Establishing transparency undermines deterrence and turns the aff – ambiguity is the only way to maintain cyber dominance
Mowchan 11 [Lieutenant Colonel, member of the staff and faculty at the Center for Strategic Leadership, U.S. Army War College, where he teaches cyber warfare and national intelligence, career Army intelligence officer and holds a master’s degree in strategic intelligence from the National Intelligence University, served for 20 years in a variety of tactical, theater, and strategic intelligence positions and is a member of the U.S. Naval Institute’s Editorial Board, “Don’t Draw the (Red) Line,” Proceedings Magazine - October 2011, Vol 137, no 10/1304, http://www.usni.org/magazines/proceedings/2011-10/dont-draw-red-line] //khirn
In a strategic environment that has become more volatile, complex, and uncertain, the United States increasingly relies on cyberspace to advance its national interests. Simultaneously, our adversaries, particularly nation states, are afforded more opportunities to undermine our efforts through their own nefarious activities in the digital domain. While not every act in coming years will pose an imminent threat to U.S. national security, economic well-being, or social stability, some will. Because of this, strategists, government leaders, and scholars frequently disagree over whether the United States should establish thresholds (or “red lines”) for responding to such hostile acts. Red-line proponents assert that thresholds can decrease the ambiguity of U.S. policies, bolster deterrence, and facilitate swift, decisive action. Establishing cyber red lines, however, is folly. Given the evolving threat, current strategies, and the challenges of attribution in this domain, the United States is better served by not delineating them. Maintaining ambiguity on when and how U.S. instruments of national power will be used after a cyber attack gives government leaders the flexibility to tailor responses much as they would to threats in the other global domains. Sources of Invisible Threats To properly frame the issue, it is necessary to understand the evolving digital threat environment and current U.S. strategies. Hazards to national security and economic prosperity in cyberspace are multiplying. As the world becomes more interconnected, diverse state and non-state actors will have greater access and operational maneuverability to conduct malicious activities.
Intentional ambiguity is key – provides flexibility and guarantees deterrence
Mowchan 11 [Lieutenant Colonel, member of the staff and faculty at the Center for Strategic Leadership, U.S. Army War College, where he teaches cyber warfare and national intelligence, career Army intelligence officer and holds a master’s degree in strategic intelligence from the National Intelligence University, served for 20 years in a variety of tactical, theater, and strategic intelligence positions and is a member of the U.S. Naval Institute’s Editorial Board, “Don’t Draw the (Red) Line,” Proceedings Magazine - October 2011, Vol 137, no 10/1304, http://www.usni.org/magazines/proceedings/2011-10/dont-draw-red-line] //khirn
While DOD’s strategy is defensive in nature, it states that U.S. military power will be used if necessary: “The Department will work with interagency and international partners to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuade and deter malicious actors, and reserve the right to defend these vital national assets as necessary and appropriate.” 12 Both plans lead to several key observations. First, the ISC and DSOC are intentionally ambiguous. Neither defines a hostile act in cyberspace, nor is there language explicitly stating when, how, and to what extent the United States will respond to such acts. Second, both strategies acknowledge that there are no simple solutions to the challenges of the day. Finally, decisions will continue to be shaped by the dynamic interplay of a surfeit of political, economic, military, and social variables in the international environment, and because the world is more “gray” than black-and-white, responses to hostile acts in the digital domain will be determined as strategic responses are in conventional warfare. The Case for Thresholds Red-line advocates believe that creating thresholds will decrease the ambiguity of our policies, bolster deterrence, and facilitate a more timely response. Some pundits criticize the ISC and DSOC, arguing they take ambiguity too far. The DSOC in particular, they think, should outline response thresholds that if crossed, would result in diplomatic or military retaliation. Following the release of DOD’s strategy, Representative Jim Langevin (D-RI) acknowledged the DSOC represented a good start but said it was deficient in several key areas, including its fixation on defense and the identification of acceptable red lines. 
13 After the DSOC was published, now-retired Marine Corps General James Cartwright, the former vice chairman of the Joint Chiefs of Staff, remarked that the strategy was too defensive, stating “we are supposed to be offshore convincing people if they attack, it won’t be free . . . [and that] disabling computerized patient records at a hospital such that the patients cannot be treated would be a violation of the law of armed conflict [which could] then [trigger a] proportional response.” 14 General Cartwright went on to emphasize the nation will need stronger deterrents. Although he did not say what the deterrents should be or what instruments of national power would be used, his words lend support to red-line advocates who demand greater specificity in U.S. policies, greater clarity on what constitutes a hostile act, and clear thresholds. Why Ambiguity Is Good Those arguing for establishing red lines fail to comprehend the complexity of the digital domain, in which adaptation and anonymity are the norm. The United States is better served in the long run by not establishing such thresholds, for four reasons. First, not doing so allows government leaders the latitude to tailor response options based on a hostile act, its physical and digital effects, and how it relates to the current state of affairs in the international system. As retired Air Force General Kevin Chilton remarked in 2009 as commander, U.S. Strategic Command, “I don’t think you take anything off the table when you provide [response] options to the president to decide. Why would we constrain ourselves on how we would respond [to hostile acts in cyberspace]?” 15 Such an approach does not differ from the way the United States addresses hostile acts in other domains. If red lines are established, we will be compelled to respond to each threat that crosses the line, which is unrealistic, given that our computer networks are subjected to millions of probes, scans, and attacks on a daily basis. 
