Cyber Conflict History Authors: Max Smeets and Jason Healey 1 Series Editor: Justin Key Canfil Executive Editor: Jason Healey

Total Page:16

File Type:pdf, Size:1020Kb

Cyber Conflict History Authors: Max Smeets and Jason Healey 1 Series Editor: Justin Key Canfil Executive Editor: Jason Healey CCSA Cyber Conflict Studies Association Cyber Conflict History authors: Max Smeets and Jason Healey 1 series editor: Justin Key Canfil executive editor: Jason Healey Introduction About the State of the Field Series The study of cyber history can provide insight into This article is part of the 2017 Cyber Conflict State of the often complex and obscure dynamics of cyber the Field (SOTF) paper series, under the auspices of conflict. An exclusive focus on the present unneces- the Cyber Conflict Studies Association and Columbia sarily handicaps efforts to understand, categorize and University’s School of International and Public Affairs. qualify past behavior. Cyber history provides a store- house of information on past cyber activity, including The conference, held annually since 2016, brings case studies and datasets that can fuel the formula- together experts from various academic disciplines, tion of theories and testable hypotheses. In addition including political science, law, economics, and policy research, to define key questions and map the research to serving as a laboratory — however imperfect — to frontier in the emerging field of cyber conflict studies. explain cyber behavior, the study of cyber history also The conference is cumulative: each year builds upon helps academics, policy makers, and practitioners to past discussions. As a result, discussions have necessarily interpret ongoing developments. To understand why matured at different rates as new topics are added. a cyberattack — like the 2016 Democratic National Committee (DNC) email hack2 — occurred, it is nec- The papers in this series are meant to capture the essary to examine the historical context in light of findings of the 2017 conference. Together, the papers present conditions. Was the targeting of the DNC represent the conference attendees’ understanding of espionage, an escalatory attack or criminal behav- the present state of the field in the academic study of ior? Was it a continuation of long-standing practices? cyber conflict. Have similar methods been utilized in the past? Why did the attacker conduct this activity? A relatively recent history often suffices to explain key cyber con- of raw data, case study reports, and other documents flict events and trends, but in some cases, it is neces- still await analysis and therefore leave much research sary to delve further back in time to fully understand left to be undertaken. the underlying causes. It is hardly surprising that SOTF devoted a panel to There is simultaneously too much and not enough cyber history, given its importance and the work that cyber history. The secrecy surrounding government remains to be done. SOTF first included a cyber his- organizations and their capabilities as well as the ano- tory panel, with Jason Healey moderating, in 2016. nymity of attackers complicate the documentation of Karl Grindal summarized the key views of the panel- cyber history. Moreover, the recent and rapid growth of ists and provided a comprehensive overview of canon- the field means the subject has yet to receive adequate ical works in the field.4 The 2017 panel built on that attention from professional historians.3 Vast amounts of the previous year with only minor changes. The _________________________________________ 2017 Cyber Conflict State of the Field Series: Economic Dimensions of Cyber Conflict | 1 table below provides an overview of the topics on the I. Conceptual History agenda at the State of the Field conferences in 2016 and 2017. QUESTION(S): GAP(S): • How has our perception • The relationship TOPICS of cyber-related between the prefix STATE OF THE FIELD 2016 STATE OF THE FIELD 2017 concepts changed? “cyber” and other • How does conceptual terms (e.g., “info,” I Origins of the Conceptual History “computer,” etc.). Cyber Domain ambiguity affect governance? II Development of History of Cyber the Field Conflict Discourse The workshop session started with a discussion on III Eras in Cyber Eras in Cyber the historical semantics of cyber-related terms. The Conflict History Conflict History term “cyberspace” has long been attributed to Wil- IV Organizational History Organizational History liam Gibson, who first used it in the 1982 short story “Burning Chrome” and again in his 1984 novel Neu- V Operational History Operational and romancer.6 However, it has now been traced back to an Strategic History* earlier etymology. An article in a Norwegian art mag- VI History of azine suggests the term may have first appeared, with- Non-State Actors out gaining currency, in a painting collage produced by Susanne Ussing and Carsten Hof between 1968– * On agenda but not discussed during workshop due to lack of time. 1970.7 John Perry Barlow is credited with introducing “cyberspace” to political discourse in 1996.8 Major Takeaways from SOTF 2017 Regardless of its origins, the term has been interpreted Discerning the continuities and discontinuities of in numerous ways and embodied a variety of meanings cyber conflict formed the central and overarching over the years. In assessing the history of cyber-related theme of the panel. Although the two perspectives concepts,9 panelists identified two primary questions: were not explicitly compared, elements of each came up throughout the discussion. Participants discussed • How has our understanding of cyber-related several “turning” and “tipping” points throughout concepts changed? cyber history as potential points of discontinuity. • How does conceptual ambiguity affect governance? These tipping points also offer potential qualita- Following the discussion, panelists made the key obser- tive shifts and likely differ across countries/regions, vation that it is only possible to understand the nature of making periodization complex and inherently spa- cyberspace by assessing its pre-history. They referenced tially bounded. Complicating matters further, cyber a brief history by several chief architects of the Internet events (e.g., the Morris Worm, Stuxnet, and Opera- on the technical foundation of the Advanced Research tion Orchard) and non-cyber events (e.g., the Okla- Projects Agency Network (ARPANET).10 This account homa City Bombing, the Asian Financial Crisis, and emphasizes the decentralized, trust-based nature of the the November 2015 Paris terrorist attacks) alike were project. The panelists also reiterated a point raised in identified as potential roots of decisive change in this 2016, that the prefix “cyber” is still often conflated with field.5 But beyond the many spatial and temporal other terms, such as “info,” “computer,” or “the Inter- discontinuities identified were signs of remarkable net.” This ongoing conflation and ambiguity of terms continuity in the nature of cyber conflict, including hinders policy efforts to establish “rules of the road.” an ever-evolving relationship between “cyber” and “info” warfare. One participant noted the importance of understand- ing how “cyber” became a military domain, guiding our organizational and strategic thinking. In 2011, the U.S. military forces officially expanded the traditional 2 | SIPA: School of International and Public Affairs _________________________________________________________________________ domains of warfare — air, sea, land, and space — to lighted the November 2015 Paris attacks as a poten- include cyber.11 A number of countries have sub- tially interesting case warranting analysis. Historically, sequently adopted a similar approach, and in 2016 the primary focus of cyber conflict has centered on NATO also officially declared cyberspace a warfare attacks originating in Russia and China. The 2015 ter- domain.12 Both the historical origins and the impli- rorist attacks in Paris, while not cyber conflict, cata- cations of conceptualizing cyberspace in this manner pulted “cyber terrorism” back into focus as a key threat remain ill understood. to the general public. Finally, participants noted that the conceptualization In addition, participants noted that the ongoing discus- of cyberspace and its relevant terminology varies sion of the nature of cyber conflict — often post-cyber across countries. For example, a report from the East- incident — takes place in a number of different forums. West Institute states, “Unlike Americans, Russians They pointed out that many excellent insights on saw cybersecurity as an inextricable part of a larger recent cyber activity have appeared on Twitter instead discussion on information security.”13 Regional differ- of in the mainstream media. The research community ences are also evident in the interpretation of “cyber needs to think carefully about how best to capture these sovereignty,” which describes a government’s goal views to ensure that they will not be lost to reports pub- of exercising control over cyber activities within its lished in future case studies. 