
Cyber Warfare and US National By Ari Basen

USAF Network Operations Command Center at Lackland Base, Texas

Senior Capstone Advisor: Prof Boaz Atzili
School of International Service
University Honors in International Studies
Spring 2014

Table of Contents

Acknowledgements
Abstract
Introduction
Scope and Purpose
Research Design
Literature of Cyber Warfare
Clausewitz and Cyber
Deterrence and Cyber Warfare
Compellence and Cyber Warfare
Cyber as a Strategic
Cyber as a Component to
Virtual Warfare
Principles of Cyber Warfare
Conclusions
Further Reading
Glossary of Selected Terms
Works Cited

Acknowledgements

I would like to thank Professor Davy Banks for his numerous hours of advice and counsel during this project and without whom this Capstone would be a far cry from what it is today. I would also like to thank Emma Humphreys for her boundless patience in dealing with me through all the long nights as I worked on this project and who also tolerated going through all 24,000 words of this Capstone in order to make sure it was proofread before submission. I want to thank and apologize to Professor Boaz Atzili who certainly did not fully comprehend what he was signing up for when he took on the position as Capstone Advisor. I apologize in advance because this piece is double the length required for a Master’s thesis and nearly 25% of the way towards the length of a Doctoral dissertation. I implore you not to hold this against me as you grade this monster of a paper.

Abstract

Talk of cyber attack and cyber warfare abounds within the public discourse. Cases such as ’s cyber attacks on Georgia, the American/Israeli operation, and ’s incessant breaches of US networks are held up as examples of the ongoing ‘war’ within . Senior policy makers from the Departments of Defense and have made dire warnings of an imminent “cyber Pearl Harbor” or “cyber 9/11”, yet to date there has not been a cyber attack which has killed anyone.1 The purpose of this Capstone is to cut through the bellicose rhetoric and to examine the emergent phenomenon known as “cyber warfare.” This piece uses established strategic thought and doctrine as a foundation to analyze the place of cyber operations within the broader spectrum of military operations. This piece applies a diverse set of military theories from deterrence to strategic airpower to electronic warfare doctrine in order to establish a theoretic understanding of cyber warfare. This Capstone concludes with a set of Principles of which summarizes the observations made and should serve to ground future discussions of the topic.

1 Rid

Introduction

War has been a function of humanity since its inception as a sentient species. Warfare has long served as a catalyst for technological development and a driver of societal change. With every new domain discovered, we have invented new tools to capitalize on this discovery and spread our conquering spirit. From stones and spears to UAVs and ICBMs, humanity has sought to extend the distance of its lethal reach. The technology may have matured exponentially but the primal impulse to use violence to propagate our will has remained eternal.

What we know today as the was originally conceived by the scientists of the Defense Advanced Research Projects Agency as an open source, self organizing means to build and maintain the military network in the event of a Soviet nuclear attack. This ARPANet, or Advanced Research Projects Agency Network, was developed in the early 1970s to connect and process the tremendous amount of data gathered from the hundreds of radar stations spread across the North American continent. This early network fed data into a primary processing and early warning center buried into the Cheyenne Mountain in Colorado Springs, which would become the headquarters of NORAD and today’s US Strategic Command.2 scientists at various began to apply this networking concept to their own work as a means to automatically connect, process, and share their research with other academics spread across the country. 
This network of academic institutions would evolve in the 1980s into a system maintained by the National Science Foundation known as the NSFNET.3 Outside of this academic environment, the first real commercial application of computer networks was to link together the various banks across the country in order to automate the processing of bank checks.4 These two networks would evolve and grow internationally over the course of the next decade to become the commercial Internet of today, which was not released publicly until 1995.5 The public commercial Internet would go on to grow over the next 20 years to become an integral fixture in the lives of 2.5 billion people, and it is still growing at an accelerating rate.6 Today, there are roughly 10 billion networked devices in the world and it is projected that by mid-century this number will grow to 50 billion devices, ushering in an age known as the “Internet of Everything.”7

2 “Public Key Cryptography: What is it?”

3 "The Internet - The Launch of NSFNET."

4 “Public Key Cryptography: What is it?”

5 "The Internet - The Launch of NSFNET."

6 "World Internet Users Statistics Usage and World Population Stats."

7 "The Computer Guy", Eli.

[Figure: The original floppy disk which the Morris Worm was launched from MIT, circa 1988. On display at the]

The first malicious act launched against the Internet was committed by Robert Morris, a student of Cornell University, in 1988. This worm was originally designed as a test intended to map the Internet. However, as an unintended side effect, as it propagated across the numerous machines connected to the Internet, it drained their resources to the point they crashed and became unusable.8 This worm would be the first of billions to have an adverse effect on the usability of networked systems and the people who use them. As banks, merchants, and entrepreneurs flocked to the open pastures of the Internet, the wolves of the population soon followed. These hackers sought to prey upon a naive public to steal financial information, intellectual property, and even state secrets for their own gain. As individuals, companies, and even nations outsourced their operations and to computer networks, it created a strategic vulnerability which could be exploited by any adversary with sufficient knowledge of computer systems. Thus the field of cyber security evolved in order to ensure the confidentiality, integrity, and availability of data and the systems which use it.9 However, this exceptionally broad field comprises everything from a bored teenager defacing some websites to a rival nation-state compromising the integrity US ’s Joint Worldwide Information Communications System (JWICS) which forms the digital backbone for all classified US government communications rated Top Secret and above.10 The US military, and the of any developed country, rely on data networks for everything from command and control to target acquisition for guided munitions. 
An attack which compromised the US military’s NIPRNet which controls the bulk of the DoD’s logistical routing could significantly degrade the DoD’s operational effectiveness worldwide.11 A scheming adversary could use an attack against the NIPRNet to upend the supply chain to a warzone, sending toothbrushes to troops instead of ammunition.12 Penetrating the SIPRNet which is used to carry classified information like operational orders would allow an adversary to eavesdrop on troop

8 Keyhoe.

9 See Glossary for the meaning and a discussion of these terms. Singer, p. 35

10 Priest. (Kindle Edition) Location 4609.

11 NIPRNet=Non-Secure Internet Protocol Routing Network. See:"NIPRNet Definition from PC Magazine Encyclopedia."

12 Singer p. 131

movements and even potentially issue erroneous orders.13 This type of attack on the integrity and confidentiality of these networks would shake the trust of the users reliant on them. Even after the has been removed the system, the commanding officer may decide that he cannot rely on this system and scrap it entirely in favor of “old school” communications methods such as infrared light pulses in Morse code or even all the way back to message couriers. The and its NATO allies are not alone in their reliance on computer networks for the continuity of their operations. China, Russia, , and other potential nation-state adversaries all use TCP/IP based networks for their communications and operations as this represents the primary set of rules by which digital information is sent and received across the globe.14 Non-state actors from al Qaeda, the Sinaloa Cartel of , and the Russian Business Network15 all use the Internet to enhance of their operations: be it spreading propaganda, synchronizing the shipments of cocaine, or distributing malware which steals credit card information. The open, free, and ad hoc design of the Internet allows anyone, regardless of their intent or affiliation, to gain access to this domain in order to advance their respective agenda. This creates a constellation of potential adversaries across an incredibly diverse spectrum of intentions and capabilities.

13 SIPRNet= Secret Internet Protocol Routing Network. See: "NIPRNet Definition from PC Magazine Encyclopedia."

14 TCP/IP stands for Transmission Control Protocol and Internet Protocol. It describes a suite of protocols for how packets of information are routed across the globe from the MacBook Pro this paper was written on all the way up to the massive server farms employed by the tech giants of Apple, , and . At the most basic level, TCP/IP represents the universal set of rules by which all send and receive information. For a more in depth explanation of how this protocol suite was developed and how it operates please see: "The Computer Guy", Eli. "TCP/IP and Subnet Masking."

15 The Russian Business Network is a Russian cyber syndicate and described as the “baddest of the bad” when it comes to organized organizations, according to VeriSign. The syndicate generates the majority of its revenues by monopolizing the illicit market of stealing and then reselling financial information such as credit card numbers, bank accounts, etc. See: Krebbs.

Scope and Purpose

The galaxy which is the field of cyber security comprises everything from petty cyber crime of stealing credit cards, through between economic rivals, up through using the Internet to an nation’s such as the power grid or stock markets. Malicious actions in cyberspace can be generally categorized as ones which conduct theft, espionage, and/or sabotage of data and the infrastructure which it supports at the individual, organizational/firm, national, and international levels. In the cyber domain, the specific data or system which is stolen or broken via malicious software determines the difference between criminal action and a potential act of war against an entire country. The broad nature of the cyber security field produces considerable conceptual ambiguity regarding what constitutes a legitimate threat to US . For alarmists like Clarke or Brenner, everything from SCADA attacks against critical infrastructure to Chinese firms conducting industrial espionage is a critical threat. This research seeks to cut through this hyped up conflation and examine the specific strategic implications for US national security of cyber as a warfighting domain. Although espionage and subversion have always been components to warfare, it is important to distinguish these acts from acts of sabotage which directly cause disruption or even destruction as it is these which would acts of war. 
The most recent cyber warfare strategy document from the Pentagon in July 2011 determined that, “If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a "use of force" consideration, which could merit retaliation.”16 The “Department of Defense Strategy for Operating in Cyberspace,” however, fails to define the specific threshold of disruption or level of physical destruction needed to qualify as an act of war.17 The specific threshold was only vaguely alluded to by an unnamed Defense official during the press release of the report that, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”18 This sly threat provides only the vaguest understanding of what constitutes a serious cyber attack and what would be an appropriate response. This vagueness underscores the importance of developing a clear understanding of where this domain falls within the broader spectrum of .

16 Gorman

17 There is an entire classified addendum to the DoD Cyber Strategy which may provide such definitions and guidance, but as of April 2014, no such document exists within the open source. See: "Department of Defense Strategy for Operating in Cyberspace."

18 Gorman

Research Design

This Capstone will examine the existing literature on and doctrine in order to begin determining what is “cyber war” and what it could look like empirically. Is it possible to have a purely “cyber war” or is it simply just another component of existing modes of warfare such as , electronic warfare, and covert operations? If humanity’s conception of warfare has been the organized application of violent force in order to compel our enemy to submission, what is “warfare” if the very violence it is founded upon is removed from the equation?19 This piece will first look at cyber warfare from a philosophical standpoint based off the definitions of in order to develop a basic understanding for the nature of war. This section will examine the utility of basic theoretic concepts of conventional conflict as it relates to cyber war. How do classic military concepts such as deterrence, compellence, and disarming the enemy apply in the cyber domain? What new concepts are necessary to understand the cyber domain on a theoretical level? The next section will look at the development of cyber as an extension of previous evolutions in military affairs. This portion will first look at the potential for cyber to be used as a strategic weapon. Is the development of cyber a realization of the ideals of Strategic Airpower theory which would allow for swiftly crippling an enemy’s ability to make war and thus a guarantee of victory? As a comparison, cyber will then be examined under the lens of Electronic Warfighting doctrine as a tactical enabler and force multiplier in contrast to a strategic first strike weapon. The final section will look at the fundamental shift in warfighting enabled by global connectivity from centralized, physical armies to ad hoc, shifting networks of like-minded individuals coming together for a cause. How will our enemies organize and wage campaigns in the future? 
How will the open source nature of the Internet augment an adversary’s ability to respond and adapt to conventional US military force? How will the development of “cyber ” and “cyber blowback” impact the strategic calculus of future interventions? The culmination of this examination is to develop a set of principles in order to structure and situate further discussion of cyber warfare. This piece will hopefully begin to erode the conceptual fog surrounding cyber as a component to future conflicts and provide a clearer understanding of the emerging complexities produced by the future threat environment. As the world grows ever more populated and interconnected, new actors will emerge rapidly to threaten the US and its interests. The cyber domain presents an open field for nefarious activities of all stripes and thus cyber dominance and resilience will form the new high ground of any future conflict.

19 Clausewitz, Ch. 1

Literature Review

The nascent field of cyber security, and more specifically cyber warfare, has been regularly cast in the mainstream media as an apocalyptic revolution in military affairs. A nation-state level cyber attack could render our military and impotent in “as little as 15 minutes,” according to former Clinton-era Counter Terror advisor Richard Clarke.20 Secretary for Homeland Security Janet Napolitano made dire warnings just in the past year of an “imminent” looming “cyber 9/11” which would severely disrupt critical infrastructure such as water, power, and gas.21 The potential for a “cyber 9/11”, or “cyber Pearl Harbor” as termed by former Defense Secretary , “would paralyze and shock the nation and create a new, profound sense of vulnerability.”22 Leon Panetta announced in a 2012 speech on the USS Intrepid in the shadow of Ground Zero that cyber attacks represent just as much of a threat to the nation as the traditional scourges of, “terrorism, nuclear proliferation, and the turmoil we see in the .”23 The Director for National Intelligence even went so far as to testify before the Senate Armed Services Committee that as of March 2013, cyber attacks are the greatest ongoing threat to US National Security, even more so than al Qaeda or Islamic extremism.24 Amongst defense policy circles, the term “cyberwar” was originally coined by RAND scholar in 1993 to refer to a doctrinal and structural change in warfighting which emphasized information dominance over a potential adversary. Twenty-first century conflict, according to Arquilla, would not be won by the conventional notions of mass and maneuver but, “whichever side knows more.”25 The growing sophistication of cyber systems would allow for near perfect intelligence over an adversary, removing the historic “fog of war” and lead to an age of clean, short, and precise warfare.26 Cyberwar was heralded in the early 1990s as fundamentally game changing as was to maneuver warfare in the mid-20th century. 
Arquilla predicted that in the coming century warfare would be dominated by networks rather than the hierarchies and bureaucracies of the past. Future would be

20 Note: Richard Clarke served as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for President Clinton and later as Special Advisor on Cybersecurity to President George W. Bush. Clarke, p. 67

21 "U.S. Homeland Chief: Cyber 9/11 Could Happen Imminently."