Even if red lines are narrowly focused (e.g., employing military force if a cyber attack results in the deaths of U.S. citizens), the first time the United States fails to respond accordingly, it will undermine the credibility and deterrence effect of our other capabilities. A second reason in favor of ambiguity is that if our adversaries know our response to such acts, they will adjust accordingly. Because neither the national nor the defense strategy explicitly defines a hostile act in cyberspace or exactly how the United States will respond, this leaves it open to interpretation. As one military official remarked, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.” 16 In addition, hostile actors may perceive a green light for certain acts that do not cross a particular response threshold. While one such act below this threshold may not be harmful to U.S. interests, what if 100 million are? Again, maintaining ambiguity concerning when, how, and to what extent to respond gives the United States greater latitude. Third, because cyberspace is a global domain that emphasizes open access, the free flow of information, and anonymity, it is extremely difficult to determine where the threat or attack originated. For example, U.S. military networks are probed more than six million times a day by assailants operating in one corner of the world using computer networks or servers in another corner. Most perpetrators are never identified, except for a computer Internet protocol address or a one-time user alias. Army General Keith Alexander, commander of U.S. Cyber Command and Director, National Security Agency, emphasized this challenge, saying, “Too often, the military discovers through forensics that network probes have been successful [and] as a consequence, response becomes policing up after the fact versus mitigating it real time.” 17 If red lines demand a timely response and there is no one to pin responsibility on, then how can a response be implemented? Finally, even if the source of the attacks is determined in a timely manner, automatic triggers for a response, particularly those that employ military force, could create negative second- and third-order effects that make a bad situation even worse. Given that nation states pose the greatest threat to U.S. networks, red lines that automatically result in a response could escalate an already volatile situation. For example, in 2009 individuals in China and Russia penetrated computer networks operating parts of the U.S. electrical power grid. 18 They reportedly inserted malware that could destroy infrastructure components. Although their identities or associations with the Russian and Chinese governments were not disclosed, it validates the point that response options must be tailored. If Russia or China, two nuclear powers, were responsible, a U.S. response would be markedly different than if they had been conducted by a non-nuclear state. Clearly the diplomatic, information, and economic instruments of national power versus military force would receive more emphasis with China or Russia for what could be considered a hostile act in cyberspace. Given the complex and indeterminate 21st century international system and the multitude of current threats, U.S. interests will be better served by not establishing clear thresholds. Ambiguity is a powerful tool to shape our adversaries’ actions in all domains and allows us the maneuverability to respond where, when, and how we choose. 
Red-line advocates must understand that thresholds only constrain our actions and could undermine credibility and the power to effectively deter our adversaries.
brink – no cyberwar now
No cyber war now --- but on the brink
Singer 15 [Peter Singer, strategist at New America think tank, interview with Passcode] initial article: [ Sara Sorcher, “Peter Singer: How a future World War III could be a cyberconflict,” Passcode, 6/24/15, http://www.csmonitor.com/World/Passcode/2015/0624/Peter-Singer-How-a-future-World-War-III-could-be-a-cyberconflict]//eugchen
It's simple: The reason there is no cyber war right now is that there are no actual wars right now between states with cybercapacities. The reason we have seen this restraint in cyber operations between say the US and China, or the US and Iran, is the very same reason they aren’t dropping actual bombs on each other: Because the two sides are not at war. But if they did go to war, which could happen for any number of reasons, accidental or by choice, of course you would see cyberoperations against each other that would be of a different kind of scale and impact than we’ve seen so far. The first Cyber Pearl Harbor might happen from a decision to reorder the global politics in the 2020s, or it could happen just because two warships accidentally scrape paint over some reef in the South China Sea no one can find on a map.
internal link – china war
Offensive cyber responses key to deter China from aggressive military moves
Schmitt 13 [Gary, co-directs the Marilyn Ware Center for Security Studies at the American Enterprise Institute, “How to meet the threat from China's army of cyber guerrillas” June 6, 2013, Fox News] //khirn
When President Obama meets with Chinese President Xi Jinping Friday and Saturday in Southern California, a major topic of conversation between the two will be Chinese cyber-attacks and cyber-espionage against American commercial and government targets. According to U.S. counterintelligence officials, billions upon billions of dollars worth of information has been “lifted” out of American computers and servers in recent years. In fact, only last week, newspapers were reporting that an internal Defense Department review had concluded that China had used cyber attacks to gather data on more than three dozen key U.S. military programs, including the country’s most advanced missile defense systems, naval warships and even the F-35 Joint Strike Fighter—the stealthy, fifth-generation jet that will be the backbone of the American military’s ability to sustain air superiority in the decades ahead. As one might expect, the Chinese government has denied any complicity in these attacks. And it is doubtful, given how successful Chinese efforts have been, that even “blunt” talk by the president to the new Chinese leader, will have much effect on Chinese practices. The reality is, the Chinese government is engaged in a form of warfare—new to be sure in its technological aspects but not new in the sense that cyber attacks harm our relative military strength and damage the property (intellectual and proprietary) of citizens and companies alike. So far, the American government’s response has largely been defensive, either talking to the Chinese about establishing new, agreed-upon “rules of road” for cyberspace or working assiduously to perfect new security walls to protect government and key private sector computer systems. Although neither effort should be abandoned, they are no more likely to work than, say, before World War II, the Kellogg-Briand Pact could outlaw war and the Maginot Line could protect France from an invading Germany. This last point is especially important. 
