Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, but because you will encounter international threats and concerns, it’s also important to be able to recognize threats from other countries. This is the last of six sequential projects. In this project, you are tasked with creating a chart that depicts your recommendations regarding the assessment and evaluation of the cybersecurity threats and policies that can be linked to origins in the Middle East, Europe, Africa, and other regions, including the relevant cultural differences in global security outlooks across these regions. You will base your findings from the view of a consultant to an international company looking to expand in those geographical areas. Generally, what kind of cybersecurity climate will the company encounter? In your research, focus on a malicious cyber technology or capability (malware) that is specific to the global environment, i.e., Trojans, rootkits, worms, spyware, keystroke loggers, or advanced persistent threats (do not select botnets, as they will be studied separately in this project). Along with your country threat assessments, you must also assess and evaluate the evolution of this malware and recommend how global cybersecurity policies might be used to counter the effects. You will review the characteristics of your chosen malware by discussing six specific characteristics (purpose, size, attack method, attribution, etc.) and describe how these characteristics have emerged, changed, or evolved over the past five to 10 years. Also discuss what contributing factors may cause these characteristics to change, and how these characteristics may change over the next 10 years. How might these technologies be countered by global cybersecurity policy controls (do not describe technology controls) in the future? Support your position with policy, security practice, theories, principles, and recommendations based on your own thoughts, examples, and cited references. Finally, you will study botnets, which are a specific and particularly pervasive type of malware. You will learn about the global nature of botnets and the emerging security issues associated with botnets, to include their impact on the formulation of global cybersecurity policies. There are 13 steps in this project. Begin with the information below to review your project scenario. Transcript Competencies Your work will be evaluated using the competencies listed below. 2.1: Identify and clearly explain the issue, question, or problem under critical consideration. 7.2: Evaluate international cybersecurity policy. 8.2: Evaluate specific cybersecurity threats and the combination of technologies and policies that can address them. Step 1: Project Practice – SIMTRAY Cyber Policy for a Small World: Day 1 As a consultant to a global risk mitigation company, you will need an overview of global cybersecurity issues and related policies. The global connections that characterize modern cyberspace and catalyze near-instantaneous communication and productivity are also the Achilles’ heel of governments. Cybernetworks, like their physical counterparts, are prone to being used as instruments of sabotage, espionage, disruption, and war. In order to familiarize yourself with these types of global issues and relevant terminology and concepts, open the SIMTRAY titled “Cyber Policy for a Small World.” NOTE: To view some SIMTRAY modules in this project, Flash must be enabled in your browser. A quick internet search for “enable flash” in IE, Edge, Chrome, Firefox, or Safari will yield instructions if you need them. SIMTRAY is a simulation that will give you a sense of the need for cybersecurity personnel to maintain a global perspective. There are no local incidents in cyberspace, but more importantly, you will reflect on US policy on cybercrime and cyberwarfare. Some of the issues and topics addressed in this exercise include EMP attack, the role of state actors, and attacks using technologies such as botnets. The SIMTRAY will provide you with scores to give you a sense on how well you are grasping the concepts. The sections are timed for 30 minutes; however, you can run the SIMTRAY as many times as you need. Record your best score and at least one lesson learned from the exercise to include in your report at the end of the three-day simulation. Step 2: Project Practice – SIMTRAY Cyber Policy for a Small World: Day 2 In the previous step, you started to examine the SIMTRAY, “Cyber Policy for a Small World.” In this step, continue to focus on SIMTRAY, but document the specific technologies and policies that you believe could be better addressed in the global scene. You may encounter the following topics in this exercise: EMP Attack, the role of state actors, and attacks using technologies such as botnets. The SIMTRAY will provide you with scores to give you a sense on how well you are grasping the concepts. The sections are timed for 30 minutes; however, you can run the SIMTRAY as many times as you need. Record your best score and at least one lesson learned from the exercise to include in your report at the end of the three-day simulation. Step 3: Project Practice – SIMTRAY Cyber Policy for a Small World: Day 3 In this step, you should continue to explore the scenarios within SIMTRAY, “Cyber Policy for a Small World.” If you have not already, you will most likely encounter the following topics in this exercise: EMP Attack, the role of state actors, and attacks using technologies such as botnets. Document events that you experience in the exercise that might affect the global cybersecurity policy. Think about threats brought about by new technologies and how these threats are or could be handled by global policy. The SIMTRAY will provide you with scores to give you a sense on how well you are grasping the concepts. The sections are timed for 30 minutes; however, you can run the SIMTRAY as many times as you need in order to have a firm grasp of the concepts. Compile your recorded scores, lessons learned and documented technologies and policies into a one-page report. Submit your report for feedback. Submission for Cyber Policy for a Small World Simtray Report Previous submissions Step 4: Review Malicious Cyber Technology Now that you have practiced the SIMTRAY to familiarize yourself with global issues, you will focus on a specific malicious cyber technology or capability (malware) that is specific to the global environment. Select one technology or capability and post a brief description on the discussion board of the technology, its intended use, and how it is being used maliciously. Include a brief discussion of how your selected technology has evolved and how global cybersecurity policies might be used to counter its effects. Possible choices include, but are not limited to: Trojans, rootkits, worms, spyware, keystroke loggers, or advanced persistent threats (APTs). Do not select botnets. Step 5: Review International Cybersecurity Threats Due to the vast differences in culture, leadership, laws, and policies of countries around the globe, cybersecurity threats are handled differently. These differences result in various approaches to cybersecurity economic issues, different tolerances for cybersecurity cultural issues, and different responses to cyberterrorism. Ultimately, global perspectives on international cybersecurity legal issues have broad impact as different nations attempt to both thrive in the global economic environment and survive in light of global cyberthreats. Organizations that desire to expand into foreign nations must consider these differences, particularly when they are not relevant when operating in the United States. For this step, you will evaluate global cybersecurity threats coming from a minimum of three different regions; for example, the Middle East, Europe, Africa, Russia, or other regions. More specifically, think about networked computing systems being critical to businesses, commerce, education, and governments. Keeping them secure is no longer solely the concern of corporate entities and the relevant regulatory environments. Global governments must also work to ensure the security of their networks. Also consider your selected technology from the previous step. Complete the International Cybersecurity Threat Matrix for at least three countries or regions, aside from the United States and North America. Step 6: Review NATO and United Nations Complete the Andrew Bowers NATO Intern eLearning Module for an overview of the NATO cybersecurity stance. NOTE: To view some modules in this project, Flash must be enabled in your browser. A quick internet search for “enable flash” in IE, Edge, Chrome, Firefox, or Safari will yield instructions if you need them. Evaluate its effectiveness as well as the effectiveness of the United Nations cybersecurity stance in helping to contribute to cybersecurity international policy over the next decade. For more information, read about international cybersecurity approaches. Update the International Cybersecurity Threat Matrix from the previous step, based on your findings in this step. Submit your matrix for feedback. This matrix will be included in your final report. Submission for International Cybersecurity Threat Matrix Previous submissions Step 7: Compile International Cybersecurity Environmental Scan Findings Compile all of the information you found in the previous two steps and write a two-page summary. Use the International Cybersecurity Environmental Scan Template to guide your summary, which should include descriptions of the regions and of the cybersecurity threats prevalent in the regions selected. Address the role of international bodies (NATO and United Nations) in influencing and contributing to international cybersecurity policies. Submit your summary for feedback. This summary will be included in your final report. Submission for International Cybersecurity Environmental Scan Summary Step 8: Create Regional Fact Sheet on Identification and Implication of Cybersecurity Threats To illustrate the impact of cybersecurity threats, develop a one-page fact sheet using one of the regions from your matrix. Explain the cybersecurity threat experienced in one region, the evolution of the associated malware, the implications (e.g., economic, political, national security, etc.) of it to that region and how global cybersecurity policies might be used to counter the effects. You will discuss six specific characteristics (purpose, size, attack method, attribution, etc.) of the malware and describe how these characteristics have emerged, changed, or evolved over the past five to 10 years. Also discuss what contributing factors may cause these characteristics to change, and how these characteristics may change over the next 10 years. How might these technologies be countered by global cybersecurity policy controls (do not describe technology controls) in the future? Support your position with policy, security practice, theories, principles, and recommendations based on your own thoughts, examples, and cited references. Submit your regional fact sheet for feedback. Submission for Regional Fact Sheet Previous submissions Step 9: Review Global Cybersecurity Threats: Deep Dive on Botnets A botnet is a particular type of cyberthreat in which a network of computers is infected with malware and then co-opted and controlled by one entity. Botnets are globally pervasive and used in many modern-day cyber intrusions. It’s important to understand how they operate and their impact to global security. Review the learning content modules listed below and create notes using the Botnet Research Template. Learning Content Modules: Botnets Creating Profit Global Botnets and Emerging Issues Botnet Attack at Westwood Mutual NOTE: To view some modules in this project, Flash must be enabled in your browser. A quick internet search for “enable flash” in IE, Edge, Chrome, Firefox, or Safari will yield instructions if you need them. The notes in the research template will be used for your evaluation of the international concerns of botnets in the next step. Submission for Botnet Evaluation Previous submissions Step 10: Evaluate Botnets Evaluate the issues associated with botnets and with formulating global cybersecurity policy. Identify the characteristics of botnets, and how they have evolved over the past five to 10 years. Research the key technical features of botnets and determine the factors that contribute to botnet characteristics to change. Your Botnet Evaluation should be one-and-a-half to two pages in length. Submit your Botnet Evaluation for feedback. Submission for Botnet Evaluation Previous submissions Step 11: Discuss Botnets In a two-page document, Discuss six specific characteristics of the global nature of botnets (such as purpose, size, attack method, attribution, etc.). Describe how these characteristics have emerged, changed, or evolved over the past five to 10 years. Describe the key technical features of six example botnets. Discuss what contributing factors may cause botnet characteristics to change, and how these characteristics may change over the next 10 years. Submit your Botnet Discussion for feedback. Submission for Botnet Discussion Previous submissions Step 12: Consider the Future of Botnets Create a one-page document that answers the following questions, taking into consideration your country research and botnet reviews. How might future botnets be countered by global cybersecurity policy controls (do not describe technology controls) in the future? What impact could global cybersecurity policies have on the eradication of botnets? Submit your Botnet Conclusion for feedback. Submission for Botnet Conclusion Previous submissions Step 13: Compose Global Cybersecurity Environment Report Throughout this project, you have researched and considered global cybersecurity issues, technologies, and related policies. You have evaluated various countries and international organizations. It is now time to compose your consultant’s report to GlobalOutreach documenting your findings. Refer to the instruction for the Global Cybersecurity Environment Report for additional guidelines. Submit your completed report. Check Your Evaluation Criteria Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title. 2.1: Identify and clearly explain the issue, question, or problem under critical consideration. 7.2: Evaluate international cybersecurity policy. 8.2: Evaluate specific cybersecurity threats and the combination of technologies and policies that can address them. Submission for Global Cybersecurity Environment Report Previous submissions
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
Cybersecurity Economic Issues The growing threats and occurrences of cybersecurity incidents have resulted in potentially significant economic effects. These impacts arise first from the cost of both implementing cybersecurity measures consistent with an entity’s risk tolerance and with maintaining an appropriate security posture to guard against future threats. Next, given the potential for successful cyberattacks in spite of best efforts to protect against them, entities must be prepared to protect assets and plan for associated liability issues. According to Gartner, an IT research and technology company, in 2018 organizations spent $114 billion worldwide on information security, and that figure was projected to increase to $124 billion by the end of 2019, representing an 8.7 percent expected growth (Gartner, 2018). While these costs largely do not represent a significant percentage of total IT budgets, they do reflect a recognition that security does have a cost, and these costs must be considered as a key business decision. The cost of information security is one consideration, but a growing concern is also the financial impact of losing sensitive corporate or customer personal information due to a breach. Ponemon Institute’s 2019 Global Cost of Data Breach study reports that the average total costs for such losses is about $8.9 billion. Ponemon reports health care and financial services information breaches are considerably more costly than those in other industries (Bluefin, 2019). These economic impacts have raised the profile for cybersecurity liability insurance. The lack of actuarial data specific to cybersecurity, however, has made the risk of cyber losses difficult for insurance underwriters to quantify. Therefore, cyber insurance policies are more specialized and as a result, more expensive. Factors that are considered in developing an organization’s insurance profile include the attributes (e.g., size, scope) of business needing to be protected, the number of customers, and the type of data collected and stored (NAIC, 2016). References Gartner. (2018, August 15). Gartner forecasts worldwide information security spending to exceed $124 billion in 2019. https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019 Bluefin. (2019). Highlights from IBM Security and the Ponemon Institute’s 2019 Cost of Data Breach Study [Blog post]. https://www.bluefin.com/bluefin-news/highlights-ibm-security-ponemon-institutes-2019-cost-data-breach-study/ National Association of Insurance Commissioners (NAIC). (2016, July 20). The national system of state regulation and cybersecurity. http://www.naic.org/cipr_topics/topic_cyber_risk.htm Cybersecurity Cultural Issues The cultural implications of cybersecurity include history, religion, economic structure, government structure, and societal values and norms. Together, they form the foundation for both understanding a culture’s response to cybersecurity (including actors, incidents, policies and laws) and determining how best to engage with a given culture on issues of cybersecurity importance. “Differences in approaches to cybersecurity are not limited to privacy but also extend to patterns of national historical governance…and to regional cooperation” (Palmer et al., 2016). History, particularly on issues of privacy and intelligence, have significant influence over cybersecurity approaches. For example, since the 1970’s, Brazil’s Doctrine of National Security emphasizes Brazil’s independence and autonomy from a technology and security perspective, respectively (Palmer et al., 2016) This historical perspective has influenced subsequent decisions on a separate and independent email infrastructure for government communications. Across Europe, the prevailing view is that the protection of privacy is a human right. This perspective is now reflected in the EU’s NIS Directive, adopted in 2016. This directive on the security of network and information systems has a strong emphasis on privacy protection (European Commission, 2016). Government structures also affect approaches to cybersecurity, particularly in whether and even how nations legislate, issue policies, and consider responsibilities and penalties. Democratic nations are more likely to approach cybersecurity from a perspective of determining how existing laws might either apply or be modified to accommodate changes, and by using existing legislative and executive processes. Such nations are more likely to have higher regard for personal privacy, as reflected in their societal norms and behaviors. Countries run by a single party or entity (e.g., Communist countries) are more likely to have more restrictive, punitive, and less transparent approaches to cybersecurity. Consistent with their governing practices, punishments are likely to be swift and severe, but such countries are also more likely to use rogue malicious cyberactors to work on behalf of their national interests. From a perspective of societal values, these countries also generally have less regard for personal privacy. References Palmer, A., Martins de Almeida, G., Breteau, L., Hoare, O., Liew, S., Le Toquin, J., & Rickert, T. (2016, May/June). A global perspective on cybersecurity:Cultural and regional views that influence cybersecurity policy. Minority Corporate Counsel Association.  http://www.diversityandthebardigital.com/datb/may_june_2016?pg=26#pg26 European Commission. (2016, July 28). The directive on security of networks and information systems (NIS directive). https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive Cyberterrorism Cyberterrorism is a politically motivated act that uses cyberspace to cause widespread fear, uncertainty, violence, intimidation, loss of life, and economic damage. A distinction should be made between cybercrime and cyberterrorism. Actual cyberterrorism results in widespread violence. Examples might include hacking into the control system of a dam to cause loss of life and destruction of property, or hacking into the cockpit controls of an aircraft to cause it to crash.       Media coverage of cyberterrorism, particularly in mainstream outlets, is constantly evolving. What remains consistent is that in cyberterrorism, as in so many other realms, perceptions can profoundly influence reality. In order for cyberterrorism to be perceived by the general public as a threat to security, it must be presented as one. Thus, the reporting on cyberterrorism has become the subject of scrutiny by experts in the field. Constructing Cyberterrorism as a Security Threat: A Study of International News Media Coverage Abstract This article examines the way in which the English language international news media has constructed the threat of cyberterrorism. Analyzing 535 news items published by 31 different media outlets across seven countries between 2008 and 2013, we show that this coverage is uneven in terms of its geographical and temporal distribution and that its tone is predominantly apprehensive. This article argues that, regardless of the “reality” of the cyberterrorism threat, this coverage is important because it helps to constitute cyberterrorism as a security risk. Paying attention to this constitutive role of the news media, we suggest, opens up a fresh set of research questions in this context and a different theoretical approach to the study of cyberterrorism. Introduction This article reports findings of a research project on media constructions of cyberterrorism. Examining a total of 535 English language items published in 31 different news outlets across seven countries between 1 January 2008 and 8 June 2013, the project sought to examine a range of issues, including the volume and tone of media coverage of cyberterrorism; the geographical and temporal spread of this coverage; the imagery used; the level at which the coverage was pitched (e.g., was background knowledge needed?); whether sources were quoted, and if so which; the portrayal of cyberterrorists (e.g., as professionals, hackers, etc.); whether the coverage made reference to past (cyber or noncyber) events, and if so which; and who or what is said to be threatened by cyberterrorism (Chen et al., 2014). The aims of the research project were, first, to add empirical depth to conceptual accounts of the importance of media reportage within cyberterrorism discourse (see, amongst others, Conway, 2005; Weimann, 2004; Stohl, 2006) and, second, to explore the processes by which the term cyberterrorism is constructed and given meaning within the mainstream news media. In this article—the first of three reporting our findings—our focus is the volume and tone of the media coverage, and its geographical and temporal distribution. The article will show unevenness in terms of both the temporal spread of the news items (with a marked increase in coverage from October 2010 onwards) and their geographical distribution (with a greater number of items published in UK outlets than those located within other countries). By contrast, our research identified far greater consistency in the tone of this coverage, with many more items manifesting concern over the cyberterrorism threat than skepticism toward it. The article concludes by arguing that, by demonstrating the role the news media plays in constructing a discourse that presents cyberterrorism as a security threat, our findings open up a range of fresh research questions in this area. Cyberterrorism and the International News Media Recent scholarship on cyberterrorism has focused largely on questions of definition, threat assessment and response (Examples include Chen et al., 2014; Jarvis et al., 2014; Jarvis & Macdonald, 2014). Whilst each of these issues has generated diverse opinions, these debates share a common underlying assumption: that claims about cyberterrorism should be assessed or critiqued for the accuracy with which they reflect or represent reality. In this article we point to a different theoretical approach— one which recognizes that news media has a constitutive rather than correspondential relationship to the “reality” of cyberterrorism. Instead of asking whether media coverage of cyberterrorism accurately reflects reality, our concern is instead to explore the role of the news media in constructing cyberterrorism as a real security threat. Methodology This project is the first systematic study of this size that focuses specifically on cyberterrorism (the study by Bowman-Grieve [2015] examined a selection of 100 Anglo-American media sources published between 1996 and 2013, using the concept of moral panics). The 31 news outlets examined in our research were of three sorts: broadsheet newspapers, tabloid newspapers, and the websites of media corporations (the 31 sources selected were ABC News, Al Jazeera, The Australian, Australian Financial Review, The Australian Telegraph, BBC, Boston Globe, Channel 4 News, China Daily, CNN, Daily Mail, Financial Times, Fox News, The Guardian, The Herald Sun, The Independent, LA Times, The New York Times, Reuters, Russia Today, Sky News, South China Morning Post, The Straits Times, The Sun, The Sydney Morning Herald, The Telegraph, The Times of India, USA Today, The Wall Street Journal, The Washington Post, The West Australian). A keyword search was conducted around the terms cyber terrorism, cyberterrorism, and cyber terror for each news outlet, generating a total of 535 relevant items. These items included a wide and varied spread of content, ranging from news stories relating to current affairs in the country of origin or abroad, technology news and discussion thereof, opinion pieces and editorial reflections, items related to culture and the arts—including reviews of movies with fictional representations of cyberterrorism (for instance, cyberterrorism featured prominently in discussion and reviews on the 23rd film in the James Bond franchise–Skyfall–that was released in cinemas internationally at the end of 2012)—and special reports or other features using this terminology. While all of the news stories generated from this keyword search referred explicitly to cyberterrorism, it was not uncommon for other elements of the cybersecurity lexicon—cyberwar, cyberespionage, cybercrime, etc.