22 Panetta

23 Ibid

24 Martinez; Clapper

25 Arquilla

26 Adapted from 20YY Report See Work, p. 9

determined by agile networks of people and cyber systems which would work in concert to produce “significant advantages” on the battlefield.27 Arquilla’s predictions regarding the notions of future conflict have held true in broad part over the course of the twenty years since its publication. While the “fog of war” has proven to be an enduring feature of any conflict, the US military enjoys unprecedented Intelligence, , and Reconnaissance capabilities by virtue of a robust network of UAVs, , and various Signals Intelligence (SIGINT) platforms. Technologies such as GPS-guided cruise missiles, remotely piloted MQ-9 Reaper UAVs, and Command and Control software suites such as Blue Force Tracker have become fixtures of contemporary American conflict over the course of the past decade. These technologies allow the US military to move with rapid, ruthless precision against its foes as and world learned in March 2003 during the opening “ of Operation Iraqi Freedom. The very software, servers, and networks which allow for such unprecedented coordination and speed are vulnerable to malicious hackers. This cyber infrastructure constitutes a strategic liability which could potentially enable an adversary to both degrade US military forces and disrupt civilian utilities and services on the homefront. The fact that computer systems and digital networks control so many vital services from power supply to banking transactions creates an incredibly inviting target for those who wish to harm America, from nation-states and terrorist organizations all the way down to a lone begrudged computer scientist. It is this reliance on cyber systems which makes cyberwar “inevitable” according to Cigital executive Gary McGraw.28 This conventional notion of an inevitable looming conflict fought over servers and routers came into vogue around 2010 with the publication of Cyber War by Richard Clarke. 
The author painted a horrific picture of the potential of a large scale nation-state level cyber attack which would simultaneously disrupt all of the military’s command and control networks, drain the financial system, crash all manner of transportation systems, and leave the nation in darkness.29 In Clarke’s hypothetical near-future scenario, the nation would suffer the worst attack in its history with thousands of casualties and no one in the intelligence community would be able to identify with any certainty who conducted the attack.30 The attack scenario and Clarke’s work in general have been sharply criticized as amounting to little more than fear mongering. Wired magazine’s review of the book noted that, “So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would

27 Arquilla

28 McGraw

29 Clarke, pp. 64-69 “When Cyber Attack”

30 Ibid, p. 68

dismiss it outright.”31 Clarke’s “obsession” with cyber attacks causing severe disruptions in the power grid due to a hostile nation-state installing back doors and infecting them with viruses is based off an anonymously sourced Journal article.32 The “hacker horror story” of Chinese intelligence services stealing the classified plans of the new F-35 Joint Strike Fighter is dismissed by Wired as vastly over exaggerated, stating that the Chinese simply got the plans for the plane’s self-diagnostic software.33 In the opinion of Wired, Clarke’s cyberwar should be “filed under fiction” and should remain confined to the plot lines of and (which Clarke directly alludes to).34 This criticism of apocalyptic cyber attacks did not stop a whole suite of authors from following in Clarke’s footsteps, eager to cash in on the nation’s cyber anxiety. Former National Inspector General Joel Brenner published his own book entitled, “America the Vulnerable,” in which he warns of the same vulnerabilities to America’s infrastructure. The book discusses at length how Russian, Chinese, and Middle Eastern (read: Iranian) hackers have penetrated our power grid, stolen our sub designs, robbed our banks, and compromised the Pentagon’s secure communications.35 As told by Brenner and Clarke, the US defense establishment and the overall US economy are under constant cyber attack by rivals such as China who steal our intellectual property from jet fighter designs to the source code of new video games. Brenner cites the statistic that as of 2011, companies worldwide were losing $5M each to cyber industrial espionage and that China was the primary perpetrator of such attacks.36 Cyber doomsday prophets such as Clarke and Brenner were assisted in their narrative when Deputy Defense Secretary William Lynn penned an article in Foreign Affairs in 2010 detailing the threat in cyberspace and how the Pentagon is working to address the issue. 
Lynn directly acknowledged the potential threat of cyber attacks against critical infrastructure as well as ongoing espionage against the defense

31 Singel

32 Ibid

33 Note: Neither Clarke nor Wired are particularly meticulous in their citation of sources. According to Congressional testimony by Defense Acquisitions Chief Frank Kendall in 2013, the Chinese did steal unclassified data belonging to the F-35 JSF program along with data pertaining to over two dozen other weapon systems such as Blackhawk helicopters and forthcoming missile systems. Kendall reported that he remained confident that only unclassified information was stolen on the program and that the classified information pertaining to the programs remained secure. See: Alexander

34 Note: The plot of Die Hard 4 or is set during a massive cyber “fire-sale” which devastates US commercial and national infrastructure. The envisioned attack follows the script of many doomsday cyber prophets who warn of a lone, disgruntled computer genius who could remotely takedown most of the US infrastructure with a series of cyber attacks. See: "Die Hard 4 Trailer."

35 Brenner

36 Ibid

industrial base. Lynn argued that the low barriers to entry inherent to the cyber domain, “means that U.S. adversaries do not have to build expensive weapons, such as stealth fighters or aircraft carriers, to pose a significant threat to U.S. military capabilities.”37 Lynn, however, made sure to temper his assessment of the threat, noting that, “the cyberthreat does not involve the same existential implications ushered in by the nuclear age, but there are important similarities.”38 This contrast is important to note given the bellicose and hyperbolic rhetoric used by Cabinet level officials regarding the cyber threat just three years after the article was published. Clarke, Brenner, Lynn and the plethora of officials touting the wide scale threats of cyberwarfare have been assailed by their more moderate critics, such as Peter W. Singer, as the “Cult of the Cyber .”39 Members of the cult, in and out of the defense establishment, use the fear of a devastating potential offensive cyber action to press the need to develop our own cyber capabilities, in order to maintain the “first strike” advantage. This era mindset towards cyber threats greatly exaggerates the magnitude of their potential impact and leads to loss of credibility when the only voice in the room is, “screaming about how the cyber sky is going to come crashing down.”40 This offensive disposition towards acts of cyber war does little good to protect the nation against the real cyber threats which assail the nation daily. 
As noted by Singer, it does little good to protect your online glass house by buying a better stone sharpening kit.41 The cyber alarmists are bounded on the other end of the spectrum by traditional scholars such as and Adam Liff who argue that the concept of cyber war is as meaningful to as the “war on drugs” or the “war on obesity.”42 Rid in his novel, “Cyber War Will Not Occur,” argues strongly that politically motivated cyber attacks thus far amount to little more than digital versions of the age old concepts of subversion, espionage, and/or sabotage. Rid directly asserts that the world has never experienced a true act of cyber warfare and that such an act would, by definition, need to result in physical destruction or loss of life. These violent cyber actions must also be waged for more than the express purpose of wreaking havoc but be the means towards a larger political end goal. This stipulation is born out of Clausewitz's model for conventional conflict that war is nothing more than an extension of political will. Lastly, the act of aggression must be known and publicly attributed. One

37 Lynn.

38 Ibid

39 It should be noted that these cyber fear-mongers all stand to benefit financially from hyping up the threat of cyber attacks in the form of book sales, speaking engagements, or larger budgets. See Singer, Peter. “Cult of the Cyber Offensive” Foreign Policy.

40 Singer, p. 172

41 Singer. “Cult of the Cyber Offensive.”

42 Rid, Thomas.

off covert operations do not constitute a war, nor do covert campaigns such as the US drone program. For Rid, these criteria make it highly unlikely that a state will ever publicly attack another leading to the catastrophic loss of life which the cyber alarmists have made their name advancing.43 Adam Liff of Princeton University echoes Rid in his contribution to the Cyber Warfare Roundtable for the Journal of in an effort to counter the pervasive cyber alarmist narrative. Liff and Rid both believe that the threat of cyber war is exceptionally over hyped and quite detached from grounded International Relations theories and paradigms. Liff differs from Rid, however, in that he directly asserts in his article “The Proliferation of Cyberwarfare Capabilities and Interstate War,” that cyber war will increase the likelihood of interstate war in the international system, but only marginally. He noted that conflicts will not be “purely” cyber but will occur in addendum to ongoing hostilities between states such as what occurred between Russia and Georgia in 2008.44 While offering a well grounded examination of interstate cyber conflict, Liff fails to address the issue of non-state armed groups such as terrorist attacks or other lone actors using such tactics. Rid argues that non-state actors are thus far incapable of waging “actual” cyberwar because such devastating and deadly cyber attacks remain the purview of, “only very few sophisticated strategic actors,” like America, , China, Russia.45 The field of cyber warfare is actively evolving and it is not possible to fully capture the full spectrum of debates occurring in the field. This very limited literature review attempted to show the broad contours of the field and the bipolar nature of the debates between International Relations scholars, policy makers, and private sector executives. 
The mainstream rhetoric of cyberwarfare found in the media, Congress, and from government officials shows little grounding in the actual models and theories as to why states and groups enter into conflict with one another. This piece will attempt to cut through the apocalyptic hypotheticals to develop a grounded working model of what cyber warfare actually is, both involving states and/or non-state actors, and whether it’s possible to have such a conflict at all.

43 Thomas Rid is a Reader at the King’s College of Department. Rid, Thomas. Cyber War Will Not Take Place. Journal of Strategic Studies, 2012.

44 Liff, Adam. “The Proliferation of Cyberwarfare Capabilities and Interstate Conflict, Redux. Liff Responds to Junio.” Journal of Strategic Studies, 2012.

45 Rid

Clausewitz and Cyber Warfare

Prussian General and military theorist Carl Von Clausewitz’s masterwork was written during the early 1800s yet remains an enduring facet of Western military thought. His most basic tenet is that the nature of war is the violent use of physical force to achieve a political objective against an enemy force.46 War’s very nature is inherently violent, interactive, and political.47 The nature of war may not change but the character of warfare is constantly in flux as technologies evolve and new strategies emerge. Humanity has evolved from using swords and spears fighting over arable land to tanks and ballistic missiles stopping the of dictators and ideologues. The tactics and objectives may change but war has remained an organized use of violence to achieve political goals, to “impose your will on the enemy.”48 Thus in the case of the cyber context, what is a “war” if this violent nature is removed from the system and it becomes an ‘algebraic equation’ devoid of blood and ashes?49 Thomas Rid of the King’s College of London uses this Clausewitzian conception of war as the basis for his argument and book title, “Cyber War Will Not Take Place.” War as defined by Rid is based off three main tenets of Clausewitz. The first is the inherently violent nature of war. The actions of the aggressor or defender must result in death and destruction, at least to one side. This violence is therefore the means in achieving a larger political end. Violence for the sake of violence itself is nothing more than mere savagery. War is an inherently political decision to use violent force to achieve a larger goal. It is broadly used to compel an enemy to do something (i.e. surrendering to your demands), to stop an ongoing action (i.e. SEALs killing Somali pirates to end a hostage situation), or to deter hostile action from occurring in the first place (i.e. Cold War). 
This larger political intention must be communicated to the adversary at some point during the conflict.50 This communication of strategic intent can take any number of forms, from formal channels like a speech from the Oval Office to less conventional forums like a YouTube video from the Taliban taking credit for a suicide bombing.51

46 Clausewitz, Ch.1

47 Mewett

48 Clausewitz, Ch. 1

49 Ibid, 3. Utmost Use of Force

50 Rid

51 For the purposes of this piece, the political ‘actor’ is not limited to nation-states. The political actor may be any state, a clan, tribe, group, network or some hybrid amalgamation with a specific agenda.

Rid also notes that the act of force in directly and usually quite immediately results in casualties.52 When the trigger is pulled or the detonator activated, people will die shortly thereafter. In the case of cyber weapons, any casualties which result would generally be indirect and delayed. In the case of an attack on the power grid which results in a , the malicious code itself did not kill anyone. Any cause of death would be secondary to the disrupted power supply, i.e. people freezing to death without heat or patients dying because their ventilators failed. The malware did not cause penetrating trauma or structural collapse like kinetic munitions. Under Rid’s framework, such an attack against the power grid would constitute sabotage rather than open warfare even if the attack did occur during a time of political hostilities.53 A singular attack does not make a war, for war is never an isolated act.54 Even longer-term politically inspired campaigns of sabotage like the American/Israeli Olympic Games or the suspected Russian-orchestrated attacks against Estonia in 2007 amounted to little more than a disruption of services rather than a campaign of actual destruction. 
Stuxnet, the poster child of the Olympic Games campaign, did cause physical destruction of the Iranian centrifuges, but whether the action constituted an “act of war” or was simply yet another covert intelligence action is a matter of contentious legal debate.55 While Iran may consider this an act of war against its nuclear facilities, it has thus far been treated as simply an expansion into the cyber realm of the ongoing sabotage campaign including the quite conventional assassinations of nuclear scientists and rumored destruction of missile construction facilities.56 Thus far, destructive cyber campaigns are more akin to conventional sabotage operations using Special Forces or spies which may occur during times of both war and in which the actor wishes to remain for any number of politically expedient reasons. Rid concludes that no cyber attack on record has ever directly caused casualties, was instrumental in achieving a stated political objective, and was publicly attributed to a specific actor. According to Rid, all prior cyber attacks of a political nature have thus far fallen into the space between crime and open war; notably as acts of espionage, subversion, or sabotage.57 Unlike warfare, these actions can operate in a vacuum as single standalone operations. If warfare is the orchestra, these acts are the individual instruments.

52 Rid

53 Rid

54 Rid; Clausewitz

55 Zetter

56 See: “Has Israel Been Killing Iran’s Nuclear Scientists?” By Eli Lake. It is strongly suspected that the was behind the Nov 12, 2011 explosion at the IRGC missile production facility which housed Shahab-3 ballistic missiles near Tehran. See: Vick

57 Rid

Hypothetically speaking, it is possible to devise a cyber attack which would meet Rid’s strict Clausewitzian conception of warfare. A political actor could possibly use a cyber attack to sabotage the autopilot in planes and crash them into cities. The adversary could open the floodgates on and flood vast sections of farmlands. He could also possibly disrupt the track switching on a rail network to cause trains carrying hazardous freight to derail and explode. These are a number of common possible worst case scenarios which are held up by the cyber alarmists as the dangerous potential of cyber warfare. Rid dismisses these types of large scale sabotage operations as remaining to date the work of “science fiction.”58 These hyped-up attacks and doomsday scenarios devoid of serious theoretical grounding served as the basis for Rid to publish his own article in order to counterbalance the bellicose rhetoric.59 The intention of this piece is to find balance between these alarmists and deniers and to look at how cyber matches up to the conventional definitions of war and whether it is possible to even have a ‘cyber war.’ Looking at Clausewitz directly for a framework yields that war is an extension of political will taken to its violent extreme. It is a series of duels, where two hostile forces collide, each trying to impose its will on the other.60 War is not a single death blow, but a series of calculated actions designed to make the opponent worse off such that the price of accepting your terms is better than a continuation of hostilities.61 War is also inherently interactive, where two parties collide in conflict rather than a living force acting on inanimate mass. 
Thus when an actor uses violent force to achieve an objective against an adversary which cannot muster a defense, it is not a war but a slaughter, according to the Prussian.62 There is the potential for two advanced industrial states to use a series of destructive cyber attacks against one another as a means to avoid the perceived greater destruction resulting from a conventional war. This duel stands in stark contrast to the many “bolt from the blue” doomsday scenarios presented by the cyber alarmists in which a crippling cyber attack disables the country without warning and leaves the entire nation defenseless. In reality, as shown by Rid and other scholars, cyber attacks coincide with or build upon very real-world hostilities.

58 While Rid may dismiss the destructive potential for cyber attacks, the Information Design Assurance (IDART) at the Sandia National Laboratories has conducted at least 50 cyber war games involving large scale infrastructure disruption. While the exact results remain classified, the war games prove that there is sufficient ground to fear a potential attack of this magnitude. See: Parks

59 Ibid

60 Clausewitz, Ch. 1

61 Ibid - Utmost Use of Force

62 Ibid

China and Japan, for example, are both advanced industrial actors with significant cyber capabilities who are locked in a pitched confrontation over the Diaoyu/Senkaku Island chain in the South China Sea.63 It is foreseeable that the conflict over these islands could potentially become violent. Both parties may employ increasingly destructive cyber attacks against the infrastructure of their rival in order to compel them and achieve their objective of controlling the islands and the vast mineral wealth which comes with them. This hypothetical series of cyber attacks would fit the definition of a using cyber means to force the adversary into submission. If the OBJECT of war is to impose one’s will then the AIM of war is to disarm the enemy. Clausewitz postulated that in order to disarm one’s enemy it was imperative to conquer his territory, destroy the military force, and break his will to fight. In conventional warfare, the territory of a state is fixed and demarcated with known international boundaries. The territory of a particular state may grow or shrink with conquest but the total amount of land and sea on Earth is finite. The artificial domain of cyberspace, however, is growing exponentially. Today there are 10 billion networked devices which access the Internet and it is predicted by Cisco that by 2020 this number will grow to 50 billion.64 The physical sovereign land which the United States has to defend has not grown since the addition of Hawaii in 1950 but the area which the United States military has to defend on the Internet is growing exponentially. National borders are meaningless, for packets of data circle the globe over fiber optics at the speed of light. This speed of action in the cyber realm fundamentally shifts the classical concept of friction, for the conventional limitations of time and space do not apply in cyberspace. 
The Internet may be virtual but the physical routers, switches, and servers reside within the sovereign territory of existing nation-states. The Manual on the Applicable to Cyber Warfare established as Rule 1 that states have sovereign control over all cyber infrastructure which resides in their territory.65 But is it even possible to invade the sovereign territory of a nation’s cyberspace as one would violate its airspace or territorial waters? As a general rule, data packets, both malicious and benign, constantly pass through any number of routers and switches to get to their destination. Thus for an actual ‘’ to occur a malicious actor would have to seize control of a server or router. But physically seizing infrastructure in the cyber realm does not hold nearly the same value as it does in the physical world. Controlling the server which routes all the data for networks on the east coast is not equivalent to having a naval force take control of east coast .66 Simply seizing control of some type of networked machine holds

