CASE DEFENSE
SOLVENCY
1NC SOLVENCY
No solvency --- US demand doesn’t drive global zero-day use
Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate
professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer
science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc.,
April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern
Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn
P165 It
is interesting to ponder whether the policy of immediately reporting vulnerabilities could disrupt the
zero-day industry. Some members of the industry, such as HP DVLabs, "will responsibly and promptly notify the
appropriate product vendor of a security flaw with their product(s) or service(s)." n245 Others, such as VUPEN, which
"reports all discovered vulnerabilities to the affected vendors under contract with VUPEN," n246 do not. Although it would be a great benefit to
security if the inability to sell to law enforcement caused the sellers to actually change their course of action, U.S. law enforcement is unlikely
to have a major impact on the zero-day market since it is an international market dominated by national
security organizations .
Can’t solve lack of trust within the private sector --- regulatory and competitive barriers
Jaffer 15 [Jamil N., Adjunct Professor of Law and Director, Security Law Program, George Mason University
Law School, Occasional Papers Series, published by the Dean Rusk Center for International Law and Policy, 41-2015, “Cybersecurity and National Defense: Building a Public-Private Partnership,”
http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc] //khirn
But, second, and perhaps
even more important, is the lack of trust within the private sector — the inability of
private industry actors to communicate with one another the threats they’re seeing. And there are a lot of reasons for that.
There are regulatory reasons, there are competitive reasons, and there’s just an inherent sense of, “It’s hard for me to
tell the guy next door what I’m doing.” Now, the truth is that at the systems administrator level this happens all the time. Systems
administrators of major corporations all the time will call each other up and say, “Hey, I’m seeing this on my network. Are you seeing it?” And the reason
that relationship works is because they trust each other. They know that the other sys admin is not going to, you know, screw them over competitively.
They do worry at the corporate level , however. If general counsel were to know about this kind of conversation going on, they’d
probably be tamping it down and saying, “Look, you can’t be talking to, you know, the sys admin over at our competitor because who knows if he tells his
CEO what’s going to happen to us competitively.”
Vulnerabilities inevitable --- orphans
Bellovin et al 14 (Steven M. Bellovin (computer science prof at Columbia), Matt Blaze (associate prof at
UPenn, Sandy Clark (Ph.D student at UPenn), & Susan Landau (Guggenheim fellow), April 2014, Lawful
Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern Journal of Technology
and Intellectual Property, April, 2014, 12 Nw. J. Tech. & Intell. Prop. 1, lexis) /AMarb
To whom should a vulnerability report be made? In many cases, there is an obvious point of contact: a software
vendor that sells and maintains the product in question, or, in the case of open-source software, the community
team maintaining it. In other cases, however, the answer is less clear. Not all software is actively maintained;
there may be “orphan” software without an active vendor or owner to report to.253 Also, not all vulnerabilities
result from bugs in specific software products. For example, standard communications protocols are
occasionally found to have vulnerabilities,254 and a given protocol may be used in many different products and
systems. In this situation, the vulnerability would need to be reported not to a particular vendor, but to the
standards body responsible for the protocol. Many standards bodies operate entirely in the open,255 however,
which can make quietly reporting a vulnerability—or hiding the fact that it has been reported by a law
enforcement agency—problematic. In this situation, the choice is simple: report it openly.
Can’t solve info sharing --- legal barreirs
Bucci, Ph.D., Rosenzweig and Inserra 13 (Steven P., Paul, and David, April 1, 2013, A Congressional
Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace, Heritage Foundation,
http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-securityprosperity-and-freedom-in-cyberspace) /AMarb
There are four steps that can be taken to enable and encourage the needed cyber information sharing. First, Congress
should remove
barriers to voluntary private-sector sharing. Currently, legal ambiguities impede greater collaboration and sharing
of information.[14] As a result, nearly every cybersecurity proposal in the last Congress contained provisions for clarifying these ambiguities to
allow sharing. The 2011 Cyber Intelligence Sharing and Protection Act (CISPA), the Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology (SECURE IT) Act of 2012, and the Cyber Security Act (CSA) of 2012 all authorized sharing by stating that
“[n]otwithstanding any other provision of law” a private-sector entity can “share” or “disclose” cybersecurity threat
information with others in the private sector and with the government.[15] While sharing information is important, all of it
should be voluntary, in order to encourage true cooperation. After all, any arrangement that forces a business to share information
is, by definition, not cooperation but coercion. Voluntary sharing will also allow organizations with manifest privacy concerns to simply avoid sharing
their information, while still receiving helpful information from the government and other organizations. Second, those entities that share information
about cyber threats, vulnerabilities, and breaches should have legal protection. The fact that they shared data about an attack, or
even a complete breach, with the authorities should never open them up to legal action. This is one of the biggest
hindrances to sharing today, as it seems easier and safer to withhold information than to share it, even if it will benefit others. The Information
Technology Industry Council (ITIC) provides several examples of how liability concerns block effective information sharing. Under
current law, “Company
A [could] voluntarily report what may be a cybersecurity incident in an informationsharing environment, such as in an ISAC (Information Sharing and Analysis Centers), or directly to the government, such as to the
FBI.” The result of such sharing could be that government prosecutors, law enforcement agencies, or civil attorneys use this
information as the basis for establishing a violation of civil or criminal law against Company A or a customer, partner,
or unaffiliated entity harmed by the incident sues Company A for not informing them of the incident as soon as they
were aware of it. Company A’s disclosure can be seen as a “smoking gun” or “paper trail” of when Company A knew about a risk event though
Company A did not yet have a legal duty to report the incident. Such allegation could lead to costly litigation or settlement
regardless of its validity.[16] With the threat of legal action, businesses have determined that they are better off not
sharing information. Strong liability protection is critical to expanding information sharing. Third, the information
that is shared must be exempted from FOIA requests and use by regulators. Without such protection, a competitor can
get its hands on potentially proprietary information through a FOIA action. Alternatively, if information is shared
with a regulator, it will dampen voluntary sharing, since organizations will fear a backlash from regulators, who
could use shared information to penalize a regulated party or tighten rules. Once again, the ITIC provides a valuable
example. If a company shares information on a potential cybersecurity incident and “later finds that a database was compromised that included
Individually Identifiable Health Information as defined under the Health Insurance Portability and Accountability Act (HIPAA),” then the Federal Trade
Commission could use the shared information “as evidence in a case against [that company] for violating the security provisions of HIPAA.”[17] If shared
information is exempted from FOIA and regulatory use, a company can share important data without fear that its competitive advantages will be lost to
other firms or used by regulators to impose more rules or costs.[18]
NSA won’t listen to the plan --- circumvention inevitable
Gellman 13 (Barton Gellman writes for the national staff. He has contributed to three Pulitzer Prizes for The
Washington Post, most recently the 2014 Pulitzer Prize for Public Service. The Washington Post: “NSA broke
privacy rules thousands of times per year, audit finds.” Published August 15th, 2013. Accessed June 29th, 2015.
http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-peryear-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html) KalM
The National Security Agency has broken privacy rules or overstepped its legal authority
thousands of times each year since Congress granted the agency broad new powers in 2008, according to an
infractions involve unauthorized surveillance of Americans or
foreign intelligence targets in the United States, both of which are restricted by statute and executive order.