—also to be present. Where such examples are cited in this article, this is not meant to imply they are synonyms for cyberterrorism. Instead, this reflects the lack of clear distinction between said concepts and the flexible manner in which many of these media outlets employed such terms. The study focused on items published between 1 January 2008 and 8 June 2013. These dates were selected for two reasons. First, because this provided sufficient data through which to explore developments in reportage on cyberterrorism: a total of 1986 days of media content. And second, because this period incorporated key events of potential relevance to cyberterrorism and media coverage thereof. These included the 2008 cyberattacks on Georgia, the 2010 revelations of the Stuxnet attack, the 2010 publication of the UK’s National Security Strategy, and the November 2011 release of the UK’s Cyber Security Strategy: Protecting and Promoting the UK in a Digital World.The 31 news outlets were selected for this research for reasons of accessibility and pluralism. These included: the provision of a searchable online archive; diversity of political perspective and type of media company; diversity of geographical origin to facilitate comparison across and beyond the Anglosphere; and reasons of language, such that the news content was provided in the medium of English. Table 1 shows the total number of news items that appeared in each of the news outlets over the course of our research time frame. As this indicates, there was significant variation in the coverage given to this topic by each of these outlets. The top eight on the list accounted for 258 of the 535 items (equivalent to 48 percent of the total). The bottom eight, in contrast, account for just 35 items (7 percent). Also significant is the geographical distribution across this period of time: Of the top eight outlets, four were UK broadsheet newspapers and another was the British Broadcasting Corporation’s (BBC’s) online news site. The same trend is apparent in Table 2, which shows the number of news items published in each of the US, UK, and Australian newspapers in our sample. A total of 313 items appeared in these 18 newspapers (61 percent of the total). Of these, more than half were published in a UK newspaper (55 percent). Table 1: Number of News Items by News Outlet Outlet Total number of items that mentioned cyberterrorism   The Guardian 50   The Telegraph 43   Fox News 39   Reuters 28   BBC 26   The Washington Post 25   The Independent 24   Financial Times 23   Russia Today 22   The Australian 21   CNN 20   The Sun 20   The Times of India 20   Australian Telegraph 19   Australian Financial Review 18   The New York Times 16   China Daily 15   The Wall Street Journal 14   The Sydney Morning Herald 14   Daily Mail 12   The Straits Times 11   Channel 4 News 10   Al Jazeera 10   Sky News   ABC News   LA Times   South China Morning Post   USA Today   Boston Globe   The West Australian   The Herald Sun   Total 535   Table 2(a): Anglophone Newspaper Items by Country of Publication (UK) Newspaper Total number of items The Guardian 50 The Telegraph 43 The Independent 24 Financial Times 23 The Sun 20 Daily Mail 12 Total 172 Table 2(b): Anglophone Newspaper Items by Country of Publication (Australia) Newspaper Total number of items   The Australian 21   Australian Telegraph 19   Australian Financial Review 18   The Sydney Morning Herald 14   The West Australian   The Sun Herald   Total 75   Table 2(c): Anglophone Newspaper Items by Country of Publication (US) Newspaper Total number of items   The Washington Post 25   The New York Times 16   The Wall Street Journal 14   LA Times   USA Today   Boston Globe   Total 66   The geographical focus of media coverage of cyberterrorism was as uneven in its distribution as in its origin. As Table 3 shows, more items focused on the US than any other country. Indeed, the number of items that focused on the US, UK, and Australia was more than double the number concentrating on all other countries combined (353 compared to 174). Table 4 probes this unevenness further by asking what proportion of the news items focused on their country of publication. So, for example, all seven of the news items that focused on Singapore were published in the Singaporean The Straits Times. Similarly, only one of the 39 news items that focused on Australia was not published in Australia. Yet while 87 percent of the items that focused on the UK were published there, only 52 percent of the items that focused on the US were published in the US. And the majority of items relating to cyberterrorism that focused on China (69 percent) and Russia (83 percent) were not published in these countries. (Several news items within our sample had a strong focus on more than one country. Where this was the case, both countries have been included.) Content Analysis: Focus and Apprehensiveness of News Coverage Our analysis of the tone of the coverage across this diverse media content began by examining the extent to which each story focused specifically on cyberterrorism. A threefold classification was employed, with items categorized according to whether cyberterrorism was their primary focus, their secondary focus, or a topic mentioned in passing without any detailed discussion or analysis. As chart 1 shows, a total of 83 items (16 percent of the dataset) had cyberterrorism as their primary focus, with a further 317 (59 percent) having it as their secondary focus. There were 135 items (25 percent) that mentioned cyberterrorism without examining the concept in detail. Table 3: News Items by Primary Geographical Focus Geographic focus Number of news items   US 170   UK 144   Australia 39   China 29   South Korea 28   India 21   Israel 18   North Korea 18   Iran 10   Singapore   Russia   Pakistan   Mexico   Europe   Japan   Estonia   Ireland   Middle East   Algeria   Georgia   Hong Kong   Indonesia   Morocco   Palestine   Saudi Arabia   Somalia   Spain   Zimbabwe   General international focus 56   No geographical focus 12   Table 4: Geographical Focus of News Items by Country of Publication Country Total number of items primarily focused on this country Percentage of these items that were published in this country US 170 52% UK 144 87% Australia 39 97% China 29 31% India 21 86% Singapore 100% Russia 17% Chart 1: Proportion of News Stories With Cyberterrorism as Their Primary or Secondary Focus The next stage of the analysis concentrated on the 400 news items that had cyberterrorism as either their primary or secondary focus. Each story was coded and placed into one of the following six categories: concerned; concerned with elements of skepticism; balanced; skeptical; skeptical with elements of concern; or neither (there were various reasons for placing a story in the last of these categories, such as the type of piece, with purely descriptive pieces not corresponding to any of the prior five categories). The results of this analysis are displayed in Chart 2. Chart 2: Proportion of News Stories That Were Concerned, Skeptical, Balanced, or Neither A total of 268 news items—two-thirds of those with a primary or secondary focus on cyberterrorism—evidenced a marked concern with the threat posed by cyberterrorism. A further 33 items (8 percent) demonstrated concern with elements of skepticism: the second most fearful category within our schema. Equally striking are the small numbers of items that were skeptical about cyberterrorism posing any threat at all—only eight (or 2 percent) of the 400 analyzed—skeptical with elements of concern (four in total; 1 percent) or balanced (26 in total; 7 percent). As this suggests, news coverage—at least within our sample—was predominantly apprehensive in tone throughout the five-year period on which we focused. Table 5 investigates the tone of the news media coverage further by showing a breakdown of the items we explored by news outlet, by type of news outlet and by their origin in the Anglosphere or otherwise. Table 5: Concerned, Sceptical, Balanced or Neither, by News Outlet News Outlet Total number of news items which had cyberterrorism as a primary or secondary focus Concerned Concerned with elements of scepticism Balanced Skeptical Skeptical with elements of concern Neither The Guardian 43 24 (56%) (21%) (9%) (7%) (7%) Fox News 39 28 (72%) (3%) (8%) (18%) The Telegraph 30 21 (70%) (23%) (3%) (3%) The Washington Post 25 14 (56%) (4%) 10 (40%) BBC 23 15 (65%) (4%) (9%) (22%) The Independent 23 18 (78%) (22%) Financial Times 22 16 (73%) (5%) (23%) CNN 20 (45%) (10%) (10%) (35%) The New York Times 16 (44%) (56%) The Australian 14 13 (93%) (7%) Russia Today 13 (31%) (15%) (31%) (15%) (8%) The Wall Street Journal 13 10 (77%) (8%) (8%) (8%) Daily Mail 12 (75%) (8%) (8%) (8%) Reuters 11 (73%) (9%) (9%) (9%) The Sydney Morning Herald 11 (45%) (36%) (18%) Australian Financial Review 10 (90%) (10%) The Sun 10 (70%) (10%) (10%) (10%) Channel 4 News (89%) (11%) China Daily (67%) (33%) The Straits Times (89%) (11%) Australian Telegraph (100%) ABC News (50%) (33%) (17%) LA Times (67%) (17%) (17%) Sky News (80%) (20%) The Times of India (100%) Aljazeera (33%) (33%) (33%) USA Today (67%) (33%) Boston Globe (100%) The West Australian (100%) South China Morning Post N/A N/A N/A N/A N/A N/A The Herald Sun N/A N/A N/A N/A N/A N/A   Tabloids 31 25 (81%) (6%) (6%) (6%) Broadsheets 240 163 (68%) 21 (9%) 11 (5%) (3%) (0%) 37 (15%) News channels 129 80 (62%) 10 (8%) 13 (10%) (1%) (2%) 22 (17%)   Anglophone 362 245 (68%) 31 (9%) 21 (6%) (2%) (0%) 57 (16%) Non-Anglophone 38 23 (61%) (5%) (13%) (3%) (8%) (11%)   Overall total 400 268 (67%) 33 (8%) 26 (7%) (2%) (1%) 61 (15%) A number of interesting points arise from this data. First, the five tabloid newspapers included in the sample were responsible for just 31 of the items identified in our research: a very modest average of 6.2 items per outlet over this period. This compares to averages of 14.1 items per broadsheet newspaper and 14.3 items per broadcaster. This indicates that if there is a dominant news media discourse on cyberterrorism, it is not solely the product of tabloid hyperbole. At the same time, however, whilst the predominant tone of the entire sample was apprehensive, this tone was particularly acute in the tabloid newspapers. Of their 31 items, 25 (81 percent) were concerned and a further two (6 percent) were concerned with elements of skepticism. Moreover, none of the 31 tabloid items was skeptical or skeptical with elements of concern. Third, the proportion of items that were classified as concerned or concerned with elements of skepticism was lower for the broadcasters than for the broadsheet newspapers. In total, 70 percent of the items from broadcasters fell into one of these two categories, compared to 77 percent of those from the broadsheets. Moreover, the broadcasters had a higher proportion of balanced items (10 percent, compared to 6 percent for the tabloids and 5 percent for the broadsheets). Fourth, the non-Anglophone sources had a lower proportion of items that were concerned or concerned with elements of skepticism (66 percent in total), a higher proportion of items that were balanced (13 percent) and a higher proportion that were skeptical or skeptical with elements of concern about the threat posed by cyberterrorism (11 percent). The cumulative import of these findings is that Anglophone newspapers—particularly tabloids but broadsheets too—tended to strike a more apprehensive tone than broadcasters and non-Anglophone sources. Chronological Analysis Moving on to the temporal spread of the dataset, Chart 3 shows the number of news items that were published each month, from January 2008 to June 2013. As the chart shows, a far greater number of items were published in October 2010 (35 in total) than in any of the other months covered by our study. There were two factors that contributed to this large number of items. The first was the release of the UK’s National Security Strategy on 18 October 2010, which identified international terrorism and cyberattack as two of the top-tier threats facing the UK (HM Government, 2010). This was accompanied by the associated decision to invest an additional £650 million in cybersecurity at a time when cuts where being made to other aspects of the defense budget in the name of austerity. These developments generated a total of 22 news items mentioning cyberterrorism from October 17-20, 2010. As table 6 shows, although most of these were published in the UK (17, 77 percent), there was also some media coverage from the US and Australia. Chart 3: Number of News Items, by Month of Publication Table 6: News Items 17-20 October 2010, by News Outlet News Outlet Number of news items   Channel 4 News   The Telegraph   The Guardian   Al Jazeera   Daily Mail   The Sun   ABC News   BBC   Fox News   The Independent   The Wall Street Journal   Total 22   The general tone of these items is also significant. As Table 7 shows, of the 16 that discussed cyberterrorism in sufficient detail to enable classification within October 2010, none demonstrated a skeptical or balanced view of the threat posed by this phenomenon. On the contrary, a total of 13 items (81 percent) were classified as concerned and a further 2 (13 percent) as concerned with elements of skepticism. In fact, the tone of some of this coverage was dramatic. One headline published in the UK’s most widely read newspaper warned of the need to “Fight cyber war before planes fall out of sky” (Wilson, 2010). Another— headlined “Why Britain is desperately vulnerable to cyber terror”—presented a detailed description of a digital “Pearl Harbor” in which: Power cuts scythed through Britain, plunging cities into darkness … The nationwide panic meant supermarket shelves emptied and petrol stations ran out of fuel … There was no TV, no radio, and no mobile networks. After a fortnight, there were riots, and the military, which was itself crippled by mysterious communications glitches, was called in. (Hanlon, 2010) Table 7: News Items 17–20 October 2010, by Concerned, Skeptical, Balanced, or Neither Tone Number of news items   Concerned 13   Concerned with elements of skepticism   Balanced   Skeptical   Skeptical with elements of concern   Neither   Did not discuss cyberterrorism in detail   Total 22   This was followed by the foreboding statement that “This terrifying scenario may seem like a science fiction movie. But it is exactly the sort of possibility currently being considered at the highest levels in government as part of the National Security Strategy” (Hanlon, 2010). The second factor that contributed to the large number of items mentioning cyberterrorism in October 2010 was the revelations concerning Stuxnet. Stuxnet is of particular importance as one of the first known malwares to cause physical damage to critical infrastructure (Farwell & Rohozinski, 2011; Langner, 2013). Allegedly developed by the CIA in cooperation with the Israeli government, Idaho National Laboratory, and other US agencies (Gorman, 2012), it was introduced to the Natanz uranium enrichment plant in Iran by USB flash drive, causing 1,000 centrifuges to fail. The first mention of Stuxnet in the 31 news outlets in our study came on 23 September 2010 in a piece published in the UK’s Financial Times, headlined “Warning over malicious computer worm.” In October 2010 there were a total of 11 news items that specifically mentioned this attack. As with coverage of the UK’s National Security Strategy, discussion of Stuxnet was also characterized by considerable apprehensiveness of tone. A story on 1 October —headlined “Security: A code explodes”— warned that Stuxnet had taken worries about cyberwarfare to a different plane. The image accompanying this story was a picture of a grenade (Blitz et al., 2010). Three days later the same newspaper warned that comparing the cyberthreat to the nuclear arms race was, if anything, “a little too comforting” (Rachman, 2010). The story continued; this was because “Anyone can play at cyberwarfare. The tools can be bought on a local high street and the command-and-control bunker can be a spare bedroom” (Rachman, 2010). This time the accompanying image was a picture of three military tanks resembling computer mice. During the same period, another newspaper published in Australia stated that half of all companies running critical infrastructure systems have reported politically motivated cyberattacks, adding, “A global survey of such attacks—rarely acknowledged in public because of their potential to cause alarm—found companies estimated they had suffered an average of 10 instances of cyberwar or cyberterrorism in the past five years at a cost of US $850,000 … a company” (Walters, 2010). Two days later this newspaper also quoted Eugene Kaspersky, who described Stuxnet as a “turning point,” arguing, “I am afraid this is the beginning of a new world” (Welch, 2010). The South China Morning Post, meanwhile, even lamented the fact that “Unlike Britain and the United States, neither the mainland nor Hong Kong has an established multiagency government structure that could coordinate various agencies to react quickly to cyberterrorism” (South China Morning Post, 2010). In fact, the first news item in our sample that specifically mentioned Stuxnet and was classified as balanced was not published until June 2011: a story by the UK’s BBC on the possible “hacking” of the International Monetary Fund (BBC News, 2011). Up to that point, a total of 21 items had mentioned the attack in Iran, all of which were concerned (18 items) or concerned with elements of skepticism (three items) about the threat posed by cyberterrorism. While there were far more news items that mentioned cyberterrorism in October 2010 than any other month in the period of our study, the events reported during this month had a lasting impact on news media coverage of cyberterrorism. The change is twofold. First, as chart 3 shows, following October 2010 there was a marked increase in the general level of items mentioning cyberterrorism. In the 33 months prior to October 2010 there was an average of 4.8 items per month. This more than doubled in the 32 months that followed, during which there was an average of 10.6 items per month. Second, in the period following October 2010 there was a marked increase in the number of news items published that demonstrated a concern with the threat of cyberterrorism. This is shown in chart 4. As chart 4 demonstrates, in the 33 months prior to October 2010 there were a total of 73 items that were concerned, an average of 2.2 per month. By contrast, in the 32 months that followed there were a total of 174 items that were concerned, an average of 5.4 per month. Chart 4: Number of Concerned, Sceptical, Balanced and Neither News Items Before and After October 2010 Conclusion The above discussion sketches some of the key developments within the coverage—or construction—of cyberterrorism and its threat in the English language international news media between 2008 and 2013. Two broad findings of importance to contemporary discussions of cyberterrorism emerge from this research. The first finding is that—in purely quantitative terms—there is a considerable amount of international media content that focuses on cyberterrorism: a phenomenon that some (although not all) academic researchers argue has yet to occur (Conway, 2004). In the deliberately narrow parameters of our research—whereby some variant of cyber and terrorism or terror had to be present in the story for its inclusion in our sample—an average of one story making reference to cyberterrorism was published every 3.7 days. As we have seen, the distribution of this coverage was far from uniform and many of the items we explored only mentioned cyberterrorism in passing. That said, this clearly evidences a significant amount of media interest in this new form of terrorism. The second core finding is that much of the media coverage considered in our research expresses real concern over the current or future threat posed by this phenomenon. This concern contrasts with some of the more skeptical academic perspectives which frequently question whether would-be cyberterrorists have the means, motive, or opportunity to engage in this type of activity (Conway, 2014; Denning, 2012; Giacomello, 2004; Lewis, 2002). It does, however, correspond rather more closely to a recent survey of researchers working on this topic in which 70 percent of those surveyed stated that cyberterrorism either does constitute, or potentially constitutes, “a significant threat” (Macdonald, Jarvis, Chen, & Lavis, 2013). This is important, we argue, because news coverage has a constitutive rather than corresponding relationship to the “reality” of cyberterrorism: It is actively involved in the production of this potential security threat. Danger, as David Campbell wrote, “is not an objective condition” (Campbell, 1998, p. 1). It is a product of framing and interpretation, in which meaning is given to the world via language, images and other discursive practices: be they pictures of hand grenades, discussion of hypothetical “doomsday” scenarios, or headlines about “malicious computer worms.” Thus, whether or not there exists a “real” threat of cyberterrorism (if such a question could ever even be answered), media (and other) depictions thereof are important in their own right. This is, not least, because when they become widely circulated and reproduced, dominant narratives of threat—around cyberterrorism, and, indeed, anything else —can, very quickly, take on the appearance of, “an external ‘reality’ which seems to confirm it as truth and commonsense” (Jackson, Jarvis, Gunning, & Breen-Smyth, 2011, p. 144). In our future research, we will seek to build on the analysis presented here by exploring more specific aspects of findings from this project. This will include, first, looking at the voices of authority cited in news coverage of cyberterrorism in order to ask who is seen to speak the “truth” about this threat and how such voices work to augment or mitigate it; second, investigating how the figure of the “cyberterrorist” is represented and what types of target cyberterrorists are seen to threaten; and, third, looking at the use of historical and other metaphors in media attempts to make sense of this security challenge and how these connect to visual images in this coverage. Our hope in this article, however, is that by charting some of the ways in which English language news media has constructed cyberterrorism as a security threat we have demonstrated the importance of such a research agenda. About the Authors Lee Jarvis is senior lecturer in international security at the University of East Anglia (UEA) and director of the UEA’s Critical Global Politics research group. His recent books include Counter-Radicalisation: Critical Perspectives (Routledge, 2015, edited with Christopher Baker-Beall and Charlotte Heath-Kelly); Critical Perspectives on Counter-terrorism (Routledge, 2015, edited with Michael Lister) and Security: A Critical Introduction (Palgrave, 2015, with Jack Holland). Stuart Macdonald is associate professor in law and deputy director of the Centre for Criminal Justice and Criminology at Swansea University. He is coeditor of Cyberterrorism: Understanding, Assessment, and Response (New York, NY: Springer, 2014), with Lee Jarvis and Thomas Chen. His recent project on security and liberty was funded by the British Academy. He has held visiting scholarships at Columbia University Law School, New York, and the Institute of Criminology at the University of Sydney. Andrew Whiting lectures in the Department of Criminology at Swansea University. He is currently completing his PhD, which investigates the construction of cyberterrorism within Internet security industry discourse. Since undertaking his doctorate he has had his work published on a range of topics that reflect his research interests, including terrorism, cyberterrorism, and radicalization. Acknowledgments We would like to thank Swansea University’s College of Law and the Bridging the Gaps program for their support for the research upon which this article is based. We gratefully acknowledge Jordan McErlean and Alicia Payne for their excellent research assistance, and David Mair and Lella Nouri for their helpful suggestions throughout the project. References BBC News. (2011, June 12). IMF hit by “very major” cyber security attack. http://www.bbc.com/news/world-us-canada-13740591 Blitz, J., Menn, J., & Dombey, D. (2010, October 1). Security: A code explodes. Financial Times. https://www.ft.com/content/fcce9b76-cd8c-11df-9c82-00144feab49a Bowman-Grieve, L. (2015). Cyberterrorism and moral panics: A reflection on the discourse of cyberterrorism. In T. Chen, L. Jarvis, & S. Macdonald (Eds.), Terrorism online: Politics, law and technology (pp. 86–106). Routledge. Broccoli, B., Wilson, M. G. (Producers), & Mendes, S. (Director). (2012). Skyfall [Motion picture]. United Kingdom: Eon Productions. Campbell, D. (1998). Writing Security: United States Foreign Policy and the Politics of Identity (Revised ed.). University Press. Chen, T., Jarvis, L., & Macdonald, S. (Eds.). (2014). Cyberterrorism: Understanding, assessment, and response. Springer. Chen, T., Jarvis, L., Macdonald, S., & Whiting, A. (2014). Cyberterrorism and the news media. Cyberterrorism Project research report No. 3. Swansea, UK: The Cyberterrorism Project. http://www.cyberterrorism-project.org Conway, M. (2004). Cyberterrorism: Media myth or clear and present danger? In J. Irwin (Ed.), War and virtual war: The challenges to communities (pp. 79–95). Rodopi. Conway, M. (2005). The media and cyberterrorism: A study in the construction of “reality.” http://www.politicalavenue.com/PDF/MConway_Terrorism.pdf Conway, M. (2014). Reality check: Assessing the (un)likelihood of cyberterrorism. In T. Chen, L. Jarvis, & S. Macdonald (Eds.), Cyberterrorism: Understanding, assessment, and response (103–122). Springer. Denning, D. E. (2012). Stuxnet: What has changed? Future Internet, 4(3). http://www.mdpi.com/1999-5903/4/3/672/pdf Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23–40. Giacomello, G. (2004). Bangs for the buck: A cost-benefit analysis of Cyberterrorism. Studies in Conflict and Terrorism 27(5), 387–408. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.477.2555&rep=rep1&type=pdf Gorman, S. (2012, June 2). US team and Israel developed Iran worm. The Wall Street Journal, 1. http://www.wsj.com/articles/SB10001424052702304821304577440703810436564 Hanlon, M. (2010, October 19). Why Britain is desperately vulnerable to cyber terror. Daily Mail.  http://www.dailymail.co.uk/debate/article-1321729/Why-Britain-vulnerable-cyber-terror-attacks.html HM Government. (2010). A strong Britain in an age of uncertainty: The national security strategy, Cm 7953. London, UK: Cabinet Office. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61936/national-security-strategy.pdf Jackson, R., Jarvis, L., Gunning, J., & Breen-Smyth, M. (2011). Terrorism: A critical introduction. Palgrave. Jarvis, L. & Macdonald, S. (2014). What is cyberterrorism? Findings from a survey of researchers. Terrorism and Political Violence, 27(4) 657–678. http://www.tandfonline.com/doi/full/10.1080/09546553.2013.847827 Jarvis, L., Macdonald, S., & Nouri, L. (2014). The cyberterrorism threat: Findings from a survey of researchers. Studies in Conflict & Terrorism, 37(1), 68–90. Langner, R. (2013). To kill a centrifuge: A technical analysis of what Stuxnet’s creators tried to achieve. Arlington, VA: The Langner Group. http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf Lewis, J. A. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats. http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf Macdonald, S., Jarvis, L., Chen, T., & Lavis, S. (2013). Cyberterrorism: A survey of researchers. Cyberterrorism Project Research Report No. 1. http://www.cyberterrorism-project.org/wp-content/uploads/2013/03/Cyberterrorism-Report-2013.pdf Rachman, G. (2010, October 4). An undeclared war in cyberspace. Financial Times. https://www.ft.com/content/539534a0-cfeb-11df-bb9e-00144feab49a?ftcamp=rss South China Morning Post. (2010, October 1). Stohl, M. (2006). Cyber terrorism: A clear and present danger, the sum of all fears, breaking point or patriot games? Crime, Law and Social Change, 46(4), 223–238. Walters, C. (2010, October 7). Mystery computer worm part of a global cyber war. The Sydney Morning Herald. http://www.smh.com.au/technology/technology-news/mystery-computer-worm-part-of-a-global-cyber-war-20101006-1686r Weimann, G. (2004). Cyberterrorism: How real is the threat? United States Institute of Peace special report 119. http://www.usip.org/publications/cyberterrorism-how-real-the-threat Welch, D. (2010, October 9). Cyber soldiers. The Sydney Morning Herald.  http://www.smh.com.au/technology/technology-news/cyber-soldiers-20101008-16c7e.html Wilson, G. (2010, October 19). Fight cyber war before planes fall out of sky. The Sun. http://www.thescottishsun.co.uk/scotsol/homepage/news/article3186185.ece Licenses and Attributions Constructing Cyberterrorism as a Security Threat: A Study of International News Media Coverage by Lee Jarvis, Stuart Macdonald, and Andrew Whiting from Perspectives on Terrorism is available under a Creative Commons Attribution 3.0 Unported license. UMGC has modified this work and it is available under the
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
International Cybersecurity Legal Issues International cybersecurity legal issues exist because of the global nature of activities conducted on the internet, the lack of agreed-upon norms for acceptable behaviors on the internet, and the continued evolution of laws on privacy, data access, and data rights. In many instances, existing laws apply to cybersecurity issues. In other instances, existing laws are insufficient to accommodate evolving technologies that enable both benefit and risk on the internet. Issues of international interest include privacy, data rights and the management of them, and human rights. An area that is less developed but much debated is the use of cyberspace for conflict, and whether the use of cyber capabilities can constitute the use of force or even an act of war. While the United States has made clear its intention to respond to hostile acts in cyberspace as it would to any other threat to the US (White House, 2011), it has stated its desire to promote international stability and avoid conflict in cyberspace. The key to achieving the right balance is to build consensus on norms, build confidence by demonstrating actions consistent with existing national and international laws, and to acknowledge and and accept that existing international laws have applicability to cybersecurity, and should be used and tested as needed to build confidence and consensus. International law of cyberwarfare is discussed in the Tallinn Manual on the International Law Applicable to Cyber Warfare (Schmitt, 2013), which sets forth how existing international law can and does apply to cyberwar. Like all international law—and all law in general—adherence to the law of cyberwarfare is subject to agreement among nation-states. Some do not accept that existing law applies to this new form of warfare, or selectively choose those parts they wish to apply. References Schmitt, M. N. (Ed.). (2013). The Tallinn manual on the international law applicable to cyber warfare. Cambridge University Press. The White House. (2011). International strategy for cyberspace.  https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf International Law in Cyberspace Remarks by Harold Hongju Koh Legal Advisor, US Department of State USCYBERCOM Interagency Legal Conference Ft. Meade, MD September 18, 2012 As prepared for delivery Thank you, Colonel Brown, for your kind invitation to speak here today at this very important conference on the roles of cyber in national defense. I have been an international lawyer for more than 30 years, a government lawyer practicing international law for more than a decade, and the State Department’s legal adviser for nearly three and a half years. While my daily workload covers many of the bread-and-butter issues of international law—diplomatic immunity, the law of the sea, international humanitarian law, treaty interpretation—like many of you, I find more and more of my time is spent grappling with the question of how international law applies in cyberspace. Everyone here knows that cyberspace presents new opportunities and new challenges for the United States in every foreign policy realm, including national defense. But for international lawyers, it also presents cutting-edge issues of international law, which go to a very fundamental question: How do we apply old laws of war to new cyber circumstances, staying faithful to enduring principles, while accounting for changing times and technologies? Many, many international lawyers here in the US government and around the world have struggled with this question, so today I’d like to present an overview of how we in the US government have gone about meeting this challenge. At the outset, let me highlight that the entire endeavor of applying established international law to cyberspace is part of a broader international conversation. We are not alone in thinking about these questions; we are actively engaged with the rest of the international community, both bilaterally and multilaterally, on the subject of applying international law in cyberspace. With your permission, I’d like to offer a series of questions and answers that illuminate where we are right now—in a place where we’ve made remarkable headway in a relatively short period of time, but are still finding new questions for each and every one we answer. In fact, the US government has been regularly sharing these thoughts with our international partners. Most of the points that follow we have not just agreed upon internally, but made diplomatically, in our submissions to the UN Group of Governmental Experts (GGE) that deals with information technology issues. I. International Law in Cyberspace: What We Know So let me start with the most fundamental questions: Question 1: Do established principles of international law apply to cyberspace? Answer 1: Yes, international law principles do apply in cyberspace. Everyone here knows how cyberspace opens up a host of novel and extremely difficult legal issues. But on this key question, this answer has been apparent, at least as far as the US government has been concerned. Significantly, this view has not necessarily been universal in the international community. At least one country has questioned whether existing bodies of international law apply to the cutting-edge issues presented by the Internet. Some have also said that existing international law is not up to the task and that we need entirely new treaties to impose a unique set of rules on cyberspace. But the United States has made clear our view that established principles of international law do apply in cyberspace. Question 2: Is cyberspace a law-free zone, where anything goes? Answer 2: Emphatically no. Cyberspace is not a law-free zone where anyone can conduct hostile activities without rules or restraint. Think of it this way. This is not the first time that technology has changed and that international law has been asked to deal with those changes. In particular, because the tools of conflict are constantly evolving, one relevant body of law—international humanitarian law, or the law of armed conflict—affirmatively anticipates technological innovation and contemplates that its existing rules will apply to such innovation. To be sure, new technologies raise new issues and thus new questions. Many of us in this room have struggled with such questions, and we will continue to do so over many years. But to those who say that established law is not up to the task, we must articulate and build consensus around how it applies and reassess from there whether and what additional understandings are needed. Developing common understandings about how these rules apply in the context of cyber activities in armed conflict will promote stability in this area. That consensus-building work brings me to some questions and answers we have offered to our international partners to explain how both the law of going to war (jus ad bellum) and the laws that apply in conducting war (jus in bello) apply to cyber action: Question 3: Do cyber activities ever constitute a use of force? Answer 3: Yes. Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors, including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example, (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control, resulting in airplane crashes. Only a moment’s reflection makes you realize that this is common sense: If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force. Question 4: May a state ever respond to a computer network attack by exercising a right of national self-defense? Answer 4: Yes. A state’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” Question 5: Do jus in bello rules apply to computer network attacks? Answer 5: Yes. In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality. Question 6: Must attacks distinguish between military and nonmilitary objectives? Answer 6: Yes. The jus in bello principle of distinction applies to computer network attacks undertaken in the context of an armed conflict. The principle of distinction applies to cyber activities that amount to an “attack”—as that term is understood in the law of war—in the context of an armed conflict. As in any form of armed conflict, the principle of distinction requires that the intended effect of the attack must be to harm a legitimate military target. We must distinguish military objectives —that is, objects that make an effective contribution to military action and whose destruction would offer a military advantage—from civilian objects, which under international law are generally protected from attack. Question 7: Must attacks adhere to the principle of proportionality? Answer 7: Yes. The jus in bello principle of proportionality applies to computer network attacks undertaken in the context of an armed conflict. The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess: (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyberattack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyberattack on civilian objects that are not military objectives, such as private civilian computers that hold no military significance but may be networked to computers that are military objectives. Question 8: How should states assess their cyber weapons? Answer 8: States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. The US government undertakes at least two stages of legal review of the use of weapons in the context of armed conflict—first, an evaluation of new weapons to determine whether their use would be per se prohibited by the law of war; and second, specific operations employing weapons are always reviewed to ensure that each particular operation is also compliant with the law of war. Question 9: In this analysis, what role does state sovereignty play? Answer 9: States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict. The physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial state. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a state contemplates conducting activities in cyberspace, the sovereignty of other states needs to be considered. Question 10: Are states responsible when cyber acts are undertaken through proxies? Answer 10: Yes. States are legally responsible for activities undertaken through proxy actors, who act on the state’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful. II. International Law in Cyberspace: Challenges and Uncertainties These 10 answers should give you a sense of how far we have come in doing what any good international lawyer does: applying established law to new facts, and explaining our positions to other interested lawyers. At the same time, there are obviously many more issues where the questions remain under discussion. Let me identify three particularly difficult questions that I don’t intend to answer here today. Instead, my hope is to shed some light on some of the cutting-edge legal issues that we’ll all be facing together over the next few years: Unresolved question 1: How can a use of force regime take into account all of the novel kinds of effects that states can produce through the click of a button? As I said above, the United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. I have also noted some clear-cut cases where the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: For example, a bomb might break a dam and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result. As you all know, however, there are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by force. At the same time, the difficulty of reaching a definitive legal conclusion or consensus among states on when and under what circumstances a hostile cyber action would constitute an armed attack does not automatically suggest that we need an entirely new legal framework specific to cyberspace. Outside of the cyber context, such ambiguities and differences of view have long existed among states. To cite just one example of this, the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an armed attack that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the use of force and an armed attack, and view armed attack—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity. My point here is not to rehash old debates but to illustrate that states have long had to sort through complicated jus ad bellum questions. In this respect, the existence of complicated cyber questions relating to jus ad bellum is not in itself a new development; it is just applying old questions to the latest developments in technology. Unresolved question 2: What do we do about dual-use infrastructure in cyberspace? As you all know, information and communications infrastructure is often shared between state militaries and private civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bello rules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyberattack on computers that are not military objectives, such as private civilian computers that hold no military significance but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation. Unresolved question 3: How do we address the problem of attribution in cyberspace? As I mentioned earlier, cyberspace significantly increases an actor’s ability to engage in attacks with plausible deniability, by acting through proxies. I noted that legal tools exist to ensure that states are held accountable for those acts. What I want to highlight here is that many of these challenges—in particular, those concerning attribution—are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones. These questions about effects, dual use, and attribution are difficult legal and policy questions that existed long before the development of cyber tools and that will continue to be a topic of discussion among our allies and partners as cyber tools develop. Of course, there remain many other difficult and important questions about the application of international law to activities in cyberspace—for example, about the implications of sovereignty and neutrality law, enforcement mechanisms, and the obligations of states concerning hacktivists operating from within their territory. While these are not questions that I can address in this brief speech, they are critically important questions on which international lawyers will focus intensely in the years to come. And just as cyberspace presents challenging new issues for lawyers, it presents challenging new technical and policy issues. Not all of the issues I’ve mentioned are susceptible to clear legal answers derived from existing precedents—in many cases, quite the contrary. Answering these tough questions within the framework of existing law, consistent with our values and accounting for the legitimate needs of national security, will require a constant dialogue between lawyers, operators, and policymakers. All that we as lawyers can do is to apply in the cyber context the same rigorous approach to these hard questions that arise in the future, as we apply every day to what might be considered more traditional forms of conflict. III. The Role of International Law in a Smart Power Approach to Cyberspace This, in a nutshell, is where we are with regard to cyberconflict: We have begun work to build consensus on a number of answers, but questions continue to arise that must be answered in the months and years ahead. Beyond these questions and answers and unresolved questions, though, lies a much bigger picture, one that we are very focused on at the State Department. Which brings me to my final two questions: Final question 1: Is international humanitarian law the only body of international law that applies in cyberspace? Final answer 1: No. As important as international humanitarian law is, it is not the only international law that applies in cyberspace. Obviously, cyberspace has become pervasive in our lives, not just in the national defense arena, but also through social media, publishing and broadcasting, expressions of human rights, and expansion of international commerce, both through online markets and online commercial techniques. Many other bodies of international and national law address those activities, and how those different bodies of law overlap and interact with the laws of cyber conflict is something we will all have to work out over time. Take human rights. At the same time that cyber activity can pose a threat, we all understand that cyber communication is increasingly becoming a dominant mode of expression in the twenty-first century. More and more people express their views not by speaking on a soapbox at Speakers’ Corner but by blogging, tweeting, commenting, or posting videos and commentaries. The 1948 Universal Declaration of Human Rights (UDHR)—adopted more than 70 years ago—was remarkably forward-looking in anticipating these trends. It says: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers” (emphasis added). In short, all human beings are entitled to certain rights, whether they choose to exercise them in a city square or an Internet chat room. This principle is an important part of our global diplomacy, and is encapsulated in the Internet Freedom agenda about which my boss, Secretary Clinton, has spoken so passionately. You all know of this administration’s efforts not just in the areas of cyberconflict but also in many other cyber areas: cybersecurity, cybercommerce, fighting child pornography and other forms of cybercrime, stopping intellectual property piracy, as well as promoting free expression and human rights. So the cyber conflict issues with which this group grapples do not constitute the whole of our approach to cyberspace; they are an important part—but only a part—of this administration’s broader smart power approach to cyberspace. What I have outlined today are a series of answers to cyberspace questions that the United States is on the record as supporting. I have also suggested a few of the challenging questions that remain before us, and developments over the next decade will surely produce new questions. But you should not think of these questions and answers as just a box to check before deciding whether a particular proposed operation is lawful or not. Rather, these questions and answers are part of a much broader foreign policy agenda, which transpires in a broader framework of respect for international law. That leads to my final question for this group: Why should US government lawyers care about international law in cyberspace at all? The answer: Because compliance with international law frees us to do more, and do more legitimately, in cyberspace, in a way that more fully promotes our national interests. Compliance with international law in cyberspace is part and parcel of our broader smart power approach to international law as part of US foreign policy. It is worth noting two fundamentally different philosophies about international law. One way to think about law, whether domestic or international, is as a straitjacket, a pure constraint. This approach posits that nations have serious, legitimate interests, and legal regimes restrict their ability to carry them out. One consequence of this view is that since law is just something that constrains, it should be resisted whenever possible. Resisting so-called extensions of the law to new areas often seems attractive, because, after all, the old laws weren’t built for these new challenges anyway, some say, so we should tackle those challenges without the legal straitjacket, while leaving the old laws behind. But that is not the United States government’s view of the law, domestic or international. We see law not as a straitjacket but, as one great university calls it when it confers its diplomas, a body of “wise restraints that make us free.” International law is not purely constraint; it frees us and empowers us to do things we could never do without law’s legitimacy. If we succeed in promoting a culture of compliance, we will reap the benefits. And if we earn a reputation for compliance, the actions we do take will earn enhanced legitimacy worldwide for their adherence to the rule of law. These are not new themes, but I raise them here because they resonate squarely with the strategy we have been pursuing in cyberspace over the past few years. Of course, the United States has impressive cyber