63 For in depth reporting on Chinese Cyber Forces see: Stokes. For background on Japanese Cyber Forces see: Peck

64 Dorrier

65 Schmidt, pg. 15-16

66 Rid

little value in and of itself. A of a million computers holds no utility until it is actually put to some task.67 Thus, compromising a system is simply a means to an end, not the end in and of itself as physically conquering a real piece of territory would be. Even if a specific system or network were to be compromised, the aggressor would be loath to advertise it for this would alert the network administrator to simply quarantine the infected machine from the rest of the network and install new routers to bypass the intrusion. There is no good analogy for this ability to disconnect compromised cyber infrastructure from the real world as physical territory cannot be disconnected from reality. Conquering territory just does not work as a concept when dealing with cyber warfare. Clausewitz’s second prescription was to ‘destroy the military power’ of the state in order to disarm the enemy. He defined this as reducing the enemy’s military strength to such a weakened state that they are no longer able to conduct . Conquering the territory was integral to destroying the military power, for controlling the land denied the enemy the ability to use its manpower and factories to create a new military force. While a well programmed virus may disrupt operations and communications for a brigade, it does not negate the fact that there is still a battalion of trained soldiers waiting to respond. Until such day that some force deploys cyborg soldiers, humans are not susceptible to computer viruses. However, as America increasingly outsources its logistics, ISR, and even strike platforms to robots, it increases the potential for its military power to be disrupted or even co-opted as discussed in detail in the later section on Electronic Warfare. The primary potential for cyber within a conventional battle is to sabotage the computers and communications networks which the adversary relies on to function as a coherent fighting force. 
An army which is used to having an absolute technological superiority would be caught in the blind if it were to suddenly lose its radars, avionics, logistical, and GPS systems in the heat of a battle. This army would be at a severe disadvantage against a potential adversary, especially one which knows how to operate in the absence of modern technology. Thus the cyber domain is poised to become the new high ground in modern conflict.68 If one can gain information superiority over an adversary, it could lead to victory if the enemy is rendered combat ineffective by their loss of computer networks as seen in the section on Strategic Weapons. This loss of information dominance may be so demoralizing to the opposing force that it breaks their will to fight because they do not know how to function without their networks. In 2006, when an crewman was asked during a simulation what would happen if the network were to go down, he responded that, “we would have to stop flying missions.”69 Even if the physical planes are still intact, there is

67 See Glossary for explanation of botnet; Singer p. 111

68 Work

69 Andress Location 1423 Kindle

the psychological impact that these systems cannot be trusted after a network breach and they are discarded entirely. A cunning adversary thus would do well to invest in cyber PSYOPS capabilities which convince a future air component commander to ground his air wing for fear the F-35s would fall out of the sky. A cyber attack may have such a profound psychological effect that it breaks the will to fight without ever a shot being fired. This would result in a strong deterrent effect if an actor can make his enemy believe his military force is degraded such that he is not willing to risk further aggression.

Deterrence and Cyber Warfare

Deterrence as a shaped the environment of the Cold War by producing a multi-decade standoff as a result of mutually assured destruction. This idea of deterrence by punishment had a very simple logic: you will not stand to gain anything from destroying my country for you will be killing yourself as well. In the context of cyber conflicts, deterrence through denial or punishment works at the tactical level but not the strategic, at least in the classical sense. Imagine a firm which had intellectual property it wanted to protect. The CIO of the firm could deny the rival any benefit from conducting cyber espionage by manipulating its own files such that they were laced with a ‘homing beacon’ and/or ‘self destruct’ mechanism. This tactical decision would allow the firm to publicly shame its competitor as conducting industrial espionage by being able to positively identify it as the source of the attack while also denying it any benefit from the encrypted files (the cyber equivalent of shredding and then burning sensitive documents).70 If the attacker were to attempt to subvert these methods of attribution by working through a third party such as Anonymous or another hacker cell, then the and self destruct code still denies them the benefit of the files. 
If this rival was repetitive in his attempted espionage against this hypothetical firm, then the targeted firm could possibly escalate its retaliation through what is known as ‘active cyber defense’, thus constituting deterrence through punishment. Google ‘hacked back’ against the Chinese into a server in Taiwan to identify the controllers of the 2010 Aurora attack but stopped short of leveraging any direct cyber attacks of their own.71 A firm hypothetically could go further and block the rival from receiving the file or even lace the stolen file with a virus such that it fills the adversary’s workstation with pornography or disables it outright with a .72 These types of aggressive hack back strategies would nominally be illegal for a standard firm but are well within the

70 Note: There are many ways a cyber attacker can obfuscate his identity and intention, such as hiring proxy attackers from Anonymous. However, the files would have to eventually get to the rival firm for them to make use of them.

71 Zetter, Kim. "Google Hack Attack Was Ultra Sophisticated, New Details Show."

72 See Glossary

jurisdiction of a government agency or department. The NSA’s Tailored Access Operations unit could go (and probably already has gone) so far as to lay out “honey pots” of desirable files for the Chinese PLA to steal, which then contain modified versions of cyber espionage toolkits such as the or Gauss APT which would then go through and map the Chinese cyber warfare division Unit 61398 in Shanghai.73 If the NSA really wanted to send a statement they could activate backdoors in this unit’s servers and disrupt their operations with logic bombs rendering their computers useless. The issue with this aggressive tactic is that it is a single barreled weapon. Once a cyber weapon is used against a target it generally cannot be used again. Generally, highly sensitive government systems and infrastructure are protected by intelligent network administrators who would do whatever they could to patch whatever zero-days or backdoors were exploited in the attack. Zero days are coding errors which even the original programmers are unaware of and thus provide zero days to prepare for an attack against this vulnerability. The strategic value of a cyber weapon lies with its inherent surprise and this is the precise reason why cyber weapons are exceptionally poor as a basis of strategic deterrence. Deterrence relies on an inherent fear before the fact of the enemy’s weapons system and the defender’s inability to counter them. In a contemporary conventional context, Ukraine is deterred from responding to Russia’s invasion of Crimea due to the buildup of tanks, troops, and fighter jets on its borders. In a cyber context, however, a nation cannot flaunt its hard-won logic bombs or zero days because this would neutralize their strategic utility and give the enemy advance warning. Quite simply, these are covert tools which won’t be on display in a military parade any time soon. 
Thus, the most which can be offered is vague threats such as “turning off your lights” or broad threats against critical infrastructure or government services. The true magnitude of the possibilities of a nation-state offensive cyber action remains hypothetical and the stuff of Hollywood fiction. How can our adversaries fear something which only exists in theory or they do not even know exists as a possibility? This was the same argument made by Marine General James Cartwright in his criticism of current DoD Cyber security doctrine. “The Pentagon needs to say to the attacker, 'If you do this, the price to you is going to go up, and it's going to ever escalate,’” Cartwright said.74 In order to develop a cyber deterrent strategy, inasmuch as that is even practical, the United States would need to ‘test’ their weapons in such a way that the world could see their potential but did not give away their mechanism of action. When a was detonated as a test the Soviets could infer certain capabilities by looking at thermal and radioactive signatures, flight trajectories, etc. But with a cyber weapon, when it is released, the actor is concurrently releasing the blueprints for it, known as the source code, to the entire world. Imagine if every time that

73 For an in depth analysis of China’s elite cyberwarfare unit see: "APT1: Exposing One of China's Cyber Espionage Units.” The TAO is reportedly the most elite of the NSA’s offensive cyber warfare units and most likely is the unit which developed the Stuxnet virus. For more information on the unit see: Aid

74 Rashid

the US or the Soviets tested a new nuclear device that the other side was also given the blueprints necessary to understand its exact workings. This is one of the main strategic issues with cyber weapons which are completely unique to this new domain.75 When President Obama made the decision to use the Stuxnet virus, he had to accept that it was no longer under his control. The virus accidentally spread well past Iranian centrifuges and attacked industrial control processes across the region and was captured “in the wild” by Kaspersky Labs.76 This characteristic actually introduces a reverse mechanism of deterrence where the state and not the adversary could be deterred from using such a weapon due to its potential to spread uncontrollably, or worse, for the source code to fall into the wrong hands. It was recently leaked by David Sanger of , that President Obama chose not to use cyber weapons against the Assad regime in Syria in 2011.77 The plan was to use sophisticated cyber weapons to target Syria’s integrated air defense systems, air combat control, and missile production facilities in order to turn the tide of battle from afar. The Obama administration, however, was expressly concerned that to intervene in the Syrian conflict with cyber weapons would be considered an act of war rather than just an act of covert sabotage such as in the case of Stuxnet. Would such an action then open the United States to retaliatory cyber attacks against our own critical infrastructure?78 These hypotheticals ultimately deterred Obama for fear of punishment by the opposition rather than Assad shivering in fear at the thought of our carefully cultivated viruses and . 
Countries are continuing to rapidly develop cyber warfare capabilities and DoD’s just released Quadrennial Defense Review highlighted such capabilities as the main development and acquisition priority for the next four years.79 However, the US and other countries may be deterred in the future from ever employing such weapons for fear of an inability to control the effects of such weapons. These nations may also be deterred for far more pecuniary concerns such as wasting billions in developing an exploit toolkit for it to be used for free by the whole world. This financial pressure presents similar risks to artists who rise up in arms against digital content piracy. What incentive do these artists have to continue to produce their songs and movies if they are distributed for free across the world? It may become similarly futile to develop cyber weapons if an enemy can gain perfect knowledge of its workings any time it is used and

75 Diamond

76 This means that the code is openly available amongst the Internet and can be reused by any sufficiently competent actor. See: Albanesius.

77 Sanger, David E. "Syria War Stirs New U.S. Debate on ."

78 Ibid

79 Weisgerber

perhaps even reverse engineer it to be used against one’s own infrastructure or that of an ally.80

Compellence and Cyber Warfare

Compellence as conceived by is the “threat of force to make an enemy do something.”81 This is opposite to the concept of deterrence where the implied threat of force keeps an adversary from conducting an action in the first place. In a contemporary example, Israel compels the militants in Gaza to cease rocket attacks by threatening a massive aerial . On the northern front, however, Israel does not need to actively threaten force against because they are sufficiently deterred from the aftermath of the 2006 war.82 This deterrence is passive and indefinite in timeframe while compellence is by definition active and time-sensitive. Compellence requires the active threat of physical violence to stop an action in progress or to compel an adversary to take a preferred action by a certain amount of time.83 On an individual level, a criminal who brandishes a weapon in order to rob a pedestrian of his wallet is compelling the unlucky chap to hand over his wallet now or die. It is a specific threat with a very specific deadline. The victim will most likely be deterred from ever setting foot in that neighborhood again as a result of this use of force for fear of being robbed again. Cyber attacks do not match up well with conventional theories of compellence for such attacks are purposely obfuscated acts of sabotage engineered to effect an objective while providing the utmost plausible deniability. Compellence requires the public threat of force to achieve an objective. 
Compellence is Ambassador Robert Oakley threatening Habr Gidr elders in Mogadishu in 1993 to release 160th SOAR Pilot Mike Durant or, “This whole part of the city will be destroyed, men, women, children, camels, cats, dogs, goats, donkeys, everything…”84 This was an explicit threat by the United States to an adversary to take a particular action within the span of a “couple of weeks.”85 The United States directly threatened the Somalis with physical death and destruction if their conditions were not met. To date, no country has ever made such an explicit threat using cyber weapons in order to compel an enemy to accept their will.

80 This is precisely what happened with Stuxnet in 2012 when Iran was able to repurpose the Wiper.exe module of the virus in the attacks which severely disrupted the networks at and Qatar’s RasGas. The attack left close to 30,000 work stations inoperable by using the same code the US and Israelis developed to wipe the data from Iran’s enrichment computers. See: Carr

81 Schelling.

82 Williams

83 Ibid

84 Kilcullen p. 76

85 Ibid

The true potential for the destructive or disruptive effects of a nation-state cyber attack is the subject of significant debate within the literature. Within the US government there is significant talk of the potential for a “cyber Pearl Harbor” or “cyber 9/11” as noted by Defense Secretary Panetta and Homeland Security Secretary Napolitano.86 However, as scholar Thomas Rid notes quite clearly in his article, “Cyber War Will Not Take Place,” “No cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.”87 This dichotomy between perception and empirics creates considerable uncertainty regarding the potential of cyber weapons. This presents a critical question regarding offensive cyber actions. As with the aforementioned issues regarding deterrence, how do you threaten an adversary with a weapon whose capabilities have yet to be proven in combat? One of the ancillary benefits of the leak of Stuxnet is that it showed the world, and America’s adversaries in particular, that America has the capability to engage and destroy hardened targets at will via cyber means. However, the Stuxnet virus only disrupted operations at Natanz and did not outright destroy the facility as a conventional air strike would. The nuclear program in Iran continues as do the threats of conventional military force should this latest round of fail.88 If America or Israel wanted to explicitly compel Iran to shut down their nuclear program via cyber attacks then it would have to go in and actively disrupt critical infrastructure such as the power grid, command and control networks, telecom, etc. Simply threatening the use of untested cyber weapons on vague swaths of infrastructure would do little to compel Iran, because what would they have to fear from an unknown piece of malware until it causes physical disruption, destruction, or death? 
The United States would then have to hold these services and networks hostage until such time that the nuclear program was dismantled. Any prior threat, however, would provide the Iranians the opportunity to shore up the cyber defenses of their networks and thus seriously compromise the integrity and success of the operation. This aggressive move would also most likely be viewed as a dangerous escalation and possibly an act of war. This possibility of escalation is what prevented the Obama administration from attacking Bashar al-Assad’s command and control infrastructure for fear it would prompt a retaliation, either electronic or kinetic, on American interests or those of its allies.89 Even if this attack were technologically possible and the President were willing to conduct such a course of action, maintaining access and control of the systems would not be easy. Potential adversaries such as Iran, China, and Russia all have significant cyber forces.90 Thus, even if there were vulnerabilities for the NSA to exploit, maintaining an attack once it had begun while the adversary’s own cyber forces are

86 “U.S. homeland chief: cyber 9/11 could happen imminently”; Panetta

87 Rid

88 "Israeli PM Threatens to Strike Iran."

