstone Program. The project lasted one academic year and involved eight second-year master students. It intends to synthesize and provide clarity in the realm of issues pertaining to U.S. Internet Protocol Space by demonstrating natural partnerships and recommendations for existing cyber incident response. The project was produced at the request of PointStream Inc., a private cybersecurity contractor.
ArticlesPublic-Private CybersecurityKristen E. Eichens.docx - rossskuddershamus
Articles
Public-Private Cybersecurity
Kristen E. Eichensehr*
Calls for public-private partnerships to address U.S. cybersecurity failures
have become ubiquitous. But the academic literature and public debate have not
fully appreciated the extent to which the United States has already backed into a
de facto system of “public-private cybersecurity.” This system is characterized
by the surprisingly important, quasi-governmental role of the private sector on
key cybersecurity issues, and correspondingly by instances in which the federal
government acts more like a market participant than a traditional regulator. The
public-private cybersecurity system challenges scholarly approaches to privatization,
which focus on maintaining public law values when government functions
are contracted out to private parties. The informal and complicated structure of
public-private relationships in cybersecurity renders concerns about public law
values at once more serious and more difficult to remedy.
This Article first explores the line between public and private functions and
provides a descriptive account of the public-private cybersecurity system. It
highlights the relative roles of the U.S. government and private sector in four
important contexts related to international cybersecurity threats: (1) disrupting
networks of infected computers used by transnational-criminal groups (“botnet
takedowns”), (2) remediating software vulnerabilities that can be used for crime,
espionage, and offensive operations (“zero-day vulnerabilities”), (3) attributing
cyber intrusions to state-sponsored attackers, and (4) defending privately-owned
systems and networks from sophisticated, nation-state-sponsored attackers.
The Article then uses the public-private cybersecurity system to challenge
and complicate existing scholarship on privatization. Procedurally, the public-
* Assistant Professor, UCLA School of Law. For helpful conversations and comments on
earlier drafts, I am grateful to Tendayi Achiume, Sam Bray, Fred Cate, Anupam Chander, Beth
Colgan, Sharon Dolovich, Mark Grady, Jennifer Granick, Duncan Hollis, Herb Lin, Jon Michaels,
Paul Ohm, Ted Parson, Kal Raustiala, Condoleezza Rice, Richard Re, Sidney Tarrow, Amy Zegart,
and participants in the Hoover Institution Summer Security Fellows Workshop, Cornell
International Law/International Relations Workshop, American Society of International Law
Midyear Research Forum, and AALS National Security Law Section Works-in-Progress session.
Thanks to UCLA School of Law and the Hoover Institution for research support and to Andrew
Brown, Danielle Hesse, Vincent Marchetta, and Kevin Whitfield for excellent research assistance.
This Article reflects developments through January 2017, when it was finalized for publication.
468 Texas Law Review [Vol. 95:467
private cybersecurity system differs from traditional privatization because private
actors—not the government—d.
051309 Federal Interest And Social Security Metanomics Transcript - Remedy Communications
Metanomics is a weekly Web-based show on the serious uses of virtual worlds. This transcript is from a past show.
For this and other videos, visit us at http://metanomics.net.
Security architecture analyses brief 21 april 2015 - Bill Ross
This brief defines problems with security architecture development, security architecture methodologies, and how to implement a security architecture briefing. This brief was created to define the themes stated in the INFOSECFORCE llc paper called the "Invisible Person ... the Security Architect".
2. DRAFT
Table of Contents
Cyber Warfare Escalation to Nuclear Warfare? … The White House Cyber Security Failure and The National Institute of Standards (NIST) Cyber Security Framework (CSF) Panacea ….. Threatens National Security
