International Cyber Conflict: an Introduction to Power and Conflict in Cyberspace DHP P249 Classroom Location: Mugar 200 Tuesdays, 3:20-5:20Pm

Version: NOT FINAL (January 10, 2016)

International Cyber Conflict: An Introduction to Power and Conflict in Cyberspace DHP P249 Classroom Location: Mugar 200 Tuesdays, 3:20-5:20pm

Fletcher School of Law and Diplomacy Tufts University Spring 2017

Professor Michele L. Malvesti Office: Cabot 602 Email: [email protected] Office Hours: TBD Teaching Assistant: Matthew Weinberg TA Email: [email protected]

Prerequisite Note: Students are required to have completed DHP P240: The Role of Force prior to enrolling in P249.

Enrollment Restrictions: Kindly note that audits are not permitted in this course.

Fletcher Fields of Study: P249 counts as an elective in the International Security Studies field of study.

Course Description: The 21st century security landscape continues to be defined, in part, by irregular and often asymmetric forms of conflict; the diffusion of global power and authority across multiple state and non-state actors; non-traditional battlespaces that extend into information platforms and networks; and highly interconnected technological environments that facilitate distributed activities in a geographically unconstrained world. Intersecting each of these characteristics is one of the most consequential national security and economic challenges confronting policymakers today: cyber space and the threats that emanate from it. As a domain and instrument of competition and conflict, cyber space enables a range of global actors—including dissidents, terrorist organizations, and states with varying levels of offensive and defensive cyber capabilities—to assert influence, project power, and conduct activities in the increasingly ambiguous areas between war and peace.

Designed as an introductory course for the generalist and non-technologist, this seminar will explore the role of power and conflict in cyber space; examine the various activities that occur in cyber space, including espionage, subversion, sabotage, and the potential for cyber warfare; explore the vulnerability of critical infrastructure and the role of the private sector; and discuss the policies, strategies, and governance structures of key actors that operate within the cyber domain. Underscoring topics throughout the course will be discussions on the role of risk and how policymakers assess threats and adapt to risk in the cyber domain.

1 Version: NOT FINAL (January 10, 2016)

Seminar Requirements and Grading*: *Note: Absent exceptional circumstances, no extensions will be given. Memos will be due in hardcopy at the beginning of class. Memos will be formatted with one inch margins, be written in Times New Roman font size 12 and should have endnotes with full citations. Failure to follow these instructions will result in a penalty. • Individual Policy Memos o 2-page memo #1: 20pts; due at the beginning of class on Tuesday, 28 February. o 2-page memo #2: 25pts; due at the beginning of class on Tuesday, 28 March. • Group Presentation o Group 3-page decision memo: 25pts; due Noon on the day before the presentation o Group presentation: 15pts; presentation time will be assigned § Grade also will reflect team/peer reviews. • Daily attendance and course participation (15pts) o There will be both individual opportunities and group exercises nearly every class session. Course Schedule: This seminar is scheduled for Tuesday afternoons, 3:20 p.m. – 5:20 p.m. Any changes to the schedule or class readings will be announced in advance.

Policy on Laptops, Cell phones, and other Electronic Devices: Except in identified instances, all laptops, cell phones, and other electronic devices shall be silenced and put away during class. Failure to do so will affect your participation grade. No recording devices of any kind are permitted.

Readings: The following books may be bought from either the Tufts bookstore or an online vendor:

• Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013. • Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, eds., Cyberpower and National Security, NDU Press, 2009 (also available online). • William A. Owens, Kenneth W. Dam, and Hebert S. Lin, eds. Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities, National Research Council, National Academies Press, 2009 (also available online). • Proceedings of a Workshop on Deterring Cyberattacks, National Research Council, National Academies Press, 2010 (also available online). Students unfamiliar with the subject and who would like additional introductory readings might consider acquiring a copy of P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know, Oxford University Press, 2014. This is supplemental reading only.

Other readings will be available on Trunk.

