Presidential Memorandum | Key Issues in Cyber Policy NSEC506 - Nov/Dec 2015
Mark Raduenzel Page 1 of 9
Summary
A recent cyber-attack occurred where a botnet type attack targeted a major U.S. defense
firm. No physical damage occurred to the firm’s network, but significant technological secrets
about a new surveillance and targeting system from the firm, Defense Applications International
(DAI), appear to have been compromised. Incidentally, but nonetheless as a result of the attack, the
virus also infected a software program that DAI was testing at an electrical plant in
Pennsylvania. The plant had to be shut down for 12 hours while repairs were made. The NSA
believes it has credible evidence that the attack had a direct connection to the elite cyber unit
Department 2112, of the country of Redistan, an adversary of the United States, although the
attack itself appears to include private citizens of Redistan. The attack, however, was routed
through several third countries, including Bluelandia, an ally of the United States.
Key Issues and Analysis
Possible Responses
According to Dr. Clay Wilson, Program Director for Cybersecurity Studies at the American
Military/Public University, botnets consist of “vast numbers of computers that are infected and
remotely controlled to operate, in concert, through commands sent via the Internet” (Wilson
2009, 420). An attack of this type is difficult to prevent and to defend against, which makes it an
attractive technique for criminals and is reminiscent of the Distributed Denial of Service (DDoS)
attacks against Estonian sites in 2007. While no significant damage occurred as a result of this
particular attack, the United States Department of Justice (DOJ) routinely views such attacks as a
criminal activity.
Further complicating matters is that the virus also infected the electrical plant in Pennsylvania. It
is possible that the software program Defense Applications International (DAI) was testing
enlisted one or more computers in the electrical plant as part of the same attacking botnet. Even
though the repairs were made over a 12-hour timeframe, the risk remains that security experts did
not find and eradicate all traces of the software virus and that the systems at the electrical plant
could still be remotely controlled via the Internet. This is a risk to the United States' critical
infrastructure, and therefore to national security, with the capability to impact more than just the
Pennsylvania area.
Even more troublesome is that the DDoS attack was used as a cover to compromise the
technological secrets regarding a new surveillance and targeting system being developed by
DAI. This unauthorized viewing or copying of data files is classified as cyber espionage whether
it was conducted by a state or an industrial competitor (Wilson 2009, 423). The use of
cyberspace to conduct espionage is hardly new. In 2003, for instance, a series of computer
attacks against the Department of Defense (DoD) systems, code named Titan Rain, succeeded in
copying large amounts of data containing sensitive information which is subject to U.S. export
control laws (Wilson 2009, 424). Since DAI is a defense contracting firm, the same export
control laws apply to DAI and its data and justify classifying the attacks as espionage.
Neither the DDoS attack nor the case of cyber espionage can be considered an act of war under
current international norms. According to Michael N. Schmitt, Director of the Stockton Center
for the Study of International Law, United States Naval War College; Professor of Public
International Law at Exeter University; and Senior Fellow at the NATO Cyber Defence Centre
of Excellence, cyber operations which do not cause damage do not qualify as an act of war
(Schmitt 2014, 191). This “effects-based” approach does not classify attacks on computer
systems as acts of war as long as there is no loss of life which may be directly associated with the
attack and any resulting damage is not permanent.
The United States should respond to these attacks by hardening its existing computer systems
and continuing to improve upon its security infrastructure and monitoring capabilities in order to
keep pace with current technology changes, vulnerabilities, risks and threats. This is not an easy
solution to a challenging problem, owing to the rapid changes experienced in the cyber
domain. With these changes come evolving and proliferating attack methods and techniques
which are difficult to defend against as in the case of the DDoS attack experienced by DAI.
It is also recommended that the U.S. work with our ally Bluelandia to try to confirm
that the attacks originated with the elite cyber unit Department 2112 of Redistan. The
confirmation of attribution is particularly challenging even though the NSA believes it has
credible evidence the attacks were conducted by this unit. The difficulties of attribution typically
prevent forensic investigators from conclusively identifying the perpetrators of the attack. Since
the evidence against Redistan is inconclusive, retaliation at this time is inadvisable. If Redistan
did not direct the attacks and had no foreknowledge of them, retaliation against the nation would
be targeting the wrong party and the United States could very well be fighting on two cyber
fronts. Additionally, since cyber-attacks are mainly invisible to outsiders and lack clear evidence
to display on the nightly news, the United States could be painted as an aggressor by retaliating
and find international opinion solidly against the U.S. (Lin 2012, 55).