14 own borders. Finally, participants noted that the tendency to attach the prefix “cyber” to other terms, though ongoing, II. History of Cyber may slow or cease in the future. As one participant Conflict Discourse observed, we no longer talk about the “digital econ- omy” — it’s just the “economy.” “Cyber warfare” may QUESTION(S): GAP(S): someday mirror this trend; “cyber” will come to seem • How has the discourse • U.S.-centric. inherent to, and implicit in, “warfare.” surrounding cyber • Limited group of conflict (and the cyber actors analyzed. threat) developed III. Eras in Cyber Conflict History over time? QUESTION(S): GAP(S): The study of discourse and narratives is becoming • How can we divide
Recommended publications
  • Jason Healey Robert Jervis the Escalation Inversion and Other Oddities of Situational Cyber Stability
    The Scholar Texas National Security Review: Volume 3, Issue 4 (Fall 2020) Print: ISSN 2576-1021 Online: ISSN 2576-1153 The Escalation Inversion and Other Oddities of Situational Cyber Stability Jason Healey Robert Jervis The Escalation Inversion and Other Oddities of Situational Cyber Stability As the United States shifts to a new military strategy of defending forward against adversaries in cyberspace, research into the role of cyber capabilities in crisis stability is especially relevant. This paper introduces the concept of situational cyber stability, suggesting the key question is not “whether” cyber capabilities are escalatory but rather how they are escalatory under certain geopolitical conditions. We identify four key mechanisms: Pressure Release, Spark, Pull Out the Big Guns, and the Escalation Inversion. Optimists (believing that “No, cyber conflict is not escalatory”) and pessimists (“Oh, yes it is”) have each touched on parts of these mechanisms. This paper integrates research from both views to better understand crisis stability in cyberspace across the range of geopolitical contexts, from relative peace to impending war. We examine the role of surprise in cyber conflict and introduce policy recommendations to reduce the chances of crises escalating. t is one of the most important and debat- companies (Iran’s attacks on U.S. banks or the ed questions for policymakers and schol- North Korean dismembering of Sony)2; disrupted ars of cyber conflict: Are cyber capabilities national healthcare systems (North Korea’s Wan- escalatory? naCry, which disrupted the U.K. National Health IThe pessimists, in whose camp we normally re- Service),3 electrical grids in wintertime (Russia’s side, observe a two-decade trend of increasing cy- takedown of the Ukrainian grid),4 and national elec- ber aggression acting like a ratchet, not a pendulum.
    [Show full text]
  • 2013 Year in Review
    Cyber Statecraft Initiative 2013 Year in Review: Saving Cyberspace During 2013, the Atlantic Council’s Cyber Statecraft Initiative cemented its position as the most forward-leaning think tank on cyber policy issues in Washington, DC and perhaps the world. The goal of the program is “saving cyberspace” as this most transformative technology since Gutenberg is under threat, putting at risk the national security of the United States and the economic security of the world. Our program also became very well known for taking a strong position against overly aggressive spying by the National Security Agency and related cyber covert attacks, like Stuxnet. On this and other important issues, we held more than sixty events, from private dinners with senior international policymakers to large conferences like the Cyber 9/12 project with hundreds of people attending in person or online. The highlight of the Initiative’s publications was the release of A Fierce Domain, Conflict in Cyberspace, 1986 to 2012, which as the first military history of cyberspace received widespread praise, including in the Economist magazine. Led by an ideas-driven approach on these issues, this year experts had twenty broadcast interviews and the Cyber Statecraft Initiative has been mentioned in major national news outlets including National Public Radio, the Washington Post, the New York Times, the Wall Street Journal, Foreign Policy, Bloomberg News, Newsweek, CNN, the Atlantic, the Financial Times, the Economist, Deutsche Welle, and more. Director Jason Healey is a regular op-ed contributor to US News & World Report’s “World Report” section and Foreign Policy’s online “National Security” blog.