89 Sanger. “Syria War Stirs New U.S. Debate on Cyberattacks"

90 Andress

doing their utmost to seal off the attack would be exceedingly challenging. It therefore behooves the attacker not to give any lead time on the potential attack vector or target in order to maximize the element of surprise. The main goal of Exploitation is to identify vulnerabilities and flaws in the code of programs and networks known as ‘Zero Day Exploits.’ Zero Days are coding errors which even the original programmers are unaware of and thus provide zero days to prepare for an attack against this vulnerability. But once such a vulnerability is used, the attacker has shown his hand and will most likely be unable to use this attack method again because the very act of using this zero day would call attention to this flaw and the rational actor would have it promptly patched. After Stuxnet, Iran invested over a billion dollars in cyber warfare capabilities so they would not be caught off guard again.91 The Olympic Games cyber campaigns showed Iran the potential disruption which a cyber weapon could cause and now they have developed their own cyber warfare capability targeting the United States and Israel.92 Another aspect of compellence which does not match up with cyber is the need for strategic assets which can be threatened via cyber means. In conventional compellence, physical violence can be used to threaten anyone because all humans have a life to lose. But in the cyber realm, not everyone has critical infrastructure which is connected to the Internet or is run by computer systems. Cyber attacks are only effective against those who rely on functional computers and networks for their operation. This presents an obvious asymmetrical advantage to the low tech adversary who can conduct their operations without modern communications equipment against a state like the United States, , or Estonia. 
The United States has significant assets connected to the cyber realm from the financial market, power generation, and communications networks which a low tech adversary could threaten without fear of symmetrical retribution (i.e. without fear that their own cyber systems would be attacked in kind). Al Qaeda could potentially one day threaten our banking infrastructure with cyber attacks but what assets of al Qaeda’s could America target with cyber if their command cells only use human couriers? Non-state adversaries have the advantage because they can divest themselves from cyber vulnerabilities much more readily than a state like the United States could just one day ‘unplug’ itself from the Internet. However, this then opens the question of when does a cyber attack warrant a kinetic response? When would the United States hunt down a hacker with the same prejudice as it currently hunts terrorists? If they cannot be harmed via cyber, then the US maintains the option of responding with lethal force from conventional weapons systems.93

91 “Iranian Threat to US Homeland”

92 Siboni

93 Gorman

Given that such cyber actions could be potentially considered acts of war, how does an actor signal their intentions in the cyber realm? In the physical realm, a state engages in ‘costly signaling’ by moving their assets into position to show the level of commitment to the threat. Moving a carrier battle group off the coast of an adversary is a well understood signal which reinforces the threat of force should the adversary not comply. But in the cyber realm, how does an actor signal their intentions when the tools of cyber espionage and cyber attack are identical? A potential example is if backdoors were found in a network controlling air battle management on a carrier in the Pacific that were traced to China at the same time that there was heated rhetoric coming out of Beijing to stay out of the South China Sea. This ‘signal’ could easily be misinterpreted and overhyped as a sign of hostile intentions from the Chinese even if these backdoors had been present in the network for years prior and by sheer luck they were discovered during this tense exchange. There is also the potential that during such a heated exchange the analyst’s bias leads them to conclude that it was China as the most likely culprit when it could have been placed by another actor like Russia. Probing network vulnerabilities and installing remote access trojans are basic parts of cyber espionage but during a crisis such “intelligence preparation of the battlefield.”94 These actions, however, even ones conducted years prior, could be viewed as hostile acts and lead to a dangerous escalation as the true intentions of the actions and even the identity of the actor are obfuscated. Clear signaling by an actor would require perhaps turning off the power for an hour as a “warning shot” in a city of an adversary to compel them to take a particular action. 
However, this opens up the potential that the advisory will be able to find and patch the potential vulnerability in the time between the warning shot and the ultimatum, and thus renders the coercive thrust of the main cyber attack impotent. This is unique to cyber because with aerial , it is highly unlikely that a state will be able to procure and field an anti- air capability in a matter of hours like you can with patching a cyber system. A open use of a cyber attack against an adversary also denies the aggressor the benefit of the covert action and presents a clear ‘return address’ for retaliatory cyber action. One of the main benefits of cyber is the inherent issue with attribution and potential lack of a physical return address and thus a direct threat would negate this shield of plausible deniability. In conclusion, it is extraordinary impractical to use cyber attacks as the primary means to compel an enemy because the true effects of a cyber attack are unknown. Once a piece of weaponized malware is released, its strategic value sharply degrades because it give the adversary and the rest of the world the ability to capture, analyze it, and then field patches for their systems. Thus, because by definition compellence requires a prior threat of force to stop an ongoing action or to compel a specific action a cyber attack would hold little strategic value because it neutralizes the inherent surprise of the weapon. Cyber weapons can also only be used against those who have assets which are reliant on functional computer systems. A low-tech non-state actor could

94 See Ch 9 “Computer Network Exploitation” of Cyber Warfare: Techniques, Tactics, and Tools for the Security Practitioner for a full discussion of the techniques and tools involved

potentially use a cyber attack to coerce America to release all the prisoners at Guantanamo, but the US would have few cyber targets to choose from when it decides to retaliate if the enemy does not use computers.

As a final note, it is nearly impossible to discern cyber espionage activities from cyber warfare, as the predatory actions such as installing backdoors and remote viruses could be used for either or both purposes. Cyber warfare or, in this case, cyber sabotage activities require espionage in order to infect the system with the proper virus. Thus how would a cyber defender distinguish cyber recon toolkits intended simply to exfiltrate mission plans from those intended to fry the entire system? This dual-use conundrum is one of the many strategic obscurities which are inherent to cyber systems and will only increase as additional actors aside from states engage in cyber warfare activities.

Cyber as a Strategic Weapon

A strategic weapon is one which by itself has the capability to destroy an enemy’s military, political, or economic power such that they are reduced to a point where they are no longer a threat.95 General Carl Spaatz, father of the US Air Force, defined strategic weapons as weapon systems, “capable of stopping the heart mechanism of a great industrialized enemy. It paralyzes his military power at the core.”96 General Spaatz was referring specifically to the advent of strategic bombing, first unleashed during WW2 and then expanded with the invention of the atomic bomb and the subsequent intercontinental ballistic missile. Strategic nuclear forces allowed a country to launch a missile from its home territory and destroy an entire nation. As the Japanese learned firsthand, nuclear weapons introduced a weapon so powerful that it could replace all other military forces.
The doomsday scenarios expounded upon by Beltway pundits have played up the potential use of cyber attacks as a similarly catastrophic first strike weapon which could leave the economy in shambles, the nation in darkness, and the military paralyzed.97 As noted earlier, however, “No cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.”98 So how do we reconcile this dichotomy between hypotheticals and empirical fact? Can the use of cyber weapons replace current conventional weapon systems? Can it destroy the “heart” of the enemy and win the day? Does cyber have the potential to be a weapon system with its own distinct mission separate from supporting the physical branches of the US military?

95 “Strategic Weapon System”

96 Spaatz

97 See Richard Clarke’s doomsday scenario in Cyber War on pg. 63-68

98 Rid, Thomas. “Cyber War Will Not Take Place.”

Upon first look, the concept of a strategic weapon could mean very different things to different people. The US Air Force describes a “Strategic Weapon System” as one which is designed to be launched from outside a to strike a target (i.e., an intercontinental ballistic missile) as opposed to a tactical weapon system like the BGM-109 Tomahawk Cruise missile.99 The US developed numerous ‘strategic’ platforms as part of Strategic Air Command such as long range bombers, ballistic missile submarines, and missile forces which formed the basis of the US nuclear ‘triad’. Nuclear weapons, while operated by ‘Strategic Air Command’, could be classified as either strategic or tactical depending on the range of their launch platforms.100 This tactical/strategic dichotomy is not limited to offensive weapon systems but also applies to airlift systems. The C-17 Globemaster III and C-5 Galaxy are both considered ‘strategic’ airlift platforms as opposed to the C-130, which is a tactical airlift platform limited to transportation within a specific theater of operations. A ‘strategic weapon’ differs from a ‘strategic weapon system’ in that the strategic nature of the weapon has nothing to do with range. As mentioned in the introductory paragraph, a strategic weapon is one which attacks the heart of the enemy’s such as destroying its factories, communications, command centers, and airfields. In this case, entirely conventional weapons can be used for strategic purposes. The concept of strategic air power developed by General Spaatz during WW2 was to attack the German industrial base which supported the war machine as opposed to the conventional doctrine of close air support to support advancing forces.
General Spaatz argued in 1946 in Foreign Affairs that it was a strategic failure of the Germans not to adopt a policy of strategic bombing against the British.101 The allied forces used the “peculiarity of the third domain” to rapidly mass fires against a limited number of vital Axis targets and thus were able to have a disproportionate effect against the enemy.102 As opposed to the limited employment of , air power provided the ability to strike deep behind enemy lines with tremendous force against the “heart and arteries of , so that the enemy's will to resist is broken through nullification of his means.”103 In such a way, an otherwise conventional weapon, through proper force employment, can be used to destroy an enemy’s war making capability. This incredible potential of strategic bombing to attack the very heart of the enemy led to the idea that air power is a revolution in military affairs such that it could usurp the use of armies and navies in achieving political objectives. Conventional air

99 Stout

100 The division between tactical and strategic weapon system in terms of range is defined at 3500 miles. See: “Strategic Weapon System”

101 Spaatz

102 Ibid

103 Ibid

power theory, as developed by Office Hugh Trenchard, realized that it was now possible to attack targets well beyond the immediate battle lines and deep at the heart of the enemy’s territory. From this realization he theorized that the constant bombardment made possible by strategic airpower would so demoralize the population that it would lead to a national . Italian General and air power theorist Giulio Douhet expanded upon this and found that air power provided a dominant strategy by allowing for a swift and comparably clean victory against the enemy.104 Douhet triumphantly asserted that “to have command of the air is to have victory!”105 The following 70 years of conflicts have shown that air superiority is not an end unto itself nor a guarantor of swift victory. The Japanese only surrendered after the use of nuclear weapons despite the thousands of tons of ordnance already dropped on Tokyo which left the city in ruins. Squadrons of B-29s in Korea and B-52s in did not prevent our defeat. More recently, the US enjoyed total air superiority in both and yet found little strategic advantage against a guerrilla enemy which provides few fixed installations to hit. Even in the NATO air campaigns in Yugoslavia and Libya, there were local forces on the ground which were being supported by these strikes. As decisive as air superiority was in these limited engagements, they did not occur in a vacuum. Air power remains best employed as part of a combined arms formation, supporting the advance of conventional or irregular troops acting on an objective.106 Cyber is exceptionally similar to the development of strategic air power in that it can be used to strike targets deep within an enemy’s territory. Given that space and time are irrelevant constructs when dealing with cyber weapons, a cyber weapon could be far superior to a conventional bomber or even a missile.
An instantaneous strike against all of the communications, transportation, government, intelligence, and military networks would in theory be a paralyzing strike, if for nothing else on a psychological level. Applying Trenchard’s hypothesis about , such a strike at the heart of all the national systems could in theory lead to a swift surrender. This would therefore be the ideal weapon of Douhet and Chinese strategist who theorized about the art of winning without fighting. This idea of a perfect cyber storm works well in theory but as of the time of this writing has yet to be seen empirically. The most physically devastating cyber attack to date remains the 2010 Stuxnet virus which destroyed 986 centrifuges at the Natanz uranium enrichment plant in Iran.107 While the extent to which the Iranian nuclear program was delayed as a result of this virus is debatable, it was certainly not a death blow. In secrecy akin to the original Manhattan Project, the Olympic Games cyber campaign assembled the most sophisticated series of malware the world had ever

104 Clark

105 Douhet. p. 53.

106 Clark

107 For a full account of the Olympic Games program see: David Sanger’s Confront and Conceal Ch. 8

seen, according to Kaspersky Labs.108 Yet the real-world impact of this code did little more than any old conventional explosive. What made this weapon strategically unique, however, is that it proved that one no longer needs to send physical special forces or spies to sabotage an enemy’s most hardened facilities, which in and of itself is a major development. For a cyber campaign to have a truly strategic impact, it would need to hit multiple sensitive targets either simultaneously or in succession in order to disrupt the larger workings of the government or the general public. A cyber weapon need not be physically destructive to be effective if one’s goal is to terrorize the public or its government into submission. A true act of cyber war, though, needs to have a lasting, tangible impact either by virtue of service disruption, infrastructure destruction, or physical death. There are any number of systems, from autopilots to the switches on rail tracks, which would be susceptible to cyber attacks and could directly cause casualties. Other high level disruptions may include cutting off cellphone service or access to credit cards or online banking. Despite the hype in the media, however, the US has yet to face large scale attacks which caused tangible damage. Iran is suspected of using a denial of service attack against US banks in January 2013 which targeted PNC, BBT, and SunTrust Banks.109 This high profile attack, however, led to only modest disruption of ATM availability for customers and the nation carried on unperturbed.110 The Iranians are also believed to be responsible for the Shamoon attacks on August 15, 2012 which targeted the corporate computers at Saudi ARAMCO and Qatar’s RasGas. Both of these companies represent vital strategic interests of both the Gulf monarchies and the United States. When Iraq invaded in 1990, the US and its allies went to war with a principal aim of securing world oil markets threatened by the conflict.
This cyber attack, despite rendering 30,000 computers useless by wiping their master boot record, did not have any discernible impact on overall petroleum operations.111 The day the news broke of the attack, the oil markets barely blinked.112 The most tangible impact of the event was the congressional hearings on the matter.113

108 Ibid; Broad; Kaspersky

109 Gorman. “Banks Seek U.S. Help on Iran Cyberattacks."

110 Ibid

111 Mele; Carr

112 Brent Sweet Crude Oil futures only rose a matter of cents in August 2012 as opposed to a $3 rise in prices in late August 2013 when Obama was threatening Syria with cruise missile strikes. Computed with WolframAlpha. See: "Oil Prices August 2012 vs August 2013."

113 “Iranian Cyber Threat to US Homeland”

The world has yet to see a truly debilitating cyber attack from a nation-state or non-state actor. There remains great fear that one day, out of the blue, there will be an attack which cripples transportation, financial, and electrical networks. While economically disruptive, the loss of these services would not necessarily result in direct casualties like an aerial bombing campaign would. With a conventional explosive, one needs only basic physics to calculate the blast radius and the potential casualties of the weapon. With an attack on networked systems, however, it is not necessarily possible to calculate all the second and third order effects that the loss of certain data systems would have. Given the lack of empirical evidence, the full strategic potential for a cyber attack remains unknown. As seen from the Stuxnet example, even the most well designed malware may not be possible to control once released into the wild. The Stuxnet virus was only discovered when an unsuspecting Iranian scientist uploaded the bug to his personal laptop which he then connected to his home network. The worm traveled across the open Internet and would go on to infect industrial control processes using Siemens programmable controllers across the world with a high number of infections in and Indonesia, and even traces of it within US nuclear facilities.114 This presents a strategic level of uncertainty when a policymaker considers the use of a cyber weapon, as it could very well come back to attack their own networks and infrastructure which use the same basic hardware.

In conclusion, cyber weapons can be used strategically as they allow an actor to attack the critical infrastructure of an adversary from anywhere in the world. The electrons of malware move at the speed of light and can therefore, in theory, hit any target in the world instantly.
The attacker should focus on the systems on which the enemy relies for day to day operation, such as communication and logistical networks, in order to have the greatest impact. However, even a massive loss of various networks is unlikely to cause the full defeat of an adversary, as there will always remain a measure of uncertainty as to how disruptive a given piece of malware will be. With a cyber weapon, there is also no guarantee that any particular target is necessarily susceptible to a cyber attack, as opposed to the universal vulnerability to kinetic explosives. The cyber weapon must also be specifically tailored such that it cannot come back to be used against its creator, either by means of self destruct or other programming techniques. Therefore, cyber is neither the political godsend nor the revolution in military affairs that some of its proponents would like the world to believe. It is, however, a highly useful tool which can be used to create a new set of strategic options when diplomacy fails and kinetic military force is not warranted. The most useful application of cyber, like airpower before it, however, will be integrated amongst the other branches of the armed services, supporting and augmenting their axes of maneuver.

114 Lucarelli.

Cyber as a Component to Electronic Warfare

Electronic warfare is defined as using electronic or kinetic means to deny an adversary the use of the electromagnetic spectrum in his operations while maintaining unimpeded friendly freedom of operations.115 This may involve using high-power jamming aircraft such as the EA-6B Prowler or the new EA-18G Growler, which jam enemy radars and communications, or using anti-radiation missiles such as the AGM-88 HARM, which homes in on the electromagnetic signals of radar stations and command vehicles to directly destroy these assets. Weaponized malware can also jam communications or shut down a radar station, as shown by the Israeli attack on Syria in 2007.116 In this context, then, cyber warfare may be viewed as an augment to existing EW in support of operational objectives. The need to maintain a technological advantage has led to a constant within EW amongst electronic attack and electronic protection. When radars and radio communications were first utilized during WW2 they were primarily used to detect incoming aircraft and then direct flak cannons or other fighter aircraft to intercept incoming bombers.117 The RAF set up the first battle network in WW2 to link spotters, radar operators, and fighter squadrons by radio in order to coordinate their defense against the Germans during . The vastly outnumbered British air forces during the 1940 Battle of Britain were able to mass their forces and swarm incoming bomber squadrons. For military planners who have grown up in the generations since WW2, these tactics probably seem abundantly obvious, but at the time they were absolutely revolutionary.118 This first tactical command and control network replaced the necessity of stationary radio telegraph operators using Morse code which then had to be translated. Given the speed of airpower it became imperative to have a widespread surveillance network and the ability to disseminate this information in near real time.
During the Cold War, air (and now space) early warning systems became the primary means of defense against a surprise attack from an adversary. Highly advanced air defense networks were developed which combined mobile radar installations and missile platforms which could be deployed by a defender to provide an asymmetric advantage against a superior air force. Surface-to-air missiles such as the Russian S-300 or the US MIM-103 Patriot allow defensive denial of airspace at a fraction of the cost of maintaining a fighter interceptor fleet. For example, a Boeing F/A-18E/F Super Hornet costs in the neighborhood of $65M yet is threatened by the $1M interceptor fired by the S-300.119 For the cost of 2 F/A-18s ($120M) an adversary can field a full S-300 battery

115 JP 3-13.1 Electronic Warfare

116 Clarke. Ch. 1 -Trial Runs

117 "Radar during II.”