capabilities; it should be clear from the bulk of my discussion that adherence to established principles of law does not prevent us from using those capabilities to achieve important ends. But we also know that we will be safer, the more that we can rally other states to the view that these established principles do impose meaningful constraints, and that there is already an existing set of laws that protect our security in cyberspace. And the more widespread the understanding that cyberspace follows established rules—and that we live by them—the stronger we can be in pushing back against those who would seek to introduce brand new rules that may be contrary to our interests. That is why, in our diplomacy, we do not whisper about these issues. We talk openly and bilaterally with other countries about the application of established international law to cyberspace. We talk about these issues multilaterally, at the UN Group of Governmental Experts and at other fora, in promoting this vision of compliance with international law in cyberspace. We talk about them regionally, as when we recently cosponsored an ASEAN Regional Forum event to focus the international community’s attention on the problem of proxy actors engaging in unlawful conduct in cyberspace. Preventing proxy attacks on us is an important interest, and as part of our discussions we have outlined the ways that existing international law addresses this problem. The diplomacy I have described is not limited to the legal issues this group of lawyers is used to facing in the operational context. These issues are interconnected with countless other cyber issues that we face daily in our foreign policy, such as cybersecurity, cyber commerce, human rights in cyberspace, and public diplomacy through cyber tools. In all of these areas, let me repeat again: compliance with international law in cyberspace is part and parcel of our broader smart power approach to international law as part of US foreign policy. Compliance with international law—and thinking actively together about how best to promote that compliance—can only free us to do more, and to do more legitimately, in the emerging frontiers of cyberspace, in a way that more fully promotes our US national interests. Thank you very much. Licenses and Attributions International Law in Cyberspace by Harold Hongju Koh comprises public domain material from the US Department of State. UMGC has modified this work. International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms Testimony Christopher Painter Coordinator for Cyber Issues Statement Before the Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy Washington, DC May 25, 2016 Chairman Gardner, Ranking Member Cardin, members of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, it is a pleasure to appear again before your subcommittee to provide an update on key developments in our cyber foreign policy efforts. Since I testified before your subcommittee one year ago, the Department of State (the Department) has continued to work closely with other federal departments and agencies and has made significant progress in a number of areas. It is also important to note that last month, as required by the Consolidated Appropriations Act for 2016, the Department submitted to Congress the Department of State International Cyberspace Policy Strategy (the Strategy), which included a report on the Department’s work to implement the president’s 2011 International Strategy for Cyberspace, as well as a discussion of our efforts to promote norms of responsible state behavior in cyberspace, alternative concepts for norms promoted by certain other countries, threats facing the United States, tools available to the president to deter malicious actors, and resources required to build international norms. I appreciate the opportunity today to provide an update on our progress as well as the challenges we face in a number of areas. As reflected in the Strategy we provided to Congress last month, the Department of State structures its cyberspace diplomacy in close cooperation with our interagency partners – including the Departments of Justice, Commerce, Defense, Homeland Security, and Treasury, and the Intelligence Community – around the following interrelated, dynamic, and cross-cutting policy pillars drawn from the president’s International Strategy for Cyberspace: digital economy, international security, promoting cybersecurity due diligence, combating cybercrime, Internet governance, Internet freedom, and international development and capacity building, as well as cross-cutting issues such as countering the use of the Internet for terrorist purposes. In addition, as we noted, the Department is actively mainstreaming cyberspace issues into its foreign diplomatic engagements and building the necessary internal capacity. I am happy to answer any questions regarding the Strategy, which discusses all of these policy priorities in greater detail, including specific accomplishments from our robust bilateral and multilateral diplomatic engagements and highlights from the roles and contributions of other federal agencies. In spite of the successes outlined in the Strategy, the U.S. vision for an open, interoperable, secure, and reliable Internet faces a range of policy and technical challenges. Many of these challenges were described in my testimony last year, and they largely remain. I would like to focus my time today delving specifically into our efforts to promote a broad international framework for cyber stability, as well some of the alternative views regarding the Internet that some governments are promoting. I will also spend some time discussing the technical challenges and threats posed by continuing malicious cyberactivity directed at the United States, as well as our allies, and the tools we have at our disposal to deter these actions. Diplomatic Efforts to Shape the Policy Environment Building a Framework for International Stability in Cyberspace The Department of State, working with our interagency partners, is guided by the vision of the president’s International Strategy for Cyberspace, which is to promote a strategic framework of international cyber stability. This framework is designed to achieve and maintain a peaceful cyberspace environment where all states are able to fully realize its benefits, where there are advantages to cooperating against common threats and avoiding conflict, and where there is little incentive for states to engage in disruptive behavior or to attack one another. This framework has three key elements: (1) global affirmation that international law applies to state behavior in cyberspace; (2) development of an international consensus on and promotion of additional voluntary norms of responsible state behavior in cyberspace that apply during peacetime; and (3) development and implementation of practical confidence building measures (CBMs), which promote stability in cyberspace by reducing the risks of misperception and escalation. Since 2009, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has served as a productive and groundbreaking expert-level venue for the United States to build support for this framework. The consensus recommendations of the three UN GGE reports in 2010, 2013, and 2015 have set the standard for the international community on international cyberspace norms and CBMs. The UN GGE process will continue to play a central role in our efforts to fully promulgate this framework when it reconvenes in August 2016. Applicability of international law. The first and most fundamental pillar of our framework for international cyber stability is the applicability of existing international law to state behavior in cyberspace. The 2013 UN GGE report was a landmark achievement that affirmed the applicability of existing international law, including the UN Charter, to state conduct in cyberspace. The 2013 report underscored that states must act in cyberspace under the established international obligations and commitments that have guided their actions for decades – in peacetime and during conflict – and states must meet their international obligations regarding internationally wrongful acts attributable to them. The 2014-2015 UN GGE also made progress on issues related to international law by affirming the applicability of the inherent right to self-defense as recognized in Article 51 of the UN Charter, and noting the law of armed conflict’s fundamental principles of humanity, necessity, proportionality, and distinction. Norms of responsible state behavior. The United States is also building consensus on a set of additional, voluntary norms of responsible state behavior in cyberspace that define key areas of risk that would be of national and/or economic security concern to all states and should be off-limits during times of peace. If observed, these stability measures – which are measures of self-restraint – can contribute substantially to conflict prevention and stability. The United States was the first state to propose a set of specific peacetime cyber norms, including the cybersecurity of critical infrastructure, the protection of computer security incident response teams (CSIRTs), and cooperation between states in responding to appropriate requests in mitigating malicious cyberactivity emanating from their territory. In May 2015, Secretary of State Kerry highlighted these norms in his speech in Seoul, South Korea, on an open and secure Internet. The 2015 UN GGE report’s most significant achievement was its recommendation for voluntary norms of state behavior designed for peacetime, which included concepts championed by the United States. Confidence Building Measures. Together with our work on law and voluntary norms, cyber CBMs have the potential to contribute substantially to international cyber stability. CBMs have been used for decades to build confidence, reduce risk, and increase transparency in other areas of international concern. Examples of cyber CBMs include transparency measures, such as sharing national strategies or doctrine; cooperative measures, such as an initiative to combat a particular cyber incident or threat actor; and stability measures, such as committing to refrain from a certain activity of concern. Cyber CBMs are being developed, and are in the first stages of implementation, in two regional venues – the Organization for Security and Cooperation in Europe (OSCE) and the ASEAN Regional Forum, where agreement was reached in 2015 on a detailed work plan with a proposed set of CBMs for future implementation. Although many of the elements of the framework I have described above may seem self-evident to an American audience, it is important to recognize that cyber issues are new to many states, and as I describe later in my testimony, there are also many states that hold alternative views on how we should promote cyber stability. Notwithstanding these headwinds, as well as the fact that diplomatic negotiations on other issues can take many years, if not decades, the United States and its allies have made substantial progress in recent years towards advancing our strategic framework of international cyber stability. At this point, I would like to highlight examples from last year that reflect our progress. U.S.-China Cyber Commitments The United States strongly opposes the use of cyber technology to steal intellectual property for commercial advantage, and has raised this concern with Chinese interlocutors for several years. In 2014, the United States indicted five members of the Chinese military for hacking, economic espionage, and other offenses directed at six US entities. This led China to suspend the US-China Cyber Working Group. The United States and China, however, reached an agreement during President Xi Jinping’s state visit in September 2015 on several key commitments on cyber issues. These commitments are both governments agreed to cooperate and provide timely responses to requests for information and assistance regarding malicious cyberactivity emanating from their territories, neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property for commercial advantage, both governments will work together to further identify and promote appropriate norms of state behavior in cyberspace and hold a senior experts group on international security issues in cyberspace, and both governments will establish a ministerial-level joint dialogue mechanism on fighting cybercrime and related issues. Two weeks ago today – on May 11 – the United States hosted the first meeting in Washington of the senior experts group on international security issues in cyberspace, which provided a forum to further engage with China on its views and seek common ground regarding norms of state behavior in cyberspace and other topics. The Department of State led the US delegation that included participation from the Department of Defense and other US government agencies. The senior experts group helps us advance the growing international consensus on international law and voluntary cyber norms of state behavior. We also have encouraged China to join us in pushing for other states to affirm these principles in international forums like the Group of Twenty (G20), and will continue to do so. To implement other commitments reached during President Xi’s visit, the United States and China held the first ministerial-level dialogue on cybercrime and other related issues in Washington on December 1, 2015. Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-chaired the first US-China High-Level Joint Dialogue on Cybercrime and Related Issues to foster mutual understanding and enhance cooperation on law enforcement and network protection issues. The second dialogue is scheduled to occur next month in Beijing, China. Moreover, regarding the commitment that neither government will conduct or knowingly support cyber-enabled theft for commercial gain, Deputy Secretary of State Blinken testified last month before the full Committee on Foreign Relations that the United States is “watching very closely to ensure this commitment is followed by action.” The outcomes of last year’s Xi-Obama summit focus on concrete actions and arrangements that will allow us to hold Beijing accountable to the commitments they have made. These commitments do not resolve all our challenges with China on cyber issues. However, they do represent a step forward in our efforts to address one of the sharpest areas of disagreement in the US-China bilateral relationship. Group of Twenty (G20) Antalya Summit In November 2015, the leaders of the G20 met in Antalya, Turkey, to discuss and make progress on a wide range of critical issues facing the global economy. At the conclusion of the Antalya Summit, the strong final communique issued by the G20 leaders affirmed the US-championed vision of international cyber stability and its pillars. Among other things, the G20 leaders affirmed in their statement that “no country should conduct or support the ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” They also highlighted the “key role played by the United Nations in developing norms” and the work of the UN GGE and its 2015 report. Addressing our overall framework, the G20 leaders stated that they “affirm that international law, and in particular the UN Charter, is applicable to state conduct in the use of ICTs and commit ourselves to the view that all states should abide by norms of responsible state behavior in the use of ICTs…” The G20 leaders’ communique represents a remarkable endorsement of our approach to promoting stability in cyberspace. Still, there is still more to do. The United States will continue to work within the G20 and in other bilateral and multilateral engagements to promote and expand these policy pronouncements regarding responsible state behavior in cyberspace. Organization for Security and Cooperation in Europe As a result of the leadership by the United States and like-minded countries, the 57 member states of the OSCE, which includes not only Western allies but also Russia and other former Soviet states, reached consensus in March 2016 on an expanded set of CBMs. This expanded set, which includes five new CBMs, builds upon the 11 CBMs announced by the OSCE in 2013 that member states are already working to implement. The initial 11 CBMs were primarily focused on building transparency and putting in place mechanisms for de-escalating conflict. For example, there were CBMs calling upon participating states to identify points of contact that foreign governments could reach out to in the event of a cyber incident emanating from the state’s territory and put in place consultation and mediation mechanisms. The additional five CBMs focused more on cooperative measures focusing on issues like cybersecurity of critical infrastructure and developing public-private partnerships. Secure and resilient critical infrastructure, including in the communications sector, requires the integration of cyber, physical, and human elements. Since most critical infrastructure is privately owned, public-private partnerships are essential for strengthening critical infrastructure. Given the distributed nature of critical infrastructure, these efforts also require international collaboration. Work will continue this year to strengthen implementation of the previous CBMs and to begin implementing the new ones as well. This will build on the cooperation we have underway with many international partners in this and other similar fora. We also hope that this further success within the OSCE context can serve to strengthen CBMs as a model that other regional security organizations can adopt. In addition to our work with governmental organizations, the Department of State engages extensively with a range of stakeholders outside of government, who play critical roles in helping to preserve and promote the same vision of cyberspace held by the United States. Nongovernment stakeholders are often part of our delegations to key meetings, for which there is intensive consultation, and we often engage with our stakeholders before and after key events to hear their views and to inform them of our activities. We also engage extensively with the stakeholder community ahead of and immediately following major cyber conferences, such as the Global Conference on Cyberspace, most recently in The Hague, the Netherlands, and previously in Seoul, South Korea. Policy Challenge: Alternative Views of the Internet One challenge to the implementation of our cyberspace strategy is a competing and alternative view of the Internet. The United States and much of the broader international community support the open flow and movement of data on the Internet that drives economic growth, protects human rights, and promotes innovation. The United States believes in a multistakeholder approach whereby governments, private sector, civil society, and the technical and academic communities cooperate to address both technical and policy threats through inclusive, transparent, consensus-driven processes. China’s approach to cyberspace in the international context is propelled by its desire to maintain internal stability, maintain sovereignty over its domestic cyberspace, and combat what it argues is an emerging cyber arms race and “militarization” of cyberspace. China has been willing to consider cyber confidence building measures, and has affirmed that international law applies in cyberspace, but has not been willing to affirm more specifically the applicability of the law of armed conflict or other laws of war, because it believes it would only serve to legitimize state use of cyber tools as weapons of war. This has led to a set of external policies that reinforces traditional Chinese foreign policy priorities of noninterference in internal affairs, national sovereignty over cyberspace, and “no first use” of weapons. China views its expansive online censorship regime – including technologies such as the Great Firewall – as a necessary defense against destabilizing domestic and foreign influences, and it has promoted this conception internationally. China also urges creation of new “cyber governance” instruments, which would, inter alia, create new binding rules designed to limit the development, deployment, and use of “information weapons”; promote speech and content controls; seek to replace the framework of the Council of Europe Convention on Cybercrime (Budapest Convention); elevate the role of governments vis-à-vis other stakeholders; and likely give the United Nations authority for determining attribution and responding to malicious cyberactivity. While the United States and its partners seek to focus our cyber policy efforts on combatting threats to networks, cyber infrastructure, and other physical threats from cyber tools, China also emphasizes the threats posed by online content. In addition, some of these policies stand in sharp contrast to the U.S. view that all stakeholders should be able to contribute to the making of public policy regarding the Internet. Russia’s approach to cyberspace in the international context has focused on the maintenance of internal stability, as well as sovereignty over its “information space.” While Russia co-authored the Code of Conduct, with China and other Shanghai Cooperation Organization members, Russia’s ultimate goal is also a new international cyber convention, which they pair with criticism of the Budapest Convention. Russia has nonetheless found common ground with the United States on our approach of promoting the applicability of international law to state conduct in cyberspace as well as voluntary, nonbinding norms of state behavior in peacetime. Russia has also committed to the first ever set of bilateral cyber confidence building measures with the United States, as well as the first ever set of cyber CBMs within a multilateral institution, at the OSCE in 2013 and 2016 that I previously discussed. We counter these alternative concepts of cyberspace policy through a range of diplomatic tools that include not only engagement in multilateral venues, but also direct bilateral engagement and awareness-raising with a variety of state and non-state actors. I now would like to discuss some of the technical challenges and threats the United States faces and some of the tools we have to respond to and prevent cyber incidents. Responding to and Preventing Cyber Incidents Continuing Cyberthreats Cyberthreats to US national and economic security are increasing in frequency, scale, sophistication, and severity. In 2015, high-profile cyber incidents included the breach of health insurance company Anthem, Inc.’s IT system, resulting in the theft of account information for millions of customers; an unauthorized breach of the Office of Personnel Management’s systems, resulting in the theft of approximately 22 million personnel files; and hackers launching an unprecedented attack on the Ukraine power grid that cut power to hundreds of thousands of customers. Overall, the unclassified information and communications technology networks that support US government, military, commercial, and social activities remain vulnerable to espionage and disruption. As the Department noted in the Strategy we submitted last month, however, the likelihood of a catastrophic attack against the United States from any particular actor is remote at this time. The Intelligence Community instead foresees an ongoing series of low-to-moderate level cyber operations from a variety of sources, which will impose cumulative costs on US economic competitiveness and national security, pose risks to federal and private sector infrastructure in the United States, infringe upon the rights of US intellectual property holders, and violate the privacy of US citizens. In February, Director of National Intelligence James Clapper testified before Congress on the 2016 Worldwide Threat Assessment of the US Intelligence Community, and stated “Many actors remain undeterred from conducting reconnaissance, espionage, and even attacks in cyberspace because of the relatively low costs of entry, the perceived payoff, and the lack of significant consequences.” He highlighted the malicious cyber activities of the leading state actors, non-state actors such as Da’esh, and criminals who are developing and using sophisticated cyber tools, including ransomware for extortion and malware to target government networks. The Intelligence Community continues to witness an increase in the scale and scope of reporting on malicious cyberactivity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by U.S. victims. The motivation to conduct cyberattacks and cyberespionage will probably remain strong because of the gains for the perpetrators. Tools Available to Counter Cyberthreats The United States works to counter technical challenges through a whole-of-government approach that brings to bear its full range of instruments of national power and corresponding policy tools – diplomatic, law enforcement, economic, military, and intelligence – as appropriate and consistent with applicable law. The United States believes that deterrence in cyberspace is best accomplished through a combination of “deterrence by denial” – reducing the incentive of potential adversaries to use cyber capabilities against the United States by persuading them that the United States can deny their objectives – and “deterrence through cost imposition” – threatening or carrying out actions to inflict penalties and costs against