When it comes to cyberspace, according to Cyber Command head and director of the National Security Agency, General Keith Alexander, those on the offensive side of the computer screen–that is, those hacking into or compromising computer systems–have the advantage over those on the defensive side who are trying to keep systems secure. Walls have always been breached and codes broken. Moreover, attempts to beef up security are complicated by the fact that our own cyber warriors are undoubtedly reluctant to provide those charged with protecting systems here at home with the latest in their own capabilities. In addition to increasing the chance such information might leak by expanding the number of persons in the know, efforts to use that information to plug our own vulnerabilities can inadvertently alert a potential adversary on the very backdoors American would want to save for using in a future crisis or conflict. All of which leads to the conclusion that to stem the tide of harmful cyber attacks by the Chinese (or, for that matter, Iran, Russia or North Korea), there has to be a cyber response on America’s part that deters continued cyber aggression. Reprisals that are proportionate, in self-defense and designed to stop others from such behavior fall well within the bounds of international law as traditionally understood. Nor is it the case that such reprisals should be limited to responding to government-on-government cyber attacks. The U.S. government has always understood that it has an affirmative duty to protect the lives and property of its citizens from foreign aggression and, in times both past and current, this has meant using American military might. That need not be the case here, however. Indeed, one advantage of the cyber realm is the wide variety of options it offers up for reprisal that can inflict economic harm without causing loss of life or limb. The good news is that the U.S. government has been gradually beefing up its offensive cyber capabilities. Indeed, a little over a month ago in open testimony before the House Armed Services Committee, Gen. Alexander said that he created thirteen new teams that would go on the offensive if the nation were hit by a major cyber attack. And new reports coming out of the Pentagon indicate that the Joint Chiefs would like to empower geographic combatant commanders to counter cyber attacks with offensive cyber operations of their own. These are necessary steps if we hope to create a deterrent to Chinese cyber aggression; however, they are not sufficient. The threat posed by China’s army of cyber “guerrillas” is constant, is directed at both the U.S. government and the private sector, and ranges from the annoying to the deadly serious. A truly adequate response would require meeting the Chinese challenge on all these fronts. And no amount of summitry between the American and Chinese leaders is likely to substitute for the cold, hard fact that, when it comes to Chinese misbehavior, upping the cost to Beijing is a necessary first step to reclaiming the peaceful potential of the newest of the “great commons,” cyberspace.
internal link/impact – korea war
Credible cyberdefensive posture gives the US coercive leverage to deescalate North Korean nuclear brinksmanship --- speed is key
Libicki 13 [Martin C., Senior Management Scientist @ RAND and adjunct fellow @ Georgetown’s Center for Security Studies, 2013, “Brandishing Cyberattack Capabilities,” RAND, http://www.rand.org/pubs/research_reports/RR175.html] //khirn
Our inquiry is therefore more humble. Could a U.S. threat that it might interfere with a rogue state’s nuclear weapon delivery help shape a nuclear confrontation? For this question, assume a rogue nuclear power with a handful of weapons capable of hitting nearby countries (but generally incapable of hitting the continental United States). The United States has a robust cyberattack capability (in general terms), from which the rogue state’s nuclear arsenal is not provably immune. Although the United States enjoys escalation dominance, the rogue state is far more willing to go to the nuclear brink than the United States is. The rogue state (thinks it) has more at stake (i.e., regime survival). Furthermore, it may act in ways that are irrational by Western perspectives. We first model a two-state confrontation, then later introduce a friendly state on whose behalf the United States has intervened. The United States enters this scenario facing the choice of acting when doing so risks the rogue state releasing a nuclear weapon. Whether the threat is explicit or implicit is secondary. The usual calculus applies. The rogue state is better off if its threat leads the United States to stop. The United States is better off ignoring the threat and going ahead with what it would have done in the absence of the threat if the threat can be nullified but cannot know that it will be for certain. The rogue state understands that if it does use nuclear weapons, it could face great retaliation.1 If the United States acts (successfully) in the face of warning and if the rogue state does not use nuclear weapons, the United States achieves its objectives and wins the overall confrontation.2 If the United States flinches, the rogue state wins. 
If the rogue state uses its nuclear weapons and if, as is likely, the United States responds likewise, the rogue state loses greatly, but the United States is also far worse off.3 Two-Party Confrontations In a confrontation in which disaster would result from both sides carrying out their threats, each must ask: Are such threats credible? If one side thinks the other will yield, it pays to stand firm. If it thinks, however, that the other is implacable, it may have no good choice but to yield itself. The projection of implacability is beneficial, but the reality of implacability is frequently suicidal. Note that the basis for the implacability can also be entirely subjective, which is to say, unfounded on the facts of the matter. If one party is convinced that it will never pay a high price for being implacable, communicates as much, and acts as if it were so, the other cannot take any comfort from the fact that the first has no technical basis for the belief. The only consideration is whether the first party actually believes as much, is willing to act accordingly, and can ignore the logic that whispers that no one can possibly be completely confident on the basis of iffy information. To one party, the willingness to act on the basis of the impossible seems like cheating. To use an analogy, imagine a game of “chicken” in which the driver of one of the two oncoming cars throws the steering wheel out the window. This cheat forces the opponent to choose between a certain crash or veering away (and thus losing). However, when the consequences of a crash are far greater than the benefits of winning, this strategy is irrational if there is a nontrivial likelihood that the other side will be intent on punishing cheaters at the cost of all other values. In the analogy, the second driver might rather crash than lose to a cheater.4 But in general, a strategy of implacability, can, if credible, do well, as long as the other side is not equally implacable. 
So, the United States creates the belief (whether by saying so, hinting, or letting others draw their own conclusion) that the rogue state cannot carry out its nuclear threat. That is, the United States acts as though a flaw somewhere in the nuclear command-and-control cycle, probably an induced flaw, prevents immediate nuclear use. A lesser case is that the command and control is less certain, the weapon is weaker, and/or the delivery system is far less accurate than feared.5 Although permanently disabling a nuclear command-and-control system is quite a stretch for cyberwar, it is less fantastic to imagine that the United States could delay a weapon’s use. A temporary advantage, though, may still give the United States time to cross the red line and thereby attain a fait accompli. So posturing, the United States prepares to cross the red line, while communicating its confidence that the rogue state will not retaliate. This confidence stems from a combination of its own nuclear deterrence capability plus its ability to confound the rogue state’s nuclear capability: The rogue nuclear state probably will not decide to retaliate, and if it did decide to, probably cannot retaliate. The combination, in this case, is what reduces the odds of a nuclear response to a sufficiently low level, if the rogue state is at all rational. Even if it later assures itself and others that its nuclear capacity is intact, but the United States has already acted, the onus then falls on the rogue nuclear state to respond to what could well be a done deal. If the rogue state understands the logic before brandishing its own nuclear weapons, it may choose not to ratchet up tensions in advance of the U.S. crossing red lines.