They range from significant violations of law to typographical errors that resulted in unintended interception of
U.S. e-mails and telephone calls. The documents, provided earlier this summer to The Washington Post by former NSA contractor Edward
internal audit and other top-secret documents. Most of the
Snowden, include a level of detail and analysis that is not routinely shared with Congress or the special court that oversees surveillance. In one of the
documents, agency personnel are instructed to remove details and substitute more generic language in reports to the Justice Department and the Office
of the Director of National Intelligence. In one instance, the NSA decided that it need not report the unintended
surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed
from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing
code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff. In another case, the
Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a
new collection method until it had been in operation for many months. The court ruled it unconstitutional. Read
the documents NSA report on privacy violations Read the full report with key sections highlighted and annotated by the reporter. FISA court finds illegal
surveillance The only known details of a 2011 ruling that found the NSA was using illegal methods to collect and handle
the communications of American citizens. What's a 'violation'? View a slide used in a training course for NSA intelligence collectors and
analysts. What to say (and what not to say) How NSA analysts explain their targeting decisions without giving "extraneous information" to overseers.
[FISA judge: Ability to police U.S. spying program is limited] The Obama administration has provided almost no public information about the NSA’s
compliance record. In June, after promising to explain the NSA’s record in “as transparent a way as we possibly can,” Deputy Attorney General James
Cole described extensive safeguards and oversight that keep the agency in check. “Every now and then, there may be a mistake,” Cole said in
congressional testimony. The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized
collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or
violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more
than 3,000 Americans and green-card holders. In a statement in response to questions for this article, the NSA said it attempts to identify problems “at
the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down.” The government was made aware of The
Post’s intention to publish the documents that accompany this article online. “We’re a human-run agency operating in a complex environment with a
number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official said in an interview, speaking
with White House permission on the condition of anonymity. “You can look at it as a percentage of our total activity that occurs each day,” he said. “You
look at a number in absolute terms that looks big, and when you look at it in relative terms, it looks a little different.” There is no reliable way to calculate
from the number of recorded compliance issues how many Americans have had their communications improperly collected, stored or distributed by the
NSA. The causes and severity of NSA infractions vary widely. One in 10 incidents is attributed to a typographical error in which an analyst enters an
incorrect query and retrieves data about U.S phone calls or e-mails. But the more serious lapses include unauthorized access to
intercepted communications, the distribution of protected content and the use of automated systems without
built-in safeguards to prevent unlawful surveillance. The May 2012 audit, intended for the agency’s top leaders, counts only incidents
at the NSA’s Fort Meade headquarters and other ­facilities in the Washington area. Three government officials, speak­ing on the condition of anonymity
to discuss classified matters, said the number would be substantially higher if it included other NSA operating units and regional collection centers.
Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit until The Post asked her staff about it,
said in a statement late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its
reports of compliance incidents are accurate.”
Despite the quadrupling of the NSA’s oversight staff after a series of
significant violations in 2009, the rate of infractions increased throughout 2011 and early 2012. An NSA
spokesman declined to disclose whether the trend has continued since last year. One major problem is largely unpreventable, the audit says, because
current operations rely on technology that cannot quickly determine whether a foreign mobile phone has entered the United States. In what appears to
be one of the most serious violations, the NSA diverted large volumes of international data passing through
fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection.
The operation to obtain what the agency called “multiple communications transactions” collected and commingled U.S. and foreign e-mails, according to
an article in SSO News, a top-secret internal newsletter of the NSA’s Special Source Operations unit. NSA lawyers told the court that the agency could not
practicably filter out the communications of Americans. In October 2011, months after the program got underway, the Foreign
Intelligence Surveillance Court ruled that the collection effort was unconstitutional. The court said that the methods used
were “deficient on statutory and constitutional grounds,” according to a top-secret summary of the opinion, and it ordered the NSA to
comply with standard privacy protections or stop the program.
The plan doesn’t solve basic NSA surveillance --- that makes corporate trust impossible
Kehl, 14 (July, 2014, Danielle Kehl is a senior policy analyst at New America's Open Technology Institute,
where she researches and writes about technology policy. , “Surveillance Costs: The NSA’s Impact on the
Economy, Internet Freedom & Cybersecurity”
https://www.newamerica.org/downloads/Surveilance_Costs_Final.pdf)
Certainly, the actions of the NSA have created a serious trust and credibility problem for the United States and
its Internet industry. “All of this denying and lying results in us not trusting anything the NSA says, anything
the president says about the NSA, or anything companies say about their involvement with the NSA,” wrote
security expert Bruce Schneier in September 2013.225 However, beyond undermining faith in American
government and business, a variety of the NSA’s efforts have undermined trust in the security of the Internet
itself. When Internet users transmit or store their information using the Internet, they believe—at least to a
certain degree—that the information will be protected from unwanted third-party access. Indeed, the continued
growth of the Internet as both an economic engine and an as avenue for private communication and free
expression relies on that trust. Yet, as the scope of the NSA’s surveillance dragnet and its negative impact on
cybersecurity comes into greater focus, that trust in the Internet is eroding.226 Trust is essential for a healthy
functioning society. As economist Joseph Stiglitz explains, “Trust is what makes contracts, plans and everyday
transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for
social stability.”227 Individuals rely on online systems and services for a growing number of sensitive activities,
including online banking and social services, and they must be able to trust that the data they are transmitting
is safe. In particular, trust and authentication are essential components of the protocols and standards
engineers develop to create a safer and more secure Internet, including encryption.228 The NSA’s work to
undermine the tools and standards that help ensure cybersecurity—especially its work to thwart encryption—
also undermines trust in the safety of the overall network. Moreover, it reduces trust in the United States itself,
which many now perceive as a nation that exploits vulnerabilities in the interest of its own security.220 This
loss of trust can have a chilling effect on the behavior of Internet users worldwide.230 Unfortunately, as we
detail below, the growing loss of trust in the security of Internet as a result of the latest disclosures is largely
warranted. Based on the news stories of the past year, it appears that the Internet is far less secure than people
thought—a direct result of the NSA’s actions. These actions can be traced to a core contradiction in NSA’s two
key missions: information assurance—protecting America’s and Americans’ sensitive data—and signals
intelligence—spying on telephone and electronic communications for foreign intelligence purposes
2NC ALT CAUSES
Can’t solve corporate trust – NSA does a lot of pretty evil things
Sasso 14 [Brendan, technology correspondent for National Journal, previously covered technology policy
issues for The Hill and was a researcher and contributing writer for the 2012 edition of the Almanac of
American Politics, “The NSA Isn't Just Spying on Us, It's Also Undermining Internet Security,” National
Journal, April 29, 2014, http://www.nationaljournal.com/daily/the-nsa-isn-t-just-spying-on-us-it-s-alsoundermining-internet-security-20140429] //khirn
He said that company
officials have historically discussed cybersecurity issues with the NSA, but that he wouldn’t be
