Cybersecurity
Authors: Amy Zegart
News Type: Commentary

 

The Trump administration’s National Cyber Strategy rests on a pair of convenient fictions.

 

I used to think we didn’t have enough strategic documents guiding U.S. cyber policy. Now I think we have at least one too many. In September, the Trump administration published a National Cyber Strategy—proudly declaring that it was the first fully articulated cyber strategy in 15 years. This week, the annual intelligence threat hearing laid bare the fantasy world of that four-month-old document and the cold hard reality of, well, reality.

The National Cyber Strategy paints an aspirational view of how the U.S. is doing in cyberspace and what we should do in the future. To be fair, aspirational isn’t all bad. Strategy documents need to inspire, not depress. And the strategy’s four pillars seem as unobjectionable as motherhood and apple pie: defending the homeland and America’s way of life; promoting American prosperity; preserving peace through strength; and advancing American interests. Who could argue with that? The best strategies articulate a future world, lay out a pathway to get there, generate new ideas, and align the disparate elements of government on a common path to succeed. Given how hard it is to keep the government lights on these days, getting on the same page about anything is a big deal.

Read the rest at The Atlantic.

 

 

Research Affiliate

Daniel Correa is a researcher at FSI where he leads the Technology and Public Policy Project. He previously helped shape science and technology policy for the Obama Administration for nearly four years, serving as Assistant Director for Innovation Policy at the White House Office of Science and Technology Policy. At the White House, Correa developed the Administration’s innovation strategy and led government-wide science and technology initiatives that invested hundreds of millions of dollars in government innovation, R&D commercialization, smart cities, entrepreneurship, and more.

Prior to joining the White House, Correa led development of technology, entrepreneurship, and innovation policy proposals at the Information Technology and Innovation Foundation, a Washington, D.C. think tank. He has also held the position of Kauffman Fellow in Law, Economics and Entrepreneurship at Yale Law School. He received a law degree from Yale Law School, a master’s degree in economics from Yale University, and a bachelor’s degree from Dartmouth College.

News Type: News

War is changing, and the U.S. military can now use cyber weapons as digital combat power.

When and how that’s done is the subject of a new book, Bytes, Bombs and Spies: The Strategic Dimensions of Offensive Cyber Capabilities, edited by Herb Lin and Amy Zegart at the Center for International Security and Cooperation and the Hoover Institution.

US military doctrine defines offensive cyber operations as operations intended to project power by the application of force in and through cyberspace. This is defined as actions that disrupt or destroy intended targets.

At a time when US cyber policy is taking a new direction, Bytes, Bombs and Spies is one of the first books to examine strategic dimensions of using offensive cyber operations. With chapters by leading scholars, topics include US cyber policy, deterrence and escalation dynamics, among other issues. Many of the experts conclude that research, scholarship, and more open discussion need to take place on the topics and concerns involved.

Lin and Zegart are senior research scholar and senior fellow, respectively, at Stanford’s Center for International Security and Cooperation. Max Smeets, a CISAC cybersecurity postdoctoral fellow, is also a contributor to the book.

Offensive cyber rising

Examples in recent years of offensive cyber usage include the Stuxnet computer virus that destroyed centrifuges in Iran and slowed that country’s attempt to build a nuclear weapon; cyber weapons employed against ISIS and its network-based command and control systems; and reported cyber incursions against North Korea’s ballistic missile system that caused launch failures.

“If recent history is any guide, the interest in using offensive cyber operations is likely to grow,” wrote Lin and Zegart.

One key issue is how to best respond to cyberattacks from abroad, such as the 2015 theft of millions of records from the Office of Personnel Management, the 2016 U.S. election hacking, and the 2017 WannaCry ransomware attack that affected computers worldwide, to name but a few. Those incidents have “provided strong signals to policymakers that offensive cyber operations are powerful instruments of statecraft for adversaries as well as for the United States,” Zegart and Lin wrote.

In September 2018, the White House reportedly issued a directive taking a more aggressive posture toward cyber deterrence. This measure allows the military to engage, without a lengthy approval process, in actions that fall below the “use of force” or a level that would cause death, destruction or significant economic effects. Also, US Cyber Command was elevated to an independent unified command, giving it more independence in conducting offensive cyber operations.

These new policy directions make it all the more imperative that offensive cyber weapons be researched, analyzed and better understood, wrote Lin and Zegart.