    [Show full text]
  • Testimony of Jason Healey Before the United States House Of
    Testimony of Jason Healey Before the United States House of Representatives Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit Hearing on “Protecting Critical Infrastructure: How the Financial Sector Addresses Cyber Threats” 19 May 2015 Chairman Neugebauer, Ranking Member Clay, and distinguished Members of the Committee, thank you for the honor of testifying before you on the finance sector’s response to cyber threats. Over the past nearly twenty years, I have been involved in cyber operations and policy in the military and Intelligence Community, the White House, and finance sector. I created the first cyber incident response capability at Goldman Sachs and was an early Vice Chairman of the Financial Services Information Sharing and Analysis Center. Now as an academic, serving both as a Senior Research Scholar at Columbia University’s School of International and Public Affairs and as Senior Fellow at the Atlantic Council, I may be less involved in the day-to-day cyber tumult than my colleagues here today, but with a bit more freedom to analyze where we have come from and what might be next. Regarding the cyber threat, it is surprising how little has changed. We've been concerned about the same basic threats – nation-states’ warriors and spies, hactivists, terrorists, insiders, and criminals -- for twenty, thirty, even forty years. It has been clear that banks are in the crosshairs since at least 1994 when Vladimir Levin took Citibank for over $10 million. But of course the massive expansion of those threats, and the myriad way come at the sector, is astounding.
    [Show full text]
  • America's Cyber Future Security and Prosperity in the Information
    America’s Cyber Future JUNE 2011 Security and Prosperity in the Information Age VOLUME II Edited by Kristin M. Lord and Travis Sharp Contributors: Robert E. Kahn, Mike McConnell, Joseph S. Nye, Jr. and Peter Schwartz (co-chairs); Nova J. Daly, Nathaniel Fick, Martha Finnemore, Richard Fontaine, Daniel E. Geer Jr., David A. Gross, Jason Healey, James A. Lewis, Kristin M. Lord, M. Ethan Lucarelli, Thomas G. Mahnken, Gary McGraw, Roger H. Miksad, Gregory J. Rattray, Will Rogers, Christopher M. Schroeder and Travis Sharp Acknowledgments The authors would like to thank the more than 200 people who generously contributed their time and expertise to this proj- ect. We are especially indebted to our co-chairs Bob Kahn, Mike McConnell, Joe Nye and Peter Schwartz for their tremendous support and guidance over the past year. We also thank our contributing authors for producing such insightful essays. We are particularly grateful to the many people who reviewed drafts of the papers included in this volume, including Irv Lachow, James Mulvenon, Charles Dunlap, Eric Rosenbach, Jeff Lord, Tom Gjelten, Greg Rattray, David Asher, Jeff Pryce, Andrew Lewman, Daniel Calingeart, David Gross, Nova Daly and several anonymous reviewers. In addition, we wish to thank the dozens of dedicated professionals in the U.S. government, armed services and private sector who candidly shared their perspectives. We also thank Global Business Network for hosting a workshop in San Francisco in February 2011, as well as the many technologists and other experts who attended. Peter Schwartz, David Babington and Audrey Plonk deserve special recognition for making the workshop a success.
    [Show full text]
  • Success of Persistent Engagement in Cyberspace
    STRATEGIC STUDIES QUARTERLY - POLICY FORUM Success of Persistent Engagement in Cyberspace he US Department of Defense’s 2018 cyber strategy is the most important development in this arena in the past 20 years.1 It rec- ognizes that states are continuously engaged in cyber operations Tand prescribes an imperative to “persistently contest” adversaries “in day- to- day competition” by, among other things, “defending forward to inter- cept and halt cyber threats.”2 Persistent engagement is straightforward yet subtle. Countering malicious cyber activity below the level of armed conflict requires daily interaction and competition to “expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins.”3 US Cyber Command (USCYBERCOM) must consistently conduct operations to impose just enough friction on adver- saries to moderate their behavior but not such disruption as to induce further attacks. Academics and policy makers have debated the merits of persistent engagement, and perhaps it is indeed the correct strategy to deal with cyber conflict. However, as with the introduction of any new strategy, de- veloping it is trivial compared to implementing it effectively against a competent adversary. At a minimum, persistent engagement requires (1) strong and sustained military and civilian leadership that embraces the strategy; (2) an organized, trained, and equipped force; (3) clear signaling to adversaries; (4) the trust of international and domestic partners; and (5) a robust interagency process. While the DOD might have the leader- ship and forces required to succeed, it is far from clear that the interagency process, the trust of partners, and signaling are or will be in place soon given the current political climate.