2 Version: NOT FINAL (January 10, 2016)

Seminar Outline: **Note: Students are Expected to Complete Assigned Readings for Each Class Session Prior to Attending Class

Class #1: Tuesday, 24 January: Course Introduction and Overview; Cyberspace Structure; Power and Sovereignty in the Cyber Domain o 1A: Seminar Introduction and Overview

o John Arquilla, “Cyberwar is Already Upon Us,” Foreign Policy 192 (2012).

o Thomas Rid, "Think Again: Cyberwar," Foreign Policy 192 (2012): pp. 80-84.

o Lucas Kello, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,” International Security, vol.38, no.2 (Fall 2013), pp. 7-40.

o Joint Statement for the Record to the Senate Armed Services Committee, Foreign Cyber Threats to the United States, January 5, 2017. o 1B: Structure and Scope of Cyberspace

o Clark, Berson, and Lin, eds., At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, National Research Council, 2014, pp.18-28 (Ch.2) and pp. 29-52 (Ch.3).

o Paul Rosenzweig, Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World, 2013, pp. 17-29 (Ch.2).

o Craig Timberg, “Net of Insecurity,” Washington Post, May 30-31, June 22, 2015 (Pts.1-3).

o McKinsey Global Institute, “The Internet of Things: Mapping the Value Beyond the Hype,” McKinsey & Company, June 2015. (Read “Executive Summary,” “Introduction” and “Findings” sections)

o Steve Morgan, “Top 5 Cybersecurity Facts, Figures and Statistics for 2017,” CSO Online, December 29, 2016. o 1C: Power and Sovereignty in the Cyber Domain

o John B. Sheldon, “Geopolitics and Cyber Power: Why Geography Still Matters,” American Foreign Policy Interests, November 2014.

o Joseph S. Nye, Jr., Cyber Power, Belfer Center for Science and International Affairs, May 2010.

o Stuart H. Starr, “Toward a Preliminary Theory of Cyberpower,” in Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, eds., Cyberpower and National Security, National Defense University, 2009 (also available online), pp. 43-88 (Ch.3).

3 Version: NOT FINAL (January 10, 2016)

Class #2: Tuesday, 31 January: Security Concepts in the Cyber Domain o 2A: Ethics and Just War Theory

o Dipert, Randall, “The Ethics of Cyberwarfare,” Journal of Military Ethics, 2010, Vol. 9, No. 4, pp. 384-410.

o Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013, pp. 11-34 (Ch.2 “Violence”). o 2B: Security Environment

o Eriksson, Johan and Giampiero Giacomello. “The Information Revolution, Security, and International Relations: (IR) Relevant Theory?” International Political Science Review, July 2006, pp. 221-244. o 2C: Functions of Force (Deterrence, Escalation and Coercion)

o Libicki, Martin, “Cyber Deterrence and Cyberwar,” RAND Corporation, 2009, pp. 39-73.

o Libicki, Martin, “Crisis and Escalation in Cyberspace,” RAND Corporation, 2012, pp. 73- 120.

o Jason Healey, “Cyber Deterrence is Working,” Defense News, July 30, 2014.

o Craig Neuman and Michael Poznansky, “Swaggering in Cyberspace: Busting the Conventional Wisdom on Cyber Coercion,” War on the Rocks, June 28, 2016. o 2D: Identity and Attribution

o David D. Clark and Susan Landau. "Untangling Attribution." Harv. Nat'l Sec. J. 2 (2011): pp. 25-40.

o Benjamin Brake, “Strategic Risks of Ambiguity in Cyberspace,” Contingency Planning memorandum no. 24, May 2015.

o Earl W. Boebart, “A Survey of Challenges in Attribution, Proceedings of a Workshop on Deterring Cyberattacks,” National Research Council, 2010, pp. 41-52.

4 Version: NOT FINAL (January 10, 2016)

Class #3: Tuesday, 7 February: Espionage and Subversion in Cyberspace o 3A: Conceptual Issues:

o Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013, pp. 81-112 (“Espionage”) and pp. 113-138 (“Subversion”).

o Dransfield, Wagner and Waltzman, “Creating Influence through Information,” in Richard M. Harrison and Trey Herr, ed., Cyber Insecurity, pp. 329-343.

o Bruce Schneier, “There’s No Real Difference Between Online Espionage and Online Attack,” The Atlantic, March 2014. o 3B: Cases and Discussion: Nation-State Activities

China

o Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security, vol.39, no.3 (Winter 2014/2015): pp. 7-47.

o Amy Chang, “Warring State: China’s Cybersecurity Strategy,” Center for a New American Security, December 3, 2014.

o Adam Segal, “Why China Hacks the World,” Christian Science Monitor, January 31, 2016.

o Kristin Finklea et al, “Cyber Intrusion into U.S. Office of Personnel Management: In Brief,” Congressional Research Service, July 17, 2015.