Public vs. Private Sector Responsibilities
It is further recommended that U.S. Cyber Command immediately begin to determine how best
to protect and defend key infrastructure entities, regardless of whether they belong to the public
or private sectors. Wilson has noted that individual companies normally rely on the internet in
order to conduct business and that fighting cyber-crime effectively will require the cooperation
of government entities and the private sector, including academia (Wilson 2009, 428).
However, government cannot and must not have sole responsibility for securing the internet and
critical infrastructure. If the private sector does not have a high enough stake in protecting its
own systems, the tendency could be to rely overly on the government for security and absolve
itself of any responsibility. This would place too much of a burden on the federal
government. A better approach is for the federal government to encourage the private sector to
implement proper security measures for its systems. This can be done through legislation
passed by Congress combined with required security audits conducted by the NSA.
There may be some complications with the Department of Defense (DoD) and the National
Security Agency (NSA) interfacing with the private sector in the implementation of this effort.
As Major General Charles J. Dunlap has noted, the NSA “possesses extraordinary technical
expertise and experience, unmatched in the government, in exploring and exploiting computer
and telecommunication systems” (Dunlap 2011, 93). This expertise could be invaluable in
helping the private sector to protect its systems.
In spite of this proficiency, it may be wise to place more responsibility on the development of
fully civilian security measures for networks while at the same time discouraging involvement
by the Department of Defense and its agencies such as the NSA. Involving the NSA may seem
to conflict with the direction of American values even if the effort has a legal basis. Public
attitudes must be taken into account moving forward because Americans are becoming
increasingly uncomfortable with a “national-security state [that] now touches every aspect of
American life, even when seemingly unrelated to terrorism” (Dunlap 2011, 94). This general
discontent with intrusive government activity could cause the private sector to become unwilling
to work with the federal government on protecting the nation's systems and allow the systems to
remain vulnerable to cyber-attacks.
International Cyber Agreements
The United States should immediately lead the effort to obtain an international cyber agreement
because there are many areas of mutual interest with countries which have an internet presence.
The United States’ policy on information security is remarkably similar to Chinese policy and
the Russian Federation’s Information Security Doctrine (Thomas 2009, 480). These policies
include the creation of national programs in order to prevent threats and mitigate vulnerabilities,
the development of awareness to cyber threats, protecting government networks which are part
of the cyber domain and cooperating in international cyber security. These policies are critical to
each nation’s national security interests and an international cyber agreement could begin with
this commonality.
Another facet which facilitates an international cyber agreement is that cyberspace can be
considered a common property resource from which everyone may benefit without
needing to pay for it specifically (Forsyth 2013, 95). Overexploitation is normally avoided in
common property resources by every nation becoming aware of the necessity of cooperation in
order to continue using it.
An additional aspect which may facilitate international norms is the rising power of Brazil,
Russia, India and China (the BRICs). These four economies are well positioned to become the
four most dominant economies in the world within the next 40 years (Forsyth 2013, 98). As the
BRIC nations increase their political cooperation, the structure of international politics changes
from unipolarity to multipolarity, thereby decreasing the costs of governing the global
commons and increasing international cooperation and security.
However, having areas of mutual interest regarding cyberspace security may not foster an
international cyber agreement in the near future. States have often disagreed on “whether
international laws of war and self-defense should apply to cyber attacks, the right to block
information from citizens, and the roles that private or quasi-private actors should play in
Internet governance” (Hurwitz 2012, 21). These differences in ideologies could be a significant
barrier to international agreements.
The concept of the right to block information from citizens may be a challenge too difficult to
overcome for an international agreement. The United States has deep-rooted values regarding
freedom of the press and expression and a free and open internet promotes these values. Other
societies like Russia and China, however, do not share the same values. When creating or
negotiating the terms of international cyber norms, care must be taken to not infringe upon the
rights of American citizens for the sake of security. Russia or China’s insistence on including
limits on freedom will jeopardize any potential agreement.
An alternative to leading a new international cyber agreement could be to instead begin with
NATO’s Cooperative Cyber Defence Centre in Tallinn, Estonia. This center was established in
2008 with the intention of developing standards and “key directions for NATO’s cyber
protection system and carry out expert analyses of suspected cyber attacks” (Thomas 2009, 476).
The United States is still a member of NATO and should have direct input to the standards and
key directions developed by the Defence Centre. It could prove beneficial to officially publish
the center’s findings and use diplomacy to prompt the international community to agree to the
standards and directions.