Overview
Cyber Security Fumbles over the last 25 years
Executive Summary
Introduction
16 December 2016 Situation Report, Obama to Conduct Cyber Security Retaliatory Strikes Against Russia.
Doctrine and Analysis Misdirection
NIST and the Cyber Security Framework (CSF) Propaganda
Conclusion
Cyber Warfare Escalation to Nuclear Warfare? …
The White House Cyber Security Failure and The
National Institute of Standards (NIST) Cyber
Security Framework (CSF) Panacea ….. Threatens
National Security
Overview
Very bluntly, it is a Government and Military failure to not plan for the possibility
that Cyber Warfare can escalate to Nuclear Warfare. Cyber Warfare and all Cyber
Warfare Weapons are now part of Nation States’ War Fighting Arsenal and Nation
States with advanced War Fighting Weapons must define and discuss escalation
roadmaps. Likewise, the Executive Branch should NOT indicate to the American
Public and the World that the United States National Institute of Standards and
Technology (NIST) Cyber Security Framework (CSF) can adequately Identify,
Predict, Protect, Detect, Respond, and Recover from Cyber Security Attacks in
Cyber Space with the level of veracity that the military, government agencies and
private sector businesses must practice to prevent successful Cyber Security
attacks and proportionally respond before Cyber Security escalation exceeds our
ability to control it.
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Editor’s note: I added predict to the above list from the CSF as predict is a crucial component of threat
intelligence and threat management.
Cyber Security Fumbles over the last 25 years
In 2000, I was on a Fortune magazine panel in New York City and I was asked if I
thought one person sitting at a computer could bring down the internet. I said no.
I am still not sure if one person could as we have so many backups and
redundancies such as AKAMAI (the hidden internet). But, now, I believe one
person could launch a Supervisory Control and Data Acquisition (SCADA) attack and
do significant infrastructure damage. Look at what one piece of STUXNET
malware (https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/) did to
Iran’s nuclear power program. I am sure a team of people developed STUXNET
but, I suspect its configuration was not beyond the skill of a very lethally talented
software developer. And, it was delivered simply through an insertion of a thumb
drive. https://en.wikipedia.org/wiki/Stuxnet
So, in the last 25 years, the United States and the world have experienced
relentless Cyber Security attacks. In many ways, the US Government (Executive
and Legislative Branches) responded to them first from a mystical reflection on
what Information Security Attacks were. And, now, look where we are …..
escalating our response to a possible Russian Cyber Security attack within the vast
Cyber Warfare Area of Operations against Russia. What happened to planning for
this stuff? A significant quantity of these have been successful attacks. So, why
were they successful and why will they be successful? Because …. we, as a country,
have failed to relentlessly identify, predict, prevent, detect, and respond to attacks
using the vast technical ability that the United States possesses. Ironically, except for
“predict”, identify, predict, prevent, detect, and respond are core tenets of the
Administration’s CSF.
I do not believe the Government has completely grown beyond its mystical
reflection and understanding of Cyber Warfare. I believe the military understands it
but, it is still coming to grips with how to truly weaponize our Integrated Cyber
Security Weapons with all our other conventional weapons and weapons of mass
destruction within the Cyber Space Sphere and the Cyber Space Area of Operations
(AO).
Here is how this paper and its analysis is structured. I believe that I am qualified to
freebase this paper with minimal references. I admit I developed this paper as a
stream of consciousness as I wrote it very fast. However, I believe that my thesis
and conclusions are relevant within the current Cyber Warfare AO which, in
essence, is Cyber Space.
My justification in writing this quickly is that I am:
- A Cyber Security Expert with extensive experience. I have published several
long and short Cyber Security whitepapers to include a short one on
the definition of Cyber Space.
- I am a retired Air Force Intelligence Officer. I wrote extensive classified papers
while in the military on such things as nuclear warfare and chemical warfare.
- Have worked in Special Operations, Strategic Warfare, Chemical Warfare,
Tactical Warfare, Operations Other than War, The Pentagon, Strategic and
Tactical Intelligence Reconnaissance Offices, Operational Units and
Operational Commands, War fighting Operations Centers, etc.
- Have had great and interesting Cyber Security jobs in the private sector and in state
and national government
- I was on the ground during 9-11, first jet went over my head, saw towers fall
in front of me
- Have had several papers published on Cyber Security and one on Soviet
military Doctrine called “Soviet Military Doctrine a Blueprint for the Future or
an Indictment of the Past” http://cua.academia.edu/BillRoss
- Presented my “The Invisible Person … the Security Architect” at the
University of Houston. This paper has been downloaded on the Internet nearly 3000
times.
Executive Summary
Cyber Warfare Tools and Nuclear Weapons are both potentially weapons of mass
destruction.