impact – china war
US-China tensions are rising – makes conflict and miscalc likely
Zenko 14 [Micah, Douglas Dillon Fellow – Council on Foreign Relations, “How to Avoid a Naval War With China,” Foreign Policy, 3-24, http://www.foreignpolicy.com/articles/2014/03/24/how_to_avoid_a_naval_war_with_china] //khirn
War between the United States and China is not preordained. But tensions are high, especially in the fiercely contested waters of the East and South China seas -- and even further into the Pacific. Communication is the best medicine: the United States should be explicit with what it needs to know about China's behavior in the waters near its coast. Unfortunately, the intentions and supporting doctrine for Beijing's growing naval capabilities are unclear, specifically regarding disputes with China's Exclusive Economic Zone (EEZ). Most countries, including the United States, agree that territorial waters extend 12 nautical miles from a nation's coastline, while EEZs extend much further -- usually up to 200 nautical miles. There is also consensus that while the United Nations Convention on the Law of the Sea (UNCLOS) established EEZs as a feature of international law and gives coastal states the right to regulate economic activities within them, it does not provide coastal states the right to regulate foreign military activities in their EEZs beyond their 12-nautical-mile territorial waters. However, China and some other countries like North Korea interpret UNCLOS as giving coastal states the right to regulate all economic and foreign military activities within their EEZs. There are numerous international agreements that regulate interactions at sea. The United States and Soviet Union signed the Incidents at Sea Agreement (INCSEA) in 1972 after Soviet warships collided with a U.S. destroyer. While INCSEA allowed for U.S. and Russian commanders to communicate directly, and ultimately avoid an escalation of force between warships, it really functioned as a stopgap between the 1972 signature and 1977 implementation of the International Regulations for Preventing Collisions at Sea (COLREGS). 
And while the 2000 Code for Unalerted Encounters at Sea (CUES) is not an international agreement or legally binding, it does offer safety measures and procedures, and a means to limit mutual interference and uncertainty when warships, submarines, public vessels, or naval aircraft are in close proximity. The fundamental difference of interpretation between China and most of the world exists on parts IV (archipelagic states) and V (EEZ) of the UNCLOS. The disagreement between China and the United States centers on three issues: First, China asserts that military activities in the EEZ are subject to coastal state approval. Second, excessive maritime claims of territorial sovereignty are a significant sticking point between China and many other nations operating in the East China Sea and the South China Sea. And third, China's demarcation line in the South China Sea, commonly referred to as the "nine-dashed line," is nebulous and defined as neither a territorial sea nor EEZ. Beijing appears to purposefully leave this description vague. Until China agrees that its EEZ is not to be treated as territorial waters, COLREGS, CUES, and any INCSEA-like agreement offers only a partial solution to avoiding dangerous interactions on the high seas. While there are a growing number of U.S.-China military exchanges among senior uniformed officers, these efforts must be bolstered by China's willingness to operate appropriately within their EEZ, thus helping to prevent conflict at sea. The United States and China must also agree that all of its government-controlled ships, including those of the State Oceanic Administration (SOA) and Fisheries Law Enforcement Command (FLEC), must operate in accordance with COLREGS and CUES, because many encounters between the United States and China -- outside China's territorial waters but within its EEZ -- have been between U.S. ships and those of the FLEC and SOA. 
The United States could be drawn into a conflict over a territorial dispute involving China, especially since the United States has bilateral defense treaties with Japan and the Philippines. Clear and unambiguous understanding of expected actions in the EEZs by China and the United States has both near and long-term implications. The immediate effect could be safer, more professional, and more respected interactions between Chinese and non-Chinese ships. Clearly agreed upon interpretations of what are appropriate actions within this body of water would immediately improve transparency and predictability, and hopefully prevent military conflict. In the longer-term, this effort could serve as a springboard to resolving other U.S.-China diplomatic, military, and economic issues.
High risk of China war—no defense
Miller 11 [Paul, assistant professor of international security studies at National Defense University, December 16, 2011, Foreign Affairs, http://shadow.foreignpolicy.com/posts/2011/12/16/how_dangerous_is_the_world_part_ii] //khirn
China in 2011 is even more clearly a danger equal to or greater than the danger it posed during the Cold War. We went through two phases with China: from 1950 to 1972 the United States and China were declared enemies and fought to a very bloody stalemate in the Sino-America battles of the Korean War, but the overt hostility was less dangerous because of China's crippling economic weakness. From 1972 to 1989, the U.S. and China lessened their hostility considerably, but China's power also began to grow quickly as it liberalized its economy and modernized its armed forces. In other words, in phase one, China was hostile but weak; in phase two, more friendly but also more powerful. We have never faced a China that was both powerful and hostile.
That is exactly the scenario that may be shaping up. China's economic and military modernization has clearly made it one of the great powers of the world today, including nuclear weapons, a ballistic-missile capability, and aspirations for a blue-water navy. At the same time, Chinese policymakers, like their Russian counterparts, continue to talk openly about their intent to oppose American unipolarity, revise the global order, and command a greater share of global prestige and influence. There are several flashpoints where their revisionist aims might lead to conflict: Taiwan, the Korean Peninsula, the South China Sea, etc. And U.S. relations with China are prone to regular downward spikes (as during the Tiananmen Square Massacre in 1989, the 1996 cross-straits crisis, the accidental embassy bombing in 1999, the EP3 incident in 2001, the anti-satellite missile test in 2007, and the current trade and currency dispute, to say nothing of our annual weapons sales to Taiwan). A militarized conflict with China is more likely today, with greater consequences, than at almost any point since the Korean War.