surprised if those relationships are now strained. He pointed to news that the NSA posed as Facebook to infect
computers with malware. “That does a lot of harm to companies’ brands, ” Soltani said. The NSA’s actions
have also made it difficult for the U.S. to set international norms for cyberconflict. For several years, the U.S. has
tried to pressure China to scale back its cyberspying operations, which allegedly steal trade secrets from U.S. businesses. Jason
Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, said the U.S. has “militarized cyber policy.” “The United States has been
saying that the world needs to operate according to certain norms,” he said. “It is difficult to get the norms that we want because it appears to the rest of
the world that we only want to follow the norms that we think are important.” Vines, the NSA spokeswoman, emphasized that the NSA would never hack
into foreign networks to give domestic companies a competitive edge (as China is accused of doing). “We do not use foreign intelligence capabilities to
steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international
competitiveness or increase their bottom line,” she said. Jim Lewis, a senior fellow with the Center for Strategic and International Studies, agreed that
NSA spying to stop terrorist attacks is fundamentally different from China stealing business secrets to boost its own economy. He also said
there is
widespread misunderstanding of how the NSA works , but he acknowledged that there is a “trust
problem —justified or not.” He predicted that rebuilding trust with the tech community will be one of the top challenges for
Mike Rogers, who was sworn in as the new NSA director earlier this month. “All the tech companies are in varying degrees unhappy
and not eager to have a close relationship with NSA,” Lewis said.
2NC CYBERSECURITY IMPOSSIBLE
True cybersecurity doesn’t exist, impact inevitable
Villasenor 14 (John Villasenor; Professor, UCLA; Nonresident senior fellow at the Brookings Institution;
National Fellow at the Hoover Institution. manuscript of an article to be published in the American
Intellectual Property Law Association Quarterly Journal, 2015: “Corporate Cybersecurity Realism: Managing
Trade Secrets in a World Where Breaches Occur” published August 28, 2014. Accessed June 24, 2015.
http://poseidon01.ssrn.com/delivery.php?ID=347005106102011003080125018116007000009034067081071
060081068017000117077089066011073126035037037025005058020000072094121097017060073073001
035007006103107126028000127081002001029090093119117091094066083082080081069023080104113
079101072079088008078064&EXT=pdf&TYPE=2) KalM
It would be an understatement to call trade secret cybersecurity a complex challenge. Trade secrets stored on
company networks are ripe targets for cyberintruders who have continuing access to new vulnerabilities,
including via a robust global market for zero day exploits. When a company can have hundreds or thousands of laptop computers,
servers, tablets, and smartphones; all of the associated software; and employees with varying degrees of security awareness, how can security
of economically valuable confidential information be assured ? The answer, unsurprisingly, is that
it can’t . As a result, the “every company has been hacked” theme has become a popular refrain in discussions about cybersecurity. In
2011 Dimitri Alperovitch, who was then with McAfee and went on to found cybersecurity company CrowdStrike, wrote, “I am convinced that every
company in every conceivable industry with significant size and valuable intellectual property and trade secrets
has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”2 In a
speech at the 2012 RSA conference, then-FBI Director Robert S. Mueller, III said “I am convinced that there are only two types of
companies: those that have been hacked and those that will be. And even they are converging into one
category: companies that have been hacked and will be hacked again.”3 So what should companies do? First and most
obviously companies need to take all reasonable steps to minimize the ability of cyber-intruders to get into their systems and make off with their trade
secrets. There is a multibillion-dollar industry of products and services available to help plug security holes, and many companies have made
there is no such thing as perfect cybersecurity. Sometimes, despite all efforts to
the contrary, skilled attackers intent on obtaining trade secrets will find their way into company systems. This
inevitability leads to a second aspect of the corporate cybersecurity challenge that is not generally appreciated: Companies need to manage
their intellectual property in light of the affirmative knowledge that their computer systems will sometimes be
breached.
cybersecurity a top priority. But
Bugs will always occur and be hard to find – no aff solvency
Bellovin et al 14 (Steven M. Bellovin (computer science prof at Columbia), Matt Blaze (associate prof at
UPenn, Sandy Clark (Ph.D student at UPenn), & Susan Landau (Guggenheim fellow), April 2014, Lawful
Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern Journal of Technology
and Intellectual Property, April, 2014, 12 Nw. J. Tech. & Intell. Prop. 1, lexis) /AMarb **We don’t endorse
ableist language
P67 We are suggesting use of pre-existing vulnerabilities for lawful access to communications. To understand why this is plausible, it is important to
know a fundamental tenet of software engineering: bugs happen. In his classic The Mythical Man-Month, Frederick Brooks explained why: First,
one must perform perfectly. The computer resembles the magic of legend in this respect, too. If one character, one
pause, of the incantation is not strictly in proper form, the magic doesn't work. Human beings are not accustomed to being perfect,
and few areas of human activity demand it. Adjusting to the requirement for perfection is, I think, the most difficult part of learning to program. n114
P68 Because computers, of course, are dumb--they do exactly what they are told to do-- programming has to be absolutely
precise and correct. If a computer is told to do something stupid, it does it, while a human being would notice there is a problem. A
person told to walk 50 meters then turn left would realize that there was an obstacle present, and prefer the path 52 meters down rather than walking
into a tree trunk. A computer would not, unless it had been specifically programmed to check for an impediment in its path. If it has not been
programmed that way--if there is virtually any imperfection in code--a bug will result. The circumstances which might
cause that bug to become apparent may be rare, but it would nonetheless be a bug. n115 If this bug should happen to be in a securitycritical section of code, the result may be a vulnerability. P69 A National Research Council study described the situation this way:
[*28] [A]n overwhelming majority of security vulnerabilities are caused by "buggy" code. At least a third of the Computer Emergency Response Team
(CERT) advisories since 1997, for example, concern inadequately checked input leading to character string overflows (a problem peculiar to C
programming language handling of character strings). Moreover, less than 15 percent of all CERT advisories described problems that could have been
fixed or avoided by proper use of cryptography. n116 P70 It would seem that bugs should be easy to eliminate: test the
program and fix any problems that show up. Alas, bugs can be fiendishly hard to find, and complex programs
simply have too many possible branches or execution paths to be able to test them all. n117
Cyber security impossible to be prepared for - threats are too rapidly developing
OpenDNS, 2014
(“Rethinking Cyber Security” OpenDNS is a security company operating out of San Francisco,
http://www.gridcybersec.com/cybersecurity-research/prevention-is-no-match-for-persistence)
Today, most IT security is based on prevention – an attempt to create counter measures against previously
identified tactics and threats. In theory, understanding how hackers attack us helps us prepare our best
defenses against them. But in practice, we can never build our virtual walls high or strong enough to serve as
sufficient barricades. For starters, old tactics evolve and new tactics emerge at a rate impossible for security
professionals to match. Spear phishing targets our most vulnerable employees and watering holes attract the
unwary. Our best “sandbox” malware analyses can miss some of the latest suspect behaviors. It’s impossible to
predict when and where the technologies we rely upon, such as Flash or Java, will suffer the exploitation of a
previously undetected (a.k.a. zero-day) vulnerability. Worse, practice makes perfect. The key part of any
advanced persistent threat (APT) is the persistence; even relatively basic, “off the shelf” malware can become
powerful when it is applied repeatedly across a wide attack surface. As our digital borders, via private and
public cloud services and mobile users and devices, expand they become more porous and our digital line in the
sand becomes too big to defend. For enterprises or organizations at any scale, prevention alone can never be a
sufficient defense: our security professionals must be right and fast all the time, but cyberattackers just need to
be effective once, over any time period.