    [Show full text]
  • Cyber Operations As Imperfect Tools of Escalation
    STRATEGIC STUDIES QUARTERLY – PERSPECTIVES Cyber Operations as Imperfect Tools of Escalation ERICA D. BORGHARD SHAWN W. LONERGAN* Abstract here are important empirical reasons to suspect that the risks of cyber escalation may be exaggerated. If cyberspace is in fact an environment that generates severe escalation risks, why has cyber Tescalation not yet occurred? We posit that cyber escalation has not oc- curred because cyber operations are poor tools of escalation. In particular, we argue that this stems from key characteristics of offensive cyber capa- bilities that limit escalation through four mechanisms. First, retaliatory offensive cyber operations may not exist at the desired time of employ- ment. Second, even under conditions where they may exist, their effects are uncertain and often relatively limited. Third, several attributes of of- fensive cyber operations generate important tradeoffs for decision-­­­­­­makers that may make them hesitant to employ capabilities in some circumstances. Finally, the alternative of cross-do­­­­­­ main escalation—responding to a cyber incident with noncyber, kinetic instruments—is unlikely to be chosen ex- cept under rare circumstances, given the limited cost-­­­­­­generation potential of offensive cyber operations. ***** There is a widespread view among practitioners and scholars that cyber- space is defined by an inherent potential for dangerous escalation dynamics between rivals.1 On the practitioner side, for example, senior US intelligence and military leaders expressed concerns about first-­­­­­­strike incentives leading to escalation in a 2017 joint statement to Congress, testifying that “adversaries equipped with [offensive cyber capabilities] could be prone to preemptive attack and rapid escalation in a future crisis, because both sides would *The views of the authors are personal and do not reflect the policy or position of the Army Cyber Institute, United States Military Academy, 75th Innovation Command, Army Futures Command, Department of the Army, Department of Defense, or US government.
    [Show full text]
  • Rough-And-Ready: a Policy Framework to Determine If Cyber Deterrence Is Working Or Failing
    2019 11th International Conference on Cyber Conflict: Permission to make digital or hard copies of this publication for internal use within NATO and for personal or educational use when for non-profit or Silent Battle non-commercial purposes is granted providing that copies bear this notice T. Minárik, S. Alatalu, S. Biondi, and a full citation on the first page. Any other reproduction or transmission M. Signoretti, I. Tolga, G. Visky (Eds.) requires prior written permission by NATO CCD COE. 2019 © NATO CCD COE Publications, Tallinn Rough-and-Ready: A Policy Framework to Determine if Cyber Deterrence is Working or Failing Jason Healey Neil Jenkins Senior Research Scholar Chief Analytic Officer Columbia University, SIPA Cyber Threat Alliance New York, NY USA Arlington, VA USA [email protected] [email protected] Abstract: This paper addresses the recent shift in the United States’ policy that emphasizes forward defense and deterrence and to “intercept and halt” adversary cyber operations. Supporters believe these actions should significantly reduce attacks against the United States, while critics worry that they may incite more adversary activity. As there is no standard methodology to measure which is the case, this paper introduces a transparent framework to better assess whether the new U.S. policy and actions are suppressing or encouraging attacks.1 Determining correlation and causation will be difficult due to the hidden nature of cyber attacks, the veiled motivations of differing actors, and other factors. However even if causation may never be clear, changes in the direction and magnitude of cyber attacks can be suggestive of the success or failure of these new policies, especially as their proponents suggest they should be especially effective.