adversaries that conduct malicious cyberactivity against the United States. It is important to note that there is no one-size-fits-all approach to deterring or responding to cyberthreats. Rather, the individual characteristics of a particular threat determine the tools that would most appropriately be used. The president has at his disposal a number of tools to carry out deterrence by denial. These include a range of policies, regulations, and voluntary standards aimed at increasing the security and resiliency of U.S. government and private sector computer systems. They also include incident response capabilities and certain law enforcement authorities. With respect to cost imposition, the president is able to draw on a range of response options from across the United States government. Diplomatic tools provide a way to communicate to adversaries when their actions are unacceptable and to build support and greater cooperation among, or seek assistance from, allies and like-minded countries to address shared threats. Diplomatic démarches to both friendly and potentially hostile states have become a regular component of the United States’ response to major international cyberincidents. In the longer term, US efforts to promote principles of responsible state behavior in cyberspace, including peacetime norms, are intended to build increasing consensus among like-minded states that can form a basis for cooperative responses to irresponsible state actions. Law enforcement tools can be used to investigate crimes and prosecute malicious cyber actors both within the United States and abroad. International cooperation is critical to cybercrime investigations, which is why the United States has promoted international harmonization of substantive and procedural cybercrime laws through the Budapest Convention, created an informal channel for data preservation and information sharing through the G7 24/7 network, and promoted donor partnerships to assist developing nations. Economic tools, such as financial sanctions, may be used as a part of the broader U.S. strategy to change, constrain, and stigmatize the behavior of malicious actors in cyberspace. Since January 2015, the president has provided guidance to the Secretary of the Treasury to impose sanctions to counter North Korea’s malicious cyber-enabled activities. Executive Order 13687 was issued, in part, in response to the provocative and destructive attack on Sony Pictures Entertainment, while Executive Order 13722 targets, among others, significant activities by North Korea to undermine cybersecurity, in line with the recently-signed North Korea Sanctions and Policy Enhancement Act of 2016. Aside from these North Korea-specific authorities, in April 2015, the president issued Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, which authorizes the imposition of sanctions against persons whose malicious cyber-enabled activities could pose a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Military capabilities provide an important set of options for deterring and responding to malicious cyberactivity. The Department of Defense continues to build its cyber capabilities and strengthen its cyber defense and deterrence posture. As part of this effort, the Department of Defense is building its Cyber Mission Force, which is already employing its capabilities to defend Department of Defense networks, defend the nation against cyberattacks of significant consequence, and generate integrated cyberspace effects in support of operational plans and contingency operations. In addition, Secretary of Defense Ashton Carter announced earlier this year that US forces are using cybertools to disrupt Da’esh’s command and control systems and to negatively impact its networks. Intelligence capabilities are also an important tool at the President’s disposal in detecting, responding to, and deterring malicious activities in cyberspace, particularly given the unique challenges associated with attributing and understanding the motivation behind such malicious activities. Even with this broad range of tools, deterring cyberthreats remains a challenge. Given the unique characteristics of cyberspace, the United States continues to work to develop additional and appropriate consequences that it can impose on malicious cyber actors. Capacity Building In addition to the tools that I have just outlined, the ability of the United States to respond to foreign cyberthreats and fight transnational cybercrime is greatly enhanced by the capabilities and strength of our international partners in this area. Therefore, the Department of State is working with departments and agencies, allies and multilateral partners to build the capacity of foreign governments, particularly in developing countries, to secure their own networks as well as investigate and prosecute cybercriminals within their borders. The Department also actively promotes donor cooperation, including bilateral and multilateral participation in joint cyber capacity building initiatives. In 2015, for example, the United States joined the Netherlands in founding the Global Forum on Cyber Expertise, a global platform for countries, international organizations, and the private sector to exchange best practices and expertise on cyber capacity building. The United States partnered with Japan, Australia, Canada, the African Union Commission, and Symantec on four cybersecurity and cybercrime capacity building initiatives. The Department also provided assistance to the Council of Europe, the Organization of American States, and the United Nations Global Program on Cybercrime to enable delivery of capacity building assistance to developing nations. Many traditional bilateral law enforcement training programs increasingly include cyber elements, such as training investigators and prosecutors in the handling of electronic evidence. Much of our foreign law enforcement training on combating intellectual property crime focuses on digital theft. In another example of capacity building, the Department of State, through its Bureau of International Narcotics and Law Enforcement Affairs, manages five International Law Enforcement Academies (ILEAs) worldwide, and one additional Regional Training Center. These six facilities provide law enforcement training and instruction to law enforcement officials from approximately 85 countries each year. The ILEA program includes a wide variety of cyber investigation training courses, from basic to advanced levels, taught by subject matter experts from the US Secret Service and other agencies and policy-level discussions with senior criminal justice officials. This serves as a force multiplier to enhance the capabilities of the international law enforcement community to collaborate in the effort to fight cybercrime. The Department of State is committed to continuing its capacity building initiatives as another effective way to counter international cyberthreats and promote international cyber stability. Looking ahead Cybersecurity will continue to be a challenge for the United States when we take into consideration the rapidly expanding environment of global cyberthreats, the increasing reliance on information technology and number of “smart devices,” the reality that many developing nations are still in the early stages of their cyber maturity, and the ongoing and increasingly sophisticated use of information technology by terrorists and other criminals. Thus, the Department of State anticipates a continued increase and expansion of our cyber-focused diplomatic and capacity building efforts for the foreseeable future. The Department will continue to spearhead the effort to promote international consensus that existing international law applies to state actions in cyberspace and build support for certain peacetime norms through assisting states in developing technical capabilities and relevant laws and policies, to ensure they are able to properly meet their commitments on norms of international cyber behavior. The Department of State remains appreciative of this Subcommittee’s continued support. Thank you for the opportunity to testify today. I am happy to answer your questions. Licenses and Attributions International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms by Christopher Painter comprises public domain material from the U.S. Department of State. UMGC has modified this work. Global Cybersecurity Threats Cybersecurity threats can originate from any geographic region, can affect any geographic region, can achieve relative anonymity on the global infrastructure known as the internet, and can have varying degrees of sophistication and motivation. Geographically, cybersecurity threats and associated threat actors are more prevalent in some regions than others. Threats with Middle Eastern origins include rogue and/or state-sponsored actors who leverage capabilities, either indigenously produced or stolen, against global targets. The motivation of these threat actors is varied, from theft of intellectual property for their own national purposes, to using threats to send political or social messages, to theft for the purposes of financial gain, to even terrorism. Cybersecurity threats from Russia are generally characterized as sophisticated and stealthy, while threats from other European nations vary as determined by their national policies, political pressures, and impacts to their populations. Asian Cybersecurity Threats Among foreign threats, the Chinese are among the most capable and active. China has used fairly sophisticated tools and techniques to attack a wide range of targets. In 2010, Chinese actors attacked Adobe Systems, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical (Bengali, et. al) using an advanced persistent threat (APT) that appeared to be based in Beijing. The massive theft of tens of millions records from the Office of Personnel Management (OPM) in 2014 is attributed to the Chinese, as is the 2015 theft of millions of records from Anthem. This represented the most significant theft of healthcare records to date. Chinese attacks against US interests became so prolific and bold that the US took the unprecedented step of publicly accusing China of attacking US government systems. The Guardians of Peace—an alleged North Korean hacker group—has been identified as the perpetrators of the 2014 attack on Sony networks, which wiped out servers and stole terabytes of data. The 2013 attack on South Korean banks is also attributed to North Korean actors. References Bengali, S., Dilanian, K., Zavis, A. (2013). Chinese Cyber Attack Disclosures. The Los Angeles Times. Retrieved from http://timelines.latimes.com/la-fg-china-cyber-disclosures-timeline/ African Cybersecurity Threats While Africa has lagged in developing and implementing cybersecurity measures, cybersecurity threats from Africa are on the rise, largely due to rampant criminal activities that can be enhanced with illicit access to networks and data. African networks are easier targets because African networks are less protected. Threat actors from Africa are taking advantage of this relative ease of access to successfully gain access to networks and data. The prime motives are criminal, and largely for the purposes of financial gain. There is little evidence that African-inspired cyber threat actors pose significant threats outside of African borders. Middle-Eastern Cybersecurity Threats One of the most devastating Middle-Eastern cybersecurity attacks occurred in 2012, when the Cutting Sword of Justice group launched a virus attack against the Saudi Arabian oil company Aramco, disabling 30,000 desktop computers. At the time, this was one of the most destructive attacks ever against a company. Threats from the Middle East continue to manifest, with threat actors developing and delivering payloads, launching phishing schemes to gain unauthorized access, and stealing terabytes of data. Today, cyberattacks within and from the Middle East are a mix of hacktivism—attacks focused on promoting political agendas—and state-sponsored attacks. Economics significantly influences the motivations of Middle-Eastern cybersecurity attacks, with the global issues of gas and oil resources helping to stimulate malicious acts. Iranian threat actors are prominent, according to a report by a California security firm, Cylance: “Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States”(Cylance, 2015). Iranian threat actors continue to develop sophisticated capability. This was evidenced in Operation Cleaver, a massive series of malware attacks launched in 2014, reported to be linked to Tehran and demonstrating Iran’s growing cyberattack capabilities. Iran is also suspected of “…flat lining the in-house networks” of the Las Vegas Sands casino corporation “in retaliation for public comments made by its CEO, who said the U.S. should threaten a nuclear attack on Tehran to keep its nuclear program in check” (Risen, 2015). References Cylance. (2015). Operation cleaver. Retrieved from https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf Risen, T. (2015, December 15). Iran’s growing cybersecurity threat. Retrieved from http://www.usnews.com/news/articles/2014/12/15/irans-growing-cybersecurity-threat Russian Cybersecurity Threats Russia has emerged as the top global cybersecurity threat and is considered home of some of most sophisticated threats operating in cyberspace. Among the more prominent Russian-backed cyberattacks was the May 2007 attack on Estonia, largely attributed to Russian hacktivism. This attack was in response to a conflict between Russia and Estonia, which resulted in Estonia deciding to remove a historic Russian monument. With its relatively cheap labor pool, and wealth of well-trained computer specialists, Russia has demonstrated its capacity and willingness to conduct cyberattacks. Russia is structurally posturing to attack command and control systems and conduct cyber-related propaganda operations, and Russian actors have developed the capability to target industrial control systems (ICS). They employ this access to attack electric power grids, air-traffic control, and oil and gas distribution. According to Director of National Intelligence James Clapper, “Russian actors have successfully compromised the product supply chains of three ICS vendors so that customers download exploitative malware directly from vendors’ websites along with routine software updates” (Statement for the Record of James R. Clapper 2015). The significant increases in the scope and scale of Russian cybersecurity threats have impacted global economies and cyber defense efforts around the world. Particularly, it has created opportunities for cyber defenders. Kevin Mandia, CEO of Fireeye, said in response to an increase in company earnings in November 2016, “I think Russia’s operating at its fullest scale and scope right now, and for the first time in maybe 15 years, in my opinion, we’re responding to more state actor intrusions from Russia than China” (Balakrishnan 2016). While Russia’s inherent cybersecurity threats are cause for concern, it is important to also be wary of the expansion of Russian threats to other nations or threat actors. “Particularly concerning for the former Soviet republics, the United States, and others who find themselves in disagreement with Russia are the growing sophistication of the attacks; the possible expansion of attackers’ recruits to Russian expats; and the possibility of Russian cyber warriors selling their skills, labor, and expertise to other states (such as Iran) or organizations (such as Hamas or Hezbollah, which enjoy sympathy and support in Russia” (Flook 2009). References Balakrishnan, A. (November 2016). Fireeye pops 12% as requests to fight Russian cyberthreats, email hacks boosts business. CNBC. Retrieved from http://www.cnbc.com/2016/11/04/fireeye-pops-15-as-requests-to-fight-russian-cyberthreats-email-hacks-boost-business.html Flook, K. (May 2009). Russia and the cyber threat. Retrieved from http://www.criticalthreats.org/russia/russia-and-cyber-threat Statement for the Record of James R. Clapper. (February 2015). Worldwide threat assessment. Retrieved from http://www.widener.edu/about/campus_resources/wolfgram_library/documents/apa_govt_guide.pdf
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
International Cybersecurity Threat Matrix Country: Cyber Culture (i.e., How does the country view cyber threats? Is this consistent with the general country culture?) Cybersecurity Threats Cyber Legal Perspective/Cyber Economic Perspective Response to Cyberterrorism/Recruiting Country: Cyber Culture (i.e., How does the country view cyber threats? Is this consistent with the general country culture?) Cybersecurity Threats Cyber Legal Perspective/Cyber Economic Perspective Response to Cyberterrorism/Recruiting Country: Cyber Culture (i.e., How does the country view cyber threats? Is this consistent with the general country culture?) Cybersecurity Threats Cyber Legal Perspective/Cyber Economic Perspective Response to Cyberterrorism/Recruiting
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
Cybersecurity International Policy International cybersecurity policy has emerged based on efforts by international bodies and also in national strategies. International bodies, such as the United Nations, NATO, and the European Union, have each developed cybersecurity policies in concert with the focus, membership, and resources of their organizations. For example, NATO has made clear its objective to ensure that its operational and mission-related information systems are protected from cyberthreats while the organization continues to help member nations increase the security of their own national networks. The United States has articulated its own international policy in the International Strategy for Cyberspace, released in 2011. This document establishes an approach for US engagement with foreign partners on cyberspace issues. It includes the following policy objectives (White House, 2011): promoting international standards and innovative, open markets extending collaboration and the rule of law preparing for twenty-first-century challenges promoting effective and inclusive structures building capacity, security, and prosperity supporting fundamental freedoms and privacy However, future presidential administrations could result in significant changes, and even revocation, of the International Strategy for Cyberspace and other policies. References The White House. (2011). International strategy for cyberspace.  https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf https://safe.menlosecurity.com/doc/docview/viewer/docNEB6322775701daf62e9f5e9987787b4afe438b8d6914c7686633e5ce7b909735f809ace8e093 International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms Testimony Christopher Painter Coordinator for Cyber Issues Statement Before the Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy Washington, DC May 25, 2016 Chairman Gardner, Ranking Member Cardin, members of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, it is a pleasure to appear again before your subcommittee to provide an update on key developments in our cyber foreign policy efforts. Since I testified before your subcommittee one year ago, the Department of State (the Department) has continued to work closely with other federal departments and agencies and has made significant progress in a number of areas. It is also important to note that last month, as required by the Consolidated Appropriations Act for 2016, the Department submitted to Congress the Department of State International Cyberspace Policy Strategy (the Strategy), which included a report on the Department’s work to implement the president’s 2011 International Strategy for Cyberspace, as well as a discussion of our efforts to promote norms of responsible state behavior in cyberspace, alternative concepts for norms promoted by certain other countries, threats facing the United States, tools available to the president to deter malicious actors, and resources required to build international norms. I appreciate the opportunity today to provide an update on our progress as well as the challenges we face in a number of areas. As reflected in the Strategy we provided to Congress last month, the Department of State structures its cyberspace diplomacy in close cooperation with our interagency partners – including the Departments of Justice, Commerce, Defense, Homeland Security, and Treasury, and the Intelligence Community – around the following interrelated, dynamic, and cross-cutting policy pillars drawn from the president’s International Strategy for Cyberspace: digital economy, international security, promoting cybersecurity due diligence, combating cybercrime, Internet governance, Internet freedom, and international development and capacity building, as well as cross-cutting issues such as countering the use of the Internet for terrorist purposes. In addition, as we noted, the Department is actively mainstreaming cyberspace issues into its foreign diplomatic engagements and building the necessary internal capacity. I am happy to answer any questions regarding the Strategy, which discusses all of these policy priorities in greater detail, including specific accomplishments from our robust bilateral and multilateral diplomatic engagements and highlights from the roles and contributions of other federal agencies. In spite of the successes outlined in the Strategy, the U.S. vision for an open, interoperable, secure, and reliable Internet faces a range of policy and technical challenges. Many of these challenges were described in my testimony last year, and they largely remain. I would like to focus my time today delving specifically into our efforts to promote a broad international framework for cyber stability, as well some of the alternative views regarding the Internet that some governments are promoting. I will also spend some time discussing the technical challenges and threats posed by continuing malicious cyberactivity directed at the United States, as well as our allies, and the tools we have at our disposal to deter these actions. Diplomatic Efforts to Shape the Policy Environment Building a Framework for International Stability in Cyberspace The Department of State, working with our interagency partners, is guided by the vision of the president’s International Strategy for Cyberspace, which is to promote a strategic framework of international cyber stability. This framework is designed to achieve and maintain a peaceful cyberspace environment where all states are able to fully realize its benefits, where there are advantages to cooperating against common threats and avoiding conflict, and where there is little incentive for states to engage in disruptive behavior or to attack one another. This framework has three key elements: (1) global affirmation that international law applies to state behavior in cyberspace; (2) development of an international consensus on and promotion of additional voluntary norms of responsible state behavior in cyberspace that apply during peacetime; and (3) development and implementation of practical confidence building measures (CBMs), which promote stability in cyberspace by reducing the risks of misperception and escalation. Since 2009, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has served as a productive and groundbreaking expert-level venue for the United States to build support for this framework. The consensus recommendations of the three UN GGE reports in 2010, 2013, and 2015 have set the standard for the international community on international cyberspace norms and CBMs. The UN GGE process will continue to play a central role in our efforts to fully promulgate this framework when it reconvenes in August 2016. Applicability of international law. The first and most fundamental pillar of our framework for international cyber stability is the applicability of existing international law to state behavior in cyberspace. The 2013 UN GGE report was a landmark achievement that affirmed the applicability of existing international law, including the UN Charter, to state conduct in cyberspace. The 2013 report underscored that states must act in cyberspace under the established international obligations and commitments that have guided their actions for decades – in peacetime and during conflict – and states must meet their international obligations regarding internationally wrongful acts attributable to them. The 2014-2015 UN GGE also made progress on issues related to international law by affirming the applicability of the inherent right to self-defense as recognized in Article 51 of the UN Charter, and noting the law of armed conflict’s fundamental principles of humanity, necessity, proportionality, and distinction. Norms of responsible state behavior. The United States is also building consensus on a set of additional, voluntary norms of responsible state behavior in cyberspace that define key areas of risk that would be of national and/or economic security concern to all states and should be off-limits during times of peace. If observed, these stability measures – which are measures of self-restraint – can contribute substantially to conflict prevention and stability. The United States was the first state to propose a set of specific peacetime cyber norms, including the cybersecurity of critical infrastructure, the protection of computer security incident response teams (CSIRTs), and cooperation between states in responding to appropriate requests in mitigating malicious cyberactivity emanating from their territory. In May 2015, Secretary of State Kerry highlighted these norms in his speech in Seoul, South Korea, on an open and secure Internet. The 2015 UN GGE report’s most significant achievement was its recommendation for voluntary norms of state behavior designed for peacetime, which included concepts championed by the United States. Confidence Building Measures. Together with our work on law and voluntary norms, cyber CBMs have the potential to contribute substantially to international cyber stability. CBMs have been used for decades to build confidence, reduce risk, and increase transparency in other areas of international concern. Examples of cyber CBMs include transparency measures, such as sharing national strategies or doctrine; cooperative measures, such as an initiative to combat a particular cyber incident or threat actor; and stability measures, such as committing to refrain from a certain activity of concern. Cyber CBMs are being developed, and are in the first stages of implementation, in two regional venues – the Organization for Security and Cooperation in Europe (OSCE) and the ASEAN Regional Forum, where agreement was reached in 2015 on a detailed work plan with a proposed set of CBMs for future implementation. Although many of the elements of the framework I have described above may seem self-evident to an American audience, it is important to recognize that cyber issues are new to many states, and as I describe later in my testimony, there are also many states that hold alternative views on how we should promote cyber stability. Notwithstanding these headwinds, as well as the fact that diplomatic negotiations on other issues can take many years, if not decades, the United States and its allies have made substantial progress in recent years towards advancing our strategic framework of international cyber stability. At this point, I would like to highlight examples from last year that reflect our progress. U.S.