Small conflicts with China could escalate into a nuclear conflict – err on the side of caution
Fisher 11 [Max, Associate Editor at the Atlantic, Editor of the International Channel, “5 Most Likely Ways the US and China Could Spark Accidental Nuclear War”] //khirn
There's a near-infinite number of small-scale conflicts that could come up between the U.S. and China, and though none of them should escalate any higher than a few tough words between diplomats, it's the unpredictable events that are the most dangerous. In 1983 alone, the U.S. and Soviet Union almost went to war twice over bizarre and unforeseeable events. In September, the Soviet Union shot down a Korean airliner it mistook for a spy plane; first Soviet officials feared the U.S. had manufactured the incident as an excuse to start a war, then they refused to admit their error, nearly pushing the U.S. to actually start war. Two months later, Soviet spies misread an elaborate U.S. wargame (which the U.S. had unwisely kept secret) as preparations for an unannounced nuclear hit on Moscow, nearly leading them to launch a preemptive strike. In both cases, one of the things that ultimately diverted disaster was the fact that both sides clearly understood the others' red lines -- as long as they didn't cross them, they could remain confident there would be no nuclear war. But the U.S. and China have not yet clarified their red lines for nuclear strikes. The kinds of bizarre, freak accidents that the U.S. and Soviet Union barely survived in 1983 might well bring today's two Pacific powers into conflict -- unless, of course, they can clarify their rules. Of the many ways that the U.S. and China could stumble into the nightmare scenario that neither wants, here are five of the most likely. Any one of these appears to be extremely unlikely in today's
at: cyberdefense
Cyber defense methods are insufficient to combat zero day vulnerabilities
Averbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow, head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 45-46, May 2013, < http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchen
The classic defense methods employed throughout the world in recent decades are proving unsuccessful in halting modern malware attacks that exploit unknown (and therefore still unsolved) security breaches called “zero-day vulnerabilities.” Viruses, worms, backdoor, and Trojan horses (remote management/access tools – RATs) are some examples of these attacks on the computers and communications networks of large enterprises and providers of essential and critical infrastructure and services. The classic defense methods, which include firewall-based software and hardware tools, signatures and rules, antivirus software, content filters, intruder detection systems (IDS), and the like, have completely failed to defend against unknown threats such as those based on zero-day vulnerabilities or new threats. These sophisticated and stealth threats impersonate reliable and legal information and data in the system, and as a result, the classic defense methods do not provide the necessary defense solution. The current defensive systems usually protect against known attacks, creating heuristic solutions based on known signatures and analysis that are already known attacks, but they are useless against the increasing number of unfamiliar attacks that lack any signature.
Cyber defense fails for both broadcast and targeted attacks
Averbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow, head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 47-48, May 2013, < http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchen
The realm of attack in cyberspace can be divided into two types of attacks that exploit numerous weaknesses, including zero-day vulnerabilities:
a. Broadcast attacks are attacks that try to damage computers indiscriminately. They also feature extensive infection of software agents in order to create an entire network of computers (Botnet), with the aim of making these computers execute independent commands at a later stage or retrieve commands from a control server. As noted above, when information about new threats reaches the antivirus companies, they identify the signature or investigate them heuristically. By means of regular updates, the computers can be protected against these attacks. Given the extensive target community, the information about such threats will undoubtedly reach the relevant companies rapidly and be inserted into future versions of their products. In some cases, the goal of an attack of this kind is to reach a large number of computers – for example, employees (in the case of an attack against an organizational network) or customers (in the case of an attack against a financial institution, an attempt to steal credit cards via the internet, and so on). After the computer is infected, a Trojan horse is installed on it, making it possible to steal information or access the computer from a remote location. These attacks include various types of malicious code, even codes that vary from one infection to another in order to render identification through a signature more difficult (polymorphic viruses). There is still no complete defense since Trojan horse developers regularly check whether the antivirus software programs have already identified the hostile code and created the signature or group of heuristic rules to intercept it. In most cases, if the detection systems manage to identify the hostile code, the developers change the way it spreads or the way it operates in order to prevent its detection. In this way, many Trojan horses consistently succeed in evading detection by the leading defensive software.
b. Targeted attacks are planned especially for a specific need, and exploit unknown weaknesses in the operating systems or widely known software packages while independently spotting new weaknesses. The vast majority of antivirus software, which is by nature based on signature defense, is incapable of identifying and preventing this type of attack, and the limited target community enables such attacks to evade the “radar” of antivirus manufacturers. It should be noted that threats are rapidly developing in the direction of focused attacks on high caliber targets.
Cyber defense can’t detect unknown threats, malware appears to be legal, and operating systems can’t deal with multiple types of attacks
Averbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow, head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 48-49, May 2013, < http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchen
The quantity of malware successfully penetrating all the existing defense systems and overcoming all the signature and rule-based classic defenses is increasing by leaps and bounds. The rate of increase has been in the three-digit percentages from 2011 until the present time. The existing systems are based mainly on preventing and thwarting known threats through the use of signatures and rules that are known in advance. Having no known signature at any given moment, these systems cannot detect zero-day attacks. They also find it difficult to identify Trojan horses and backdoors, and many sophisticated stealth attacks have no known signatures. Because they appear to be legal data and code, and do not look like malware, they can penetrate almost any computer system. The attacks succeed in penetrating organizational networks and end-user computers despite all the defense systems; this is attributable to the fact that the initial appearance and behavior of the malware appears to be legal and proper. Furthermore, most of today’s operating systems are built to handle a certain kind of attack, and are unable to deal with a broad range of attacks with mutations and secondary attacks.
at: cyberoffense bad
Cyber offense prevents cyber war
Harris 13 [Chandler, “Hacking for Change – Could Revealing Cyber Capabilities Prevent Cyber War?” 6/26/13 < http://news.clearancejobs.com/2013/06/26/hacking-for-changing-could-revealing-cyber-capabilities-prevent-cyber-war/>]//eugchen
Revealing the capabilities of the U.S. nuclear arsenal is a key part of the U.S. nuclear deterrence strategy. So when it comes to the U.S. cyber warfare capabilities, the same tactic could be used to deter cyber war, claims a new paper by the Rand Corporation. Offensive cyber operations may be a legitimate deterrence strategy. The paper, Brandishing Cyberattack Capabilities, was prepared for the Office of the Secretary of Defense, and seeks to identify if demonstrations, or “brandishing” cyberwar capabilities, serve as effective deterrents to a potential cyber war. The paper says that brandishing cyberattack capabilities would accomplish three things: declare a capability, suggest the possibility of its use in a particular circumstance, and indicate that such use would really hurt. “The most obvious way to demonstrate the ability to hack into an enemy’s system is to actually do it, leave a calling card, and hope it is passed forward to national decision-makers,” the report says. “This should force the target to recalculate its correlation of forces against the attacker.” “Advertising” cyberwar capabilities may be helpful as a backup a deterrence strategy by dissuading other countries from performing harmful activities. Plus, it could limit a country’s confidence in the reliability of its information, command and control, or weapon systems, the paper says.