118 Work

119 "How Dangerous Is the S-300 Syria Is About to Receive?"; Aircraft Procurement FY2013.

which (depending on the model) can actively engage between 6 and 36 targets.120 Thus for the cost of 2 fighters (not including the costs of training, fuel, and missiles) an adversary could potentially down between half and 3 full fighter squadrons. The threat posed by enemy air defense led to the development of the “Suppression of Enemy Air Defense” (SEAD) mission set, known by its NATO codename “Wild Weasel.” Few nations have air forces which could seriously challenge US air power and thus adversaries have been investing in rapidly advancing air defense capabilities. Since 1991, all US air combat fatalities have been a result of enemy air defenses. The last time a US fighter was shot down by an enemy fighter was on January 17, 1991 by an Iraqi MiG-25; the other 22 air losses during Desert Storm were a result of surface air defenses.121 The US currently fields the AGM-88 High-speed anti radiation missile (HARM) to lock onto enemy radar stations and destroy their command and control hubs in order to defeat this threat.122 The first anti radiation missiles were developed in the 1960s with the AGM-45 Shrike, which was used against Soviet supplied air defenses during the . The US Navy and Marine Corps developed the EA-6 Prowler electronic warfare aircraft specifically to deploy these missiles to defeat enemy air defenses in the last days of the Vietnam War in the face of the thousands of aircraft being lost.123 This electronic warfare aircraft jammed enemy radars, intercepted their communications, and destroyed their SAM sites. EW aircraft such as the EA-6B provide the commander a level of information dominance over the battlefield by denying the enemy the ability to coordinate his defense in the face of superior US air forces. Maintaining freedom of action within the aerial domain has become inextricably linked to maintaining dominance of the electromagnetic spectrum. Suppression of Enemy Air Defenses has become the primary mission set before any other can take place.
During Operation Desert Storm, General Norman Schwarzkopf committed a majority of his combat sorties to defeating Iraqi air defenses.124 A CRS report to Congress found that SEAD missions over the past 20 years have represented a full 20-30% of all combat sorties.125 With the advent of cyber capabilities, it is no longer necessary to rely on dedicated EW aircraft for SEAD. In 2007, the Israeli air force flew across the Syrian border to take out a suspected nuclear facility. The Syrians maintain a sophisticated integrated air defense system designed to down US-made fighters such as the F-15 and F-16 which the IAF fields. But despite flying a squadron of unstealthy strike fighters clear across Syria to the Al Kibar Complex near the Iraqi

120 Ibid

121 Grant

122 Bolkcom

123 Grant

124 Clarke p. 9

125 Bolkcom p.5

border, not a single fighter was lost. The Israelis are suspected of using advanced EW jammers or malware to spoof the Syrian air defenses. As F-15I’s flew over Syria, the radar screens across the country remained blank as they were replayed a loop of “normal” operations.126 To date the Israelis have never acknowledged how they specifically took out the Syrian IADS, but if true it would represent the first use of cyber for SEAD operations. The idea of using cyber capabilities to take out enemy air defenses did not first arise in Jerusalem. During planning for Operation Desert Storm, Special Operations Command proposed using hackers from the US Air Force to take control of the Iraqi radar and missile launch centers. The idea was to cause the Iraqi Air Force’s command and control computers to constantly crash and reboot and thus render them unusable. General Schwarzkopf was deeply suspicious of these virtual weapons and believed that the only way to guarantee that the air defense capabilities stayed down was to destroy them outright.127 Flash forward 20 years: President Obama actively considered using cyber weapons against the Syrian air force as a low cost, low casualty option to degrade the operational effectiveness of Syrian fighters and missiles without having to commit US forces.128 US offensive cyber warfare capabilities remain highly classified, and thus until such a weapon is actually released it is not possible to gauge the true potential of such weapons with any type of specificity. The cyber attack on Syria was never ordered for fear of opening the United States to cyber retribution by Syria or its allies against US civilian infrastructure.129 If the attack had gone through, it would have provided an excellent empirical example of what is possible in the cyber domain with regard to using cyber weapons to deny a tactical capability such as air defense.
Aside from the Israeli example, there are few empirical examples in the open source of cyber capabilities being used for tactical electronic warfare. The Russians during the 2008 invasion of Georgia engaged in a concurrent cyber campaign which used massive botnets in a denial of service campaign against government websites, media outlets, and other pro-Tbilisi sites.130 This campaign of cyber vandalism followed the model used a year earlier against Estonia when it moved a bronze statue honoring the fallen soldiers of the Red Army during WW2. The cyber attacks targeted the public facing websites of the Estonian and Georgian governments and denied access for several days.131 While these Russian attacks are held up as

126 Clarke p. 6-9

127 Clarke p.8

128 Sanger, David. “Syria War Stirs New U.S. Debate on Cyberattacks"

129 Ibid

130 Singer p.111

131 Singer p. 98

some of the first acts of cyber warfare between states, neither actually attacked the military capabilities of the state nor degraded their military operational effectiveness. These cyber attacks were designed as acts of political subversion, keeping the populations of these nations in the dark in a coordinated information operations campaign. These attacks had little tangible effect on the lives of the average Estonian or Georgian, especially compared to the real threat of a Russian military invasion.132 The Russians used electronic means, in this case denial of service attacks via botnets, to deny their adversary the advantage of using a specific electromagnetic capability (i.e., the public Internet). Therefore, these attacks would be in line with the definition of electronic warfare as defined by established US in JP 3-13.1.133 However, neither of these cyber campaigns was instrumental in achieving any type of tactical objective. The Georgian forces were unaffected by the cyber campaign and surrendered in the face of conventional Russian mechanized battalions. In the Estonia campaign there were no discernible tactical objectives other than political protest.134 The Estonian Prime Minister likened the DDoS attacks which blocked his nation’s access to the Internet to a naval of a harbor.135 This analogy is misguided, as noted by Rid, for a naval blockade involves physical violence or the imminent threat thereof. A denial of websites does not kill anyone and at most would lead to economic disruption if the attack was able to be sustained.
The DDoS attacks on Estonia and Georgia lasted on average for about two hours and the longest lasted six hours.136 The better analogy would be to ask, “What is the difference between blocking websites and a protest movement like Occupy blocking government buildings?” These attacks much more closely constitute information/psychological operations through an electronic attack, defined as “by degrading the adversary’s ability to see, report, and process information and by isolating the target audience from information.”137 Blocking websites does not win wars in the same way dropping leaflets over Iraq did not topple Saddam. For cyber EW to move out of the realm of IO/PSYOPS it must not only produce a tangible result but achieve a tactical military objective. While there have been numerous documented uses of cyber attacks by nation-states for the purposes of espionage, subversion, and sabotage, the use of cyber EW to deny a military capability remains very limited. The US/Israeli use of cyber weapons known as Stuxnet on Iran constituted a strategic use of cyber weapons as it directly attacked the critical infrastructure of the Iranian nuclear program rather than

132 Ibid

133 JP 3-13.1 Electronic Warfare

134 Rid

135 Ibid

136 Ibid

137 JP 3-13.1 Electronic Warfare p.x

attacking a specific military asset or capability. Tactical cyber EW, as opposed to strategic cyber EW, targets military capabilities such as radar installations, fighter jets, and command and control networks. It does not directly attack the seat of national power or the overall ability of a nation to wage war as a strategic weapon does. One of the few other direct uses of cyber EW in a tactical setting was the downing of a US RQ-170 stealth drone as it was flying over Iran. The Iranians reportedly used a hacking technique known as “GPS spoofing” to fool the drone into landing in Iranian territory where it could then be captured.138 Iraqi insurgents also took advantage of the unencrypted data feed of US Predator drones and siphoned off the video streams in order to turn the tables on their US adversaries. By hacking into the video feed, the drones which were meant to provide continuous surveillance of insurgent positions were being used to coordinate insurgent attacks on US forces.139 As the technical sophistication of US adversaries grows, it could very well become possible to not only crash drones into the ground but to co-opt their lethal capabilities against their former owners. In mid-2011, a key logger bug was found inside the control stations at Creech Air Force Base in Nevada, from which the drones are flown, which actively recorded all the commands used to fly the aircraft.140 A scheming adversary could use a bug like this to reverse engineer how to fly a US drone and then use the GPS spoofing technique to capture a drone for their own use. Robots, unlike humans, have no conception of loyalty or honor and thus will fight for whoever is controlling the joystick.
With all the discourse concerning the various possible ways an adversary could use cyber EW to degrade US forces during a time of war, it is very important to remember that the only items which are susceptible to a cyber attack are those connected to a computer, and even here there is quite a range in vulnerability. Fifth generation fighter jets such as the forthcoming F-35 JSF and the F-22 Raptor would be particularly susceptible to cyber sabotage as they rely on their computers to be able to fly. Both fighter jets require millions of lines of code for everything from their avionics, to power management, to weapons systems to be able to function properly.141 An attack which crashed the fire control computer on an M1A2 Abrams, in comparison, would degrade its target acquisition capabilities but it would not cause it to fall out of the sky.142 Cyber EW may take out GPS or BlueForce Tracker but it has only a limited ability to physically destroy US military capabilities. The real threat from cyber EW is for an adversary to deny the US its enabling capabilities such as ISR from drones and satellites, to include erroneous targeting information sent to guided bombs. As the Iranian example showed, the GPS systems which the US military has come to rely upon

138 "Scientists 'hack' Flying Drone."

139 Kilcullen p. 175

140 Ibid p. 176

141 Kopp

142 "M1 Abrams ."

for rapid, precision strikes are quite vulnerable to cyber attack. While such an attack does not negate the US ability to put effect on target, it would significantly hamper operations by forcing reliance on “dumb bombs” and artillery. Cyber EW therefore is ideally suited for increasing the friction and fog of war for an adversary. By denying the enemy the use of radar and other surveillance platforms, an attacking force can strike a hardened target without having to invest in expensive stealth capabilities. Cyber EW could be used in an IO function to plant false orders on a battle network or to simply turn off the capability entirely. If soldiers can no longer trust the orders they are receiving, the discipline and organization of a military force would become significantly degraded, perhaps to a point that they are no longer operationally effective. If a commander is too focused on just maintaining control of his forces he cannot mount an effective defense against follow on kinetic operations. Thus such an operation would realize the ideal of electronic warfare in which one side has total situational awareness and the other drowns within the fog of war. Cyber capabilities represent an augmentation to existing EW platforms which target the electronic assets of an enemy. Cyber based EW allows for targeting an adversary's assets from any point on the planet and may no longer require a dedicated EW aircraft to be directly above a battlefield. As US EW and Cyber Electromagnetic activities (CEMA) doctrine evolves, it is foreseeable that the US will come to trust its offensive cyber capabilities to take on an increasing share of EW missions. If offensive cyber operations can reliably conduct SEAD operations and degrade enemy C4ISR platforms it would significantly free up strike platforms to hit other sensitive targets.
Given the potential for offensive cyber operations, the primary tenet of operational planning may become knocking out any cyber defenses and taking control of an enemy’s electronic networks, similar to current SEAD operations used to achieve air superiority. But just like air power before it, having total cyber superiority will most likely not be the ultimate key to victory but will serve more as a significant force multiplier and force enabler. However, the true potential of cyber weapons in a military conflict remains hypothetical until they are unleashed either by a nation-state or by some skilled group of hackers fighting for their cause.

Virtual Warfare

War since the dawn of time occurred in fixed geographical locations where soldiers met to do battle, i.e., a battlefield. Humanity's notion of warfare has evolved around the concept that armies need to move to a theater of operations in order for war to occur. Perhaps the most fundamental disruption which cyber introduces to the conventional conception of warfare is the fact that in essence it is no longer necessary for armies to physically clash and do violence towards one another in order to wage war. A signals officer in Ft. Meade, Maryland can take out the air defenses of or Syria from behind a keyboard and a hacker in Jeddah can crash the Israeli stock market in Tel Aviv.143 This notion of virtual warfare flies in the face of the conventional theories of warfare espoused by Clausewitz, as war is always two violent bodies in collision attempting to force their will upon the other. But if war is only by other means then cyber attacks are yet another means of political expression aimed at a larger cause. Cyber is but one domain in which conflict can be waged by various actors in their duel of wills.

A major distortion made by the media regarding cyber war is that it is generally presented in terms of actions by nation-states. Headlines like “Iran renews Cyberattacks on U.S. Banks” or “Chinese hackers steal US weapon designs” or even more recently, “Ukraine (cyber) war in full swing” flood the airwaves and feeds but distort the reality of conflict utilizing the cyber domain.144 Richard Clarke even went so far as to define cyber war as, “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”145 This is an incredibly narrow lens through which to look at conflict in the cyber domain and precludes all other political actors which are not nation-states.
The relatively low barriers to entry in the cyber domain allow anyone with a computer, Internet connection, and reliable electricity to join into the fray. There are 2 billion Internet users in the world today and this number is only expanding, as opposed to the relatively fixed number of sovereign nations.146 The Internet was designed to be a free and open forum of discussion and connection. The Internet is replete with an innumerable amount of forums for various issues and points of contention. The Internet was designed to be used by anyone, whether it's Anonymous protesting the Stop Online Act or al Qaeda sharing videos of Abu Ghraib in order to recruit new adherents to inane items like forums as to “Why everyone should love cats.” The Internet should be viewed as an open political forum where anyone can voice their grievances and connect with those who share common ideologies. The phenomenon of ad hoc networking for affecting political change derives its theoretical basis more from the literature of social movements than that of warfare. One

143 Adhikari

144 Ibid; "Ukraine (cyber) War in Full Swing."; Gorman, Siobhan. "Iran Renews Cyber Attacks Against US Banks."

145 Clarke p. 5

146 "World Internet Users Statistics Usage and World Population Stats.”

such author who connected the two was Audrey Kurth Cronin in her piece “Electronic Levee en masse,” in which she argued that cyberspace enabled, “a mass networked mobilization that emerges … with a direct impact on physical reality.”147 This represents a profound evolution away from the centralized, nation-centric warfare which emerged with the modern state system over the course of the 18th and 19th centuries. Cronin observes that the “modern system” of warfare emerged from the French revolution and the subsequent Napoleonic in which dynastic wars of succession were usurped by wars of mass participation in nationalistic causes.148 The deregulation and democratization of the press during the time allowed for widespread circulation of once censored texts and allowed the ordinary working Frenchman to become a stakeholder in larger French society, as holders of the “popular sovereignty” and a crucial part of the popular army.149 The peasants were able to shift away from being the property of French nobility dying for their various conquests and merge into a single nationalistic identity with a unified purpose.150 Today’s proliferation of digital communications technologies allows for widespread dissemination of ideas and mass mobilization around popular causes, resulting in a similar revolution of popular warfare to that seen during the age of revolutionary nationalism. Cronin notes that it is, “no accident that mass warfare coincided with the explosion in the means of communication,” for mass mobilizations are predicated upon such communications as the means to galvanize the public for the cause.151 Today’s Twitter, , and YouTube are to the revolutionaries of today as literary pamphlets, journals and newspapers were to the revolutionaries of the late 18th century. Today’s digital connectivity allows non-state actors to coordinate globally, in real time, against actual or perceived foes.
This democratization of warfare enabled by the Internet is not exclusive to attacking cyber assets but also extends to those who use cyber means to coordinate and control attacks within the physical realm. Al Qaeda and other Islamist insurgents are but one oft cited example of a non-state armed group which makes heavy use of this global connectivity. Islamic extremism thrives upon the open fields of the Internet as they spread their virulent ideology and recruit new adherents to their cause. The Internet, and YouTube in particular, allow al Qaeda to distribute propaganda of injustices against the Muslim Ummah. Those who may not have access to a mosque can now download Bin Laden’s or Awlaki’s sermons via podcast.152 The decentralized and ad-hoc nature of this distribution provides no