-China Cyber Commitments The United States strongly opposes the use of cyber technology to steal intellectual property for commercial advantage, and has raised this concern with Chinese interlocutors for several years. In 2014, the United States indicted five members of the Chinese military for hacking, economic espionage, and other offenses directed at six US entities. This led China to suspend the US-China Cyber Working Group. The United States and China, however, reached an agreement during President Xi Jinping’s state visit in September 2015 on several key commitments on cyber issues. These commitments are both governments agreed to cooperate and provide timely responses to requests for information and assistance regarding malicious cyberactivity emanating from their territories, neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property for commercial advantage, both governments will work together to further identify and promote appropriate norms of state behavior in cyberspace and hold a senior experts group on international security issues in cyberspace, and both governments will establish a ministerial-level joint dialogue mechanism on fighting cybercrime and related issues. Two weeks ago today – on May 11 – the United States hosted the first meeting in Washington of the senior experts group on international security issues in cyberspace, which provided a forum to further engage with China on its views and seek common ground regarding norms of state behavior in cyberspace and other topics. The Department of State led the US delegation that included participation from the Department of Defense and other US government agencies. The senior experts group helps us advance the growing international consensus on international law and voluntary cyber norms of state behavior. We also have encouraged China to join us in pushing for other states to affirm these principles in international forums like the Group of Twenty (G20), and will continue to do so. To implement other commitments reached during President Xi’s visit, the United States and China held the first ministerial-level dialogue on cybercrime and other related issues in Washington on December 1, 2015. Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-chaired the first US-China High-Level Joint Dialogue on Cybercrime and Related Issues to foster mutual understanding and enhance cooperation on law enforcement and network protection issues. The second dialogue is scheduled to occur next month in Beijing, China. Moreover, regarding the commitment that neither government will conduct or knowingly support cyber-enabled theft for commercial gain, Deputy Secretary of State Blinken testified last month before the full Committee on Foreign Relations that the United States is “watching very closely to ensure this commitment is followed by action.” The outcomes of last year’s Xi-Obama summit focus on concrete actions and arrangements that will allow us to hold Beijing accountable to the commitments they have made. These commitments do not resolve all our challenges with China on cyber issues. However, they do represent a step forward in our efforts to address one of the sharpest areas of disagreement in the US-China bilateral relationship. Group of Twenty (G20) Antalya Summit In November 2015, the leaders of the G20 met in Antalya, Turkey, to discuss and make progress on a wide range of critical issues facing the global economy. At the conclusion of the Antalya Summit, the strong final communique issued by the G20 leaders affirmed the US-championed vision of international cyber stability and its pillars. Among other things, the G20 leaders affirmed in their statement that “no country should conduct or support the ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” They also highlighted the “key role played by the United Nations in developing norms” and the work of the UN GGE and its 2015 report. Addressing our overall framework, the G20 leaders stated that they “affirm that international law, and in particular the UN Charter, is applicable to state conduct in the use of ICTs and commit ourselves to the view that all states should abide by norms of responsible state behavior in the use of ICTs…” The G20 leaders’ communique represents a remarkable endorsement of our approach to promoting stability in cyberspace. Still, there is still more to do. The United States will continue to work within the G20 and in other bilateral and multilateral engagements to promote and expand these policy pronouncements regarding responsible state behavior in cyberspace. Organization for Security and Cooperation in Europe As a result of the leadership by the United States and like-minded countries, the 57 member states of the OSCE, which includes not only Western allies but also Russia and other former Soviet states, reached consensus in March 2016 on an expanded set of CBMs. This expanded set, which includes five new CBMs, builds upon the 11 CBMs announced by the OSCE in 2013 that member states are already working to implement. The initial 11 CBMs were primarily focused on building transparency and putting in place mechanisms for de-escalating conflict. For example, there were CBMs calling upon participating states to identify points of contact that foreign governments could reach out to in the event of a cyber incident emanating from the state’s territory and put in place consultation and mediation mechanisms. The additional five CBMs focused more on cooperative measures focusing on issues like cybersecurity of critical infrastructure and developing public-private partnerships. Secure and resilient critical infrastructure, including in the communications sector, requires the integration of cyber, physical, and human elements. Since most critical infrastructure is privately owned, public-private partnerships are essential for strengthening critical infrastructure. Given the distributed nature of critical infrastructure, these efforts also require international collaboration. Work will continue this year to strengthen implementation of the previous CBMs and to begin implementing the new ones as well. This will build on the cooperation we have underway with many international partners in this and other similar fora. We also hope that this further success within the OSCE context can serve to strengthen CBMs as a model that other regional security organizations can adopt. In addition to our work with governmental organizations, the Department of State engages extensively with a range of stakeholders outside of government, who play critical roles in helping to preserve and promote the same vision of cyberspace held by the United States. Nongovernment stakeholders are often part of our delegations to key meetings, for which there is intensive consultation, and we often engage with our stakeholders before and after key events to hear their views and to inform them of our activities. We also engage extensively with the stakeholder community ahead of and immediately following major cyber conferences, such as the Global Conference on Cyberspace, most recently in The Hague, the Netherlands, and previously in Seoul, South Korea. Policy Challenge: Alternative Views of the Internet One challenge to the implementation of our cyberspace strategy is a competing and alternative view of the Internet. The United States and much of the broader international community support the open flow and movement of data on the Internet that drives economic growth, protects human rights, and promotes innovation. The United States believes in a multistakeholder approach whereby governments, private sector, civil society, and the technical and academic communities cooperate to address both technical and policy threats through inclusive, transparent, consensus-driven processes. China’s approach to cyberspace in the international context is propelled by its desire to maintain internal stability, maintain sovereignty over its domestic cyberspace, and combat what it argues is an emerging cyber arms race and “militarization” of cyberspace. China has been willing to consider cyber confidence building measures, and has affirmed that international law applies in cyberspace, but has not been willing to affirm more specifically the applicability of the law of armed conflict or other laws of war, because it believes it would only serve to legitimize state use of cyber tools as weapons of war. This has led to a set of external policies that reinforces traditional Chinese foreign policy priorities of noninterference in internal affairs, national sovereignty over cyberspace, and “no first use” of weapons. China views its expansive online censorship regime – including technologies such as the Great Firewall – as a necessary defense against destabilizing domestic and foreign influences, and it has promoted this conception internationally. China also urges creation of new “cyber governance” instruments, which would, inter alia, create new binding rules designed to limit the development, deployment, and use of “information weapons”; promote speech and content controls; seek to replace the framework of the Council of Europe Convention on Cybercrime (Budapest Convention); elevate the role of governments vis-à-vis other stakeholders; and likely give the United Nations authority for determining attribution and responding to malicious cyberactivity. While the United States and its partners seek to focus our cyber policy efforts on combatting threats to networks, cyber infrastructure, and other physical threats from cyber tools, China also emphasizes the threats posed by online content. In addition, some of these policies stand in sharp contrast to the U.S. view that all stakeholders should be able to contribute to the making of public policy regarding the Internet. Russia’s approach to cyberspace in the international context has focused on the maintenance of internal stability, as well as sovereignty over its “information space.” While Russia co-authored the Code of Conduct, with China and other Shanghai Cooperation Organization members, Russia’s ultimate goal is also a new international cyber convention, which they pair with criticism of the Budapest Convention. Russia has nonetheless found common ground with the United States on our approach of promoting the applicability of international law to state conduct in cyberspace as well as voluntary, nonbinding norms of state behavior in peacetime. Russia has also committed to the first ever set of bilateral cyber confidence building measures with the United States, as well as the first ever set of cyber CBMs within a multilateral institution, at the OSCE in 2013 and 2016 that I previously discussed. We counter these alternative concepts of cyberspace policy through a range of diplomatic tools that include not only engagement in multilateral venues, but also direct bilateral engagement and awareness-raising with a variety of state and non-state actors. I now would like to discuss some of the technical challenges and threats the United States faces and some of the tools we have to respond to and prevent cyber incidents. Responding to and Preventing Cyber Incidents Continuing Cyberthreats Cyberthreats to US national and economic security are increasing in frequency, scale, sophistication, and severity. In 2015, high-profile cyber incidents included the breach of health insurance company Anthem, Inc.’s IT system, resulting in the theft of account information for millions of customers; an unauthorized breach of the Office of Personnel Management’s systems, resulting in the theft of approximately 22 million personnel files; and hackers launching an unprecedented attack on the Ukraine power grid that cut power to hundreds of thousands of customers. Overall, the unclassified information and communications technology networks that support US government, military, commercial, and social activities remain vulnerable to espionage and disruption. As the Department noted in the Strategy we submitted last month, however, the likelihood of a catastrophic attack against the United States from any particular actor is remote at this time. The Intelligence Community instead foresees an ongoing series of low-to-moderate level cyber operations from a variety of sources, which will impose cumulative costs on US economic competitiveness and national security, pose risks to federal and private sector infrastructure in the United States, infringe upon the rights of US intellectual property holders, and violate the privacy of US citizens. In February, Director of National Intelligence James Clapper testified before Congress on the 2016 Worldwide Threat Assessment of the US Intelligence Community, and stated “Many actors remain undeterred from conducting reconnaissance, espionage, and even attacks in cyberspace because of the relatively low costs of entry, the perceived payoff, and the lack of significant consequences.” He highlighted the malicious cyber activities of the leading state actors, non-state actors such as Da’esh, and criminals who are developing and using sophisticated cyber tools, including ransomware for extortion and malware to target government networks. The Intelligence Community continues to witness an increase in the scale and scope of reporting on malicious cyberactivity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by U.S. victims. The motivation to conduct cyberattacks and cyberespionage will probably remain strong because of the gains for the perpetrators. Tools Available to Counter Cyberthreats The United States works to counter technical challenges through a whole-of-government approach that brings to bear its full range of instruments of national power and corresponding policy tools – diplomatic, law enforcement, economic, military, and intelligence – as appropriate and consistent with applicable law. The United States believes that deterrence in cyberspace is best accomplished through a combination of “deterrence by denial” – reducing the incentive of potential adversaries to use cyber capabilities against the United States by persuading them that the United States can deny their objectives – and “deterrence through cost imposition” – threatening or carrying out actions to inflict penalties and costs against adversaries that conduct malicious cyberactivity against the United States. It is important to note that there is no one-size-fits-all approach to deterring or responding to cyberthreats. Rather, the individual characteristics of a particular threat determine the tools that would most appropriately be used. The president has at his disposal a number of tools to carry out deterrence by denial. These include a range of policies, regulations, and voluntary standards aimed at increasing the security and resiliency of U.S. government and private sector computer systems. They also include incident response capabilities and certain law enforcement authorities. With respect to cost imposition, the president is able to draw on a range of response options from across the United States government. Diplomatic tools provide a way to communicate to adversaries when their actions are unacceptable and to build support and greater cooperation among, or seek assistance from, allies and like-minded countries to address shared threats. Diplomatic démarches to both friendly and potentially hostile states have become a regular component of the United States’ response to major international cyberincidents. In the longer term, US efforts to promote principles of responsible state behavior in cyberspace, including peacetime norms, are intended to build increasing consensus among like-minded states that can form a basis for cooperative responses to irresponsible state actions. Law enforcement tools can be used to investigate crimes and prosecute malicious cyber actors both within the United States and abroad. International cooperation is critical to cybercrime investigations, which is why the United States has promoted international harmonization of substantive and procedural cybercrime laws through the Budapest Convention, created an informal channel for data preservation and information sharing through the G7 24/7 network, and promoted donor partnerships to assist developing nations. Economic tools, such as financial sanctions, may be used as a part of the broader U.S. strategy to change, constrain, and stigmatize the behavior of malicious actors in cyberspace. Since January 2015, the president has provided guidance to the Secretary of the Treasury to impose sanctions to counter North Korea’s malicious cyber-enabled activities. Executive Order 13687 was issued, in part, in response to the provocative and destructive attack on Sony Pictures Entertainment, while Executive Order 13722 targets, among others, significant activities by North Korea to undermine cybersecurity, in line with the recently-signed North Korea Sanctions and Policy Enhancement Act of 2016. Aside from these North Korea-specific authorities, in April 2015, the president issued Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, which authorizes the imposition of sanctions against persons whose malicious cyber-enabled activities could pose a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Military capabilities provide an important set of options for deterring and responding to malicious cyberactivity. The Department of Defense continues to build its cyber capabilities and strengthen its cyber defense and deterrence posture. As part of this effort, the Department of Defense is building its Cyber Mission Force, which is already employing its capabilities to defend Department of Defense networks, defend the nation against cyberattacks of significant consequence, and generate integrated cyberspace effects in support of operational plans and contingency operations. In addition, Secretary of Defense Ashton Carter announced earlier this year that US forces are using cybertools to disrupt Da’esh’s command and control systems and to negatively impact its networks. Intelligence capabilities are also an important tool at the President’s disposal in detecting, responding to, and deterring malicious activities in cyberspace, particularly given the unique challenges associated with attributing and understanding the motivation behind such malicious activities. Even with this broad range of tools, deterring cyberthreats remains a challenge. Given the unique characteristics of cyberspace, the United States continues to work to develop additional and appropriate consequences that it can impose on malicious cyber actors. Capacity Building In addition to the tools that I have just outlined, the ability of the United States to respond to foreign cyberthreats and fight transnational cybercrime is greatly enhanced by the capabilities and strength of our international partners in this area. Therefore, the Department of State is working with departments and agencies, allies and multilateral partners to build the capacity of foreign governments, particularly in developing countries, to secure their own networks as well as investigate and prosecute cybercriminals within their borders. The Department also actively promotes donor cooperation, including bilateral and multilateral participation in joint cyber capacity building initiatives. In 2015, for example, the United States joined the Netherlands in founding the Global Forum on Cyber Expertise, a global platform for countries, international organizations, and the private sector to exchange best practices and expertise on cyber capacity building. The United States partnered with Japan, Australia, Canada, the African Union Commission, and Symantec on four cybersecurity and cybercrime capacity building initiatives. The Department also provided assistance to the Council of Europe, the Organization of American States, and the United Nations Global Program on Cybercrime to enable delivery of capacity building assistance to developing nations. Many traditional bilateral law enforcement training programs increasingly include cyber elements, such as training investigators and prosecutors in the handling of electronic evidence. Much of our foreign law enforcement training on combating intellectual property crime focuses on digital theft. In another example of capacity building, the Department of State, through its Bureau of International Narcotics and Law Enforcement Affairs, manages five International Law Enforcement Academies (ILEAs) worldwide, and one additional Regional Training Center. These six facilities provide law enforcement training and instruction to law enforcement officials from approximately 85 countries each year. The ILEA program includes a wide variety of cyber investigation training courses, from basic to advanced levels, taught by subject matter experts from the US Secret Service and other agencies and policy-level discussions with senior criminal justice officials. This serves as a force multiplier to enhance the capabilities of the international law enforcement community to collaborate in the effort to fight cybercrime. The Department of State is committed to continuing its capacity building initiatives as another effective way to counter international cyberthreats and promote international cyber stability. Looking ahead Cybersecurity will continue to be a challenge for the United States when we take into consideration the rapidly expanding environment of global cyberthreats, the increasing reliance on information technology and number of “smart devices,” the reality that many developing nations are still in the early stages of their cyber maturity, and the ongoing and increasingly sophisticated use of information technology by terrorists and other criminals. Thus, the Department of State anticipates a continued increase and expansion of our cyber-focused diplomatic and capacity building efforts for the foreseeable future. The Department will continue to spearhead the effort to promote international consensus that existing international law applies to state actions in cyberspace and build support for certain peacetime norms through assisting states in developing technical capabilities and relevant laws and policies, to ensure they are able to properly meet their commitments on norms of international cyber behavior. The Department of State remains appreciative of this Subcommittee’s continued support. Thank you for the opportunity to testify today. I am happy to answer your questions. Licenses and Attributions International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms by Christopher Painter comprises public domain material from the U.S. Department of State. UMGC has modified this work. International Cybersecurity Approaches While individual nations continue to develop and implement their understanding of and approaches to cybersecurity, international bodies have also begun to include the topic on their agendas and even establish special bodies to address cybersecurity. Cybersecurity challenges for international bodies—for example NATO, the United Nations, or the European Union—are unique as determined by the governing principles and membership of each body. Another factor is the approach of the member nations to key cybersecurity-related issues, such as privacy. Many nations, particularly those that are less technologically developed, do not have the resources to fully absorb and respond to cybersecurity requirements, much less to contribute to the efforts of international bodies to do so. Such