Cyber security won’t happen – the internet is too large a beast to conquer
Zimmer, 4
1 March 2004, “The tensions of securing cyberspace: the Internet, state power & the National Strategy to
Secure Cyberspace,” Michael T. Zimmer is a doctoral student in Media Ecology in the Department of Culture
and Communication at New York University.
http://firstmonday.org/ojs/index.php/fm/article/view/1125/1045
The rise of information technologies, including the Internet, impacts the way governance is organized and
power is exercised in our society. As Castells notes, "Networks constitute the new social morphology of our
societies, and the diffusion of networking logic substantially modifies the operation and outcomes in processes
of production, experience, power and culture" [10]. This poses immense constraints on any government’s
attempt to secure cyberspace. While the structural tensions noted above seem clear, more abstract constraints
to State power lurk just below the surface, exposing deep substantive tensions. These include challenges to the
hierarchical structures of the nation–state, the blurring of territorial boundaries, and general resistance to
power in a society increasingly focused on control. Information technology networks contribute to the
departure from traditional hierarchical authoritative contexts privileging nation–states. As Arquilla and
Ronfeldt explain, the rise of global information networks sets in motion forces that challenge the hierarchical
design of many institutions: "It disrupts and erodes the hierarchies around which institutions are normally
designed. It diffuses and redistributes power, often to the benefit of what may be considered weaker, smaller
actors. It crosses borders, and redraws the boundaries of offices and responsibilities. It expands the spatial and
temporal horizons that actors should take into account. And thus, it generally compels closed systems to open
up." [11] As a consequence of the Internet’s capacity for anarchic global communication, new global institutions
are being formed that are preponderantly sustained by network rather than hierarchical structures — examples
include peer–based networks such as Slashdot.org, or even the IETF itself. Such global, interconnected
networks help to flatten hierarchies, often transforming them altogether, into new types of spaces where
traditional sovereign territoriality itself faces extinction.
2NC STATUS QUO SOLVES
Project Zero solves the aff – companies are eliminating bugs
Sanger and Perlroth 15 – New York Times Reporters (David and Nicole, Feb 12, 2015, New York Times,
Obama Heads to Tech Security Talks Amid Tensions, http://www.nytimes.com/2015/02/13/business/obamaheads-to-security-talks-amid-tensions.html?_r=0) /AMarb
PALO ALTO, Calif. — President Obama will meet here on Friday with the nation’s top technologists on a host of cybersecurity
issues and the threats posed by increasingly sophisticated hackers. But nowhere on the agenda is the real issue for the chief
executives and tech company officials who will gather on the Stanford campus: the deepening estrangement between Silicon Valley
and the government. The long history of quiet cooperation between Washington and America’s top technology
companies — first to win the Cold War, then to combat terrorism — was founded on the assumption of mutual
interest. Edward J. Snowden’s revelations shattered that. Now, the Obama administration’s efforts to prevent companies from greatly
strengthening encryption in commercial products like Apple’s iPhone and Google’s Android phones has set off a new battle, as the companies resist
government efforts to make sure police and intelligence agencies can crack the systems. And there is continuing tension over the government’s desire to
stockpile flaws in software — known as zero days — to develop weapons that the United States can reserve for future use against adversaries. “What
has struck me is the enormous degree of hostility between Silicon Valley and the government ,” said Herb Lin, who
spent 20 years working on cyberissues at the National Academy of Sciences before moving to Stanford several months ago. “ The relationship
has been poisoned, and it’s not going to recover anytime soon.” Mr. Obama’s cybersecurity coordinator, Michael
Daniel, concedes there are tensions. American firms, he says, are increasingly concerned about international competitiveness, and that means making a
very public show of their efforts to defeat American intelligence-gathering by installing newer, harder-to-break encryption systems and demonstrating
their distance from the United States government. The F.B.I., the intelligence agencies and David Cameron, the British prime minister, have all tried to
stop Google, Apple and other companies from using encryption technology that the firms themselves cannot break into — meaning they cannot turn over
emails or pictures, even if served with a court order. The firms have vociferously opposed government requests for such information as an intrusion on
the privacy of their customers and a risk to their businesses. “In some cases that is driving them to resistance to Washington,” Mr. Daniel said in an
interview. “But it’s not that simple. In other cases, with what’s going on in China,” where Beijing is insisting that companies turn over the software that is
their lifeblood, “they are very interested in getting Washington’s help.” Mr. Daniel’s reference was to Silicon Valley’s argument that keeping a key to
unlocking terrorists’ secret communications, as the government wants them to do, may sound reasonable in theory, but in fact would create an opening
for others. It would also create a precedent that the Chinese, among others, could adopt to ensure they can get into American communications, especially
as companies like Alibaba, the Chinese Internet giant, become a larger force in the American market. “A stupid approach,” is the assessment of one
technology executive who will be seeing Mr. Obama on Friday, and who asked to speak anonymously. That tension — between companies’ insistence that
they cannot install “back doors” or provide “keys” giving access to law enforcement or intelligence agencies and their desire for Washington’s protection
from foreign nations seeking to exploit those same products — will be the subtext of the meeting. That is hardly the only point of contention. A year after
Mr. Obama announced that the government would get out of the business of maintaining a huge database of every call made inside the United States, but
would instead ask the nation’s telecommunications companies to store that data in case the government needs it, the companies are slow-walking the
effort. They will not take on the job of “bulk collection” of the nation’s communications, they say, unless Congress forces them to. And some executives
whisper it will be at a price that may make the National Security Administration’s once-secret program look like a bargain. The stated purpose of Friday’s
meeting is trying to prevent the kinds of hackings that have struck millions of credit card holders at Home Depot and Target. A similar breach revealed
the names, Social Security numbers and other information of about 80 million people insured by Anthem, the nation’s second-largest health insurer. Mr.