Despite the United States spending billions of dollars on Cyber Security, a
relatively simple hack like accessing the Democratic National Committee Email
Servers has thrown the country into chaos as this hack possibly influenced our
election process and has caused a potential serious escalation of Cyber Warfare
attacks and ultimately, more serious escalation to the use of other weapons of
mass destruction.
Not only did attacks on the DNC and Podesta’s personal email accounts wreak
havoc on the elections but, the fact the Secretary of State established a private
email server in her house that processed United States Secret Information also
impacted the 2016 Presidential Elections. This was a significant email hack
executed by the State Department against the trust of the American people. These
two examples show significant proof that something as simple as the
mismanagement of the Cyber Security around emails could have overwhelming
effects on the safety of the United States. If we cannot protect email accounts
through fundamental Cyber Security management then what about the Cyber
Security safety of the United States infrastructure to include nuclear power plants?
It is very concerning that the United States’ Cyber Security expert on what is
happening in the Global Cyber Space Warfare Spectrum is now a New York Times
writer whose article’s title “The Perfect Weapon: How Russia Cyber Power Invaded
the United States”
http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=1
in and of itself portrays a lack of Cyber Warfare knowledge. It
is an excellent article for the information it compiled but, like NIST CSF, it does not
offer a pure path to Cyber Threat mitigation. An excellent review of the article for
what it really is was written by Tyler Durden
http://www.zerohedge.com/news/2016-12-13/new-york-times-explains-how-it-became-instrument-russian-intelligence .
And, to ask again, why is a New York
Times writer now the Spokesperson for Cyber Warfare?
Finally, the government and private sector must recognize the word “Cyber” does
not automatically mean Cyber Security. Cyber is more related to Cyber Space and
Cyber Security and Cyber Warfare are within the Cyber Space Spectrum.
https://www.academia.edu/26547082/Cyber_Security_does_not_just_mean_Cyber_
Introduction
While it is a possibility, this paper does not state we are escalating to nuclear
warfare at this time because of the United States Government’s failed Cyber
Security and Cyber Warfare policies. This paper is to somehow start a
comprehensive discussion on Cyber Warfare escalation models. The paper starts by
first examining the Government’s failure to adequately implement a potent Cyber
Space Defense-in-Depth National Cyber Security Process to Identify, Predict,
Protect, Detect, Respond, and Recover from Russian and all other global Cyber
Security and Cyber Warfare Threats hammering the United States millions of times
a day. This paper will examine the fact that the United States and writers of
warfare escalation theory and Cyber Security Incident, Threat Management, and
Cyber Security Intelligence Risk Management efforts continue to fail in their
understanding of what Cyber Security and Cyber Space really are within the context
of peacetime and wartime war fighting doctrine tactics and procedures.
We must finally understand Cyber Warfare and Cyber Space are now part of a
military escalation process and we must now address them as such by military and
government doctrine and strategists in the United States. It is hard to find
references about Cyber Security escalation processes on the internet. There are
some very good “thought” articles but nothing that stands as a call for action. There
are some reasonable considerations of how to think about Cyber Warfare escalation
such as Martin Libicki’s RAND study. This link will take you to an excellent RAND
study
http://www.rand.org/pubs/periodicals/rand-review/issues/2013/summer/cyberwar-fears-pose-dangers-of-unnecessary-escalation.html
By Martin C. Libicki
Martin Libicki is a management scientist at the RAND Corporation.
“ In their zeal to protect themselves in cyberspace, countries need to ensure that
they do not trigger even greater threats beyond cyberspace, particularly military or
economic forms of retaliation.
To manage crises and forestall their escalation in cyberspace, the following seven
points may be usefully kept in mind.
- understand that the answer to the question —
- take the time to think things through.
- understand what is at stake —
- not to take possession of the crisis unnecessarily.
- craft a narrative that can take the crisis where you want it to go.
- figure out what norms of conduct in cyberspace, if any, work best.