Russia

o Ben Buchanan and Michael Sulmeyer, “Russia and Cyber Operations: Challenges and Opportunities for the Next U.S. Administration,” Carnegie Endowment for International Peace, December 13, 2016.

o Eric Lipton, David Sanger and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the US,” New York Times, December 13, 2016.

o Thomas Rid, “How Russia Pulled Off the Biggest Hack in U.S. History,” Esquire, October 20, 2016.

o Andrew Kramer, “How Russia Recruited Elite Hackers for Its Cyberwar,” New York Times, December 29, 2016.

5 Version: NOT FINAL (January 10, 2016)

Class #4: Tuesday, 14 February: Critical Infrastructure and Sabotage in Cyberspace o 4A: Conceptual Issues:

o Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013, pp. 55-79 (Ch.4 “Sabotage”).

o Thomas Rid, “Cyber-Sabotage is Easy,” Foreign Policy, July 23, 2013.

o Robert M. Lee, “Protecting Industrial Control Systems in Critical Infrastructure,” in Richard M. Harrison and Trey Herr, eds, Cyber Insecurity, Rowman & Littlefield, 2016, pp. 31-42. (Ch.13)

o David M. Upton and Sadie Creese, “The Danger from Within,” Harvard Business Review, September 2014 o 4B: Case Studies: Saudi Aramco, Ukraine Power Grid, and the Hack on Sony Pictures

o Christopher Bronk and Eneken Tikk-Ringas, “The Cyber Attack on Saudi Aramco,” Survival, Vol. 55 Issue 2 (2013), pp. 81-96.

o Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, March 3, 2016.

o Peter Elkind, “Sony Pictures: Inside the Hack of the Century,” Parts 1, 2 and 3, Fortune, June 25, 2015.

o James A. Lewis and Victor Cha, “North Korea’s Cyber Operations: Strategy and Responses,” Center for Strategic and International Studies, December 2015, pp. 11-34 (Ch.1) o 4C: Case Study: Stuxnet

o Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Crown, 2014, pp. 52-68 (Ch.4).

o Jon R. Lindsay, "Stuxnet and the Limits of Cyber Warfare," Security Studies, 22.3 (2013): pp. 365-404.

o Students who would like to explore more technical details of Stuxnet, see: Nicolas Falliere, Liam O Murchu, and Eric Chien “W32.Stuxnet Dossier”, Symantec, 2011. See also: Ralph Langner, “To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve,” Arlington, Virginia: The Langner Group, November 2013, pp. 3-36.

6 Version: NOT FINAL (January 10, 2016)

Class #5: Tuesday, 21 February: Cyber Warfare and the Role of the Military in Cyberspace (**Guest Speaker: BG Jennifer Buckner, Deputy Commander of Operations, Cyber National Mission Force) o 5A: Cyber War

o Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013, pp. 1-10 (Ch.1 “What is Cyber War”).

o Erik Gartzke, “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth,” International Security, vol.38, no.2 (Fall 2013), pp. 41-73.

o Gregory Rattray and Jason Healey, “Categorizing and Understanding Cyber Capabilities and Their Use,” Proceedings of a Workshop on Deterring Cyberattacks, National Research Council, 2010, pp. 77-97.

o Martin Libicki, “The Cyber War that Wasn’t,” in Kenneth Geers, ed., Cyber War in Perspective: Russian Aggression Against Ukraine, NATO CCD COE Publications, Tallinn 2015, pp. 49-54. (Ch.5) o 5B: The Role of the Military in Cyber Space

o U.S. Department of Defense, The DoD Cyber Strategy, April 2015.

o Trey Herr and Drew Herrick, “Understanding Military Cyber Operations,” in Richard M. Harrison and Trey Herr, eds, Cyber Insecurity, Rowman & Littlefield, 2016, pp. 259-273. (Ch.16)

o Shane Harris, @War: The Rise of the Military-Internet Complex, Houghton Mifflin Harcourt, 2014, pp. 3-68 (Chs.1-3).

o David E. Sanger, “U.S. Cyberattacks Target ISIS in a New Line of Combat,” New York Times, April 24, 2016.

o Warren Strobel, “Obama Prepares to Boost U.S. Military’s Cyber Role: Sources,” Reuters, August 7, 2016.

o Ellen Nakashima, “Obama Moves to Split Cyberwarfare Command from the NSA,” Washington Post, December 23, 2016.