Obama has made online security a major theme, making the case in hisState of the Union address that the huge
increase in attacks during his presidency called for far greater protection. Lisa Monaco, Mr. Obama’s homeland security
adviser, said this week that attacks have increased fivefold since the president came to office; some, like the Sony Pictures attack, had a clear political
agenda. The image of Kim Jong-un, the North Korean leader, shown in the Sony Pictures comedy “The Interview” has been emblazoned in the minds of
those who downloaded the film. But the one fixed in the minds of many Silicon Valley executives is the image revealed in photographs and documents
released from the Snowden trove of N.S.A. employees slicing open a box containing a Cisco Systems server and placing “beacons” in it that could tap into
a foreign computer network. Or the reports of how the N.S.A. intercepted email traffic moving between Google and Yahoo servers. “The
government is realizing they can’t just blow into town and let bygones be bygones,” Eric Grosse, Google’s vice president of
security and privacy, said in an interview. “Our business depends on trust. If you lose it, it takes years to regain .”
When it comes to matters of security, Mr. Grosse said, “Their mission is clearly different than ours. It’s a source of continuing tension. It’s
not like if they just wait, it will go away.” And while Silicon Valley executives have made a very public argument over encryption, they
have been fuming quietly over the government’s use of zero-day flaws. Intelligence agencies are intent on finding or buying
information about those flaws in widely used hardware and software, and information about the flaws often sells for hundreds of thousands of dollars on
the black market. N.S.A. keeps a potent stockpile, without revealing the flaws to manufacturers.
Companies like Google, Facebook,
Microsoft and Twitter are fighting back by paying “bug bounties” to friendly hackers who alert
them to serious bugs in their systems so they can be fixed.
month, Mr.
And last July, Google took the effort to another level. That
Grosse began recruiting some of the world’s best bug hunters to track down and neuter
the very bugs that intelligence agencies and military contractors have been paying top dollar
for to add to their arsenals. They called the effort “Project Zero ,” Mr. Grosse says, because the ultimate
goal is to bring the number of bugs down to zero. He said that “Project Zero” would never get the number of bugs down to zero “but
we’re going to get close.” The White House is expected to make a series of decisions on encryption in the coming weeks. Silicon Valley
executives say encrypting their products has long been a priority, even before the revelations by Mr. Snowden, the former N.S.A. analyst, about N.S.A.’s
surveillance, and they have no plans to slow down. In an interview last month, Timothy D. Cook, Apple’s chief executive, said the N.S.A. “would
have to cart us out in a box” before the company would provide the government a back door to its products.
Apple recently began encrypting phones and tablets using a scheme that would force the government to go directly to the user for their information. And
intelligence agencies are bracing for another wave of encryption.
CRITICAL INFRASTRUCTURE ADVANTAGE
1NC CRITICAL INFRASTRUCTURE
Reject doom and gloom predictions --- redundancies check major collapse
Hodgson 15 [Quentin E., Chief of Staff for Cyber Policy, Office of the Secretary of Defense, Occasional Papers
Series, conference, published by the Dean Rusk Center for International Law and Policy, 4-1-2015,
“Cybersecurity and National Defense: Building a Public-Private Partnership,”
http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc] //khirn
A lot of the time — and I’ll just close with this — a
lot of the time, when we talk about cyberspace, there’s lots of doom and
gloom. I just want to get back to the piece about critical infrastructure. You know, you’ll hear people talk about the zero-day
exploits, gray and black markets and how people are constantly scanning critical infrastructure. I think it’s a very important thing that
we need to track, but I think it’s also very important to understand, from at least the Department of Defense perspective: systemic failure of
these kinds of systems is not an easy thing to do . And so we have to really be very cautious about how we think about these kinds
of threats. There are certainly threats to a power substation, for instance, that can come through cyberspace, but does that mean the
entire system will go down? Probably not . In fact, given where I live–my local company is PEPCO, one of the most hated companies in
America — and one thing they’ve gotten very good at is not having a functioning system that they are able to get back up and running again, and we
manage to live through that. On the other hand, if somebody was to target, for instance, the power generation side of things, not the distribution side of
things, GE, for instance, does not have large-scale gas turbines just sitting on a shelf. It doesn’t make sense for them to do that. That’s the case where, if
somebody could use a cyber attack to disable a large swath of those kinds of machines, to kind of go “stucksnet” on them, to coin a phrase, that could
have a
significant impact to the United States. But we have to understand that that’s something that for the most part, is only within
the reach of very few nation-states , and we think that’s still the case. There may be some very talented individuals out
there, but understanding
the complexity of these systems and that there are redundancies in these systems, we
should note a word of caution: we have to be prepared to address these threats, but we shouldn’t be slaves to the
doom and gloom
all the time and should understand what’s real and what’s not real when it comes to these risks. So, with that, I’ll conclude
my remarks and thank you.
Low probability of attack – difficulty and cost
Rid and Buchanan 14 -- professor in the Department of War Studies at King’s College London and PhD
candidate (Thomas and Ben, 12/23/2014, Attributing Cyber Attacks, pg. 21, Taylor and Francis online,
http://dx.doi.org/10.1080/01402390.2014.977382) /AMarb
Computer network exploitation requires preparation. Analysing the abilities required to breach a specific
network can be a useful clue in the attribution process. The Stuxnet attack on Iran’s heavily-guarded nuclear
enrichment facility was highly labour-intensive. The malware’s payload required superb target-specific
information, for instance hardto-get details about specific frequency-converter drives used to control rotational
speeds of motors; about the detailed technical parameters of the Iranian IR-1 centrifuges in Natanz; or about
the resonance-inducing critical input frequency for the specific configuration of these machines.48 Stuxnet also
used an unprecedented number of zero days, four or five, and exhibited the first-ever rootkit for a
programmable logic controller (used to control industrial machinery).49 These characteristics drastically
limited the number of possible perpetrators. Other preparations include target reconnaissance and payload
testing capabilities. Again Stuxnet is a useful example: the attack reprogrammed a complex target system to
achieve a kinetic effect. This required advance testing.50 The testing environment would have to use IR-1
centrifuges. Such machinery can be expensive and hard to obtain. No non-state actor, and indeed few
governments, would likely have the capability to test Stuxnet, let alone build and deploy it. This further
narrows the possibilities.