- recognize what a crude tool counter-escalation may be for influencing the
other side”
To support my point concerning the Intelligence Community requirement to think
through Cyber Warfare Doctrine, about a year ago, I attended an AFCEA
Intelligence Conference in Washington, DC. All the Chiefs of the Intelligence
Community were there. It was an Intelligence professional’s Woodstock if you were
in the audience. At the conference, I became very concerned that it seemed very
few in the Intelligence Community seemed to understand Soviet and now Russian
Military Doctrine. We ignored it for a long time thinking we were making nice with
the Russians. On a larger scale, they did not seem to understand the impact of
how Doctrine in and of itself, especially in the Russian Military, affects Russian military
weapon and strength decisions. It is interesting that in the early days of Russian Military
thought the Soviets grouped nuclear weapons in the “long range artillery”
category. Also, in those days, the Soviets believed nuclear war was fightable and
winnable. So, interestingly, Cyber Warfare as a metaphor has become Russia’s
“longest range” artillery yet.
https://www.academia.edu/9715897/Soviet_Military_Doctrine_..._A_Blueprint_for_the_Future_or_and_Indictment_of_the_Past_.
So, given Cyber Warfare can be used as a weapon of mass destruction as it can
have a mass impact on the infrastructure and safety of United States citizens, it
would not be surprising if the Russians have incorporated Cyber Warfare into their
overall military escalation process believing that Cyber Warfare is fightable and
winnable.
The private sector and the United States government spend billions of dollars to
prevent and detect Cyber Security Attacks and they still happen on grand and
lower-level scales. The Democratic National Committee (DNC) emails were hacked
with now possible overwhelming consequences. Who was protecting those emails?
And, to top it off, the entire Russian – United States Cyber Warfare standoff is
based on a relatively simple hack which was hacking email accounts. What if,
instead, the Russians opened the gates of a dam through a SCADA attack and
flooded a town through what would be considered a kinetic effect of Cyber Warfare
tactics, techniques and procedures? Would the United States respond by
performing a similar attack on a Russian Dam or Power Plant? OK, here we have
two towns destroyed based on the kinetic effect of Cyber Warfare Weapons. Where
would the United States and Russia go from there? In essence, both countries just
experienced an attack on their homeland. How do we measure value and counter
value in a Cyber Warfare escalation process? If one plays out the scenario, the
above example could lead to a nuclear exchange.
As indicated above, one would think that a search of the Internet for Cyber
Warfare escalation theories, depicting nuclear war originating from Cyber Security
Attacks against a Nation State and escalating to the use of kinetic weapons of mass
destruction, would turn up several escalation models or writings. The reason these
articles do not exist is that academia does not understand Cyber Warfare and the
weaponization of same. One can find theories on escalation for other types of
warfare like Chemical Warfare and Nuclear Warfare, but not so much for Cyber
Warfare. One example of past military thinking in the United States that could
serve as a role model for a Cyber Warfare escalation road map is that the United
States believed an escalation of war in Europe would start as a conventional war,
escalate to the Soviets using chemical weapons, escalate to a tactical nuclear
exchange and then to global strategic nuclear warfare. The pundits in those days
speculated that the Soviets would transition to employing weapons of mass
destruction (WMD) by first using chemical weapons and then transitioning to tactical
nuclear weapons. So, the escalation road map was conventional, chemical, and
nuclear. And, the United States planned its military defense and response
accordingly. However, it does not appear that the Western Powers have clearly
thought the Cyber Warfare escalation process through and how to not let Cyber
Warfare escalation “get out of control”.
So, where are the escalation models into and out of Cyber Security and Cyber
Warfare attacks? We have spent billions of dollars on Cyber Commands and have had
untold congressional meetings, laws, policy statements, and Cyber Security Acts
passed. The Administration has published Executive Orders like Executive
Order 13563 -- Improving Critical Infrastructure Cyber Security
https://www.whitehouse.gov/the-press-office/2014/02/12/launch-cybersecurity-framework
and NIST has created numerous Information Security documents. And now, it seems
we are making it (Cyber Warfare Escalation) up as we go along.
Cyber Warfare saber rattling cannot be considered Power Projection because Cyber
Warfare escalation can happen almost at the speed of light or at least the speed of
the global network used as an attack conduit. We do not have time within the
Cyber Security decision loop to station an aircraft carrier off of a Nation State’s
Coast. If we knew Russia was attacking the Democratic National Committee
database, why did we not block the attacks and make it more public during the
campaign? There were some references made by the Administration, but it seems
we let the political process interfere with our Political response to the hacks. Why
did we not levy awesome Cyber Security talent to prevent these attacks? The
Secret Service protects the candidates, so why not protect the elections? AND,
MOST IMPORTANTLY, why were these attacks not blocked and mitigated through the
massive Cyber Security capabilities the United States has in its Cyber Warfare
arsenal?