nations may benefit most from the efforts of international bodies, particularly those efforts that are focused on developing strategies, understanding security solutions, and implementing defensive measures to protect networks and data. Cybersecurity: The Case for a European Approach May 27, 2016 At the June summit, which will take place after the UK referendum, the high representative of the Union for Foreign Affairs and Security Policy, Federica Mogherini, will present the results of her global review of external strategy. As part of the review process, the Human Security Study Group, at the LSE, which is convened by Mary Kaldor and Javier Solana, has presented a report entitled From Hybrid Peace to Human Security: Rethinking the EU Strategy Towards Conflict together with 12 background research papers. Conflicts are at the sharp end of contemporary crises. Refugees, extremist ideologies, criminality, and predation are all produced in conflict. Contemporary conflicts are sometimes known as “hybrid wars” or “new wars” in which classic distinctions between public and private, government/regular and rebel/irregular, and internal and external breakdown. They are best understood not as legitimate contests of wills (the twentieth-century idea of war) but as a degenerate social condition in which armed groups mobilize sectarian and fundamentalist sentiments and construct a predatory economy through which they enrich. Identifying ways to address violent conflict could open up strategies for dealing with broader issues. In this special openDemocracy series, the Human Security Study Group outlines the main conclusions of our report in our introductory essay together with six essays based on some of the background papers. These essays include an analysis of the conceptual premises of the Global Review (Sabine Selchow); three essays on specific conflict zones—Syria (Rim Turkmani), Ukraine (Tymofiy Mylovanov), the Horn of Africa (Alex de Waal); the importance of the EU’s justice instrument (Iavor Rangelov); and how EU cybersecurity policy is human rights-focused rather than state-focused (Genevieve Schmeder and Emmanuel Darmois). The EU objective of developing a cyber soft power privileging defense, resilience, and civil society sharply contrasts with national cybersecurity policies developed both inside and outside Europe. The increasing digitalization of our societies creates new vulnerabilities both to accidents and to intentional threats. Malevolent individuals and organizations may, without any physical presence, infiltrate all possible networks, including the most sensitive ones, modify the behavior of applications and compromise data. Every individual as well as governmental, nongovernmental, and business organization may be targeted. Hence the growing concern of cyberthreats, whose characteristics relate them more to human security than to traditional security approaches: They transcend international boundaries, mostly concern civil societies, are in essence asymmetrical, and have a crucial human rights dimension. We focus here on EU policies in the field and their specificities. They end up in shaping a distinctive EU approach to cybersecurity that does reject the kind of technological determinism and mass surveillance that tends to characterize the approaches of most other national and international actors. Cybersecurity: Its Nature, Actors, and Real Threats Cybersecurity has to do with the prevention, detection, mitigation, and response to destructive or malevolent practices developed in cyberspace, which affect computer systems and their associated data. These practices range from the least damaging, which disrupt nonessential services or are mainly a (costly) nuisance, to the potentially catastrophic (sabotage of critical infrastructures; accidents or disasters causing bloodshed). They have become mainstream, extremely frequent and have growing negative economic, societal, and security consequences. The gradual emergence of cyberspace since the end of the ’70s has gone together with some enabling factors, such as anonymity, impunity, and cost reduction. Another crucial factor for the development of cyberthreats is the proliferation of vulnerabilities, both technical and human. Today’s cyber systems have complex architectures that are highly interdependent and hard to test exhaustively, which use vulnerable end-user devices (e.g., smartphones). The human factor is even more crucial since most often it is people, either through lack of attention or ignorance, who are the weak link. All these vulnerabilities have created opportunities for organized criminals with a financial motivation, which also use cyberspace for their traditional activities. Theft and illegal trade of sensitive data (personal data, intellectual property, R&D, business-strategic data, etc.), money extortion and laundering, sexual abuse, etc., are a very fast-growing segment of cybercriminality, which has become a true industry, constantly seeking to improve both its division of labor and its technology. Targeted companies and legal actors are in a difficult defensive position. They are generally reluctant to communicate their problems, for fear of loss of reputation or of negative reactions from customers or stakeholders. Furthermore, effective cybersecurity requires huge investments, and securing just a link in the chain is not enough. Yet it seems that the cost of poor cybersecurity is still considered as bearable and that arbitration against cybersecurity spending persists. Yet the worst may be still to come with the emergence of sabotage as a new frontier for cybercriminality, in particular with the emergence of intelligent transport systems, eHealth, smart grids, or the Internet of things. Indeed, technically, it is already feasible and possible (or it will be soon) to get control of some connected objects, or to disrupt elements of electricity distribution networks, water treatment plants, emergency services, and so forth. Moreover, terrorists and jihadist organizations have swiftly recognized the benefits of using the Internet as a part of their arsenal. So far, however, despite scenarios in which sophisticated cyberterrorists break into critical infrastructures, they have not inflicted the kind of damage that would qualify them as cyberterrorism. The Role of Governance, State Actors, and Transparency States are mobilizing important resources for their cybersecurity activities that are both military and civilian, defensive and offensive. In the military field, most states develop capabilities to back traditional military operations. A number of them—including several European countries —consider that offensive defense is not enough. Preparing for aggressive cyberwar which, unlike conventional war, is not subject to any rule or control, they include preemptive digital strikes in their global panoply. They are behind the most sophisticated cyberthreats, which involve a wide range of actions, from disinformation, vandalism, economic cybercriminality, espionage, to sabotage. Involved military and intelligence services often hide their aggressive and malicious actions behind other malevolent actors. Beyond the potentially lower costs, the main advantage of leaving the attacks to informal cyber gangs is that states can deny their responsibility. In the economic domain, all governments consider as their obligation to have capabilities to defend their domestic infrastructures and economy. Though this defensive approach is well in line with the protection role expected from the nation-state, it is mostly fulfilled by the private sector itself. When it comes to the political dimension, the situation is different. While it is difficult to find nation-states that have a genuine policy of using their cyber capabilities to defend their civil society, it is extremely easy to find examples of states that are using their cyber capabilities to push their political agendas against civil societies, very often starting with their own. The life of active participants in civil society is thus becoming difficult, due to government pressure—generally justified in the name of the fight against terrorism—against the use by the public of protective technologies such as encryption and the lack of a basic regulation of cyberspace. The activity of civil societies in cyberspace is largely relying on the openness of the Internet, which relies not only on the possibility of deploying new applications and services in a simple way and on the availability of cheap or free resources that can be easily assembled and set up, but also on the “open” and transparent governance of Internet. As some actions (such as whistle-blowing for instance) are considered as illegitimate by existing powers, the supporting actors may need to be protected against nation-states, the most active enemies of civil societies in cyberspace. In most countries, however, governments and government agencies systematically attempt to delegitimize the right to use technologies such as encryption, supposedly because this would undermine the state’s security. From this standpoint, the EU is developing a different approach that is addressed in the next sections. The EU’s Approach to Cybersecurity The first overarching approach to cybersecurity in the EU was the European Cybersecurity Strategy, presented in February 2013, which announced three basic principles: The same core values, laws, and norms that apply in the physical world apply also in the cyber domain; the Internet is a public or collective good that should be available and accessible to all; the governance model for Internet should be democratic, and cybersecurity policy should be a shared and multistakeholder responsibility. The strategy also defined five strategic priorities, which included establishing a coherent international cyberspace policy in order to promote core EU values (EU “cyber diplomacy”). Europe has in effect an ambition to be a normative global actor, capable of creating an effective and constructive culture of cybersecurity within and beyond the EU. EU cybersecurity policy diverges both from policies pursued in EU member states and from policies that are being developed in the rest of the world in many important respects, in particular the nature of cyber power, the governance model, and respect for fundamental rights. The EU, in conformity with its core norms and values, doesn’t develop the kind of hard and offensive cyber power concept pursued by those states that approach the issue through the logic of national security and superiority. The EU approach is basically legalistic and protective. It focuses on soft power capabilities, i.e., building capacities that enable detection, response and recovery from sophisticated cyberthreats. In the defense/military field, the EU is solely engaged in cyber self-protection and assured access to cyberspace to enable its operations and missions. Offensive capabilities, when they exist, are not developed or deployed under the EU banner. Europe’s is crucially different from the concept defined in the United States after the terrorist attacks on September 11, 2001, and with approaches carried on by other crucial state players, such as the Russian Federation, the People’s Republic of China, all widely suspected of sponsoring various forms of cyberattacks for political purposes, together with the majority of individual EU member states, which do allocate significant budgets and personnel to developing cyberoffensive capabilities. Governance Models Governance models broadly oppose multistakeholder to governmental models. On one side, a number of non-European countries, such as the United States, Japan, Canada, and Australia, share with the EU the vision of multistakeholder governance. They consider that traditional top-down state-centered models are ill-suited to global, decentralized, publicly shared but largely privately developed communication networks. They do not agree, however, on the list of relevant stakeholders. While the EU recommends the inclusion of all players—from citizens to governments—the United States argues for a predominantly nongovernmental model with the strong participation of the business sector. On the other side, the multistakeholder approach is highly contested by a number of countries, such as Russia, China, Iran, and India, which defend both a centralized and intergovernmental approach. Arguing that Western countries are holding too much power over the management of the Internet and that they themselves are underrepresented in the actual global Internet governance institutions, they plead in favor of much more governmental involvement in cyberspace, and they want the Internet to be governed at the international level by intergovernmental organizations. The EU, given its unique features, has in theory the potential to be a model for other regions of the world, since it is a remarkable full-sized “institutional laboratory,” which must constantly find compromises and trade-offs between contradictory actors, principles, instruments, and interests. The EU is also building a consistent and comprehensive governance model, with a decentralized structure in which different agencies and institutions are responsible for different aspects of the digital world, and political and legal control is exercised by two major institutional players: the EU Parliament and the European Court of Justice, which play an essential role in avoiding the capture of the regulatory game by economic lobbies, political leaders, or technological experts, thereby ensuring a balance between cybersecurity, public interest, and other legitimate economic, commercial, or regional interests, and the defense of citizens’ rights and freedoms. Fundamental Rights’ Protection In the cyber domain, the main difference between the EU and other approaches is the attention paid to respect for civil liberties and the rule of law, including international law, and to the promotion and defense of fundamental rights. While the EU, which cannot depart from the principles of the European Charter of Human Rights, is preoccupied with balancing cybersecurity with the protection of such rights, individual countries—both outside and inside Europe—are more ready to accept derogations for reasons of national security. Indeed, to a large extent, EU cybersecurity policy has been a reactive rather than a proactive policy. Normative texts set up by the EU in the field of cybersecurity have often appeared as reactions to external circumstances. The successive revelations of US surveillance activities concerning European citizens, for instance, had an undisputable norm-productive effect. It brought the issue of rights and democracy under closer scrutiny, and increased pressure within the EU to ensure respect for European citizens’ rights online, both domestically and abroad. Conclusions The digitalization of our societies creates new forms of vulnerability and new potential threats, as ill-intentioned people can relatively easily gain access both to sensitive information and to the operation of crucial services. Critical infrastructure systems are complex and therefore bound to contain weaknesses that might be exploited. Malevolent actors—which include states as well as criminals and terrorists —can at least in theory approach targets that would otherwise be utterly unassailable, such as power grids or air traffic control systems, that might be attacked to inflict human or material destruction. So far such cyberattacks have not killed people, but this could come in a relatively near future. Such threats are addressed by cybersecurity policies whose effective implementation depends not only on state actions but also on public-private cooperation and on coordination between policy areas and international institutions, especially the EU. In recent years, the EU has been working to implement a consistent, balanced, and overarching cybersecurity strategy, built on internal resilience and its core values. The EU’s declared ambition is to make its digital environment not only the most secure but also the most respectful of the citizens’ fundamental rights in the world. This is a real challenge, given the difficulty of finding a satisfactory and sustainable balance between security, freedom, and protection of citizens’ fundamental rights. The EU objective of developing a cyber soft power privileging defense, resilience, and civil society sharply contrasts with national cybersecurity policies developed both inside and outside Europe. In Europe, where governments tend to play on emotional reactions to terrorist threats to support traditional national security approaches, some uncertainty remains over member state buy-in for such a common EU approach. In the rest of the world, major cyber players have different concepts, cultures, and logics on these matters, particularly regarding norms for cybersecurity behavior. How to find compromises capable of satisfying these opposite exigencies (security and rights protection), which are complementary imperatives lying at the root basis of democratic systems? It is certainly wrong to regard the negative impact of communication technologies as uncontrollable, but also to imagine that one can bring them completely under control. Too much security kills security, and some policy responses to cyberthreats are just as worrying in the long term as the evils to which they pretend remedy. Licenses and Attributions Cybersecurity: The Case for a European Approach by Genevieve Schmeder and Emmanuel Darmois from openDemocracy is available under a Creative Commons Attribution-NonCommercial 4.0 International license. UMGC has modified this work and it is available under the original license. NATO Cybersecurity Approaches The North Atlantic Treaty Organization (NATO), established in 1949, is a 28-member international alliance whose purpose is to “…safeguard the security and freedom of its members through political and military means” (NATO, n.d.).” Specifically, NATO promotes democratic values and encourages consultation and cooperation on defense and security issues to build trust and, in the long term, prevent conflict is committed to the peaceful resolution of disputes. As an international organization with operational capacity, NATO has lagged in its approach to cybersecurity, although recent events indicate NATO’s recognition of and commitment to cyber defense. Since 2014—and, as agreed to by the allies at the NATO Summit that same year—NATO has established two cyberdefense priorities. The first is the protection of NATO’s networks, which is made difficult due to the geographic span of the alliance, as well as the vastly different operational sites. The objective is to “…ensure that the communications and information systems that the Alliance relies upon for its operations and missions are protected against threats emanating from cyberspace” (Robinson, 2016). The second priority is to help NATO member nations to develop their own cyberdefense capacity and capabilities, starting with the fundamentals of providing assistance in creating individual cyberdefense strategies. To that end, NATO offers education, training, and exercises to support member nation needs. It is important that each member nation raises the bar on its own cyberdefense capabilities because the alliance as a whole is only as strong as its weakest member nation (Robinson, 2016). The maturation of NATO perspectives on cyberdefense continues to date, most recently marked by the June 2016 acknowledgement by NATO defense ministers that cyberspace is a domain of warfare. The announcement, made on the same day that the US Democratic National Committee announced that its networks had been hacked, appears to have been made in an effort to improve the security of member nation networks. “The effort is designed to bolster the Allies’ cyberdefenses, but also will begin a debate over whether NATO should eventually use cyber weapons that can shut down enemy missiles and air defenses or destroy adversaries’ computer networks” (Barnes, 2016). References Barnes, J. (2016, June 14). NATO recognizes cyberspace as new frontier in defense. The Wall Street Journal. Retrieved from http://www.wsj.com/articles/nato-to-recognize-cyberspace-as-new-frontier-in-defense-1465908566 NATO. (n.d.). What is NATO? Retrieved from http://www.nato.int/nato-welcome/index.html Robinson, N. (2016). NATO: Changing gear on cyber defense. NATO Review. Retrieved from http://www.nato.int/docu/Review/2016/Also-in-2016/cyber-defense-nato-security-role/EN/index.htm United Nations Cybersecurity Approaches The United Nations (UN) was founded in 1945, and is currently composed of 193 member states. The mission of the UN is as follows: maintain international peace and security develop friendly relations among member nations based on respect for equal rights achieve international cooperation in solving international problems to be a center for harmonizing actions of nations in attaining common goals The UN has been considering cybersecurity approaches since the late 1990s, when cybersecurity first appeared on the agenda of the UN General Assembly. Since that time, it has appeared on the agenda annually, with various resolutions offered, discussed, and often voted upon and passed. Most of the resolutions in the past, however, have focused more on general agreement of the growing cybersecurity threat or emerging interest in understanding the role of the UN in relation to cybersecurity. Past cybersecurity discussions have been conducted under the title “developments in the field of information and telecommunications in the context of international security.” 2014-15 marked a turning point in the UN’s approach to cybersecurity, as it directed the establishment of a Group of Governmental Experts (GGEs) to study and make recommendations on cybersecurity. While this was not the first GGE to assemble and discuss this topic, this particular GGE worked for a year to develop a consensus report—one that was highly anticipated among UN members. “In the report, experts from 20 states agreed upon an impressive array of recommendations for confidence-building measures, capacity-building efforts, and voluntary, non-binding norms” (Korzak, 2015). The 2014-15 GGE report focused on information and communications technology (ICT), which acknowledged the disturbing trends that threatened international peace and security. It also emphasized the importance of cooperation among member states to reduce risks posed by these threats. The group also examined applicable international laws and norms, noting that “…states should guarantee full respect for human rights, including privacy and freedom of expression” (GGE, 2015). The recommendations include the following (GGE, 2015): States should not conduct or support ICT activity that damages or impairs critical infrastructure. States should take appropriate measures to protect their critical infrastructure. States should not harm the information systems of authorized emergency response teams—or use those teams—to engage in malicious international activity. States should encourage reporting of ICT vulnerability, ensure the integrity of the supply chain, and prevent the proliferation of malicious ICT tools and techniques While previous resolutions have “taken note” of the GGE report conclusions, the 2015 conclusions “…’calls upon’ member states ‘to be guided in their use of information and communications technologies'” (Korzak 2015). These conclusions marked a significant shift in the UN’s prerogative of information security. References Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). (2015). UNGA A/70/174. United Nations Charter. (n.d.). Purposes and principles. http://www.un.org/en/charter-united-nations/index.html Korzak, E. (2015). Cybersecurity at the UN: another year, another GGE. Lawfare. Retrieved from https://www.lawfareblog.com/cybersecurity-un-another-year-another-gge
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
International Cybersecurity Threat Matrix Country: Cyber Culture (i.e., How does the country view cyber threats? Is this consistent with the general country culture?) Cybersecurity Threats Cyber Legal Perspective/Cyber Economic Perspective Response to Cyberterrorism/Recruiting Country: Cyber Culture (i.e., How does the country view cyber threats? Is this consistent with the general country culture?) Cybersecurity Threats Cyber Legal Perspective/Cyber Economic Perspective Response to Cyberterrorism/Recruiting Country: Cyber Culture (i.e., How does the country view cyber threats? Is this consistent with the general country culture?) Cybersecurity Threats Cyber Legal Perspective/Cyber Economic Perspective Response to Cyberterrorism/Recruiting
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
International Cybersecurity Environmental Scan Template Country: _________________________ What are some unique characteristics of the country’s culture that make cyberspace issues more challenging? If you projected forward into the next decade, what things do you think will change? What could be the catalyst(s) for change? From an economic perspective, is there a possibility that the country will take a different approach with regard to cyberspace than it has in the past? From the criminality perspective, does the country do enough in the cyberspace area? What changes would you suggest if you were the US ambassador to these countries? Describe and discuss the potential impact of your recommendations.