Zero chance of effective cyber attack
Lin 14 [Patrick, “Just the Right Amount of Cyber Fear,” The Atlantic, January 6, 2014,
theatlantic.com/technology/archive/2014/01/just-the-right-amount-of-cyber-fear/282787] //khirn
Likewise, “cyberterrorism” is a much-ballyhooed but vague fear: a “term like cyberterrorism has as much clarity as cybersecurity, that is none at all.”
The fear also doesn’t seem to match the hype : ... the “Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility
for a series of denial-of-service attacks on five U.S. banking firms. While many believe they stole credit for cybercriminals’ work, the
effects of the attacks were negligible, shutting down customer access to the sites for a few hours. Most customers didn’t even
know there had been an attack. Take out the word “cyber” and we wouldn’t even call such a nuisance
“terrorism” … As one cyber expert put it to us, “There are threats out there, but there are no threats that threaten our
fundamental way of life.” Perhaps to Iran, the Stuxnet worm is a clear example of a cyberterrorist attack, if not an outright act of
cyberwar. The malware blew up Iran’s nuclear centrifuges and their replacement for over a year—key equipment in their alleged illegal development of
nuclear weapons. Singer and Friedman not only walk us through this dramatic operation—a real-life Mission: Impossible plot—but they also
use Stuxnet as a case study in ethical cyberweapons. In contrast to indiscriminate malware, such as an email virus, Stuxnet was
designed to activate under highly specific conditions that narrowed its target to one, e.g., only if exactly 984
centrifuges were linked together and controlled by a certain operating system. This specificity and requisite inside
knowledge reveals how hard it is to hit a weapons lab or any other sensitive facility, and therefore how
unlikely cyberterrorism might be : To cause true damage entails an understanding of the devices
themselves: how they run, their engineering, and their underlying physics. Stuxnet, for example, involved cyber experts as
well as experts in nuclear physics and engineers familiar with a specific kind of Siemens-brand industrial equipment. On top of the required
expertise, expensive software tests had to be conducted on working versions of the target hardware. As a professor at the
U.S. Naval Academy [George Lucas] explains, “the threat of cyber terrorism, in particular, has been vastly
overblown ,” because conducting a truly mass-scale act of terrorism using cyber means “simply outstrips the
intellectual, organizational, and personnel capacities of even the most well-funded and wellorganized terrorist organization, as well as those of even the most sophisticated international criminal enterprises. To be blunt: neither the 14year old hacker in your next-door neighbor’s upstairs bedroom, nor the two or three person al Qaeda cell holed up in some apartment in Hamburg are
going to bring down the Glen Canyon and Hoover Dams.” By comparison, the entire 9/11 plot cost less than $250,000 in travel and organizational costs
and used simple box-cutters.
1NC GRID IMPACT
Power grid is attacked twice a week anyway, no impact
Toppa 3/25 (SABRINA TOPPA: a journalist in Asia, formerly working at TIME Magazine’s Asia
headquarters in Hong Kong. Before this, she also worked at Kathmandu Post in Nepal and the Dhaka Tribune
in Bangladesh after serving as Rice University’s Zeff Fellow from 2013-2014. Time Magazine: “The National
Power Grid Is Under Almost Continuous Attack, Report Says.” Published March 25th, 2015. Accessed June 26,
2015. http://time.com/3757513/electricity-power-grid-attack-energy-security/) KalM
The U.S. national power grid faces physical or online attacks approximately
“once every four days,”
according to a new investigation by USA Today, threatening to plunge parts of the country into darkness.
For its report, USA Today scrutinized public records, national energy data and records from 50 electric utilities. It found that from
2011 to 2014,
the U.S. Department of Energy received 362 reports from electric utilities of physical or cyber attacks
that interrupted power services. In 2013, a Department of Homeland Security branch recorded 161
cyber attacks on the energy sector, compared to just 31 in 2011. Worryingly, most of the nation’s power
infrastructure has poor defenses — sometimes only a security camera and fence. In April 2013, PG&E Corp’s
Metcalf Transmission Substation in California reported that over 100 ammunition rounds were fired into its transformers, causing over $15 million
worth of damage. The gunmen were never apprehended — neither have the perpetrators of over 300 physical attacks on electricity infrastructure since
2011.
Utilities are un-hackable
Tanji 10 [Michael, spent 20 years in the US intelligence community; veteran of the US Army; served in
strategic and tactical assignments worldwide; participated in national and international analysis and policy
efforts for the NIC, NSC and NATO; Claremont Institute Lincoln Fellow and Senior Fellow at the Center of
Threat Awareness; lectures on intelligence issues at The George Washington University, 7/13/10, “Hacking the
Electric Grid? You and What Army?,” http://www.wired.com/dangerroom/2010/07/hacking-the-electric-gridyou-and-what-army] //khirn
People have claimed in the past to be able to turn off the internet, there are reports of foreign penetrations into government systems, “proof”
of foreign interest in attacking U.S. critical infrastructure based on studies, and concerns about adversary capabilities based on
allegations of successful critical infrastructure attacks. Which begs the question: If it’s so easy to turn off the lights using
how come it doesn’t happen more often? The fact of the matter is that it isn’t easy to do any of these
things. Your average power grid or drinking-water system isn’t analogous to a PC or even to a corporate network. The
complexity of such systems, and the use of proprietary operating systems and applications that are not readily
available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more
difficult than using Metasploit. To start, these systems are rarely connected directly to the public internet. And that makes
your laptop,
gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.
2NC GRID IMPACT
Grids are very resilient
Avila 12 (Jim, Senior National Correspondent at ABC News, “A U.S. Blackout as Large as India’s? ‘Very
Unlikely’”, http://abcnews.go.com/blogs/headlines/2012/07/a-u-s-blackout-as-large-as-indias-very-unlikely/)
As India recovers from a blackout that left the world’s second-largest country — and more than 600 million
residents — in the dark, a ripple of uncertainty moved through the Federal Regulatory Commission’s command
center today in the U.S. The Indian crisis had some people asking about the vulnerability of America’s grid.
“What people really want to know today is, can something like India happen here? So if there is an outage or
some problem in the Northeast, can it actually spread all the way to California,” John Wellinghoff, the
commission’s chairman, told ABC News. “It’s very, very unlikely that ultimately would happen.” Wellinghoff
said that first, the grid was divided in the middle of the nation. Engineers said that it also was monitored more
closely than ever. The grid is checked for line surges 30 times a second . Since the Northeast blackout in 2003
— the largest in the U.S., which affected 55 million — 16,000 miles of new transmission lines have been added
to the grid . And even though some lines in the Northeast are more than 70 years old, Wellinghoff said that the
chances of a blackout like India’s were very low.