Did NIST or the Executive Branch do a metrics-based analysis of the CSF process of
Identify, Predict, Protect, Detect, Respond, and Recover?
16 December 2016 Situation Report, Obama to Conduct Cyber Security Retaliatory Strikes Against Russia.
It is deeply concerning that the headlines on 16 December 2016 indicated the
United States is planning a Cyber Warfare retaliatory strike against Russia. The
President outlined in the most vague terms how we might respond to the Russian
Cyber “attack”. This vague Cyber Security saber rattling could actually cause the
“enemy” to escalate the Cyber Security battle to include a preemptive strike
decision on Russia’s part. The preemption would be structured to stop the United
States’ ability to do whatever it plans to do. So, the vagueness of our threat could
have actually added to the emotion and the escalation process. Most concerning is
that Cyber Warfare amateurs in the Executive Branch and the Intelligence
Community could be leading us down a Cyber Warfare escalation path which is
really not well defined. No matter how you look at it, “retaliation” is an act of war
within the lexicon of Cyber Warfare. Retaliation means we are responding to
something the US views as an act of war (Cyber War) committed against the US.
One would hope that the administration would have followed the RAND advice seen
in the above reference. But, given that this escalation or situation stabilization
methodology and doctrine is not publicly discussed, one is not really sure what
the US Government’s Cyber Warfare escalation strategy is. Sometimes, keeping
things secret is not the best “deterrent”. One might recall that George Kennan’s
“Deterrence Strategy” and McNamara’s “Mutual Assured Destruction” theories were
publicly available and those theories significantly deterred a nuclear war.
We need better Cyber Warfare escalation strategies that incorporate the Cyber
Warfare escalation “reflections” so stated by RAND.
Doctrine and Analysis Misdirection
Please see the below quote from “Arms Control Now” (ACN), which is a blog post from
the Arms Control Association (ACA) in 2013, as it is one of the scariest and most
misinformed analyses I have read concerning Cyber Warfare escalation theories.
Its claim is that Cyber Warfare could not escalate to nuclear warfare. While ACA is
not an official government agency and it is composed of dedicated individuals, I
believe that, given ACA is headquartered in Washington, DC and that it seems to be
mostly focused on nuclear warfare analyses and control, the ACA reflects the “old
think” and limitations of understanding Cyber Warfare escalation and Cyber Warfare
weapons as WMDs. This is similar to how I suspect many people think about Cyber
Warfare within the government and private industry today. Not much has changed
in three years.
The ACN article minimizes the idea that Cyber Incidents could escalate to nuclear
warfare. I suspect the reason the article did not examine this possibility is that the
author of this article did not have a true understanding of the lethality of Cyber
Warfare weapons and the “kinetic” impact a Cyber Weapon could have. It is my
opinion that the below ACN quote mistakenly reflects the Cyber Warfare escalation
Doctrine and Strategy that exists today across the United States Government.
“the law of armed conflict requires that states respond to aggressive acts of force
proportionally”
The quote reflects the greatest naïveté about Nation States, Military Process and
War fighting. How could one ever expect a country TO NOT escalate to more
lethal weapons if the strategic advantage might dictate this must be done to
achieve military and political objectives? Or, as stated above, what if the Cyber
Warfare aggressor decided to launch a preemptive Cyber attack which would ignore
the “law of armed conflict”? Nuclear Warfare in and of itself would violate the above
assumption concerning the law of armed conflict. We used a nuclear weapon against
Japan. ACN continues to reflect naïveté concerning the possible Cyber to nuclear
escalation theory when it states:
“However, the threat of using nuclear weapons to respond to cyber attacks by
other states against U.S. critical infrastructure is not a realistic nor an effective
response to cyber attack because:
- Cyber attacks lack the destructive and existential threat of nuclear weapons;
- A nuclear response to a cyber attack is not proportional;
- Threatening to respond with nuclear weapons lacks credibility in adversaries’ eyes;
- Cyber deterrence in general is difficult to achieve; and
- The policy would provide a new rationale for nuclear proliferators.