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
Botnet Research Template Learning Content Key Botnet Notes International Concerns Botnets Creating Profit Global Botnets and Emerging Issues Botnet Attack at Westwood Mutual
Project 6: Global Approaches to Cybersecurity Start Here As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu
What Is a Botnet? A botnet is a network of bots (sometimes explained as a contraction of the word robots). Essentially a bot is a program that, much like a RAT, allows a third party to direct the affected machine to perform certain tasks. However, unlike a RAT, bots don’t sit around on the affected machine waiting for a third party to find and connect to them. Instead, they go out and connect to one or more communication points where other instances of the bot have also connected and await instruction. In this way, the third party can give instructions to thousands of affected computers at once. The simplest botnet configuration is where all the bots connect to a single hub, such as an IRC chat room, where the bot master (the third party controlling the bots) will give them instructions. Although this is conceptually simple, it suffers from problems of scale: The more bots connected to a central communication server, the harder it will be for that server to cope with all the connections. A hierarchical network, where the bot master communicates with only a few (hundred?) bots, which in turn each command a few (hundred?) more and so on, is also possible. This has the benefit of scaling better and allowing the bot master to cultivate a much larger botnet. A third possible configuration is a peer-to-peer network between bots so that the bot master need only communicate with a single bot, which in turn spreads the command to its bot peers. A peer-to-peer configuration can help with scaling as well, but the more significant strength is its nonreliance on a central communication point that might get attacked and/or shut down. In addition to the more sophisticated communication pathway between the machine and the remote third party, another difference between a bot and a RAT is that although a bot gives control of the affected machine to a remote third party, a bot would never be used for remote administration purposes. A botnet’s strength is in aggregating control over huge numbers of machines, and while a remote control software may be a legitimate means to perform quick and dirty remote administration of one or two machines, when you get to large numbers, more formal techniques and technologies (such as Group Policy or Active Directory) become appropriate. One way bots can get installed on a system is by tricking the user into running an e-mail or instant message attachment or other file downloaded from the Internet, and in this case the bot would qualify as a Trojan horse at the very least. Bots also are often able to spread themselves to systems by self-replication either as worms or viruses or both. In fact self-replication is often the best way to affect large numbers of systems, as we have seen time and again with worms like Blaster and Slammer. Licenses and Attributions What Is a Botnet? from anti-virus rants is available under a Creative Commons Attribution 2.5 Generic license. UMGC has modified this work and it is available under the original license. Taking Down Botnets Joseph Demarest, Assistant Director, Cyber Division, Federal Bureau of Investigation Statement before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism, July 15, 2014 Good morning, Senator Whitehouse. I thank you for holding this hearing today, and I look forward to discussing the progress the FBI has made on campaigns to disrupt and disable significant botnets. As you well know, we face cyberthreats from state-sponsored hackers, hackers for hire, organized cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas—things of incredible value to all of us. They may seek to strike our critical infrastructure and our economy. The threat is so dire that cybersecurity has topped the director of national intelligence list of global threats for the second consecutive year. Cybercriminal threats pose very real risks to the economic security and privacy of the United States and its citizens. The use of botnets is on the rise. Industry experts estimate that botnets attacks have resulted in the overall loss of millions of dollars from financial institutions and other major US businesses. They also affect universities, hospitals, defense contractors, government, and even private citizens. The weapons of a cybercriminal are tools, like botnets, which are created with malicious software that is readily available for purchase on the Internet. Criminals distribute malicious software, also known as malware, that can turn a computer into a bot. When this occurs, a computer can perform automated tasks over the Internet, without any direction from its rightful user. A network of these infected computers—numbering in the hundreds of thousands or even millions—is called a botnet (robot network), and each computer becomes connected to a command-and-control server operated by the criminal. Once the botnet is in place, it can be used in distributed denial of service (DDoS) attacks, proxy and spam services, malware distribution, and other organized criminal activity. Botnets can also be used for covert intelligence collection, and terrorists or state-sponsored actors could use a botnet to attack Internet-connected critical infrastructure. And they can be used as weapons in ideology campaigns against their target to instigate fear, intimidation, or public embarrassment. A botnet typically operates without obvious visible evidence and can remain operational for years. Our personal computers can become part of a botnet—it only takes one wrong click for a home user to download malicious code. For example, you might get an unsolicited e-mail promoting a dating website or a work-at-home arrangement or an e-mail that appears to come from your bank containing a seemingly harmless link. You could be sent a link by a friend asking you to view a great video, which was actually sent because your friend’s computer is already infected. You could see a link on a webpage that seems to be soliciting donations for a recent tragedy. And you might even visit a fraudulent website—or a legitimate one that’s been compromised—and download video, pictures, or a document containing malicious code. Once the malware is on your computer, it’s hard to detect. In addition to your computer being commanded to link up with other compromised computers to facilitate criminal activity, the bot can also collect and send out your personally identifiable information—like credit card numbers, banking information, and passwords—to the criminals running it. Those criminals will take advantage of the information themselves or offer it for sale on cybercriminal forums. The impact of this global cyberthreat has been significant. According to industry estimates, botnets have caused over $9 billion in losses to US victims and over $110 billion in losses globally. Approximately 500 million computers are infected globally each year, translating into 18 victims per second. The FBI, with its law enforcement and private sector partners, has had success in taking down a number of large botnets. But our work is never done, and by combining the resources of government and the private sector, and with the support of the public, we will continue to improve cybersecurity by identifying and catching those who threaten it. FBI’s Cybercriminal Strategy Due to the complicated nature of today’s cybercriminal threat, the FBI has developed a strategy to systematically identify cybercriminal enterprises and individuals involved in the development, distribution, facilitation, and support of complex criminal schemes impacting US systems. This complete strategy involves a holistic look at the entire cyber underground ecosystem and all facilitators of a computer intrusion. The FBI’s overall goal is to remove, reduce, and prevent cybercrime by attacking the threat through the identification of the most significant cybercriminal actors. Our success can only be attained through coordination of our overall cybercriminal strategy amongst all FBI Cyber Division’s existing and emerging entities. Just last month, the FBI Cyber Division evolved to create a threat-model approach to address the most significant domestic and international cyberthreats. The FBI cybercriminal strategy consists of the newly established Major Cyber Crimes Unit, which serves as the primary headquarters unit addressing the cybercriminal threat by providing strategic and field office operational support; the Cyber Initiative and Resource Fusion Unit (CIRFU), which supports the National Cyber Forensics and Training Alliance (NCFTA) and is composed of representatives from industry, academia, and the FBI; and the Internet Crime Complaint Center (IC3), which has a vital role in the identification of cyberfraud-related threats. All of these entities work together to enhance and support field office operations by developing and maintaining long-term strategies to infiltrate cybercriminal networks, provide tactical support, and develop intelligence collection opportunities against predicated targets. The FBI cybercriminal strategy also includes working closely with our international partners to develop a holistic assessment of the threat posed by cybercriminals and organizations to partner countries. Through this collaborative process, the FBI hopes to launch aggressive and comprehensive mitigation strategies through joint investigations and operational partnerships with law enforcement partners, private industry, and academia. These important components of the FBI cybercriminal strategy coordinate efforts with the National Cyber Investigative Joint Task Force (NCIJTF), which is intended to be the focal point for all US government agencies to coordinate, integrate, and share domestic cyberthreat information specific to national security investigations. FBI Efforts to Combat Botnets Through the NCIJTF and in alliance with its US government (USG) partners, international partners, and private sector stakeholders, the FBI has worked collaboratively in developing a multipronged effort aimed at defeating the world’s most dangerous botnets. Over the past several years, the FBI’s efforts to combat these significant cyberthreats have caused the disruption and dismantlement of numerous botnets, including Butterfly Bot, Rove Digital, Coreflood, ZeroAccess, and GameOver Zeus, resulting in numerous arrests, extraditions, and convictions. Operation Clean Slate In April 2013, the FBI initiated an aggressive approach to disrupt and dismantle the most significant botnets threatening the US economy and our national security. This initiative, named Operation Clean Slate, is spearheaded by the FBI’s NCIJTF. It is a comprehensive public/private effort engineered to eliminate the most significant botnets jeopardizing US interests by targeting the criminal coders who create them. This initiative incorporates all facets of the USG, international partners, major Internet service providers, the U.S financial sector, and other private sector cyber stakeholders. Operation Clean Slate has three objectives: (1) to degrade or disrupt the actor’s ability to exfiltrate sensitive information from US networks through arrests, by deploying a technical solution to interrupt the botnet, and by working with private sector partners to update security software that detects and damages the bot’s malware; (2) to increase the actor’s cost of business by causing wasted time debugging failures or forcing an actor to write new code for new botnet attacks; and (3) to seed uncertainty in the actor’s cyber activity by causing concern about potential or actual law enforcement action. The FBI Cyber Division ranked the Citadel botnet as the highest priority under the Operation Clean Slate initiative. In June 2013, the FBI, in coordination with its partners, disrupted the Citadel botnet, which had facilitated unauthorized access to computers of individuals and financial institutions to steal online banking credentials, credit card information, and other personally identifiable information. Citadel was responsible for the loss of over a half-billion dollars. Over 1,000 Citadel domains were seized, accounting for more than 11 million victim computers worldwide. In separate but coordinated operations, the FBI, Microsoft, and financial services industry leaders successfully disrupted more than 1,000 botnets built on Citadel malware in a massive global cybercrime operation that is estimated by the financial services industry to have been responsible for over half a billion dollars in financial fraud. Microsoft exercised its independent civil authorities in this matter. The company then coordinated with the FBI and other private parties. The FBI provided information to foreign law enforcement counterparts so that they could also take voluntary action on botnet infrastructure located outside of the United States. The FBI also obtained and served court-authorized search warrants domestically related to the botnets. Building on the success of the disruption of Citadel, in December 2013, the FBI and Europol, together with Microsoft and other industry partners, disrupted the ZeroAccess botnet. ZeroAccess was responsible for infecting more than two million computers, specifically targeting search results on Google, Bing, and Yahoo search engines, and is estimated to have cost online advertisers $2.7 million each month. Recent Successes Other recent FBI successes in combating the botnet threat include domestic and international investigative efforts which have resulted in indictments, arrests, and extraditions. Examples include: In April 2011, the FBI executed criminal seizure warrants to disable an international botnet consisting of hundreds of thousands of computers infected with a malicious software program known as Coreflood. Coreflood allowed infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and used that information to steal funds. In November 2011, a two-year FBI investigation called Operation Ghost Click resulted in the dismantlement of an international cyber ring that infected millions of computers worldwide with a virus that enabled the thieves to manipulate the multibillion-dollar Internet advertising industry. In November 2013, three Estonian nationals were extradited to the United States to face charges related these crimes. In December 2012, the FBI disrupted an international organized cybercrime ring related to Butterfly botnet, which stole computer users’ credit card, bank account, and other personally identifiable information. Butterfly botnet compromised more than 11 million computer systems and resulted in over $850 million in losses. The FBI, along with international law enforcement partners, executed numerous search warrants, conducted interviews, and arrested 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States. In April 2014, the FBI’s investigative efforts resulted in the indictments of nine alleged members of a wide-ranging racketeering enterprise and conspiracy who infected thousands of business computers with malicious software known as Zeus, which is malware that captured passwords, account numbers, and other information necessary to log into online banking accounts. The conspirators allegedly used the information captured by Zeus to steal millions of dollars from account-holding victims’ bank accounts. In May 2014, the FBI announced the indictments of a Swedish national and a US citizen believed to be the codevelopers of a particularly insidious computer malware known as Blackshades. This software was sold and distributed to thousands of people in more than 100 countries and has been used to infect more than half a million computers worldwide. Also charged and arrested in the United States was an individual who helped market and sell the malware, and two Blackshades users who bought the malware and then unleashed it upon unsuspecting computer users, surreptitiously installing it on their hardware. At least 40 FBI field offices conducted approximately 100 interviews, executed more than 100 e-mail and physical search warrants, and seized more than 1,900 domains used by Blackshades users to control victims’ computers, and at least 18 other countries were involved in executing more than 90 arrests and more than 300 searches. In June 2014, the FBI announced a multinational effort to disrupt the GameOver Zeus botnet, the most sophisticated botnet that the FBI and its allies had ever attempted to disrupt. GameOver Zeus is believed to be responsible for the theft of millions of dollars from businesses and consumers in the US and around the world. This effort to disrupt it involved impressive cooperation with the private sector and international law enforcement. GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects. In the case of GameOver Zeus, its primary purpose is to capture banking credentials from infected computers, then use those credentials to initiate or redirect wire transfers to accounts overseas that are controlled by the criminals. Losses attributable to GameOver Zeus are estimated to be more than $100 million. Way Forward The FBI is proud of these successes, but we recognize that we must constantly strive to be more efficient and effective. Just as our adversaries continue to evolve, so too must the FBI. We live in a time of sophisticated cybercriminal threats—threats that most often impact our private citizens. Much like with the FBI’s other investigative priorities where we focus on impacting the leaders of a criminal enterprise or terrorist organization, we are focusing on the major cyber actors behind the botnets. The FBI must also continue to develop and deploy creative solutions in order to defeat today’s complex cyberthreat actors. This includes research and development addressing how to identify and shut down botnets faster than they are created and used. We also strive to build better relationships in order to overcome the obstacles that prevent us from collaborating and sharing information. We remain focused on defending the United States against these threats, and we welcome opportunities like the one today to discuss these efforts. We are grateful for the committee’s support, and we look forward to working with you as we continue to forge aggressive campaigns against botnets. Licenses and Attributions Taking Down Botnets by Joseph Demarest comprises public domain material from the Federal Bureau of Investigation, U.S. Department of Justice. A botnet is a network of computers, or “bots,” that are maliciously infected with malware that allows them to be controlled as part of a network. Botnets are used to infect other networks or systems, to launch malicious email (spam), and to conduct distributed denial-of-service (DDoS) attacks. Bots have the ability to cause significant harm by limiting access to functions or enabling the covert communications of rogue actors. Botnets generally leverage computers without the knowledge of the owner, using the computers to increase the capacity of the botnet to wreck damages. As with other networks, botnets can operate using several different configurations, including peer-to-peer, hierarchical, or hub and spoke. Botnets operate under the command and control of a lead or central computer.