147 Cronin

148 Ibid p. 78

149 Ibid p.80

150 Ibid

151 Ibid p. 79

152 Ibid p. 83

centralized “brain” to be targeted by conventional forces, as America is still learning three years after the death of Osama bin Laden.153 The recent Arab Spring protests and resultant conflicts provide a clear empirical example of Cronin’s “electronic levee en masse” in which social media was used to coordinate political actors and cause tangible change. As the conflicts turned violent in Libya and Syria, citizens used Skype, cell phones, Facebook, and Twitter to coordinate their counterattack. Unlike the propaganda battle of the Tunisian or Egyptian revolutions, cyberspace became the command and control backbone for disparate rebel forces operating in Libya against the Qaddafi regime. This “networked enabled ,” as it was termed by David Kilcullen, allowed small bands of rebel forces across several coastal towns to operate with a clear operational picture and operate in unison towards their objective.154 Tactical battle networks are nothing new, as documented earlier with the RAF interceptor network used from the Battle of Britain. What was truly remarkable about this ad hoc, social network enabled revolution was that it allowed direct, real-time, global involvement. Transnational support for guerrilla movements is anything but new. The which erupted during the Arab Spring, however, incorporated support from actors all across the globe as the battles were ongoing, rather than just receiving funds or guidance from a disconnected third party.
Social media such as Twitter allowed actors in the United States and Europe to directly assist and participate in the insurgencies, such as by providing technical advice on how best to counter certain weaponry or instructions on how to build better Grad rockets.155 Steen Kirby, an American high schooler in Georgia, pulled together friends on Twitter in 2011 to assemble weapons guides on everything from AK-47s to rocket manufacture, which were then disseminated to fighters on the ground in Benghazi.156 A team of insurgents staring down regime rocket artillery was able to Skype-in a rocket expert before their attack in order to develop their battle plan.157 This global connectivity allows for rapid processing and dissemination of information and allows for high levels of tactical agility. During the , insurgents operating against American forces would actively crowdsource the design of IEDs. The insurgents would study American Counter-IED tactics and then innovate through numerous generations of designs until they found one that worked.158 Once a successful design was found it was rapidly communicated across the

153 Kilcullen p. 207

154 Ibid p.205

155 Ibid p. 204

156 Ibid p. 205

157 Ibid p. 170

158 Schmidt p. 153

disparate network of insurgents to be replicated across Iraq.159 The enemy was unhampered by a centralized bureaucratic procurement pipeline and was thus able to produce various different avenues of bomb design for every single new Counter-IED technology which the Americans fielded. The IED networks in Iraq presented a viral, crowdsourced capability to consistently out-innovate American forces.160 This ability to form ad-hoc networks which enable crowdsourced capability provides a rapid scalability to future conflicts. As causes gain in popularity, it allows movement entrepreneurs to harness this popular sentiment for swift and large scale mobilization. One such organizer has been the online collective known as Anonymous. Anonymous is a globally diverse network of so-called “hacktivists” who come together around various causes using social media and DDoS attacks to shame and harass those who, in the consensus of the collective, have wronged the . Anonymous has no central leadership nor a specific established mission set. Hacktivists opt in to participate on causes they wish to support and lend their computing resources to the larger cause. The chat rooms used by Anonymous are open forums which anyone can use to propose various protest targets from the Church of Scientology to the private intelligence company Stratfor. If a target is notorious enough it will likely gain enough support to garner a large network of hacktivists willing to participate.161 The Arab Spring marked a sea change for the collective as it shifted away from pranks and vandalism with little purpose other than generating “lulz” or entertainment. The uprising in Tunisia marked the first of Anonymous’ “FreedomOps” which focused on supporting the popular uprisings across the Middle East.
Members of Anonymous assisted citizens on the ground in maintaining their Internet connectivity through open source software patches and proxy servers which enabled the street mobilizers to continue coordinating their revolution. From Tunisia to and Libya to Syria, Anonymous assisted the rebels in maintaining their connectivity.162 In November 2012, Anonymous switched tactics from providing moral and technical support for besieged populations to taking the fight directly to an enemy. Israel had just begun its Operation Pillar of Defense in response to rocket attacks from the Gaza Strip. Anonymous rallied supporters from across the globe in #OpIsrael which disrupted Israeli websites for its bombing of Gaza. In a YouTube declaration of intent, Anonymous announced that they, “… will strike any and all websites that we deem to be in Israeli Cyberspace in retaliation for the mistreating of people in Gaza and other areas…The further assault on the people of Gaza, people of Palestine or any other group will be treated as a violation of the Anonymous Collectives intent to protect the

159 McClure

160 Carrigan

161 Coleman

162 Kilcullen p. 187

people of the World. Israel, it is in your best interest to cease and desist any further military action or your consequence will become worse with each passing hour.”163 The #OpIsrael campaign has evolved into an annual protest of Israel’s perceived abuses towards the Palestinian people which now occurs every April 7th on the eve of Holocaust Remembrance Day. Anonymous and its allies use denial of service attacks, leaks, and other cyber attacks to “terminate the Israeli cyberspace.”164 Despite the bellicose rhetoric, however, the end effects of this massive hacking campaign have been marginal at best. The campaigns thus far have only caused minor delays and inconveniences as consumers were unable to access certain Israeli government websites such as the Ministry of and published some personal data on Israeli government officials.165 Anonymous may have intended to wage a cyber war to knock Israel offline and force its hand on the Palestinian issue but the group was able to do little more than stage Internet vandalism. Although #OpIsrael only produced marginal results, it is noteworthy as a case in which a non-state actor sought to shape the behavior of a via cyber means. There was a direct statement of intent by the group which linked its actions as a response to Israeli state behavior. Thomas Rid argued that cyber war will not take place because there has not been a publicly attributable use of cyber in a politically instrumental manner. In Rid’s construct of cyber war, there also has to be imminent threat of physical violence as a result of a cyber attack. It is this violent character which determines the difference between acts of cyber protest and cyber warfare.166 Yet this case shows that a political actor, Anonymous, sought to use cyber means to affect a political end.
If Anonymous were able to harm Israel through cyber attacks such that it was compelled to withdraw from the West Bank, how is this act of coercion different than HAMAS’ rocket barrages in terms of intent? Thus far, however, no actor, state or non-state, has been able to harm a state through direct, tangible means with cyber such that their behavior was bent to an adversary's will. Acts of cyber terrorism like the one intended by Anonymous will likely increase as they provide a low cost, low risk means to achieve a political end. At present, it remains unlikely that such a group will be successful in such endeavors as cyber capabilities amongst non-state groups remain primitive compared to nation-states such as Israel.167 However, as cyber knowledge increases and nation-state developed cyber weapons like Stuxnet proliferate, the ability of non-state groups to harm state adversaries will increase. Ad-hoc networks of cells and individuals will come together to attack cyber

163 For a full transcript of the #OpIsrael declaration see: "Anonymous #OpIsrael."

164 Ibid

165 Elis

166 Rid

167 Compare Stuxnet to Anonymous knocking webpages offline. See: Singer p. 152

infrastructure or perhaps physical infrastructure through cyber means. Cyberspace provides an open forum for political protests which can evolve and radicalize into acts of cyber terrorism as non-state groups seek to use malware to coerce an opponent. Cyber enables a parallel dimension by which actors can operate in conjunction with physical events. Future terrorism campaigns, therefore, will likely involve both kinetic and cyber means to affect their objective. The Internet allows for rapid mobilization and organization, allowing actors to iterate through numerous tactics and weapons designs before implementing them. The hacking community makes extensive use of crowdsourcing designs and building upon open architectures such as the Tor Browser or Backtrack exploitation kit.168 These programs, along with numerous other hacking tools, are available for free on the open Internet. These projects have a dedicated community of developers and programmers which are constantly modifying the code to improve its functionality and security. Groups like Anonymous or its cousin LulzSec may take the source code of Stuxnet and modify it continuously to produce a product which produces very serious tangible effects. Such an attack would present similar issues as with classical physical terrorism as there is no clear return address, and in the case of Anonymous, not even a clear organization to target. The future of terrorism may very well be determined by ad-hoc groups of like-minded individuals who come together only briefly to plan and execute an attack but then disappear into the ether.169 These sporadic attacks take advantage of anonymous Internet chat rooms to coordinate the larger campaign and use YouTube and Twitter to disseminate their mobilizing narrative. Thus the world may be entering an age dominated by virtual, open source warfare in which globally dispersed, rapidly innovative, small groups consistently outpace their sluggish state adversaries.

168 See https://www.torproject.org/projects/torbrowser.html.en; http://www.backtrack-linux.org/

169 For a more complete discussion see Ch. 5 “Future of Terrorism” of New Digital Age and Brave New War by John Robb

Principles of Cyber Warfare

The preceding sections of this piece have looked at the development of cyber warfare through various historical and theoretical lenses in an attempt to discern its place within . This final section seeks to summarize the observations and analyses into a coherent picture of what cyber warfare is and what it is not. The following list of principles is not meant to be exhaustive nor absolute as this field is constantly shifting. What may be standard practice today may become obsolete a year from now. Thus these principles should serve as a broad strategic framework to be consulted when considering the use of cyber in modern battle, both against state adversaries and non-state actors.

Cyber is a constantly growing, inherently artificial, and globally utilized domain

The cyber domain is a global commons which is shared and used by everyone yet there is no clear authority responsible for its maintenance or protection. States have carved out specific fiefdoms amongst their own national networks which they can control and protect while leaving the overall architecture unprotected.170 Given the vastness of the cyber domain the government can only protect a very small portion of it and thus focuses on critical sectors like the defense industrial base and communications networks. This leaves vast swaths of the private sector unprotected and these firms must fend for themselves to protect their data and networks. Unlike the physical domains of air, land, sea, and space, which are relatively fixed, the overall cyber domain is growing and doing so at an exponential rate.
The Internet has grown from a mere 16 million users when it was released in 1995 to nearly 3 billion as of March 2014, representing 40% of the world’s population.171 Cisco Systems predicts that within just three years this number will increase by another 600 million people and include nearly half the world’s population.172 The number of devices connected to the Internet is also expected to grow significantly from 10 billion today to over 50 billion.173 The US government is already unable to provide protection for all networks within its domain and this capacity will likely shrink further as the domain grows, increasing the opportunity for private sector involvement in providing security. The United States, unable to provide adequate protection, may have to cede cyber sovereignty to private sector actors like Google or Verizon in protecting US networks. This creates a legal ambiguity in the monopoly on the use of whereby corporations may

170 This phenomenon of walling off national segments of the Internet is known as the “balkanization of the Internet” which is discussed in detail in the New Digital Age p. 83-95

171 "World Internet Users Statistics Usage and World Population Stats."

172 Dorrier

173 Ibid

eventually be permitted to “hack back” against opponents because the US government is unwilling or unable to protect them.174 Like sea, air, and space before it, actors only control a fraction of the cyberspace they rely on.175 States, however, have an advantage in that international law gives nation-states sovereignty to control all of the physical infrastructure which the Internet relies on which falls within their physical domain.176 This gives the United States a unique advantage as 9 out of 14 Tier 1 ISP backbones, which all of the world’s Internet traffic utilizes, reside within the sovereign control of the United States.177 This advantage, however, is far from fixed, unlike when the British controlled the Straits of Malacca or Gibraltar. States and companies can add new servers and switches which allow them to bypass the United States and have already begun to do so. Since 2008, the world’s Internet traffic has been shifting away from the US and Canada and towards the rapidly developing Asia-Pacific region.178 This shift will degrade the home field advantage which the US intelligence community has thus far enjoyed with respect to cyber capabilities and will likely increase the friction of the US attempting to use offensive cyber capabilities in future conflicts. The Internet, being an entirely artificial domain, can be simply “turned off” by the state as seen during the Egyptian Revolution or preemptively before a conflict to guard against a cyber attack as China reportedly is prepared to do.179 This control over Internet infrastructure is not absolute and can be bypassed as seen by the numerous workaround technologies like Tor routers and proxy servers employed in countries with highly restrictive Internet .
This creates an Internet arms race between states using censoring technologies like deep packet inspection and citizens utilizing the ad-hoc nature of the Internet to bypass centralized control.180 The decentralized and democratic architecture of the Internet favors the individual yearning to breathe free over state hegemony as there is no real central control point for the Internet.181

174 Fisher

175 Parks

176 See Tallinn Manual on International Law Applicable to Cyber Warfare p. 15

177 Winther Note: 9 out of the 14 are in the United States and all but one are in NATO allies.

178 Markhoff

179 Moore; Kilcullen p. 191

180 For full discussions of Internet freedom vs state control see: Ch. 4 of Out of the Mountains and Ch. 3 of the New Digital Age

181 Markhoff

Cyber is inherently a covert weapon

The fundamental principle of malware is to identify and exploit vulnerabilities in network configurations, programming errors, or simple human naiveté to gain access to a system and use it for purposes other than the user intended. These attacks may target the confidentiality, integrity, or the accessibility of data, system, or network.182 As Thomas Rid notes, these attacks which are political and not criminal in nature fall into the category of espionage, subversion, or sabotage.183 In this way, cyber is simply a parallel means to achieving political ends which have been an aspect of warfare since the beginning. As described by one NSA official involved in designing Stuxnet, “The most elegant cyber attacks are a lot like the most elegant bank frauds, they work best when the victim doesn’t know he is being robbed.”184 Cyber attacks rely on unpatched or unknown vulnerabilities to execute their mission. If a defender knows where and what to look for it significantly degrades the operational effectiveness of a piece of malware which may have taken years and millions of dollars to develop. Once the malware is launched, it exposes its mechanism of action which negates its future utility, like a spy having their cover blown. They are inherently one shot weapons and thus must be closely guarded such that the defender does not have the ability to develop defenses before they can be used. Therefore it is not possible to have a cyber deterrence or compellence strategy as both require threatening an adversary with a capability which will produce sufficient fear. How do you threaten an adversary with a capability which he cannot know exists? Going forward, cyber capabilities may function something akin to special forces which an adversary understands as a broad construct but the specific capabilities remain secret, thus preserving the tactical advantage.
However, as previously mentioned, a state may be deterred from using its own weapons because its leaders do not want to release this capability to the world and potentially open their own nation to attack, as seen in the case of Syria in 2011.185 It is therefore plausible that nation-states agree sometime in the future not to develop truly debilitating cyber weapons for fear they will end up in the hands of non-state actors who have no such qualms with their deployment. However, the current cyber arms race is far from abating anytime soon as cyber provides a low cost, low casualty alternative to traditional military and espionage operations.