In March 2013 National Intelligence Director (DNI) James Clapper presented the
“Worldwide Threat Assessment” before Congress and said, there is a “remote
chance” that over the next two years the United States will see a major cyber
attack against its critical infrastructure, producing “long-term, wide-scale disruption
of services, such as regional power outage.” However, it also said China and Russia
“are unlikely to launch such a devastating attack” outside a “military conflict or
crisis.”
Second, the law of armed conflict requires that states respond to aggressive acts of
force proportionally. If cyber attacks lack the destructive force of nuclear weapons
then responding to one with a nuclear weapon is not a proportional response. If
China launched a cruise missile and took down a power plant, it would be
disproportional to respond with launching a nuclear warhead at China. Now imagine
that instead of a cruise missile, a cyber attack is launched against the industrial
control mechanism for the power plant and takes it offline. Does that somehow now
warrant a nuclear response? No.”
https://armscontrolnow.org/2013/05/30/is-there-a-place-for-nuclear-deterrence-in-cyberspace/
DNI Clapper in 2013 discussed a “remote” Cyber Security/Warfare attack
against the US critical infrastructure within two years. Well, he did not predict a
Cyber Warfare Attack against the United States political processes that happened
three years after his observation. So, now rather than escalating because of an
infrastructure attack, we are escalating against the Russians because of an “EMAIL”
Cyber Attack that might have influenced the loss by the political party of the
outgoing president.
Who in the name of heaven truly believes that Russia, China, Iran, North Korea will
play nice by some naïve approach to war fighting and escalation? The above
reflection in the ACN paper shows a lack of true war fighting and escalation theory
knowledge. The rules have changed with Cyber Warfare tools and their ability to
inflict massive damage.
I think every single policy maker and writer should read an old book called “Essence
of Decision: Explaining the Cuban Missile Crisis” by Graham Allison and Philip
Zelikow. It examined 6 possible ways decisions were made during the Cuban Missile
Crisis. In essence, thank God that we lucked out during the Cuban Missile Crisis,
as we were somewhat playing a “zero sum game” and “making it up as we went
along” during the Cuban Missile Crisis. Allison’s book and the “shoot from the hip”
Cyber Security escalation process indicate that we must determine now how to
escalate and how to manage Cyber Security attacks without the escalation process
getting out of control. We had time to work the issues during the Cuban Missile
Crisis. And, we had history on our side. Khrushchev was a victim of World War II.
The Russian psyche in those days was to prevent anything like the loss of life that
happened to them in WWII. Not many Russian experts saw Russian Defensive
actions and military development through that lens but, I suspect that Khrushchev
was greatly influenced by the fact that “Mother Russia” should not suffer again like
in WWII. I do not think Putin is motivated from the same position.
So, while we hope Cyber Warfare will not escalate to a strategic nuclear war, one
cannot assume it will not, because Cyber Warfare can now kinetically affect the
“enemy” much as the use of a kinetic nuclear weapon would. For example, if a hacker took
down a United States nuclear power plant, we would in essence have a Chernobyl
in the United States where man and beast could not live for an exceptionally long
amount of time. Another example of a cyber attack that could impact the safety of
people and environments is the suspected attack on Ukraine’s electrical grid.
http://www.reuters.com/article/us-ukraine-crisis-cyber-attacks-idUSKBN1491ZF.
In essence, this would be considered a small attack if targeted against the United
States. But, the potential is there where a much larger attack could occur.
The bottom line to my rant concerning Cyber Warfare escalation is that:
- We must assume that Cyber Warfare can unleash a kinetic effect like
classical weapons of mass destruction (WMD). We went to war with Iraq
because Iraq supposedly had a stockpile of chemical WMDs.
- We must develop clear and unmistakable policies and strategies as we did for
Nuclear Deterrence.
- We must accept that we are in a constant 1984-esque war which will
never stop.
- We must distribute and manage Cyber Warfare strategy, plans, policies,
tactics, techniques and procedures within the United States Government and
private sector.
- We must develop and implement extremely aggressive defense-in-depth
implementation plans that far surpass the Administration’s Cyber Security
Framework panacea, which in essence is an Administration Cyber Security
response marketing tool.
- We must develop and distribute Cyber Identify, Predict, Protect, Detect, Respond,
and Recover tools that will stop email and all other attacks from escalating
from an email database compromise to a Cyber Security escalation between
the world’s nuclear super powers.
