Table of Contents

List of Illustrations xiii

List of Acronyms and Abbreviations xv

Introduction 1

Part I Foundations

Chapter 1 Emblematic Attacks 5

Prototypical Events 5

Cybercrime and Other System Intrusions 8

Advanced Persistent Threat 10

Distributed Denial-of-Service Attacks 14

Disruptive and Destructive Attacks 16

Doxing Attacks 22

Conclusions 23

Chapter 2 Some Basic Principles 24

Cyberwar and Cyberspace 26

Layers 27

How Hacks Work 29

Agoras and Castles 34

Most Cyberattacks Have Transitory Effects 36

Chapter 3 How to Compromise a Computer 41

Abuses by Random External Users 41

Abuses by Authorized Internal Users 43

Altered Instructions via Supply-Chain Attack 45

Malware 47

Conclusions 50

Chapter 4 Cybersecurity as a Systems Problem 51

Applications Are Often the Weak Links in the Security Chain 51

The Role of Input Filtering 52

The Role of Browsers and Operating Systems 53

The Role of People 54

The Role of Cryptography 56

A Role for Firewalls? 57

The Role of Air-Gapping 60

Relationships among Machines, Systems, and Engineering 63

Cybersecunty as a Business Process Problem 64

Measures and Countermeasures 66

Lessons from the OPM Hack 68

Chapter 5 Defending against Deep and Wide Attacks 69

Deep Attacks 69

Identifying Near-Catastrophes to Get Ahead of Catastrophes 71

Hedging to Deal with Exceptions to the Power-Law Rule 72

Attacks of Broad Consequence 73

Scalability Influences How Well a Near-Catastrophe Predicts a Catastrophe 76

Implications for Learning 78

Is Information Sharing a Panacea? 79

Chapter 6 Deterrence by Denial 82

What Is Being Discouraged? 82

Complicating Psychological Factors 85

Dissuading Cyberattack by Defeating Its Strategy 86

Is Deterrence by Denial Transferable? 87

Part II Operations

Chapter 7 Tactical Cyber War 89

Possible Effects 89

Timing Cyberattacks 92

The Role of Surprise 93

A Tactical Cyberwar Scenario 99

Would China Use Tactical Cyberwar the Same Way? 100

Why Supremacy Is Meaningless and Superiority Unnecessary 101

Conclusions 103

Chapter 8 Organizing a Cyberwar Campaign 104

Why a Campaign? 104

Whose Campaign? 106

The Challenge of Skepticism over the Potential of Tactical Cyberwar 108

The Insertion of Tactical Cyberwar into Kinetic Operations 110

Escalation and Tactical Cyberwar 111

Chapter 9 Professionalizing Cyberwar 113

Battle Damage Assessment 113

Collateral Damage 115

Other Weaponization Parameters 120

Should Cyberwar Authority Be Predelegated? 121

A Hacker Way of Warfare 122

Programming and Budgeting for Cyberwar 124

Chapter 10 Is Cybebspace a Warfighting Domain? 127

Cyberwar Operations Are about Usurping Command and Control 128

Cyberspace as Multiple Media 129

Defend the Domain or Ensure Missions? 130

Offensive Operations 130

Cyberspace as a Warfighting Domain and DDOS Attacks 131

Other Errors from Calling Cyberspace a Warfighting Domain 133

No Domain, No Cyber Equivalent of Billy Mitchell 134

Conclusions 136

Chapter 11 Strategic Implications of Tactical Cyberwar 137

Influencing Others against Digitization 137

Cyberattacks and the Correlation of Forces 141

The Challenge of Alliance Defense in Cyberspace 145

Chapter 12 Stability Implications of Tactical Cyberwar 148

Attack Wins 148

Getting the Jump Wins 150

The Risks of Acting Are Reduced 152

The Risks of Not Acting Are Increased 153

A Missing Element of Caution 155

A Quick Comparison to Nuclear Weapons 155

Do Cyberattack Options Reduce Violence? 156

Conclusions 159

Part III Strategies

Chapter 13 Strategic Cyberwar 161

Strategic Cyberwar May Focus on Power Grids and Banks 161

How Coercive Can a Strategic Cyberwar Campaign Be? 164

The Conduct of Strategic Cyberwar 166

Indications and Warnings 168

A Cyber SIOP? 169

Keeping Targets in Reserve 171

Terminating Cyberwar 171

Conclusions 172

Chapter 14 Cyberwar Threats as Deterrence and Compulsion 173

The Anger/Fear Balance 174

The Difficulty of Evaluating a Coercive Campaign 175

A Stalling Strategy for Compulsion 177

A Deterrence Response Window 178

Chapter 15 The Unexpected Asymmetry of Cyberwar 181

The Third World Disadvantage 181

The Particular U.S. Advantage 183

Was This All an Exercise in Nostalgia? 186

A Silver Lining Arising from Kerckhoffs's Principle 187

The Influence of Third Parties on the Balance of Power in Cyberspace 188

Chapter 16 Responding to Cyberattack 190

First-Strike Cyberattacks May Have a Variety of Motives 190

What Looks like an Unprovoked Cyberattack May Not Be 193

Should the Target Reveal the Cyberattack-and When? 193

A Delayed Response 195

Responding without Force 196

Economic Responses 198

Sanctions until the Behavior Ends 199

The Perils of an Easy Response 200

Sub-Rosa Cyberwar 200

A Drawback to Any Response 204

How Will the Attacker Respond to Retaliation? 204

Conclusions 207

Chapter 17 Deterrence Fundamentals 209

Cyberdeterrence Differs from Nuclear and Criminal Deterrence 210

The Rationale for Deterrence 211

What Makes Deterrence Work? 213