at: deterrence impossible
Deterrence is possible – but only with decision-making flexibility
Alperovitch 11 [Dmitri, “Towards Establishment of Cyberspace Deterrence Strategy,” 2011, 3rd International Conference on Cyber Conflict, http://www.ccdcoe.org/publications/2011proceedings/TowardsEstablishmentOfCyberstapeDeterrenceStrategy-Alperovitch.pdf] //khirn
Advanced defensive tactics, technologies and highly trained personnel will contribute to the shrinking of the detection and classification gap. Separation of defensive and offensive resources, such as storage of offensive cyberweapons in offline locations which are less vulnerable to virtual targeting and distributing the retaliatory information systems and networks across wide virtual and physical space will help to build credible resilience to the counter-strike force. This can reduce the reliance on rapid detection and classification of inbound attack by providing the means for the decision makers to retaliate even after suffering a devastating first strike, minimizing the chance that the adversary can count on taking out all of the counter-strike assets in a single attack. Second, is the need to preserve a rapid C2 decision-making and execution of a counter-strike option when facing a devastating cyber attack. This can be accomplished by preserving the resiliency and integrity of command chain communications by instituting or preserving offline communications channels that are less likely to be impacted by cyber attacks, such as dedicated traditional secure POTS (plain old telephone service) lines and encrypted radio and satellite communications that are physically separated from virtual networks which can carry attack codes. Third, the counter-strike itself must be capable of instituting devastating damage on the attacker’s own virtual and physical infrastructure to make the first-strike prohibitively expensive. Limited public demonstrations of cyber offensive capabilities can serve a useful purpose in alerting potential opponents to what they may face should they decide to attack. 
However, this part of the deterrence equation presents the biggest challenge to developed nation-states with advanced cyber defensive and offensive capabilities but who face developing nation-state adversaries with dangerous offensive cyber weapons but are themselves not reliant on cyberspace for their national economic or military interests. It is hard to cause prohibitively devastating damage on your opponent through cyber means alone if his vital infrastructure is completely disconnected from the network. This problem presents a serious conundrum to policy makers, who face the unappealing choice of rising up the escalatory ladder and retaliating with conventional or perhaps even nuclear weapons in response to a cyber-only attack, in the process risking violations of international norms of proportional response, or absorbing the attack without a response and looking weak to their enemies, friends and populations alike. Yet, while this is a significant unresolved policy problem today, it is reasonable to expect that its consequences will lessen with time, as more and more developing countries rapidly increase their reliance on cyberspace in order to reap the economic, efficiency and force-multiplier benefits it affords.
at: deterrence doesn’t apply to cyber
Deterrence is a state of mind – making our capabilities appear more robust linearly decreases the chances of use
Beidleman 9 [Lieutenant Colonel Scott W., Director, Development Planning, Space and Missile Systems Center (SMC) Los Angeles Air Force Base, California, January 6, 2009, “Defining and Deterring Cyber War,” Strategy Research Project] //khirn
In general, deterrence is a state of mind. It is the concept of one state influencing another state to choose not to do something that would conflict with the interests of the influencing state. Similarly, the central idea of deterrence from the perspective of the Department of Defense is “to decisively influence the adversary’s decision-making calculus in order to prevent hostile actions against U.S. vital interests.” Deterred states decide not to take certain actions because they perceive or fear that such actions would produce intolerable consequences. The idea of influencing states’ decisions assumes that states are rational actors “willing to weigh the perceived costs of an action against the perceived benefits, and to choose a course of action” logically based on “some reasonable cost-benefit ratio.” Thus the efficacy of cyber deterrence relies on the ability to impose or raise costs and to deny or lower benefits related to cyber attack in a state’s decision-making calculus. Credible cyber deterrence is also dependent on a state’s willingness to use these abilities and a potential aggressor’s awareness that these abilities, and the will to use them, exist. While a state’s ability to deter cyber attacks is a subset of its overarching defense strategy comprised of all instruments of national power, this paper focuses on states’ actions to deter cyber attack within the cyberspace domain. Effective cyber deterrence in cyberspace will employ a comprehensive scheme of offensive and defensive cyber capabilities supported by a robust international legal framework. Offensive capabilities are the primary tools used to impose or raise costs in deterrence. Offensive cyber capabilities and operations provide a state the means and ways for retaliation and enhance the perceived probability that aggressors will pay severely for their actions. A more robust capability translates to a more credible imposition of costs. Until recently, U.S. efforts to develop offensive cyber capabilities have lagged efforts on the defensive side. The daily onslaught of attacks on U.S. networks, coupled with the likelihood that potential U.S. adversaries will be less dependent on electronic networks than the U.S., has prioritized intelligence gathering and defending U.S. capabilities over disrupting enemy capabilities.