    [Show full text]
  • Strategic Culture and Cyberwarfare Strategies: Four Case Studies Sipa Capstone Workshop
    MAY 7, 2018 STRATEGIC CULTURE AND CYBERWARFARE STRATEGIES: FOUR CASE STUDIES SIPA CAPSTONE WORKSHOP CLIENT ORGANIZATION: UNITED STATES CYBER COMMAND FACULTY ADVISOR: PROF. GREGORY RATTRAY ABDULRAHMAN YAAQOB AL-HAMADI; DANIEL NICHOLAS BOCCIO; ERIK KORN; RASHIDE ASSAD ATALA; SCOTT SCHER; AND STEVEN JUN SIC PARK Disclaimer: This report was prepared by graduate students for a SIPA Capstone Workshop. The insights and opinions expressed are their own and do not reflect the view of the United States Cyber Command. ACKNOWLEDGMENTS The Strategic Cultures and Cyberwarfare Strategies team would like to express its deepest gratitude to Prof. Gregory Rattray, Dr. Emily O. Goldman and Dr. Michael Warner for their dedicated knowledge-based support for the project. We are also deeply thankful to Erica Borghard, Jenny Jun, Jack Snyder, JD Work, Jason Healey, Sean Kanuck, Adam Segal, and Nadiya Kostyuk for their time and invaluable insights. 1 ABSTRACT This report presents the U.S. Cyber Command with a cross-case study based on the examination of China’s, Russia’s, Iran’s, and the Democratic People’s Republic of Korea’s history, geography, politics, economy, religion, and philosophy in order to understand how each differing strategic culture guides the state’s motivations and behaviors. This includes each country’s employment of non-state actors and proxies, legal framework, and military-civilian relations. The strategic culture lens provides a deeper understanding of each state’s cyberwarfare strategies. By examining how current factors are shaping the most likely future trajectory and what the most dangerous trajectory could look like, we provide lessons that the U.S.
    [Show full text]
  • Strategic Studies Quarterly, Spring 2020
    SPRING 2020 Vol. 14, No. 1 Time for a Counter- AI Strategy M. A. Thomas Success of Persistent Engagement in Cyberspace Jason Healey Stuart Caudill FEATURE ARTICLE Artificial Intelligence: A Threat to Strategic Stability James S. Johnson Three- Way Power Dynamics in the Arctic Rebecca Pincus Strategic Choice and the Orbital Security Dilemma LTC Brad Townsend, USA Strategic Contours of China’s Arms Transfers Michael Raska Richard A. Bitzinger Strategy in the New Era of Tactical Nuclear Weapons COL Joseph D. Becker, USA Strategic Studies SSQ Quarterly Chief of Staff, US Air Force Gen David L. Goldfein, USAF Commander, Air Education and Training Command Lt Gen Marshall B. Webb, USAF Commander and President, Air University Lt Gen James B. Hecker, USAF Director, Academic Services Mehmed Ali, PhD Director, Air University Press Lt Col Darin Gregg, USAF Editor Col W. Michael Guillot, USAF, Retired Managing Editor Illustrator Jeanne K. Shamburger Daniel M. Armstrong Print Specialist Webmaster Megan N. Hoehn Kevin V. Frey Advisors Contributing Editors Gen Michael P. C. Carns, USAF, Retired David C. Benson, PhD James W. Forsyth, PhD Mark J. Conversino, PhD Christina Goulter, PhD Kelly A. Grieco, PhD Robert P. Haffa, PhD Michael R. Kraig, PhD Jay P. Kesan, PhD Col Kristi Lowenthal, USAF, PhD Charlotte Ku, PhD Dawn C. Murphy, PhD Benjamin S. Lambeth, PhD David D. Palkki, PhD Martin C. Libicki, PhD Nicholas M. Sambaluk, PhD Allan R. Millett, PhD https://www.af.mil/ https://www.aetc.af.mil/ https://www.airuniversity.af.edu/ Strategic Studies Quarterly An Air Force–Sponsored Strategic Forum on National and International Security SPRING 2020 VOL.