The Core Message of Deterrence 215

Tailored Deterrence 217

The Problematic Nature of Cyberdeterrence 217

Chapter 18 The Will to Retaliate 218

The Risks of Reprisals 218

Third-Party Cyberattacks 219

Retaliation May Be Stymied by Bigger Issues on the Table 219

Credibility May Not Be Easy to Establish 221

The Signals Associated with Carrying Out Reprisals May Get Lost in the Noise 222

The Impact of Good Defenses on Credibility Is Mixed 222

Can Extended Deterrence Work in Cyberspace? 224

A Baltic Cyberspace Alliance? 225

Conclusions 228

Chapter 19 Attribution 230

What Will Convince Others of Your Attribution? 230

How Good Would Attribution Be? 233

What Could Make Attribution So Hard? 234

When Attribution Seems to Work 235

When Can Countries Be Blamed for What Starts within Their Borders? 237

Why Credibility Makes Attribution an Issue 240

Will the Attacker Always Avoid Attribution? 241

Why an Attacker May Favor Ambiguous Attribution over None at All 243

What Should Be Revealed about Attribution? 244

Attribution in a Post-Truth World 246

Conclusion 246

Chapter 20 What Threshold for Response? 247

A Zero-Tolerance Policy? 247

Non-Zero Thresholds 249

Did NotPetya Cross What Would Be a Reasonable Threshold? 251

Should Pulled or Failed Punches Merit Retaliation? 252

Compulsion versus Deterrence 253

Threshold Issues Complicate Retaliating against Cyberespionage 254

Chapter 21 A Deterministic Posture 255

Advantages of Determinism 255

Advantages of a Probabilistic Deterrence Posture 257

The Choice to Retaliate under Uncertainty 259

Chapter 22 Punishment and Holding Targets at Risk 261

The Lack of Good Targets for Intradomain Deterrence 261

The Temptations of Cross-Domain Deterrence 263

Will Targets Actually Hit Back at All? 264

Can Secondary Deterrence Address the Problems of Primary Deterrence? 265

Persistent Engagement qua Deterrence 267

Summary Observations on Cyberdeterrence 268

Chapter 23 Cyberwar Escalation 271

The Purpose and Risks of Escalation 271

Escalation in Strategic Cyberwar 272

The Difficulties of Tit-for-Tat Management 273

Escalation into Kinetic Warfare 278

Escalation Risks from Proxy Cyberwar 279

Proxy Cyberattacks 282

Conclusions 283

Chapter 24 Brandishing Cyberattack Capabilities 284

What Brandishing Is 284

Your Power or Their Powerlessness? 285

How to Brandish Cyberattack Capabilities 285

Brandishing Implants 287

Escalation Dominance and Brandishing 289

Counter-Brandishing 290

Caveats and Cautions 292

Chapter 25 Narratives and Signals 294

Narratives to Facilitate Crisis Control 294

A Narrative Framework for Cyberspace 295

Narratives as Morality Plays 296

Narratives to Walk Back a Crisis 297

Narrative, Attribution, and Response 298

Signaling 299

What Can We Say with Signals That Would Come as News to Others? 300

Ambiguity in Signaling 302

Why Narratives Matter to Signals 303

Chapter 26 Cyberattack Inferences from Cyberespionage 305

Inferring Cyberattacks from Cyberespionage 305

Inferences from the Fact of Cyberespionage Alone 307

How to Continue with Cyberespionage with Less Risk 308

Stick with Attacks on Offensive Systems? 308

The Defender's Options 309

Deliberate Signaling, Both Friendly and Hostile 310

Conclusions 311

Chapter 27 Strategic Stability 312

Would Nuclear Dilemmas Echo in Cyberspace? 312

Misperception as a Source of Crisis 315

Excessive Confidence in Attribution or Preemption 316

Can There Be a Cuban Missile Crisis in Cyberspace? 317

Conclusions 318

Part IV Norms

Chapter 28 Norms for Cyberspace 319

Unilateral Red Lines and Multilateral Norms 320

Red Lines versus Norms 320

The Criminalization of Hacking 323

Norms on Attribution 324

Arms Control 325

Normalization 326

Law of Armed Conflict: Jus in bello 329

Law of Armed Conflict: Jus ad bellum 331

From, the Tallinn Manual to Las Vegas Rules 333

What the Tallinn Manual Says 333

Viva Las Vegas 335

But Not So Fast 337

Why Not Las Vegas Rules for Outer Space as Well? 338

Conclusions 339

Chapter 29 The Rocky Road to Cyberespionage Norms 340

Norms against Economically Motivated Cyberespionage 340

The Cybercrime Markets Norm 341

The No-Political-Doxing Norm 342

Prohibiting Certain Targets to Prohibit Unwelcome Uses of Purloined Information 344

Cyberespionage against Critical Infrastructure 344

Getting to Norms 346

Chapter 30 Sino-American Relations and Norms in Cyberspace 347

The United States Advocates Its Norms 347

Can We Trade? 349

The Deal That Was Struck 351

Chapter 31 The Enigma of Russian Behavior in Cyberspace 354

The Early Years 354

After Maidan 354

What Happened to Cyberwar in the Russo-Ukraine Conflict? 355

Cyberattacks to Support Narratives 357

Conclusions 357

Chapter 32 Cybersecurity Futures 359

Better Offense 359

A Larger Attack Surface 360

Better Defense 363

Artificial Intelligence 365

A Three Mile Island in Cyberspace 366

Chapter 33 Cyberwar: What Is It Goob For? 370

Notes 373

Bibliography 425

Index 481