Conceptual thinking lags

The 438-page Bytes, Bombs and Spies includes 16 chapters by different authors. Topics include the role and nature of military intelligence, surveillance, and reconnaissance in cyberspace; how the United States should respond if an adversary employs cyberattacks to damage the U.S. homeland or weaken its military capabilities; a strategic assessment of the U.S. Cyber Command vision; and operational considerations for strategic offensive cyber planning, among others.

“Conceptual thinking,” Lin and Zegart noted, lags behind the technical development of cyber weapons. Some issues examined include:

• How might offensive cyber operations be used in coercion or conflict?

• What strategic considerations should guide their development and use?

• What intelligence capabilities are required for cyber weapons to be effective?

• How do escalation dynamics and deterrence work in cyberspace?

• What role does the private sector play?

Scholars at universities and think tanks need to conduct research on such topics, Zegart said. “Independent perspectives contribute to the overall body of useful knowledge on which policymakers can draw.”

In the chapter Lin wrote on “hacking a nation’s missile development program,” he noted that cyber sabotage relies on electronic access to various points in the life cycle of a missile, from its construction to ultimate use.

“For some points, access is really hard to obtain; in other points, it is easier.  Access can be technical (what might be obtained by hacking into a network) or human (what might be obtained by bribing or blackmailing a technician into inserting a USB thumb drive),” he said. 

One key, Lin said, is the availability of intelligence on the missile and the required infrastructure needed to fabricate, assemble, and launch the missile. 

“Precisely targeted offensive cyber operations generally require a great deal of detailed technical information, and such information is usually hard to obtain, especially if the missile program is operated by a closed authoritarian government that does not make available much information on anything,” he said.

Origins in cyber workshop

The idea for Bytes, Bombs and Spies originated from a 2016 research workshop led by Lin and Zegart through the Stanford Cyber Policy Program. That event brought together researchers from academia and think tanks as well as current and former policymakers in the Department of Defense (DoD) and U.S. Cyber Command.

“We organized the workshop for two reasons,” wrote Lin and Zegart. “First, it was already evident then—and is even more so now—that offensive cyber operations were becoming increasingly prominent in U.S. policy and international security more broadly. Second, despite the rising importance of offensive cyber operations, academics and analysts were paying much greater attention to cyber defense than to cyber offense.”

Herb Lin is the Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution and senior research scholar for cyber policy and security at the Center for International Security and Cooperation, a center of the Freeman Spogli Institute for International Studies.

Amy Zegart is the Davies Family Senior Fellow at the Hoover Institution, where she directs the Robert and Marion Oster National Security Affairs Fellows program. She is founder and co-director of the Stanford Cyber Policy Program, and senior fellow at the Center for International Security and Cooperation, a center of the Freeman Spogli Institute for International Studies.

Media Contacts

Clifton B. Parker, Hoover Institution: 650-498-5205, cbparker@stanford.edu
Authors: Herbert Lin
News Type: Commentary

In the cybersecurity field, the term “active defense” is often used in a variety of ways, referring to any activity undertaken outside the legitimate span of control of an organization being attacked; any non-cooperative, harmful or damaging activity undertaken outside such scope; or any proactive step taken inside or outside that span of control. As most Lawfare readers know, activities outside the legitimate span of control are quite controversial from a policy standpoint, as they can implicate the Computer Fraud and Abuse Act, or CFAA, which criminalizes both gaining access to computers without authorization as well as exceeding authorized access.

This logic suggests to many that “hacking back”—which might well be defined as a counter-cyberattack on an attacker’s computer—would violate the CFAA. That is, even if A gains unauthorized access to B’s computer, any action taken by B on A’s computer would violate the CFAA since A would not have given B authorization for access. This article will offer some technical commentary on the implications of interpreting the CFAA that way.

Read the rest at Lawfare

 


Offensive cyber operations have become increasingly important elements of U.S. national security policy. From the deployment of Stuxnet to disrupt Iranian centrifuges to the possible use of cyber methods against North Korean ballistic missile launches, the prominence of offensive cyber capabilities as instruments of national power continues to grow. Yet conceptual thinking lags behind the technical development of these new weapons. How might offensive cyber operations be used in coercion or conflict? What strategic considerations should guide their development and use? What intelligence capabilities are required for cyber weapons to be effective? How do escalation dynamics and deterrence work in cyberspace? What role does the private sector play?