    [Show full text]
  • Cybersecurity: Emerging Issues, Trends, Technologies and Threats in 2015 and Beyond
    CYBERSECURITY: EMERGING ISSUES, TRENDS, TECHNOLOGIES AND THREATS IN 2015 AND BEYOND Edited Volume Edited by March 2016 Caitriona Heinl and Eugene EG Tan Cybersecurity Emerging Issues, Trends, Technologies and Threats in 2015 and Beyond Edited by: Caitriona Heinl and Eugene EG Tan Centre of Excellence for National Security (CENS) This edited volume presents preliminary articles to stimulate comment and discussion. The views expressed in the articles are entirely those of the authors, and do not represent the official position of the S. Rajaratnam School of International Studies. Foreword This collection of short commentaries presents views on many of the on-going debates relating to cybersecurity policy. The authors include government practitioners and leading academics who addressed the Centre of Excellence for National Security workshop on “Cybersecurity: Emerging Issues, Trends, Technologies and Threats in 2015 and Beyond” on 20-21 July 2015. The workshop focused on the possible implications of these debates on countries like Singapore and the wider Southeast Asia/Asia Pacific region, particularly in terms of the regulatory, operational and governance domains. The quality of contributions at the workshop led to the decision to publish them here. These edited commentaries which are based on the workshop presentations have been expanded to provide greater depth to those arguments originally made in the presentations. Table of Contents A New Cybersecurity Paradigm 3 Daniel Castro, Vice President, Information Technology & Innovation Foundation
    [Show full text]
  • The U.S. Government and Zero-Day Vulnerabilities Intelligence Purposes Did Not Put U.S
    November 2016 In August 2016, a group calling itself Shadow Brokers released a cache of top secret cyber spying ca- pabilities almost certainly belonging to the U.S. National Security Agency (NSA). Out of the fifteen exploits in the cache, several appear to be previously unknown vulnerabilities (a so-called zero day or 0day vulnerability).1 Worryingly, these vulnerabilities were in security products produced by Cisco, Juniper, and Fortinet, each widely used to protect U.S. companies and critical infrastructure, as well as other systems worldwide. As of this writing, the Shadow Brokers are still revealing new vulnera- bilities and there may be more zero days discovered. The existence of these capabilities begs many questions critical to the future of cyberspace: 1. Should the NSA have told vendors like Cisco about these vulnerabilities? 2. What is the process for determining whether to retain or disclose them to vendors? 3. Do these revelations mean this process is broken? 4. How many does the U.S. government retain every year? 5. How big is the U.S. arsenal of such capabilities? 6. What should be done next? This report, based on research over the past six months from Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs (SIPA) and a class of graduate students, provides the best current answers for these questions. Based on numerous interviews and the U.S. government’s own public statements about its policies, the NSA almost certainly should have disclosed these vulnerabilities to Cisco, Juniper, and Fortinet (just as the Federal Bureau of Investigation (FBI) should have told Apple about the vulnerability it used in April 2016 to access the iPhone of the San Bernardino murderers).2 In January 2014, Presi- dent Obama made it government policy to disclose by default any new vulnerability.
    [Show full text]
  • Jason Healey
    Jason Healey Nonresident senior fellow for the Cyber Statecraft Initiative of the Atlantic Council Jason Healey is a nonresident senior fellow for the Cyber Statecraft Initiative of the Atlantic Council and senior research scholar at Columbia University's School of International and Public Affairs, focusing on international cooperation, competition, and conflict in cyberspace. From 2011 to 2015, he worked as the director of the Council's Cyber Statecraft Initiative. Under his leadership, the Initiative made its mission "Saving Cyberspace" to help create a more sustainable Internet that remains as open and free for future generations as it was for its pioneers. He guided the Initiative's work with Fortune 500 companies, governments, and other stakeholders to examine the overlap of national security, international relations, and economic security issues and to promote thought leadership in cyber statecraft. Mr. Healey is also the editor of the first-ever history of cyber conflict, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 and coauthor of the book Cyber Security Policy Guidebook by Wiley. Additionally, his ideas on cyber topics have been widely published in over a hundred articles and essays published by the Atlantic Council; the National Research Council; academic journals such as those from Brown and Georgetown Universities; along with the Aspen Strategy Group and other think tanks. Mr. Healey is also the president of the Cyber Conflict Studies Association. Mr. Healey has unique experience working issues of cyber conflict and security spanning fifteen years across the public and private sectors. As director for Cyber Infrastructure Protection at the White House from 2003 to 2005, he helped advise the President and coordinated US efforts to secure US cyberspace and critical infrastructure.
    [Show full text]