7 Version: NOT FINAL (January 10, 2016)

Class #6: Tuesday, 28 February: Decision-Making and Governmental Response (**Guest Speaker: Kiersten Todt, Executive Director at the Presidential Commission on Enhancing National Cyber Security) o 6A: Conceptual Issues:

o Rose McDermott, “Decision Making Under Uncertainty,” Proceedings of a Workshop on Deterring Cyberattacks, National Research Council, 2010, pp. 227-242.

o David Clark, Thomas Berson, and Herbert S. Lin, eds., At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, National Research Council, 2014, pp. 5-17 (Ch.1).

o Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013, pp. 163-174 (Ch.8 “Beyond Cyber War”). o 6B: Government Response

o White House Commission on Enhancing National Cybersecurity, Report on Securing and Growing the Digital Economy, December 1, 2016.

o Presidential Policy Directive – United States Cyber Incident Coordination (PPD-41), Presidential Memoranda, July 26, 2016.

o Lior Tabansky, Cybersecurity in Israel. Springer, 2015, chapter 2, 3, 9 and 10.

o Ye Zhen, “From Cyberwarfare to Cybersecurity in the Asia-Pacific and Beyond,” in Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron, eds., China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, Oxford University Press, 2015, pp.123-137 (Ch.5).

o Michael Hayden, Playing to the Edge, Penguin Press, 2016, pp.127-152 (Ch.8 “Life in the Cyber Domain”).

8 Version: NOT FINAL (January 10, 2016)

Class #7: Tuesday, 7 March: Non-State Actor Activities in Cyberspace o 7A: Hacktivism and Online Resistance

o David Kushner, “The Masked Avengers: How Anonymous Incited Online Vigilantism from Tunisia to Ferguson,” The New Yorker, September 8, 2014.

o Dorothy Denning, “The Rise of Hacktivism,” Georgetown Journal of International Affairs, September 8, 2015.

o Madawi al-Rasheed, “No Saudi Spring: Anatomy of a Failed Revolution,” Boston Review, vol.37, no.2 (2012): pp. 22-39.

o Zeynep Tufekci and Christopher Wilson,” Social Media and the Decision to Participate in Political Protest: Observations from Tahrir Square,” Journal of Communication, vol.62 (2012): pp. 363-379.

7B: Terrorist Use of the Internet

o Irving Lachow, “Cyber Terrorism: Menace or Myth?” in Franklin Kramer, Stuart Starr, and Larry Wentz, eds., Cyberpower and National Security, pp. 437-464 (Ch.19).

o Lorenzo Vidino and Seamus Hughes, “ISIS in America: From Retweets to Raqqa,” The George Washington University: Project on Extremism, December 2015.

o Aaron Y. Zelin, “The State of Global Jihad Online,” New America Foundation, January 2013.

o Emerson T. Brooking and P.W. Singer, “War Goes Viral,” The Atlantic, November 2016.

9 Version: NOT FINAL (January 10, 2016)

Class #8: Tuesday, 14 March: The Security Debate: State Surveillance and Privacy o 8A: State Surveillance and Privacy

o Liberty and Security in a Changing World, Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies (Read “Executive Summary” and “Recommendations”), December 2013.

o Michael Hayden, Playing to the Edge, Penguin Publishers, 2016, (Ch. 5 “Stellarwind”).

o Ellen Nakashima and Barton Gellman, “As Encryption Spreads, U.S. Grapples with Clash Between Privacy, Security,” Washington Post, April 10, 2015.

o Simon Denyer, “China’s Scary Lesson to the World: Censoring the Internet Works,” Washington Post, May 23, 2015. o 8B: Cases: The Snowden Affair and the Apple vs. FBI Debate

o Matt Olsen, Bruce Schneier, and Jonathan Zittrain, Don’t Panic: Making Progress on the Going Dark Debate, February 1, 2016.

o Katrina vanden Heuvel, “Justice for Edward Snowden,” Washington Post, October 24, 2014.

o Editorial Board, “No Pardon for Edward Snowden,” Washington Post, September 17, 2016.

o House Permanent Select Committee on Intelligence, “Review of the Unauthorized Disclosures of former National Security Agency Contractor Edward Snowden,” September 15, 2016 (Declassified for release on December 22, 2016).

