Cyberspace and National Security Selected Articles II Edited by Gabi Siboni המכון למחקרי ביטחון לאומי THE INSTITUTE FOR NATIONAL SECURITYc STUDIES INCORPORATING THE JAFFEE b d CENTER FOR STRATEGIC STUDIES Cyberspace and National Security Selected Articles II Edited by Gabi Siboni THE INSTITUTE FOR NATIONAL SECURcITY STUDIES INCORPORATING THE JAFFEE b d CENTER FOR STRATEGIC STUDIES Institute for National Security Studies THE INSTITUTE FOR NATIONAL SECURcITY STUDIES INCORPORATING THE JAFFEE b d CENTER FOR STRATEGIC STUDIES Graphic design: Michal Semo-Kovetz The Institute for National Security Studies (INSS), incorporating Printing: Elinir the Jaffee Center for Strategic Studies, was founded in 2006. The purpose of the Institute for National Security Studies Institute for National Security Studies is first, to conduct basic research that meets the highest (a public benefit company) academic standards on matters related to Israel’s national 40 Haim Levanon Street security as well as Middle East regional and international POB 39950 security affairs. Second, the Institute aims to contribute to Ramat Aviv the public debate and governmental deliberation of issues Tel Aviv 6997556 that are – or should be – at the top of Israel’s national security agenda. Tel. +972-3-640-0400 INSS seeks to address Israeli decision makers and Fax. +972-3-744-7590 policymakers, the defense establishment, public opinion makers, the academic community in Israel and abroad, and E-mail: [email protected] the general public. http://www.inss.org.il INSS publishes research that it deems worthy of public attention, while it maintains a strict policy of non-partisanship. © All rights reserved. The opinions expressed in this publication are the author’s March 2014 alone, and do not necessarily reflect the views of the Institute, its trustees, boards, research staff, or the organization and ISBN: 978-965-7425-59-6 individuals that support its research. Contents Foreword | 5 A Blueprint for Cyber Deterrence: Building Stability through Strength | 7 Frank J. Cilluffo, Sharon L. Cardash, and George C. Salmoiraghi Duqu’s Dilemma: The Ambiguity Assertion and the Futility of Sanitized Cyberwar | 29 Matthew Crosston The Strategic Uses of Ambiguity in Cyberspace | 43 Martin C. Libicki An Interdisciplinary Look at Security Challenges in the Information Age | 51 Isaac Ben-Israel and Lior Tabansky Cyber Warfare and Deterrence: Trends and Challenges in Research | 69 Amir Lupovici In Defense of Stuxnet | 83 James A. Lewis Unraveling the Stuxnet Effect: Of Much Persistence and Little Change in the Cyber Threats Debate | 95 Myriam Dunn Cavelty The Threat of Terrorist Organizations in Cyberspace | 105 Gabi Siboni, Daniel Cohen, and Aviv Rotbart The INSS Cyber Program | 133 Foreword Israel’s rapid development as a leading player in the cyber realm is one of several factors that have spurred research in Israel in general, and at the Institute for National Security Studies (INSS) in particular, on cyber-related issues. In order to broaden the scope of the research underway at INSS, the INSS Cyber Program has long promoted international cooperation in the field, reflected, for example, in the INSS conference on defensive operations and intelligence in cyberspace, held with the Cyber Security Forum Initiative (CSFI), a large and important organization in the United States cyber community. This year’s conference is also held in collaboration with various entities in Israel, including the Ministry of Intelligence, the National Cyber Staff, the IDF Computer Service Directorate, and the chief scientist in the Ministry of the Economy. The conference’s focus on defensive operations and intelligence allows INSS to highlight its work in this field, which complements a variety of related professional activities underway in Israel and around the world. This year’s conference has several important objectives, among them: to deepen cooperation among government agencies and organizations in the cyber field in Israel and the United States; to enhance exposure of the Israeli cyber market among American technology companies that seek to develop business in Israel or to lend exposure to Israeli capabilities and technologies abroad; and to expand international cooperation in the cyber field with other countries. As with previous conferences, we have compiled several articles written by researchers at INSS and institutions elsewhere around the world. These articles were prepared within the framework of the Institute’s Cyber Program, and were first published in the INSS journalMilitary and Strategic Affairs. Gabi Siboni Director, Cyber Program, INSS 5 Cilluffo, Cardash, and Salmoiraghi A Blueprint for Cyber Deterrence: Building Stability through Strength Frank J. Cilluffo, Sharon L. Cardash, and