In this volume, edited by Herbert Lin and Amy Zegart—co-directors of the Stanford Cyber Policy Program—leading scholars and practitioners explore these and other vital questions about the strategic uses of offensive cyber operations. The contributions to this groundbreaking volume address the key technical, political, psychological, and legal dimensions of the fast-changing strategic landscape.

 

ABOUT THE EDITORS

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. He is chief scientist emeritus for the Computer Science and Telecommunications Board at the National Academies. He served on President Barack Obama’s Commission on Enhancing National Cybersecurity.

 

Dr. Amy Zegart is the Davies Family Senior Fellow at the Hoover Institution, senior fellow at the Center for International Security and Cooperation, and professor of political science, by courtesy, at Stanford University. Her previous books include Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity, with Condoleezza Rice; and Spying Blind: The CIA, the FBI, and the Origins of 9/11.

 

ABOUT THE EDITORS

Dr. Sameer Bhalotra is the Co-founder & Executive Chairman of StackRox, and is a CISAC affiliate. He is also affiliated with the Center for Strategic and International Studies (CSIS), UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), and Harvard University’s Kennedy School of Government. He previously worked in cybersecurity at Google and as COO at Impermium (acquired by Google). In government, he served as Senior Director for Cybersecurity on the National Security Council staff at the White House, Cybersecurity & Technology Lead for the Senate Select Committee on Intelligence, and in various roles in the Intelligence Community.

 

Herb Lin & Amy Zegart Stanford University
Authors: Amy Zegart
News Type: Commentary

Closing the gap between technology leaders and policy makers will require a radically different approach from the defense establishment.

A silent divide is weakening America’s national security, and it has nothing to do with President Donald Trump or party polarization. It’s the growing gulf between the tech community in Silicon Valley and the policy-making community in Washington.

Beyond all the acrimonious headlines, Democrats and Republicans share a growing alarm over the return of great-power conflict. China and Russia are challenging American interests, alliances, and values—through territorial aggression; strong-arm tactics and unfair practices in global trade; cyber theft and information warfare; and massive military buildups in new weapons systems such as Russia’s “Satan 2” nuclear long-range missile, China’s autonomous weapons, and satellite-killing capabilities to destroy our communications and imagery systems in space. Since Trump took office, huge bipartisan majorities in Congress have passed tough sanctions against Russia, sweeping reforms to scrutinize and block Chinese investments in sensitive American technology industries, and record defense-budget increases. You know something’s big when senators like the liberal Ron Wyden and the

In Washington, alarm bells are ringing. Here in Silicon Valley, not so much. “Ask people to finish the sentence, ‘China is a ____ of the United States,’” said the former National Economic Council chairman Keith Hennessey. “Policy makers from both parties are likely to answer with ‘competitor,’ ‘strategic rival,’ or even ‘adversary,’ while Silicon Valley leaders will probably tell you China is a ‘supplier,’ ‘investor,’ and especially ‘potential market.’”

Read the rest at The Atlantic.

 

 

Authors: Herbert Lin
News Type: Commentary

The new U.S. Cyber Command (USCYBERCOM) vision and the Department of Defense Cyber Strategy embody a fundamental reorientation in strategic thinking.

With the publication of these documents, as well as the 2017 National Security Strategy and the 2018 National Defense Strategy, there is a general conception among experts that the U.S. has, for the first time, articulated a strategy that truly appreciates the unique “symptoms” of cyberspace. The documents recognize that there is a new structural set of dynamics associated with the new domain of cyberspace that has incentivized a new approach to power competition—in particular, that hostile or adversarial behavior below the threshold of armed attack could nevertheless be strategically meaningful (that is, change the balance of power).

Yet most cyber experts have also argued that the ‘medicine’ prescribed by the Defense Department and USCYBERCOM should be further scrutinized. Indeed, the side effects of the strategy of “persistent engagement” and “defense forward” are still ill-understood. As we have argued elsewhere, a United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure. More research is required to better understand adversarial adaptive capacity and escalation dynamics.

We should note that the Department of Defense lexicon has not yet provided a formal definition of “defending forward.” We suspect the formal definition that is ultimately adopted will be similar to the earlier concept of “counter cyber,” though with an emphasis on adversarial cyber campaigns (instead of ‘activities’): “A mission that integrates offensive and defensive operations to attain and maintain a desired degree of cyberspace superiority. Counter-cyber missions are designed to disrupt, negate, and/or destroy adversarial cyberspace activities and capabilities, both before and after their employment.”