182 See Glossary

183 Rid

184 Sanger p.190

185 Sanger. “Syria War Stirs Debates on Cyberattacks”


Cyber is akin to deploying biological weapons

Computer viruses, like their biological equivalents, must constantly evolve to evade detection and remain effective. Given the rapid pace of technological development, entire classes of cyber weapons may become outmoded with a simple browser upgrade while new vulnerabilities may now become available. A remote access trojan which took advantage of a specific flaw in Internet Explorer in Windows 8 may be patched over in due course with Windows 8.1. This continual fluctuation means that cyber agencies like the NSA must work constantly to maintain their access to target systems even without a defending cyber force working against it.186 The previous discussion on the inherent covert nature of cyber weapons may also be viewed in these terms of biology. When states developed biological weapons they needed to take care to protect the actual identity of the specific strains developed as the opposing state could develop vaccines to inoculate its population. Thus if a defender knows the specific vector in a cyber attack he can develop a specific patch for that subsystem. Therefore, if an actor is inclined to threaten the use of cyber it behooves them to threaten a broad industry or system like the cellphone network as the defender needs to be strong across the whole front while the attacker needs only one hole with sufficient access. But by doing so, the attacker runs the risk that the defender may bring up the base level of the defense across the whole system (like air-gapping it from the open Internet) which would block anything but very sophisticated multi-vector threats.187 When a contagious biological pathogen is released, the actor relinquishes control of the weapon and it will spread uncontrollably and (somewhat) unpredictably through a population. It may even come back to harm its own troops or populations if they are not sufficiently inoculated.
The Stuxnet example shows that even the most carefully designed computer viruses may also get loose and cause damage well beyond their originally intended target sets and attack systems even within your own country.188 The true extent of the damage and overall spread of Stuxnet remains unknown and it is possible that it will infect any system using a common model of Siemens programmable logic controller.189 Cyber weapons therefore present significant unknowns with regards to their use and operation which must be accounted for before they are deployed. The actor must accept that it can and will spread uncontrollably and that its end net effects will not be possible to predict. The end effect of biological weapons are fairly straightforward when

186 Hayden

187 For a full discussion on cyber-hygiene and cyber resilience in terms of defense in depth and the immune system see Part III of Cyber Security and Cyber War by PW Singer

188 The Stuxnet virus disrupted operations at several US nuclear sites. See Stevenson

189 Ibid

compared to malware. Pathogens sicken and kill people. The strategic unknown is the physical spread of the pathogen and the total number of casualties. Malware, by contrast, may interact with systems in unpredictable ways to produce effects not even intended by the attacker as seen with Stuxnet. The true disruptive potential of malware remains unknown and purely hypothetical as the world has yet to see a large scale cyber attack against vast swaths of national or military infrastructure.

The nature of a cyber attack is governed by the intent of the attacker, the specific data system which is compromised, and its potential for tangible disruption

Malware may be programmed to attack any computer or networked system from computers storing library records all the way up to the command and control server for nuclear weapons. Given that the Internet is an open domain, the specific identity of an actor does not automatically make an intrusion an attack on the country. If Iran’s cyber warfare unit compromised Facebook but did nothing more than bombard its users with cat videos it would be absurd to consider this an act of war. Even though this is a hostile action by an adversary’s cyber warfare unit it would not produce any real effects. However, if a group of hackers from Anonymous were to penetrate a military communication network such as the SIPRNet or JWICS and published it to WikiLeaks this would be a serious matter of national security. However, while this would undoubtedly have very grave, tangible consequences and may lead to US forces being killed, this remains an act of espionage and subversion, not war. It is important to be mindful of the analogous physical act and intent of the actor when classifying cyber acts. Intercepting and subsequently leaking military plans and operations is an act of espionage regardless of whether it is done via a human source (i.e., Snowden and Manning) or via cyber means.
When dealing with cyber actions and warfare, it is useful to look past acts of espionage and subversion and toward those of sabotage. Current US military doctrine vaguely defines an act of cyber war as an act of sabotage via cyber means which produces high-level tangible disruption akin to that of a traditional military attack.190 This definition should be refined to those acts of sabotage which directly degrade the military’s operational effectiveness or have widespread disruption to civilian life on the home front. This could take the form of disrupting or disabling air defense networks, air traffic control, communication networks, or manipulating financial information. There are any number of computer systems which, if compromised, would be highly disruptive to civilian or military operations. As Thomas Rid notes, a disruption in and of itself does not make an act of war, for war is inherently a political act designed to further a larger goal. The disruption needs to be tied to a larger political goal and thus represents the means of coercion designed to induce submission.191

190 “Department of Defense Strategy for Operations in Cyberspace.”

191 Rid

The difference between traditional means of political coercion and those using cyber is that cyber is not inherently violent. Anonymous attempted to coerce Israel into withdrawing from Palestinian lands and halting ongoing military operations via nonviolent cyber means, namely denial of service attacks and data dumps. The cyber attacks used, however, amounted to little more than a protest and were ineffective in achieving their goal. Many hypothetical attack scenarios have included attacks against power systems, financial networks, and communication systems which would produce widespread civilian disruption but do not directly kill nor destroy.192 It remains a strategic unknown what level of systematic disruption would be necessary to shape a state’s behavior or whether the attacks would need to produce physical casualties to be effective.

Cyber weapons are best employed as asymmetric force enablers in conjunction with traditional kinetic forces rather than alone as strategic weapons

Cyber, in theory, provides the ability to target the critical electronic networks of an adversary and render them defenseless, unable to see or able to communicate amongst themselves. Cyber allows for specific capabilities like AWACS, GPS, and communications to be disrupted which would significantly degrade the operational effectiveness of a modern military. Cyber, hypothetically, could also sever communication between a government and its military and potentially disrupt financial markets. However, cyber does not outright destroy the military, political, or financial centers of state power like a nuclear strike on Washington, DC or New York would accomplish. If Obama had chosen to unleash the US offensive cyber capabilities and disrupted Syria’s air defense systems, air command and control networks, and missile production facilities, it would have degraded Assad’s ability to wage war but not ended the war in and of itself.
Therefore, cyber degrades adversaries, it does not destroy them. Cyber capabilities, as discussed earlier, are well suited to increase the fog of war and friction for an adversary while augmenting the situational awareness and operational efficiency of one’s own forces, in accordance with the strategic intent of electronic warfare. In this way, cyber represents a new suite of tools within the broader field of electronic warfare which can be used against a plethora of tactical targets from radars to command facilities to SAM sites. Ideally, cyber could be used to one day “turn off” many of these capabilities such that strike fighters or other EW platforms do not have to be used for SEAD, jamming, or interception missions. This would reduce the footprint of expeditionary forces and allow a more streamlined strike force to focus on those targets which are not susceptible to electronic attack.

192 Parks

Global connectivity allows anyone to join in on the action, producing a decentralized, ad hoc network of loosely affiliated threats, mirroring the structure of the Internet itself

Today’s battlefields are no longer fixed nor finite. As seen with the migration of foreign fighters into Mali, Libya, and Syria, internal conflict will increasingly become “internationalized” as sympathetic actors enabled by modern communications technologies are informed of the battle and join in, either physically or virtually. It is no longer necessary for those wishing to harm America to migrate to a declared war zone and physically join a jihadi brigade. The Internet provides the potential for jihadi sympathizers or other malicious actors to attack the US home front directly by attempting to disrupt the infrastructure and services of the general public. Perhaps more unsettling is the possibility that ad hoc networking would allow for rapid scalability of an adversary’s capabilities. Traditionally, it took a certain measure of time for a defender to develop and field a new capability, be it MRAPs against IEDs or long range fighter escorts for bombers. The Internet allows combatants to reach out across the world and become instantly connected with those with the tactical knowledge potentially necessary to defeat an adversary. A sympathizer may also take it upon himself to become involved without any coordination with the combatants in the field. A hacker in may watch a video of drone strikes on YouTube and then take it upon himself to disrupt US drone operations by hacking the satellites which the Predators rely on to communicate to their ground stations. In an example of open source DIY warfare, this hacker could disrupt a main component of the US counter terrorism campaign without any type of formal command or control.193 This development has profound implications for future military interventions as it increases the strategic uncertainty associated with using US military forces. After Iraq and Afghanistan, it became a central point to consider whether intervening into country X would produce combatants who would migrate to engage US forces. Going forward, the potential for cyber blowback will increasingly need to be weighed before engaging in the world’s next hotspot.

193 As noted earlier, hackers have already proven able to use low tech hacks to stream the feeds of US drones and researchers at the University of Texas recently demonstrated the ease of the GPS spoof attack used against the US RQ-170 over Iran. See: "Scientists 'hack' Flying Drone."

CONCLUSIONS

The purpose of this piece was to explore cyber as an emerging warfighting domain and where it fits into the larger spectrum of military operations. The cyber domain is endowed with a number of unique features which present policymakers with new options to engage adversaries without having to commit to kinetic violence. The very openness of the Internet which enables these new vectors is also what makes it uncontrollable by any single nation-state. The incredibly low barriers to entry allow anyone with sufficient knowledge to engage their perceived foes with malware or to assist fighters on the ground with tactical knowledge. This domain is likely to become ever more chaotic as more users log on and the knowledge of cyber warfare proliferates, raising stakes for any future US . Cyber operations allow for the surgical targeting of specific enemy networks and systems but the unpredictability of malware creates a number of strategic uncertainties. It also must be remembered that cyber operations are limited to targeting only those systems which are connected to or controlled by a computer system. Cyber operations therefore are most effective against an enemy which makes pervasive use of networked systems to enable operations but will be of only marginal utility against adversaries with minimal technological competence. Cyber operations should therefore be viewed as an additional suite of tools to be used in conjunction with conventional military force rather than some holy grail to replace all other weapons.

This research is only the beginning of what is hopefully a diverse body of literature examining the strategic implications of a domain which will likely come to dominate the 21st-century battlefield. There remains a very serious deficit in scholarship which is able to combine a deep technical knowledge of this domain with high-level strategic thought into a cohesive cyber doctrine. This research primarily looked at cyber from the standpoint of a state fighting in this domain. There is ample opportunity for further scholarship to explore the role of non-state actors, especially the power of private sector actors like Verizon, Google, and AT&T to actually control and shape the Internet. Given that the Internet and technologies which access it are driven by private sector development, how does this impact things like the future of arms control? Does the decentralized and ad-hoc nature of the Internet set the stage for a future of globally disparate yet hyper connected threat actors? As computer systems continue to shrink they will likely vanish into ubiquity, surrounding and permeating society. The continued growth in areas such as wearables, augmented and , and even Brain Computer Interfaces creates additional subdomains within the context of cyber warfare. As computer systems become ever more embedded in our lives and even within our bodies, cyber attacks may actually be able to one day kill directly.194

194 It has already been shown that cardiac pacemakers with wireless connections can be erroneously discharged, inducing a heart attack. If this is possible today, what happens when we have brain chips in our head? See: Arizmendi

Further Reading

The following list of publications is by no means exclusive but will provide a much more comprehensive background and discussion of cyber warfare than can be found here. I highly recommend these works for anyone wishing to further understand the strategic and political implications of cyber as a warfighting domain.

Cyber War will Not Take Place
Thomas Rid, 2013.
This book lays out a theoretic model for analyzing and categorizing cyber attacks of a political nature as either works of espionage, subversion, or sabotage.

Cyberwar and Cyber Security: What Everyone Needs to Know
Peter Singer, 2014.
This question and answer style book provides a broad yet comprehensive overview of the cyber domain and its implications for both the private and public sector. This book is noteworthy for situating the cyber threat amongst the much broader continuum of threats posed by non-state actors.

Cyber Warfare: Techniques, Tactics, and Tools for Security Practitioners
Jason Andress and Steve Winterfeld, 2013.
This book provides a detailed examination of the technical infrastructure and tools used to conduct cyber attacks. Excellent for those looking to develop their technical literacy regarding IT security systems.

“Defending a New Domain” in Foreign Affairs
Deputy Secretary of Defense William Lynn, 2010.
This short article provides one of the first direct and public discussions of the Pentagon’s strategic thinking regarding the cyber domain and the threats America faces. It is useful to compare this 2010 piece with later, more “alarmist” policy speeches made by cabinet officials as the change in rhetoric illustrates the perceived growth of the threat posed by the cyber domain.

New Digital Age: Reshaping the Future of People, Nations, and Business
Eric Schmidt and Jared Cohen, 2013.
A cooperative work by Google and the Council on Foreign Relations looking at how globalized interconnectivity will impact the global order and shape the future of states, terrorism, warfare, and revolutions.

The Tallinn Manual on the International Law Applicable to Cyber Warfare
NATO Cooperative Cyber Defense Center of Excellence, 2013.
This manual is the most authoritative assessment of the Laws of Armed Conflict as it relates to fighting within the cyber domain. It provides a detailed legal framework for discussing and planning operations within the cyber domain with regard to the broader field of international conflict. An updated and revised version of the manual is set to be released in 2016.

Glossary of Selected Terms

(For a more complete glossary of terms relating to cyber warfare see the glossary starting on p.293 of P.W. Singer’s Cyber War and Cyber Security: What Everyone Needs to Know)

• Advanced Persistent Threat (APT): An attack which incorporates significant reconnaissance of a target system and often employs multiple vectors such as zero days, , and social engineering to gain and maintain access.
• Availability: Can I access the Internet? Can I call 911 when I need to? Will my credit cards work? Availability attacks have the potential to severely disrupt military operations when they are used to deny access to data systems which the military relies on (GPS systems, Joint Tactical Radio System, SIPRNET, etc.).
• Botnet: A group of computers which have been compromised by a third party turning them into “” machines which can be slaved together to perform operations requiring large amounts of processing power in a poor man’s version of a . Botnets are regularly used to generate the large amounts of traffic used in DDoS and may involve over a million separate compromised computers.195
• Confidentiality: Is the data private from unauthorized disclosure? Is someone reading my email, viewing my bank records, or listening to my phone calls? The NSA is notorious for violating the confidentiality of users’ systems.196
• Domain Name System (DNS): This is the routing system which translates a website’s English address (ex: https://www.google.com) to its IP address (ex: 192.72.68.10) and forms the basis for the interconnectivity of the web.
• DDoS: Distributed Denial of Service. A Denial of Service attack is a very simplistic attack against the availability of a service such as a website. At its most basic level, a denial of service attack uses a computer or a large group of computers (see Botnet) to generate a large volume of data packets which “ping” the server repeatedly, which overwhelms its ability to process the requests and causes the server to crash and the website to no longer be accessible. A Distributed Denial of Service attack utilizes many different machines to generate erroneous packets from multiple vectors, making the attack far more difficult to stop.
• Integrity: Is the data which I am viewing true? Are these figures in my bank account accurate? Are the orders which I am receiving over the radio actually from my superior? Integrity attacks have the potential to cause mass panic and thus are exceptionally useful in IO/PSYOPs.