NO CLASS: Tuesday, 21 March: Spring Break

10 Version: NOT FINAL (January 10, 2016)

Class #9: Tuesday, 28 March: Governance (*Guest Speaker: Zachary Goldman, Executive Director of the Center on Law and Security, New York University) o 9A: Law

o “Talinn Manual on the International Law Applicable to Cyber Warfare,” Cambridge University Press, 2013, pp. 1-11 and the rest for reference.

o Matthew C. Waxman, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4),” Yale Journal of International Law, vol. 36, no. 421 (2011): pp. 421-459.

o Harold Hongju Koh, “International Law in Cyberspace,” Remarks to USCYBERCOM Inter- Agency Legal Conference, as prepared for delivery, September 18, 2012. o 9B: Norms and Ethics

o Roger Hurwitz, "The Play of States: Norms and Security in Cyberspace," American Foreign Policy Interests, 36.5 (2014): pp. 322-331.

o John Steinbrunner, “Prospects for Global Restraints on Cyberattack,” Arms Control Today, 2011, pp. 21-26.

o Jack Goldsmith, “Cybersecurity Treaties: A Skeptical View,” Hoover Institution, 2013.

o Robert Belk and Matthew Noyes, “On the Use of Offensive Cyber Capabilities: A Policy Analysis on Offensive Cyber Policy,” Kennedy School of Government (March 20, 2012), pp. 75-110.

o Gary D. Brown and Andrew O. Metcalf, "Easier Said Than Done: Legal Reviews of Cyber Weapons,” 2014.

o “2015 UN GGE Report: Major Players Recommending Norms of Behaviour, Highlighting Aspects of International Law,” August 31, 2015. o Readings Requested by Guest Speaker:

o Judith Germano, “Proposed NY Cybersecurity Regulation: A Giant Leap Backward?” Forbes, December 2, 2016.

o Randal Milch and Zachary Goldman, “From the War Room to the Board Room? Effectively Managing Cyber Risk Without Joining the Front Lines,” Center on Law and Security, NYU School of Law, June 2015.

o Orin Kerr, “What is ‘Cybersecurity Law’?” Washington Post, May 14, 2015.

11 Version: NOT FINAL (January 10, 2016)

Class #10: Tuesday, 4 April: Private Sector Solutions and Partnerships (**Guest Speaker: Root9B TBD) o 10A: Overview of the Industry

o “Cybersecurity: Time for a Paradigm Shift,” Morgan Stanley, June 15, 2016.

o Steve Morgan, “The Cybersecurity Industry Will be Fiercely Competitive in 2017,” CSO Online, December 8, 2016.

o Cybersecurity Ventures 500 for company listing (Website: http://cybersecurityventures.com/cybersecurity-500/) o 10B: Issues in the Industry

o Amitai Etzioni, “The Private Sector: A Reluctant Partner in Cybersecurity,” Georgetown Journal of International Affairs, December 19, 2014.

o Jason Healey et al., “Confidence-Building Measures in Cyberspace - A Multistakeholder Approach for Stability and Security,” Atlantic Council, 2014.

o Paul Rosenzweig, Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World, Praeger: Santa Barbara, 2013, pp.157-184 (Ch.14 “The Economics of Cybersecurity;” Ch.15 “The Role of Government in Regulating the Private Sector;” Ch.16 “Protecting America’s Critical Infrastructure.”). o 10C: Network Security in the Private Sector

o Readings Requested by Guest Speaker: TBD

o Vicky Ward, “The Russian Expat Leading the Fight to Protect America,” Esquire, October 24, 2016.

Class #11: Tuesday, 11 April: First Round of Group Presentations

Class #12: Tuesday, 18 April: Second Round of Group Presentations

12 Version: NOT FINAL (January 10, 2016)

Class #13: Tuesday, 25 April: Considerations for the Future o 13A: Conceptual Issues: Ransomware, Internet of Things, Autonomous Vehicles, Artificial Intelligence and Machine Learning

o Joshua Corman and Beau Woods, “Safer at Any Speed: The Roads Ahead for Automotive Cyber Safety Policy,” in Richard M. Harrison and Trey Herr, eds, Cyber Insecurity, Rowman & Littlefield, 2016, pp. 47-66. (Ch. 4)

o Brian Heater, “The Growing Threat of Ransomware,” PC Magazine, April 13, 2016.

o Lauren Zanolli, “Welcome to Privacy Hell, Also Known as the Internet of Things,” Fast Company, March 23, 2016.

o Bruce Schneier, “The Internet of Things is Wildly Insecure – And Often Unpatchable,” Wired, January 6, 2014.

o Enn Tyugu, “Artificial Intelligence in Cyber Defense,” NATO Cyber Center for Defense Center of Excellence, 2011.

o Ben Dickson, “Exploiting Machine Learning in Cybersecurity,” TechCrunch, July 1, 2016. o 13B: Cases: Murai Botnet and the 2016 IoT Attacks

o Bruce Schneier, “We Need to Save the Internet from the Internet of Things,” Motherboard, October 6, 2016.

o Brian Krebs, “KrebsOnSecurity Hit with Record DDoS,” KrebsOnSecurity, September 21, 2016.