Scholarship to date has mainly pointed out that this new U.S. strategic thinking could be escalatory, but it has not sought to spell out the specific causal mechanisms and scenarios as to how the consequences of the strategic shift may unfold.

In a forthcoming article, part of an edited volume on offensive cyber operations published by the Brookings Institution (entitled “Bytes, Bombs, and Spies: Strategic Dimensions of Offensive Cyber Operations”), we systematically address some of these conflict outcomes. Specifically, we consider the four general outcomes possible over time with two outcome variables: a more (or less) powerful U.S. and a more (or less) stable cyberspace.

 

 

| Stability | U.S. power relative to adversaries: More | U.S. power relative to adversaries: Less |
| --- | --- | --- |
| More | More powerful & more stability | Less powerful & more stability |
| Less | More powerful & less stability | Less powerful & less stability |


The Optimal Outcome

From the U.S. standpoint, the optimal outcome is a United States that is more powerful in cyberspace along with a more stable cyberspace. Indeed, from the U.S. standpoint, the former will lead to the latter. A more stable cyberspace will involve norms of acceptable behavior, less conflict and so on.

One path towards this rosy outcome is that the strategy does what it is said to do: Creates significant friction and makes it hard for adversaries to operate effectively. Adversaries realize that the U.S. strategy of persistent engagement makes it more difficult to conduct various offensive cyber operations, and they have no strong incentives to escalate as it may trigger a U.S. response in the conventional domain. USCYBERCOM has the advantage from the beginning.

Some argued at the first USCYBERCOM symposium that persistent engagement may first lead to a worsening situation before it gets better. This outcome is possible under one of two conditions. First, USCYBERCOM could initially be unable to seize the initiative from a capacity perspective, but become increasingly better at it in the future. This may well be true: USCYBERCOM is still continuing to develop its cyber capacity. Even though the Cyber Mission Force (CMF) has achieved full operational capability, it will take time for the new workforce to operate capably and ensure the effective coordination of all units.

The second condition is that other actors could increase their hostile cyber activity in the short term, but become less hostile in the long run. This condition is much less likely to be true: Other actors are likely to adapt to U.S. activities over time rather than to reduce their own activities, and the expected number of actors with hostile intent in this space is likely to increase over time.  For example, FireEye recently reported on the “rise of the rest,” arguing that the world has seen a growing number of advanced persistent threat (APT) groups attributed to countries other than Russia or China.

Another more powerful and more stable situation analyzed in the paper could—perhaps paradoxically—be described as “deterrence through a strategy of persistence.” In this particular outcome, the main threat actors are initially cautious to act, following the release of the new U.S. strategy. However, this is unlikely: Other actors will probably not exhibit caution to see which way the wind blows before acting. An excerpt from Lt. Gen. Nakasone’s nomination hearing to serve as director of the NSA is telling:

            Sen. Sullivan: They [our adversaries] don’t fear us.

            Gen. Nakasone: They don’t fear us.

            Sen. Sullivan: So, is that good?

            Gen. Nakasone: It is not good, Senator.

As a follow-up to Sen. Dan Sullivan’s question, Sen. Ben Sasse asked: “Is there any response from the United States Government that’s sufficient to change the Chinese behavior?... Do you think there’s any reason the Chinese should be worried about U.S. response at the present?” Lt. Gen. Nakasone responded: “Again, I think that our adversaries have not seen our response in sufficient detail to change their behavior.” In line with this notion, it is unlikely that the publication of the strategies alone will be sufficiently threatening to lead to this optimal outcome.

Less Optimal Outcomes

One path towards escalation involves adversaries becoming more aggressive and conducting attacks that are highly disruptive to society—in other words, adversary activity leads to a less stable cyberspace. This could be the result of either an adversary’s increased willingness to conduct attacks using existing capacities or increased capacities of the adversary. Indeed, with respect to the latter, the U.S. vision—and associated changed course of action—may encourage other actors to grow their budgets to conduct offensive cyber operations. The proliferation literature on weapons of mass destruction has extensively covered the role of special interests in stimulating demand for weapon development. This makes it a strong possibility that the new U.S. vision can be used by those groups within a given country favoring a growing cyber command to justify and lobby for increased military spending.