U.S. Cyber Policy Recommendations
Finally, existing United States cyber policy should be strengthened by adding more explicit
policies focused on deterrence of cyber-attacks against the United States. This will not be easy
to achieve since a “one-size-fits-all approach to deterrence will not work because of the
multiplicity and diversity of potential adversaries and cyber-attacks, and because U.S. goals and
actions may shift from one situation to the next” (Kugler 2009, 310). This means that any cyber
deterrence strategy which is implemented should be specifically tailored to fit the adversary and
particular type of attack.
Comprehensive cyber deterrence strategies which lead to concrete cyber deterrence policies
should consist of declaratory policy, defensive cyber security, deterrence metrics, internal
and external interagency cooperation, situational awareness, command and control, and
retaliatory cyber capabilities. Collectively, these measures provide a solid foundation towards
preventing cyber-attacks, reducing overall vulnerabilities to attack and minimizing the amount of
damage incurred as well as recovery time in the event of an attack (Kugler 2009, 311). Existing
cyber policy must be revised immediately to include these elements.
The most basic challenge to deterrence is the difficulty in reliably attributing the attacks to a
specific party and whether the attacking party is a state or non-state actor. Because of the
technical limitations of attribution, retaliation in the form of counter-attacks or diplomacy is
nearly impossible, which means the attackers have not been deterred, as in the recent attacks
against DAI. The NSA believes the country of Redistan is responsible, but the evidence has not
yet been shown to be conclusive. Even if solid proof is obtained, a secondary consideration to
retaliation is that counter-attacking against Redistan may hold no value. Furthermore,
counter-attacks may do nothing to prevent Redistan from conducting further attacks. Any retaliation
against Redistan could seem provocative and may not be worth the time and effort to respond to.
The advantages gained by counter-attacks should be weighed against the possibility that entities
outside of the original conflict could become involved and keep the conflict brewing, even if the
supposed reasons for Redistan’s attack are removed.
Another element of policy which should be contemplated is the framing of cyber-attacks as acts
of war, especially when aimed at critical infrastructure as in the case of the DAI attacks. To
accomplish this, it will be necessary to further analyze the implications of cyberwar, “what it
means, what it entails, and whether threats can deter it or defense can mitigate its effects”
(Libicki 2009, 15). As Libicki indicates, the point of deterrence policy is to add another
consideration to the attacker’s calculus. This calculus is a function of whether the attacker
believes that the targeted entity will carry out a retaliation and significant damage would be
sustained in the case of retaliation.
The concept of deterrence as policy is not new. In fact, Kugler notes that “the entire U.S.
conventional military posture is viewed as a major contributor to deterrence” (Kugler 2009, 325).
Cyber capabilities are a natural extension of that defensive posture. Well-implemented cyber
defense can add credibility to this posture as well. If the United States' defenses are adequate
and the policy includes a strategy for counterattacks, the threat of retaliation in the minds of
attackers could dissuade them from attacking in the first place, which is the essence of
deterrence (Libicki 2009, 73).
References
Dunlap, Charles J. 2011. "Perspectives for Cyber Strategists on Law for Cyberwar." Strategic
Studies Quarterly (Spring): 81-99.
Forsyth, James W. 2013. "What Great Powers Make of It: International Order and the Logic of
Cooperation in Cyberspace." Strategic Studies Quarterly 7, no. 1: 93-113.
Hurwitz, Roger. 2012. "Depleted Trust in the Cyber Commons." Strategic Studies Quarterly 6,
no. 3: 20-45.
Kugler, Richard L. 2009. "Deterrence of Cyber Attacks." In Cyberpower and National Security,
309-340. Washington, D.C.: National Defense University Press.
Libicki, Martin C. 2009. Cyberdeterrence and Cyberwar. RAND Report. Santa Monica: RAND
Corporation.
Lin, Herbert. 2012. "Escalation Dynamics and Conflict Termination in Cyberspace." Strategic
Studies Quarterly 6, no. 3: 46-70.
Schmitt, Michael N. 2014. "Rewired Warfare: Rethinking the Law of Cyber Attack." International
Review of the Red Cross 96, no. 893: 189-206.
Thomas, Timothy L. 2009. "Nation-state Cyber Strategies: Examples from China and Russia." In
Cyberpower and National Security, 465-488. Washington, D.C.: National Defense University
Press.
Wilson, Clay. 2009. "Cyber Crime." In Cyberpower and National Security, 415-436. Washington,
D.C.: National Defense University Press.