George C. Salmoiraghi “In many ways, deterrence in cyberspace is eminently more complicated than deterrence in the Cold War. The nature of the domain makes it so. Even the most sophisticated theo- ries behind nuclear deterrence will prove inadequate for dealing with the complexities of a man-made domain with a virtually infinite number of constantly changing actors, mo- tivations, and capabilities.”1 Cyber threats pose a real and growing problem, and to date, United States efforts to counter them have lagged. While the ability to defend against an attack or intrusion must be maintained, the US, like any country, would be well served by deterring its adversaries from acting in the first place – at least when it comes to the most serious of actions, namely cyber warfare. Clearly not all hostile behavior can be deterred, but it is important to identify priorities in this regard and determine how best to address those that lead the list. Despite animated discussions, development of a grand unified solution has remained elusive, in part because the complexity and crosscutting nature of cyber deterrence requires a comprehensive and cohesive solution that encompasses stakeholders in both the private and public sectors. In order to help structure the debate and advance toward the goal, we propose a framework that examines the issue critically and looks to Frank J. Cilluffo is director of the George Washington University Homeland Security Policy Institute (HSPI) and co-director of GW’s Cyber Center for National & Economic Security (CCNES). Sharon L. Cardash is associate director of HSPI and a member of CCNES. George C. Salmoiraghi is an attorney and advisor to HSPI in Washington, D.C. This article was first published in Military and Strategic Affairs 4, no. 3 (2012): 3-23. 7 Cilluffo, CardasH, AND SalmoiragHI | A BLUEPRINT FOR CYBER DETERRENCE dissuade, deter, and compel both state and non-state hostile actors. Placing potential threats into conceptual relief this way helps clarify the sources of danger and serves as a starting point for determining and attaching responsibility for hostile action(s) against a country or its allies. This then allows the relevant players who have been targeted by hostile actors to proceed with necessary discussions and action as both a precursor to, and actual execution of, appropriate and effective response measures. The rubric thus yields a further corollary benefit by aiding to identify areas that would benefit from or even require cooperation among affected/targeted entities. In short, this framework provides a starting point to explore ways to deter hostile actors, and as such offers a conceptual lens that can be of value to the US and its allies alike. Neither the range of actors nor their potential activities detailed below is meant to be exhaustive. It is instead a snapshot, and a rough one at that, intended to help convey a sense of who, what, how, why, and so on, as a prelude to a more in-depth discussion of strategy and policy in the area of cyber deterrence. State Actors Foreign militaries may engage in computer network attack/computer network exploitation (CNA/CNE) to limit, degrade, or destroy another country’s abilities, in furtherance of a political agenda. Foreign militaries are increasingly integrating CNA and CNE capabilities into their war fighting and military planning and doctrine.2 Such efforts have conventional battlefield applications (i.e., enhancing one’s own weapon systems and platforms, and/or stymieing those of others); and unconventional applications, as cyberspace extends the battlefield to incorporate broader civilian and societal elements. Cyber domain activity may cover intelligence preparation of the battlefield, to include the mapping of critical infrastructures of perceived adversaries.3 Foreign intelligence and security services: Exploits may include political, military, economic, and industrial espionage; theft of information from or about another government; or theft of intellectual property, technology, trade secrets, and so on in the hands of private corporations and universities. Many foreign intelligence services are engaged in industrial espionage in support of private companies.4 Ultimate aims of activities by this actor category include the desire to influence decisions, and affect the balance of power (regionally, internationally, and so on). Convergence of human and 8 Cilluffo, CardasH, AND SalmoiragHI | A BLUEPRINT FOR CYBER DETERRENCE technical intelligence is especially notable in this category, and includes the “insider” threat.5 Hybrid aspects: Elements of state capability may be integrated to achieve a whole that is greater than the sum of its parts. Alliances (state-to-state) may be invoked for a similar effect. Joint activity in