A second possibility is that increased U.S. offensive cyber activity that operates below the threshold of armed attack reduces the value of cyber norms of behavior that support a more stable cyberspace. Even today, some observers believe that the high level of offensive activity in cyberspace demonstrates quite forcefully that nations find value in conducting such activity, and that such activity points to the difficulty of establishing a more peaceful cyber norms regime. These observers argue that there is no reason to expect that increasing the U.S. contribution to such activity worldwide will make it easier to establish such a regime. Finally, a third possibility is that increased U.S. offensive cyber activity will complicate diplomatic relations with allies and other nations whose cyber infrastructures are used in support of such activity.

Increased aggressiveness by adversaries could also result from growing incentives to conduct offensive cyber operations of a highly disruptive nature. In this case, heightened aggressiveness might be a symptom of the U.S. strategy actually being effective in making the U.S. more powerful. Consider, for example, the current war against the Islamic State: losing territory and grip in the Middle East, the terrorist organization is said to be keen to recruit followers in Europe and other places in the world to conduct attacks outside of Iraq and Syria. These attempted mass killings are a way to show that the group still needs to be feared and potentially to help recruiting—but they do not change the balance of power in the region. Actors in cyberspace might become more noisy and aggressive purely to increase friction, gain attention and so on—and perhaps also to influence international public opinion in ways that drive the United States toward changing its strategy.

Finally, worst-case outcomes—that is, a United States that is less powerful in cyberspace along with a less stable cyberspace—could stem from a multitude of sources. One possibility is that the United States could overplay its hand in terms of cyber capabilities. USCYBERCOM is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. The dangers of fighting on multiple fronts—even for the most capable actors—are well known from conventional warfare. As the number of potential cyber “fronts” is much higher compared to conventional warfare, the risks of overextension have become much higher as well. The Defense Department vision’s explicit focus on Russia and China, following the USCYBERCOM vision’s silence on the issue of priorities, makes us less concerned about this scenario—though it is still a possibility.

Final Word

After initial, prompt analysis from the scholarly community of the strategies, the country now needs systematic research on how persistent engagement and defense forward may play out. We believe that outcome-based analysis is one desired form of research which could be expanded. (One important limitation of our analysis is that we do not pay sufficient attention to the risks of the U.S. not changing its course of action.)

Other research in this field would be helpful as well—consider case study analyses. Russia conducts very different cyber campaigns to affect U.S. sources of power than does China, and defense forward will thus look very different in both cases. But how the U.S. should defend forward for each specific case, in order to optimize power gains and reduce escalation, has not yet been addressed. This work is needed.

Also, the question is not just how adversaries will respond to the change in U.S. strategy. It is equally important to analyze the behavior of allies. With the implementation of this strategy, will allies follow? Or will they stick to the general deterrence-type strategies?

The bottom line? More research is needed—let’s get to it.

 

News Type: Commentary

"The election interference tactics originally deployed by Russia against the United States and Europe are now global. Hackers across the democratic world have exploited weaknesses in campaign email servers; probed electronic voting machines for vulnerabilities; set up troll farms to spread highly-partisan narratives; and employed armies of bots to distort the truth online. Tech experts in countries such as Iran and Venezuela have borrowed these tactics and joined efforts toward the same goals: to erode confidence in electoral processes and in democratic governance itself," writes Eileen Donahoe. Read here.

Eloise Duvillier

Eloise Duvillier is the Program Manager of the Program on Democracy and the Internet at the Cyber Policy Center. She previously was a HR Program Manager and acting HR Business Partner at Bytedance Inc, a rapidly-growing Chinese technology startup. At Bytedance, she supported the globalization of the company by driving US acquisition integrations in Los Angeles and building new R&D teams in Seattle and Silicon Valley. Prior to Bytedance, she led talent acquisition for Baidu USA LLC’s artificial intelligence division. She began her career in the nonprofit industry where she worked in foster care, HIV education and emergency response during humanitarian crises, as well as helping war-torn communities rebuild. She graduated from University of California, Berkeley with a bachelor’s degree in Development Studies, focusing on political economics in unindustrialized societies.

Program Manager, Program on Democracy and the Internet
News Type: News

Midterm elections pose an opportunity for hackers interested in disrupting the democratic process

Voter registration systems provide an additional target for hackers intending to disrupt the US midterm elections; if voting machines themselves are too dispersed or too obvious a target, removing voters from the rolls could have a similar effect. In Esquire, Jack Holmes explains that election security experts consider this one of many nightmare scenarios facing the American voting public—and thus, American democracy itself—on the eve of the 2018 midterm elections. (Allison Berke, Executive Director of the Stanford Cyber Initiative, quoted.)