And, deterrence is the only way to solve
Schreier 12 [Fred, consultant for the DCAF, a retired colonel, has served in various command and general staff positions and in different functions in the Swiss Ministry of Defense as a senior civil servant, “On Cyberwarfare,” DCAF Horizon, 2015 Working Paper Series, The Geneva Centre for the Democratic Control of Armed Forces (DCAF) is one of the world’s leading institutions in the areas of security sector reform and security sector governance] //khirn
Nonetheless, cyber attacks loom on the horizon as a threat that is best understood as an extraordinary means to a wide variety of political and military ends, many of which can have serious national security ramifications. For example, computer hacking can be used to steal offensive weapons technologies, including weapons of mass destruction technology. Or it could be used to render adversary defenses inoperable during a conventional military attack. As long as secure passive cyber defense is impossible, deterrence seems the only feasible path. In that light, attempting proactively to deter cyber attacks may become an essential part of national strategy. However, deterrence is pointless without attribution. Attribution means knowing who is attacking you, and being able to respond appropriately against the actual place that the attack is originating from. Attribution as it relates to cyber warfare is also defined as “determining the identity or location of an attacker or an attacker’s intermediary.” In the case of a cyber attack, an attacker’s identity may be a name or an account number, and a location may be a physical address or a virtual location such as an IP address. But if retaliation does not hit the attacker, he will not be deterred. And it is of legal importance as well. Retaliation against the wrong actor is unjust and a crime of war. Thus attribution is a necessary condition for the law of war. An attacker has to be identified and, to make it an armed attack and not just a criminal act, the attacker has to be a state actor or those acting on behalf of a state. At the level of the nation-state, there are two possible deterrence strategies: denial and punishment.
at: deterrence fails (attribution)
Deterrence via attribution is effective – actual threats will self report
Glaser 11 [Charles L., Professor of Political Science and International Affairs Elliot School of International Affairs, George Washington University, “Deterrence of Cyber Attacks and U.S. National Security,” Report GW-CSPRI-2011-5, June 1, 2011, http://www.offnews.info/downloads/2011-5CyberDeterrenceGlaser.pdf] //khirn
Many experts are quite pessimistic about the feasibility of attribution. For example, William Lynn, the U.S. Deputy Secretary of Defense recently wrote, “The forensic work necessary to identify an attacker may take months, if identification is possible at all.” Richard Clarke reports that a leading group of cyber experts concluded that it is “fruitless” to try to attribute the source of cyber attacks. This view, however, may exaggerate the attribution problem by overlooking either the purposes of the attacker or the scenario in which the attack occurs. A state that launches a “countervalue” attack against the United States’ economic infrastructure, economy and/or society is likely to have a political purpose. Possible purposes could include compelling the United States to make political concessions during a crisis before a war starts, compelling the United States to stop fighting a war, and reducing the U.S. ability to fight a war by weakening its economy and industrial infrastructure. For these compelling threats to be effective, the state would have to make demands and spell out its threat. In addition, it would have to provide the United States with some confidence that attacks would stop if the United States meets that attacker’s demands. These communication requirements would largely eliminate the attribution problem. For the scenario of attacking to weaken the U.S. ability to fight, the country the United States was fighting would be immediately identified as the likely suspect; the possibility that the United States would likely come to this conclusion could be sufficient to deter the adversary’s cyber attack. Alternatively, the attacker might not be deterred because the costs of U.S. retaliation were not large compared to the costs of the on-going war; but in this case the failure of deterrence would not result from the attribution problem but instead from the size of the retaliatory costs the United States was threatening. Of course, actors that lack political objectives are not covered by this argument. Terrorist groups are therefore a natural concern, as they are often viewed as motivated simply by the desire to damage the United States. A very different perspective disagrees, however, arguing that terrorist groups, including al Qaeda, are motivated by political goals and use terror attacks as a means to achieve their political ends. The attribution issue for “counterforce” attacks—those directed against U.S. capabilities—is quite different, but may be even less of a problem than with counter value attacks launched by states. This type of attack is most likely to occur during a crisis or war, with the adversary employing the cyber attack to gain a military advantage. Attribution will likely not be a problem, because the United States will know which state it is involved within a conflict. This is not to say that deterring this type of attack will not be difficult; it might be for reasons other than attribution. This is a separate issue that we deal with briefly below. If this is the case, a terrorist group will find itself facing communication requirements that are not unlike those facing states. A terrorist group might be hard to deter by retaliation because there are no good targets to hit in retaliation, and almost certainly no important cyber targets, but again the difficulty of deterrence would not result from attribution problems, but the more familiar problem of threatening attacks that would inflict sufficiently high costs on a terrorist group. Another type of actor that might be of concern here are hackers who are motivated by the technical challenge of undermining U.S. cyber systems and not by political objectives.
All of this said, the difficulty of attribution does create a variety of potential dangers. One possibility is dangerous mischief: a third party—country, terrorist group, or hacker—could launch a cyber attack against the United States while it was involved in a crisis or war with another state. Based on the logic sketched above, this could lead to misattribution, because the United States’ first inclination would likely be to attribute the attack to the country it was already fighting. Consequently, the third party could use such an attack to generate escalation in the on-going conflict, with the goal of increasing the damage that the United States and/or its adversary would suffer. Another problem is that the inability to attribute attacks undermines the U.S. ability to deter (and otherwise respond) to much lower level cyber attacks, including data stealing, espionage, and disruption of commerce. At a minimum, attribution would enable the United States to try to deter these types of attacks by promising to pursue legal actions. But for the most part, these types of attacks do not threaten vital U.S. national security interests, so from a security perspective the attribution problem does not generate large risks.
at: no retaliation
Retaliation can happen
Cushing 14 (Seychelle, Cushing, SFU Vice President of Research, November 11th 2014, “Leveraging Information as Power: America’s Pursuit of Cyber Security”, Simon Fraser University Summit Institutional Repository, http://summit.sfu.ca/item/14703, CE)
If the United States revealed what retaliation would look like in cyberspace, it would, in effect, expose part of its cyber capabilities. One of China’s longest intrusions, taking place over the better part of a decade, was within America’s military networks and systems. Information on American weapons systems and other military technology was accessed according to a classified Defense Science Board report. Assume for a moment that the United States makes its retaliation strategy explicit. For every instance of Chinese infiltration into Department of Defense networks to steal information, for example, the US will hack back into Chinese military networks to deny access to information. In this theoretical example, public disclosure reveals two things about American capabilities: (1) that it has access to Chinese military networks and, (2) that it has the capability to launch availability attacks. In doing so, the United States has essentially told the Chinese what part of its cyber capabilities are and the extent of penetration into Chinese networks. With this knowledge, the Chinese could shore up their networks and create better cyber strikes to circumvent an American retaliatory response. American disclosure thus limits the usefulness of such retaliatory capabilities in the future.