Status quo solves grid cyber vulnerability
Clark, 12
4/28/12, “The Risk of Disruption or Destruction of Critical U.S. Infrastructure by an Offensive Cyber Attack,”
Paul Clark is an MA candidate in intelligence/terrorism studies at the American Military University,
http://blog.havagan.com/wp-content/uploads/2012/05/The-Risk-of-Disruption-or-Destruction-of-CriticalU.S.-Infrastructure-by-an-Offensive-Cyber-Attack.pdf
An attack against the electrical grid is a reasonable threat scenario since power systems are "a high priority
target for military and insurgents" and there has been a trend towards utilizing commercial software and
integrating utilities into the public Internet that has "increased vulnerability across the board" (Lewis 2010).
Yet the increased vulnerabilities are mitigated by an increased detection and deterrent capability that has been
"honed over many years of practical application" now that power systems are using standard, rather than
proprietary and specialized, applications and components (Leita and Dacier 2012). The security of the electrical
grid is also enhanced by increased awareness after a smart-grid hacking demonstration in 2009 and the
identification of the Stuxnet malware in 2010: as a result the public and private sector are working together in
an "unprecedented effort" to establish robust security guidelines and cyber security measures (Gohn and
Wheelock 2010).
Grids are actively improving
Koerth-Baker, 12
(8/3/12 Maggie Koerth-Baker is a science editor – Boing Boing, columnist – NYT Magazine, electric grid
expert, , “Blackout: What's wrong with the American grid,” http://boingboing.net/2012/08/03/blackoutwhats-wrong-with-t.html)
But this is about more than mere bad luck. The real causes of the 2003 blackout were fixable problems, and the
good news is that, since then, we’ve made great strides in fixing them . The bad news, say some grid experts,
is that we’re still not doing a great job of preparing our electric infrastructure for the future. Let’s get one thing
out of the way right up front: The North American electric grid is not one bad day away from the kind of
catastrophic failures we saw in India this week. I’ve heard a lot of people speculating on this, but the folks who
know the grid say that, while such a huge blackout is theoretically possible, it is also extremely unlikely. As
Clark Gellings, a fellow at the Electric Power Research Institute put it, “An engineer will never say never,” but
you should definitely not assume anything resembling an imminent threat at that scale. Remember, the
blackouts this week cut power to half of all Indian electricity customers. Even the 2003 blackout—the largest
blackout in North America ever—only affected about 15% of Americans. We don’t know yet what, exactly,
caused the Indian blackouts, but there are several key differences between their grid and our grid. India’s
electricity is only weakly tied to the people who use it, Gellings told me. Most of the power plants are in the far
north. Most of the population is in the far south. The power lines linking the two are neither robust nor
numerous. That’s not a problem we have in North America. Likewise, India has considerably more demand for
electricity than it has supply. Even on a good day, there’s not enough electricity for all the people who want it,
said Jeff Dagle, an engineer with the Pacific Northwest National Laboratory’s Advanced Power and Energy
Systems research group. “They’re pushing their system much harder, to its limits,” he said. “If they have a
problem, there’s less cushion to absorb it. Our system has rules that prevent us from dipping into our electric
reserves on a day-to-day basis. So we have reserve power for emergencies.
Military computers are resilient
Weimann 4
Gabriel Weimann, senior fellow at the United States Institute of Peace and professor of communication at the
University of Haifa, Israel, 2004, Cyberterrorism How Real Is the Threat?,
ttp://www.usip.org/files/resources/sr119.pdf
Neither al Qaeda nor any other terrorist organization appears to have tried to stage a serious cyberattack. For now, insiders or individual hackers are
responsible for most attacks and intrusions and the hackers’ motives are not political. According to a report issued in 2002 by IBM Global Security
Analysis Lab, 90 percent of hackers are amateurs with limited technical proficiency, 9 percent are more skilled at gaining unauthorized access but do not
damage the files they read, and only 1 percent are highly skilled and intent on copying files or damaging programs and systems. Most hackers, it should
be noted, try to expose security flaws in computer software, mainly in the operating systems produced by Microsoft. Their efforts in this direction have
sometimes embarrassed corpo- rations but have also been responsible for alerting the public and security professionals to serious security flaws.
Moreover, although there are hackers with the ability to damage systems, disrupt e-commerce, and force websites offline, the vast majority of hackers do
not have the necessary skills and knowledge. The ones who do, generally do not seek to wreak havoc. Douglas Thomas, a professor at the University of
Southern California, spent seven years studying computer hackers in an effort to understand better who they are and what motivates them. Thomas
interviewed hundreds of hackers and explored their “literature.” In testimony on July 24, 2002, before the House Subcommittee on Govern- ment
Efficiency, Financial Management and Intergovernmental Relations, Thomas argued that “with the vast majority of hackers, I would say 99 percent of
the risk [of cyberterrorism] is negligible for the simple reason that those hackers do not have the
skill or ability to organize or execute an attack that would be anything more than a minor inconvenience.” His
judgment was echoed in Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats, a 2002
report for the Center for Strategic and International Studies, written by Jim Lewis, a sixteen-year veteran of the
State and Commerce Depart- ments. “The idea that hackers are going to bring the nation to its knees is too farfetched a scenario to be taken seriously,” Lewis argued. “Nations are more robust than the early analysts of
cyberterrorism and cyberwarfare give them credit for. Infrastructure systems [are] more flexible and
responsive in restoring service than the early analysts realized, in part because they have to deal with failure on
a routine basis.” Many computer security experts do not believe that it is possible to use the Internet to inflict
death on a large scale. Some pointed out that the resilience of computer systems to attack is the result of
significant investments of time, money, and expertise. As Green describes, nuclear weapons systems are
protected by “air-gapping”: they are not connected to the Internet or to any open computer
network and thus they cannot be accessed by intruders, terrorists, or hackers. Thus, for example,
the Defense Department protects sensitive systems by isolating them from the Internet and even
from the Pentagon’s own internal network. The CIA’s classified computers are also air-gapped, as is the
FBI’s entire computer system.
them,
Cyber-attacks don’t threaten electrical grid
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
The U.S. has already run a large-scale experiment on the effects of disrupting electrical power
supplies, thanks to California’s experience with ‘deregulation’ last year. California’s efforts to de-regulate
the electrical power market resulted in months of blackouts and rolling brownouts across the state.
Deregulation was a more powerful ‘attack’ on the electrical infrastructure than anything a cyberterrorist could mount. There was clearly economic cost to the California regulatory event, but it was
not crippling nor did it strike terror into the hearts of Americans. Similarly, power outages across the country in 1999
affected millions of people and cost electrical power customers millions of dollars in lost business and productivity. These outages were the result of
increased electricity use prompted by sustained high summer temperatures. In contrast to California’s State government or hot weather, the
number of blackouts in U.S. caused by hackers or cyber-terrorists remains zero.
