The Cyber Loop

Georgia’s Cyber Left Hook

Georgian-Russian hostilities in South Ossetia have generated a substantial amount of analysis and speculation regarding the accompanying cyber conflict.5 Most of the focus has centered on identifying the parties who conducted the cyber attacks. The Georgian cyber event provides an intriguing opportunity to examine a more subtle and perhaps overlooked aspect of cyber conflict—the concept of cyber neutrality. The Georgian case raises two fundamental questions: (1) How did the combined actions of the Georgian government and US information technology (IT) companies impact American status as a cyber neutral? (2) Can the United States remain neutral (or cyber neutral) during a cyber conflict?

Read the full article here.

Deterrence Stability in the Cyber Age

Technical and operational realities make it prohibitively difficult to adapt a Cold War paradigm of “deterrence stability” to the new domain of cyber warfare. Information quality problems are likely to forestall the development of a cyber equivalent of the strategic exchange models that assessed deterrence stability during the Cold War. Since cyberspace is not firmly connected to geographic space the way other domains are, modeling is extremely difficult, muddling the neat conceptual distinctions between “counterforce” (military) and “countervalue” (civilian) targets. These obstacles seriously complicate US planning for a credible cyber “assured response” and present substantial challenges to potential adversaries contemplating cyber attacks against US interests. To create a maximally effective deterrent against cyber threats, the United States should seek to maximize the challenges for possible opponents by creating a cyber “strategy of technology,” emphasizing resilience, denial, and offensive capabilities.

Read the full article here.

Tallinn Manual

From Amazon.com

The product of a three-year project by twenty renowned international law scholars and practitioners, the Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five ‘black-letter rules’ governing such conflicts. It addresses topics including sovereignty, State responsibility, the jus ad bellum, international humanitarian law, and the law of neutrality. An extensive commentary accompanies each rule, which sets forth the rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application.

Making Strategic Sense of Cyber Power: Why the Sky Is Not Falling

From the Executive Summary:

Cyber is now recognized as an operational domain, but the theory that should explain it strategically is, for the most part, missing. It is one thing to know how to digitize; it is quite another to understand what digitization means strategically. The author maintains that, although the technical and tactical literature on cyber is abundant, strategic theoretical treatment is poor. He offers four conclusions: (1) cyber power will prove useful as an enabler of joint military operationsl; (2) cyber offense is likely to achieve some success, and the harm we suffer is most unlikely to be close to lethally damaging; (3) cyber power is only information and is only one way in which we collect, store, and transmit information; and, (4) it is clear enough today that the sky is not falling because of cyber peril. As a constructed environment, cyberspace is very much what we choose to make it. Once we shed our inappropriate awe of the scientific and technological novelty and wonder of it all, we ought to have little trouble realizing that as a strategic challenge we have met and succeeded against the like of networked computers and their electrons before. The whole record of strategic history says: Be respectful of, and adapt for, technical change, but do not panic.

Read the full book here.

We Are Anonymous

From Amazon.com

WE ARE ANONYMOUS is the first full account of how a loosely assembled group of hackers scattered across the globe formed a new kind of insurgency, seized headlines, and tortured the feds-and the ultimate betrayal that would eventually bring them down. Parmy Olson goes behind the headlines and into the world of Anonymous and LulzSec with unprecedented access, drawing upon hundreds of conversations with the hackers themselves, including exclusive interviews with all six core members of LulzSec.

In late 2010, thousands of hacktivists joined a mass digital assault on the websites of VISA, MasterCard, and PayPal to protest their treatment of WikiLeaks. Other targets were wide ranging-the websites of corporations from Sony Entertainment and Fox to the Vatican and the Church of Scientology were hacked, defaced, and embarrassed-and the message was that no one was safe. Thousands of user accounts from pornography websites were released, exposing government employees and military personnel.

Although some attacks were perpetrated by masses of users who were rallied on the message boards of 4Chan, many others were masterminded by a small, tight-knit group of hackers who formed a splinter group of Anonymous called LulzSec. The legend of Anonymous and LulzSec grew in the wake of each ambitious hack. But how were they penetrating intricate corporate security systems? Were they anarchists or activists? Teams or lone wolves? A cabal of skilled hackers or a disorganized bunch of kids?

WE ARE ANONYMOUS delves deep into the internet’s underbelly to tell the incredible full story of the global cyber insurgency movement, and its implications for the future of computer security.

Cyber Deterrence

How difficult is cyber deterrence? Some theorists argue that it is quite difficult. These skeptics make valid points; the domain of cyberspace does pose unique challenges for an effective deterrence strategy. But treating cyber deterrence only theoretically—that is, ignoring the geopolitical context in which cyber attacks occur—unintentionally exaggerates its difficulty. Cyber deterrence proves easier in practice than it seems to be in theory because cyber attacks are ultimately inseparable from the physical domain, where deterrence has a long-demonstrated record of success.