at: other agencies solve
NSA is the only agency that can solve
McConnell 10 [Mike McConnell was the director of the National Security Agency in the Clinton administration and the director of national intelligence during President George W. Bush's second term. A retired Navy vice admiral, he is executive vice president of Booz Allen Hamilton, which consults on cybersecurity for the private and public sector. 2/28/10, “Mike McConnell on How to Win the Cyber War We’re Losing” http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html] //khirn
There are many organizations (including al-Qaeda) that are not motivated by greed, as with criminal organizations, or a desire for geopolitical advantage, as with many states. Rather, their worldview seeks to destroy the systems of global commerce, trade and travel that are undergirded by our cyber-infrastructure. So deterrence is not enough; preemptive strategies might be required before such adversaries launch a devastating cyber-attack. We preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks, and by creating a more resilient cyberspace that can absorb attacks and quickly recover. To this end, we must hammer out a consensus on how to best harness the capabilities of the National Security Agency, which I had the privilege to lead from 1992 to 1996. The NSA is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies. The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private -- and classified to unclassified -- to protect the nation's critical infrastructure.
at: transparency solves war
Disclosing posture fails – encourages enflaming arms races
Goldsmith 11 [Jack, Professor, Harvard Law, “General Cartwright on Offensive Cyber Weapons and Deterrence,” Nov 8, 2011, http://www.lawfareblog.com/2011/11/general-cartwright-on-offensive-cyber-weapons-and-deterrence/] //khirn
One cannot read too much into snippets of an interview, but of course matters are more complex than this. First, talking about offensive cyber-capabilities is a tricky business. Merely talking about the weapons in general terms, without revealing and perhaps demonstrating their capabilities, cannot advance deterrence very much. But on the other hand, too much detail about what the weapons can do make it easier, and potentially very easy, for adversaries to defend against these weapons by (among other things) closing the vulnerabilities that the weapons exploit. Moreover, openly demonstrating or even discussing cyber capabilities would further enflame the cyber arms race in ways that might be self-defeating. Second, revealing the circumstances in which these weapons will be used might invite infiltrations just short of those circumstances. “As soon as you declare a red line, you’re essentially telling people that everything up to that line is OK,” noted former Pentagon official Eric Sterner in the Reuters story. Third, and to my mind most fundamental, revealing the weapons capabilities and the (possible) circumstances of their use will not go far toward establishing deterrence unless the United States can credibly commit to using the weapons. This, I think, is hard to do. The main threat today is cyber-exploitation (i.e. espionage, theft, copying) that does not violate international law and that would not warrant any use of force under international law. I have a hard time understanding how a law-sensitive DOD will credibly commit to ever using cyber-weapons, or kinetic weapons for that matter, in response to even the most devastating cyber-exploitations.
at: treaties solve
Legal restrictions will only constrain America – maintaining military control of OCO’s crucial to prevent global cyberwar
Baker 11 [Stewart, former official at the U.S. Department of Homeland Security and the National Security Agency, “Denial of Service,” Foreign Policy, Sept. 30, http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service] //khirn
American lawyers' attempts to limit the scope of cyberwar are just as certain to fail as FDR's limits on air war -- and perhaps more so. It's true that half a century of limited war has taught U.S. soldiers to operate under strict restraints, in part because winning hearts and minds has been a higher priority than destroying the enemy's infrastructure. But it's unwise to put too much faith in the notion that this change is permanent. Those wars were limited because the stakes were limited, at least for the United States. Observing limits had a cost, but one the country could afford. In a way, that was true for the Luftwaffe, too, at least at the start. They were on offense, and winning, after all. But when the British struck Berlin, the cost was suddenly too high. Germans didn't want law and diplomatic restraint; they wanted retribution -- an eye for an eye. When cyberwar comes to America and citizens start to die for lack of power, gas, and money, it's likely that they'll want the same. More likely, really, because Roosevelt's bargain was far stronger than any legal restraints we're likely to see on cyberwar. Roosevelt could count on a shared European horror at the aerial destruction of cities. The modern world has no such understanding -- indeed, no such shared horror -- regarding cyberwar. Quite the contrary. For some of America's potential adversaries, the idea that both sides in a conflict could lose their networked infrastructure holds no horror. For some, a conflict that reduces both countries to eating grass sounds like a contest they might be able to win. What's more, cheating is easy and strategically profitable. America's compliance will be enforced by all those lawyers. Its adversaries' compliance will be enforced by, well, by no one. It will be difficult, if not impossible, to find a return address on their cyberattacks. They can ignore the rules and say -- hell, they are saying -- "We're not carrying out cyberattacks. We're victims too. 
Maybe you're the attacker. Or maybe it's Anonymous. Where's your proof?" Even if all sides were genuinely committed to limiting cyberwar, as they were in 1939, history shows that it only takes a single error to break the legal limits forever. And error is inevitable. Bombs dropped by desperate pilots under fire go astray -- and so do cyberweapons. Stuxnet infected thousands of networks as it searched blindly for Iran's uranium-enrichment centrifuges. The infections lasted far longer than intended. Should we expect fewer errors from code drafted in the heat of battle and flung at hazard toward the enemy? Of course not. But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed. No one can welcome this conclusion, at least not in the United States. The country has advantages in traditional war that it lacks in cyberwar. Americans are not used to the idea that launching even small wars on distant continents may cause death and suffering at home. That is what drives the lawyers -- they hope to maintain the old world. But they're being driven down a dead end. If America wants to defend against the horrors of cyberwar, it needs first to face them, with the candor of a Stanley Baldwin. Then the country needs to charge its military strategists, not its lawyers, with constructing a cyberwar strategy for the world we live in, not the world we'd like to live in.