195 http://www.cnet.com/news/symantec-takes-on-one-of-largest-botnets-in-history/

196 http://www.theguardian.com/world/2014/apr/01/nsa-surveillance-loophole-americans-data

• IP Address: The identifying number of a specific “address” of a device or site connected to the internet. Every computer, iPad, website, and server has its own unique IP address which is used to route data to that specific machine (ex: 192.168.72.10).
• Logic Bomb: A piece of malware which is designed to disrupt the normal operations of a computer system when certain conditions are met. A logic bomb may inject infinite loops into a processor to cause it to crash, delete files, or even corrupt the entire hard drive, rendering the system unusable.
• Phishing: A type of attack which preys upon the integrity and trust that users have with another actor, i.e.: a bank, close friend, etc. A phishing attack usually takes the form of an email which solicits the victim to follow a link to input passwords, credit card information, or otherwise secure information, similar to other fraud schemes like the Nigerian check fraud. The term Spear Phishing is used when the attacker specifically designs the email to appear to be coming from a trusted associate of the victim, such as a close friend sharing photos from a vacation together which are actually laced with a virus.
• Remote Access Trojan (RAT): A piece of malware which hides in an otherwise benign file like an mp3 music file, Powerpoint, or PDF document which the user unsuspectingly loads onto his system. A Remote Access Trojan, once it implants on the system, gives a third party access to the infected machine for any number of purposes, from data exfiltration to turning the computer into a zombie to be used in a botnet.
• TCP/IP Protocol Suite: Transfer Control Protocol/Internet Protocol. The series of algorithms which govern how data is addressed, transmitted, received, and processed across the Internet. This suite of protocols is the underlying system which allows computers to “talk” to one another and forms the basis of what we know as the Internet.197
• Zero Day Exploit: A programming error unknown to even the original developers, which leaves “zero days” to prepare a defense. In the cyber security field, finding zero days is extremely lucrative as the vulnerabilities can sell for hundreds of thousands of dollars on the black market.198

197 See the following video by Eli the Computer Guy for an in-depth explanation of TCP/IP and how it works: http://www.youtube.com/watch?v=EkNq4TrHP_U

198 Greenberg

Works Cited

Adhikari, Richard. "'Nightmare' Hackers Take Swipe at Israeli Stock Exchange, Airline." TechNewsWorld. N.p., 16 Jan. 2012. Web. 25 Apr. 2014.
Aid, Matthew M. "Inside the NSA's Ultra-Secret China Hacking Group." Foreign Policy. N.p., 10 June 2013. Web. 25 Apr. 2014.
Aircraft Procurement FY2013. Department of the Navy, Feb. 2012. Web. 25 Apr. 2014.
Albanesius, Chloe, and Larry Seltzer. "Report: Stuxnet Worm Attacks Iran, Who Is Behind It?" PC Magazine. N.p., 27 Sept. 2010. Web. 25 Apr. 2014.
Alexander, David. "Theft of F-35 Design Data Is Helping U.S. Adversaries -Pentagon." . Thomson Reuters, 19 June 2013. Web. 25 Apr. 2014.
Andress, Jason, Steve Winterfeld, and Russ Rogers. Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. Amsterdam: Syngress/Elsevier, 2011. Kindle.
"Anonymous #OpIsrael." YouTube. YouTube, 17 Nov. 2012. Web. 25 Apr. 2014.
"APT1: Exposing One of China's Cyber Espionage Units." Intelligence Corporation, Feb. 2013. Web. 25 Apr. 2014.
Arizmendi, Clint, and Chloe Diggins. "Hacking the Human Brain: The Next Domain of Warfare." Wired.com. Wired Magazine, 09 Dec. 2012. Web. 25 Apr. 2014.
Arquilla, John, and David Ronfeldt. "Cyber War Is Coming!" RAND Corporation, 1993. Web. 25 Apr. 2014.
Bolkcom, Christopher. "Military Suppression of Enemy Air Defenses (SEAD): Assessing Future Needs." of American Scientists. CRS Report to Congress, 24 Jan. 2005. Web. 25 Apr. 2014.
Brenner, Joel. America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. New York: Penguin, 2011. Kindle.

Broad, William J., John Markoff, and David E. Sanger. "Israel Tests Called Crucial In Iran Nuclear Setback." The New York Times. The New York Times, 15 Jan. 2011. Web. 25 Apr. 2014.
Carr, Jeffery. ": Who's Responsible for the Saudi Aramco Network Attack?" Digital Dao. N.p., 27 Aug. 2012. Web. 25 Apr. 2014.
Carrigan, Sophia. "Improvised Response." Bulletin of the Atomic Scientists. Bulletin of the Atomic Scientist, 7 Oct. 2013. Web. 25 Apr. 2014.
Clark, Paul L. "Has “Strategic” Airpower Failed to Live up to Its Promise?" E-International Relations. N.p., 20 Jan. 2013. Web. 25 Apr. 2014.
Clarke, Richard A., and Robert K. Knake. Cyber War: The next Threat to National Security and What to Do about It. New York: Ecco, 2010. Print.
Clausewitz, Carl Von, and Anatol Rapoport. On War. Harmondsworth, Eng.: Penguin, 1982. Kindle.
Coleman, Gabriella. "Anonymous in Context: The Politics and Power behind the Mask." Centre for International Innovation, 23 Sept. 2013. Web. 25 Apr. 2014.
"The Computer Guy", Eli. "Introduction to the Internet of Everything." YouTube. YouTube, 09 July 2013. Web. 25 Apr. 2014. No last name provided.
"The Computer Guy", Eli. "TCP/IP and Subnet Masking." YouTube. YouTube, 12 Dec. 2010. Web. 25 Apr. 2014.
Cronin, Audrey Kurth. "Cyber-Mobilization: The New Levée En Masse." N.p., 2006. Web. 25 Apr. 2014.
"Department of Defense Strategy for Operating in Cyberspace." Department of Defense, July 2011. Web. 25 Apr. 2014.
Diamond, Johnathon. "Blowback: Will Stuxnet Be Turned Against Its Makers?" Center for Strategic and International Studies. N.p., 30 July 2012. Web. 25 Apr. 2014.

"Die Hard 4 Trailer." YouTube. YouTube, 07 June 2007. Web. 25 Apr. 2014.
Dorrier, Jason. "Is Cisco's Forecast of 50 Billion Internet-Connected Things by 2020 Too Conservative?" Singularity Hub. N.p., 30 July 2013. Web. 25 Apr. 2014.
Douhet, Giulio, In, O’Connell, John F., The Effectiveness of Airpower in the 20th Century Part Three (1945-2000), Lincoln: IUniverse, 2006, P. 53.
Elis, Niv, and Ariel Zilber. " Says 'Anonymous' Hackers Inflict Minor Damage on Israeli Web Sites." Www.JPost.com. Jerusalem Post, 7 Apr. 2014. Web. 25 Apr. 2014.
Fisher, Max. "Should the U.S. Allow Companies to ‘hack Back’ against Foreign Cyber Spies?" Washington Post. , 23 May 2013. Web. 25 Apr. 2014.
Gorman, Siobhan, and Danny Yadron. "Banks Seek U.S. Help on Iran Cyberattacks." The Wall Street Journal. Dow Jones & Company, 16 Jan. 2013. Web. 25 Apr. 2014.
Gorman, Siobhan, and Julian Barnes. "Cyber Combat: Act of War." The Wall Street Journal. Dow Jones & Company, 31 May 2011. Web. 25 Apr. 2014.
Gorman, Siobhan. "Iran Renews Cyber Attacks Against US Banks." The Wall Street Journal. Dow Jones & Company, 17 Oct. 2012. Web. 25 Apr. 2014.
Grant, Rebecca. "The Crucible of Vietnam." Air Force Magazine 96.2 (2013): n. pag. Web. 25 Apr. 2014.
Greenberg, Andy. "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits." Forbes. Forbes Magazine, 23 Mar. 2012. Web. 25 Apr. 2014.

Hayden, Michael, and Barton Gellman. "NSA Data Collection and Surveillance." AUSG Kennedy Political Union Presents Gen. . American University, Washington, D.C. 14 Apr. 2014. Address. Gen. Hayden was the D/CIA from 2006-2009 and D/NSA from 1999-2005.
"How Dangerous Is the S-300 Syria Is About to Receive?" Defense Update. N.p., 18 May 2013. Web. 25 Apr. 2014.
"The Internet - The Launch of NSFNET." The Internet - Changing the Way We Communicate. National Science Foundation, n.d. Web. 25 Apr. 2014.
IRANIAN CYBER THREAT TO THE U.S. HOMELAND, 112th Cong. (2012). Print. Joint Hearing before Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee. http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg77381/html/CHRG-112hhrg77381.htm
"Israeli PM Threatens to Strike Iran." Al Jazeera English. N.p., 17 July 2013. Web. 25 Apr. 2014.
JP 3-13.1 Electronic Warfare. Federation of American Scientists, 25 Jan. 2007. Web. 25 Apr. 2014.
Kaspersky, Eugene. "The Man Who Found Stuxnet – Sergey Ulasen in the Spotlight." 's Official Blog. Kaspersky, 2 Nov. 2011. Web. 25 Apr. 2014.
Keyhoe, Brendan. "The Robert Morris Internet Worm." Zen and the Art of the Internet. Massachusetts Institute of Technology, Jan. 1992. Web. 25 Apr. 2014.
Kilcullen, David. Out of the Mountains: The Coming Age of the Urban Guerrilla. Oxford: Oxford UP, 2013. Kindle.
Kopp, Carlo. "Carlo Kopp Interviews F-22 Chief Test Pilot, Paul Metz." Air Power Australia. N.p., Sept. 1998. Web. 25 Apr. 2014.
Krebbs, Brian. "Shadowy Russian Firm Seen as Conduit for Cybercrime." Washington Post. The Washington Post, 13 Oct. 2007. Web. 25 Apr. 2014.

Lake, Eli. "Has Israel Been Killing Iran’s Nuclear Scientists?" The Daily Beast. Newsweek/Daily Beast, 13 Jan. 2012. Web. 25 Apr. 2014.
Liff, Adam P. "The Proliferation of Cyberwarfare Capabilities and Interstate Conflict, Redux. Liff Responds to Junio." Journal of Strategic Studies 36.1 (2012): 134-38. Web. 25 Apr. 2014.
Lucarelli, Fosco. "Stuxnet: Anatomy of the First Weapon Made Entirely out of Code." SOCKS. N.p., 17 July 2012. Web. 25 Apr. 2014.
Lynn, William J., III. "Defending a New Domain." Foreign Affairs, Sept. 2010. Web. 25 Apr. 2014.
"M1 Abrams Main Battle Tank." Military Analysis Network. Federation of American Scientists, n.d. Web. 25 Apr. 2014.
Markoff, John. "Internet Traffic Begins to Bypass the U.S." The New York Times. The New York Times, 29 Aug. 2008. Web. 25 Apr. 2014.
Martinez, Luis. "Intel Heads Now Fear Cyber Attack More Than Terror." ABC News. ABC News Network, 13 Mar. 2013. Web. 25 Apr. 2014.
McClure, Matthew. "FoW (No. 21): To Succeed, We Need to Act Less like Dinosaurs and More like Bacteria." Foreign Policy. N.p., 25 Mar. 2014. Web. 25 Apr. 2014. http://ricks.foreignpolicy.com/posts/2014/03/25/fow_no_21_to_succeed_we_need_to_act_less_like_dinosaurs_and_more_like_bacteria Published as part of a series on the Future of War under Rick's Best Defense Channel on Foreign Policy.
McGraw, Gary. "Cyber War Is Inevitable (Unless We Build Security In)." Journal of Strategic Studies 36.1 (2012): 109-19. Web. 25 Apr. 2014.
Mele, Stefano. "Cyber Weapons: Strategic and Legal Implications." Italian Strategic Studies Institute, June 2013. Web. 25 Apr. 2014.

Mewett, Christopher. "Understanding War's Enduring Nature Alongside Its Changing Character." War on the Rocks. N.p., 21 Jan. 2014. Web. 25 Apr. 2014.
Moore, Malcolm. "China Cuts off Internet Access in Bid to Exert Control." The Telegraph. Telegraph Media Group, 12 Apr. 2012. Web. 25 Apr. 2014.
Clapper, James R. "Worldwide Threat Assessment of the United States Intelligence Community." Prepared Testimony To Senate Select Committee on Intelligence, 12 Mar. 2013. Web. 25 Apr. 2014.
"NIPRNet Definition from PC Magazine Encyclopedia." NIPRNet Definition from PC Magazine Encyclopedia. PC Magazine, n.d. Web. 25 Apr. 2014.
"Oil Prices August 2012 vs August 2013." WolframAlpha, n.d. Web. 25 Apr. 2014.
Panetta, Leon. "Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security." Department of Defense, 11 Oct. 2012. Web. 25 Apr. 2014.
Parks, Raymond C., and David P. Duggan. "Principles of Cyber Warfare." Penn State University, 6 June 2001. Web. 25 Apr. 2014. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security United States , West Point, NY, 5-6 June, 2001.
Peck, Michael. "Japan Considers Cyberwarfare Capabilities." C4ISR & Networks. N.p., 6 Jan. 2014. Web. 25 Apr. 2014.
Priest, Dana, and William M. Arkin. Top Secret America: The Rise of the New American Security State. New York: Little, Brown, 2011. Kindle.
"Public Key Cryptography: What Is It?" Journey into Cryptography. Khan Academy, n.d. Web. 25 Apr. 2014.
"Radar during World War II." IEEE Global History Network. IEEE, n.d. Web. 25 Apr. 2014.

Rashid, Fahmida Y. "Marine General Calls for Stronger Offense in U.S. Cyber-Security Strategy." EWeek, 15 June 2011. Web. 25 Apr. 2014.
Rid, Thomas. Cyber War Will Not Take Place. Oxford: Oxford UP, 2013. Print.
Robb, John. Brave New War: The next Stage of Terrorism and the End of Globalization. Hoboken, NJ: John Wiley & Sons, 2007. Print.
Sanger, David E. Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York: Crown, 2012. Kindle.
Sanger, David E. "Syria War Stirs New U.S. Debate on Cyberattacks." The New York Times. The New York Times, 24 Feb. 2014. Web. 25 Apr. 2014.
Schelling, Thomas C. Arms and Influence. New Haven: Yale UP, 1966. Print.
Schmidt, Eric, and Jared Cohen. The New Digital Age: Reshaping the Future of People, Nations and Business. N.p.: Random House, 2013. Kindle.
Schmitt, Michael N. Tallinn Manual on the International Law Applicable to Cyber Warfare. Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, 2013. Print.
"Scientists 'hack' Flying Drone." BBC News. N.p., 29 June 2012. Web. 25 Apr. 2014.
Siboni, Gabi, and Sami Kronenfeld. "Iran's Cyber Warfare." Institute for National . Tel Aviv University, 15 Oct. 2012. Web. 25 Apr. 2014.
Singel, Ryan. "Richard Clarke’s Cyberwar: File Under Fiction." Wired.com. Wired Magazine, 20 Apr. 2010. Web. 25 Apr. 2014.
Singer, Peter W., and Allan Friedman. Cyber Security and Cyber War: What Everyone Needs to Know. Oxford: Oxford UP, 2014. Kindle.
Singer, Peter W. "Cult of the Cyber Offensive." Foreign Policy. Foreign Policy Magazine, 15 Jan. 2014. Web. 25 Apr. 2014.

Spaatz, Carl. "Strategic Air Power." Foreign Affairs, Apr. 1946. Web. 25 Apr. 2014.
Stevenson, Alaistar. "Stuxnet: UK and US Nuclear Plants at Risk as Malware Spreads outside Russia." V3 News. N.p., 11 Nov. 2013. Web. 25 Apr. 2014.
Stokes, Mark A., and Russell Hsiao. "Countering Chinese Cyber Forces." Project 2049 Institute, 29 Oct. 2012. Web. 25 Apr. 2014.
Stout, Mark. "The Tactical versus Strategic Distinction: It’s A Big Deal, Right?" Air University. National Space Studies Center of the Air University, United States Air Force, 13 May 2010. Web. 25 Apr. 2014.
"Strategic Weapon System." Encyclopedia Brittanica. N.p., n.d. Web. 25 Apr. 2014.
"Ukraine (cyber) War in Full Swing." News24. N.p., 17 Mar. 2014. Web. 25 Apr. 2014.
"U.S. Homeland Chief: Cyber 9/11 Could Happen Imminently." Reuters. Thomson Reuters, 24 Jan. 2013. Web. 25 Apr. 2014.
Vick, Karl. "Was Israel Behind a Deadly Explosion at an Iranian Missile Base?" Time. Time Inc., 13 Nov. 2011. Web. 25 Apr. 2014.
Weisgerber, Marcus. "QDR Emphasizes Cyber, Science and Technology." Defense News. N.p., 4 Mar. 2014. Web. 25 Apr. 2014.
Williams, Dan. "Hoping to Deter Hezbollah, Israel Threatens Lebanese ." Reuters. Thomson Reuters, 29 Jan. 2014. Web. 25 Apr. 2014.
Winther, Mark. "Tier 1 ISPs: What They Are and Why They Are Important." International Data Corporation. NTT Communications, May 2006. Web. 25 Apr. 2014.

Work, Robert O., and Shawn Brimley. "20YY: Preparing for War in the Robotic Age." Center for New American Security, Jan. 2014. Web. 25 Apr. 2014.
"World Internet Users Statistics Usage and World Population Stats." Internet World Stats. N.p., n.d. Web. 23 Apr. 2014.
Zetter, Kim. "Google Hack Attack Was Ultra Sophisticated, New Details Show." Wired.com. Wired Magazine, 12 Jan. 0010. Web. 25 Apr. 2014.
Zetter, Kim. "Legal Experts: Stuxnet Attack on Iran Was Illegal ‘Act of Force’." Wired.com. Wired Magazine, 23 Mar. 0013. Web. 25 Apr. 2014.