Read the full article here.

Countdown to Zero Day

From Amazon.com

Top cybersecurity journalist Kim Zetter tells the story behind the virus that sabotaged Iran’s nuclear efforts and shows how its existence has ushered in a new age of warfare—one in which a digital attack can have the same destructive capability as a megaton bomb.

In January 2010, inspectors with the International Atomic Energy Agency noticed that centrifuges at an Iranian uranium enrichment plant were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the technicians replacing the centrifuges as to the inspectors observing them.

Then, five months later, a seemingly unrelated event occurred: A computer security firm in Belarus was called in to troubleshoot some computers in Iran that were crashing and rebooting repeatedly.

At first, the firm’s programmers believed the malicious code on the machines was a simple, routine piece of malware. But as they and other experts around the world investigated, they discovered a mysterious virus of unparalleled complexity.

They had, they soon learned, stumbled upon the world’s first digital weapon. For Stuxnet, as it came to be known, was unlike any other virus or worm built before: Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak actual, physical destruction on a nuclear facility.

In these pages, Wired journalist Kim Zetter draws on her extensive sources and expertise to tell the story behind Stuxnet’s planning, execution, and discovery, covering its genesis in the corridors of Bush’s White House and its unleashing on systems in Iran—and telling the spectacular, unlikely tale of the security geeks who managed to unravel a sabotage campaign years in the making.

But Countdown to Zero Day ranges far beyond Stuxnet itself. Here, Zetter shows us how digital warfare developed in the US. She takes us inside today’s flourishing zero-day “grey markets,” in which intelligence agencies and militaries pay huge sums for the malicious code they need to carry out infiltrations and attacks. She reveals just how vulnerable many of our own critical systems are to Stuxnet-like strikes, from nation-state adversaries and anonymous hackers alike—and shows us just what might happen should our infrastructure be targeted by such an attack.

Propelled by Zetter’s unique knowledge and access, and filled with eye-opening explanations of the technologies involved, Countdown to Zero Day is a comprehensive and prescient portrait of a world at the edge of a new kind of war.

Cyber Defense: An International View

From the Summary:

Despite the history of offensive cyber activity being much longer than is commonly thought, cyber defense is still considered a new discipline. It is only relatively recently that states have established formal structures to provide for cyber defense, and cyber security more broadly. In this context, each nation has developed its own mix of public, private, and military organizations active in the field.

The relationships between these organizations are based on the nation’s unique circumstances, determining the overall shape of relations between the state and business, the approach to e-government, civilian control of the military, threat perception, and much more. The United States is no exception and has developed its own approach to organizing cyber defense based on factors specific to it. But the wide range of organizational approaches to reaching a “best fit” template for successful cyber defense raises the possibility that other nations may have developed approaches that could be usefully adopted in a U.S. context.

This Paper introduces four different foreign approaches to cyber defense, each very different from the U.S. model. In surveying the cyber defense organizations of Germany, Sweden, Norway, and Estonia, the Paper aims not only to provide baseline information on overseas structures and planning in order to facilitate U.S. cooperation with international partners, but also to provide policymakers with an overview of effective alternative approaches that may be applicable in a U.S. context.

Read the full book here.

Cybersecurity for Executives

From Amazon.com
Practical guide that can be used by executives to make well-informed decisions on cybersecurity issues to better protect their business

Emphasizes, in a direct and uncomplicated way, how executives can identify, understand, assess, and mitigate risks associated with cybersecurity issues
Covers ‘What to Do When You Get Hacked?’ including Business Continuity and Disaster Recovery planning, Public Relations, Legal and Regulatory issues, and Notifications and Disclosures
Provides steps for integrating cybersecurity into Strategy; Policy and Guidelines; Change Management and Personnel Management
Identifies cybersecurity best practices that executives can and should use both in the office and at home to protect their vital information

World Gone Cyber MAD

Many cyber experts say the United States is woefully ill prepared for a sophisticated cyber attack and that each passing day brings it one step closer to a potential virtual Armageddon. While the problems hindering the development of an effective and comprehensive cyber deterrence policy are clear (threat measurement, attribution, information-sharing, legal codex development, and poor infrastructure, to name several), this article focuses on one aspect of the debate that heretofore has been relatively ignored: that the futility of governmental innovation in terms of defensive efficacy is a relatively constant and shared weakness across all modern great powers, whether the United States, China, Russia, or others. In other words, every state that is concerned about the cyber realm from a global security perspective is equally deficient and vulnerable to offensive attack; therefore, defensive cyber systems are likely to remain relatively impotent across the board.

Read the full article here.