NIST and the Cyber Security Framework (CSF) Propaganda
I have the deepest respect for the NIST Team and for all the extremely hard
working men and women in the Cyber Commands and Executive Agencies. They do
the absolute best they can. But NIST needs far more Cyber War Fighters and Top
Guns that have managed Cyber Security problems in government and corporate
trenches. This experience is needed for NIST to understand how to relentlessly
fight the Cyber Security fight and implement programs in the real world that reflect
the true meaning of a war fighting based Identify, Predict, Protect, Detect,
Respond, and Recover program. NIST must become part of the mantra that we
are at “Cyber War each and every day”.
On February 12, 2013 the White House released Executive Order 13563 –
“Improving Critical Infrastructure Cyber Security”.
https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
To “Improve” Cyber Security, the National Institute of Standards and Technology
(NIST) created the Cyber Security Framework (CSF).
https://www.nist.gov/cyberframework CSF was yet another government
whack-a-mole “something or another” to address the 30-year Cyber
Security War and our inability to protect the government, military and private
sector against successful Cyber Attacks.
https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework
The CSF was built in a hurry by NIST to make nice with EO 13563. The CSF is
equivalent to bringing a pocket knife to a gun fight. CSF was created by
Washington Bureaucrats to show the world Washington was doing “something” to
mitigate the threats and risks posed by Cyber Security attacks.
CSF is a naive kluge of Cyber Security actions by NIST trying to apply Cyber
Security “Old Think” NIST risk control management principles found in NIST
Special Publication 800-53
http://disa.mil/services/dod-cloud-broker/~/media/files/disa/services/cloud-broker/nist-sp80053-securityandprivacycontrols.pdf
to a global Cyber Security and Cyber Warfare gun
fight. This gun fight is ruled at times by ISIS level Cyber Space thugs who could
and would use Cyber Warfare to inflict destruction and chaos. CSF does not
nearly reflect the type of solution that is needed to fight and win in the ongoing
constant Cyber War that we fight each and every day in the Cyber Space Sphere
Area of Operations. All branches of the government (executive, legislative, and
judicial) and the private sector need military grade weapons to truly and
relentlessly manage the global Cyber Security threats. CSF and compliance with
Federal Information Security Management Act (FISMA)/SANS Top 20/ISO 27001
etc. audits are just not enough to win in the Cyber War.
The YouTube videos seen at the below CSF link are from an April 2016 workshop
https://www.nist.gov/news-events/events/2016/04/cybersecurity-framework-workshop-2016.
I attended this conference and throughout the meeting, I stressed
the absolute importance of NIST developing implementation processes and
procedures and metrics of success for implementing the CSF. I can be seen in
some of the videos promoting the absolute need for NIST to weaponize the CSF so
it can truly provide the Identify, Predict, Protect, Detect, Respond, and
Recover Cyber War fighting tools we need. I also stressed we need to truly make
CSF a defense-in-depth tool by adding predict to the CSF focus items. To make this
a predict tool, CSF must include all aspects of threat intelligence and threat
management and Cyber Risk assessments.
Finally, NIST is moving too slowly in the Cyber Warfare AO. NIST must get into the
trenches with us and determine and outline how to fight the Cyber War. NIST is
part of the government. The Government has threatened Cyber Warfare
retaliation. Cyber Warfare retaliation is a big deal. NIST must be part of that fight
and become strong allies with all the Cyber War fighting Commands and Cyber War
fighting Agencies like CIA and NSA and with the private sector.
Conclusion
The United States must aggressively address Cyber Warfare escalation doctrine and
strategies. Cyber Warfare Weapons can inflict mass destruction. Cyber Warfare
must be clearly integrated into the escalation roadmaps so we CAN PREVENT
escalation. We must not let ourselves ever again need to threaten Cyber Warfare
retaliatory escalation because of preventable hacks against email systems. While
NIST has done its best to create the CSF, it did so very quickly without considering
many core aspects of how to make the CSF tenets of Identify, Predict, Protect,
Detect, Respond, and Recover a war fighting process and tool.
The Cyber Warfare battlefield is not a “nice-nice” environment. It has, can and will
have severe consequences.