1NC WATER IMPACT
Cyber terror isn’t a threat to water supply: old tech, no effect, and high difficulty
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
In the United States, the water supply infrastructure would be an elusive target for cyber attack. There
are 54,064 separate water systems in the U.S. Of these, 3,769 water systems serve eighty one percent
of the population and 353 systems served forty-four percent of the population. However, the uneven
spread of diverse network technologies complicates the terrorists’ task. Many of these water supply
systems in the U.S., even in large cities, continue to rely on technologies not easily disrupted by
network attacks. There have been cases in the U.S. when a community’s water supply has been
knocked out for days at a time (usually as a result of flooding), but these have produced neither terror
nor paralysis . A cyber terrorist or cyber warrior would need to carry out a sustained attack
that would simultaneously disrupt several hundred of these systems to gain any
strategic benefit. Assuming that a terrorist could find a vulnerability in a water supply system that
would allow him to shut down one city’s water for a brief period, this vulnerability could be exploited
to increase the damage of a physical attack (by denying fire fighters access to water ). In general, a cyber attack
that alone might pass unnoticed in the normal clutter of daily life could have useful multiplier effects if undertaken simultaneously with a physical attack.
This sort of simultaneous combination of physical and cyber attacks might be the only way in which cyber
weapons could be attractive to terrorists. The American Waterworks Association assessment of the
terrorist threat to water supplies placed “physical destruction of the system's components to disrupt
the supply of water” as the most likely source of infrastructure attack.4
No cyber terror risk
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
While the press has reported that government officials are concerned over Al Qaeda plans to use the Internet to
wage cyber-terrorism , these stories often recycle the same hypothetical scenarios previously
attributed to foreign governments’ cyber-warfare efforts. The risk remains hypothetical but the antagonist has changed from
hostile states to groups like Al Qaeda. The only new element attributed to Al Qaeda is that the group might use cyber attacks to disrupt emergency
services in order to reinforce and multiply the effect of a physical attack. If
cyber-attacks were feasible, the greatest risk they
might pose to national security is as corollaries to more traditional modes of attacks.
Resource wars don’t happen, their ev is hype
Victor 07 (David G. Victor is a professor of law at Stanford Law School and the director of the Program on
Energy and Sustainable Development. He is a senior fellow at the Council on Foreign Relations, where he
directed a task force on energy security. He is also a frequent writer on natural resource policy. The National
Interest: “What Resource Wars?” published November/December, 2014. Accessed June 26, 2015.
http://pages.ucsd.edu/~dgvictor/publications/Faculty_Victor_Article_2007_What%20Resource%20Wars_T
he%20National%20Interest.pdf) KalM
Rising energy prices and mounting concerns about environmental depletion have animated fears that
the world may be headed for a spate of “resource wars”— hot conflicts triggered by a struggle to grab valuable resources.
Such fears come in many stripes, but the threat industry has sounded the alarm bells especially loudly in three areas. First is the rise
of China, which is poorly endowed with many of the resources it needs—such as oil, gas, timber and most minerals—
and has already “gone out” to the world with the goal of securing what it wants. Violent conflicts may follow as the country shunts others aside. A second
potential path down the road to resource wars starts with all the money
now flowing into poorly governed but resource-rich
countries. Money can fund civil wars and other hostilities, even leaking into the hands of terrorists. And third is global climate change,
which could multiply stresses on natural resources and trigger water wars, catalyze the spread of disease or bring about mass
migrations.
Most of this is bunk, and nearly all of it has focused on the wrong lessons
for policy . Classic resource wars are good material for Hollywood screenwriters. They rarely
occur in the real world . To be sure, resource money can magnify and prolong some conflicts, but the root causes of those hostilities
usually lie elsewhere. Fixing them requires focusing on the underlying institutions that govern how resources are used and largely determine whether
stress explodes into violence. When
conflicts do arise, the weak link isn’t a dearth in resources but a dearth in
governance. Resource wars are largely back in vogue within the U.S. threat industry because of China’s spectacular rise. Brazil, India, Malaysia
and many others that used to sit on the periphery of the world economy are also arcing upward. This growth is fueling a surge in world
demand for raw materials. Inevitably, these countries have looked overseas for what they need, which has animated fears of
a coming clash with China and other growing powers over access to natural resources. Within the next three
years, China will be the world’s largest consumer of energy. Yet, it’s not just oil wells that are working harder to fuel China, so too are chainsaws. Chinese
net imports of timber nearly doubled from 2000 to 2005. The country also uses about one-third of the world’s steel (around 360 million tons), or three
times its 2000 consumption. Even in coal resources, in which China is famously well-endowed, China became a net importer in 2007. Across the board,
the combination of low efficiency, rapid growth and an emphasis on heavy industry—typical in the early stages of industrial growth—have combined to
make the country a voracious consumer and polluter of natural resources. America, England and nearly every other industrialized country went through
a similar pattern, though with a human population that was much smaller than today’s resource-hungry developing world. Among the needed resources,
oil has been most visible. Indeed, Chinese state-owned oil companies are dotting Africa, Central Asia and the Persian Gulf with projects aimed to export
oil back home. The overseas arm of India’s state oil company has followed a similar strategy—unable to compete head-to-head with the major Western
companies, it focuses instead on areas where humanrights abuses and bad governance keep the major oil companies at bay and where India’s foreign
policy can open doors. To a lesser extent, Malaysia engages in the same behavior. The American threat industry rarely sounds the alarm over Indian and
Malaysian efforts, though, in part because those firms have less capital to splash around and mainly because their stories just don’t compare with fear of
efforts to lock up resources by going out fit well with the standard narrative for
resource wars—a zero-sum struggle for vital supplies. But will a struggle over resources actually lead
to war and conflict? To be sure, the struggle over resources has yielded a wide array of commercial
conflicts as companies duel for contracts and ownership. State-owned China National Offshore Oil Corporation’s (cnooc) failed bid to acquire U.S.the rising dragon. These
based Unocal—and with it Unocal’s valuable oil and gas supplies in Asia—is a recent example. But that is hardly unique to resources—similar conflicts
with tinges of national security arise in the control over ports, aircraft engines, databases laden with private information and a growing array of advanced
technologies for which civilian and military functions are hard to distinguish. These
contracts, but they do not unleash violence.
disputes win and lose some friendships and
AT: AGRICULTURE
US ag. Doesn’t feed the world
Charles 13 (Dan Charles is NPR's food and agriculture correspondent. National Public Radio: ” American
Farmers Say They Feed The World, But Do They?” published September 17, 2013. Accessed June 28 th, 2015.
http://www.npr.org/sections/thesalt/2013/09/17/221376803/american-farmers-say-they-feed-the-world-butdo-they) KalM
When critics of industrial agriculture complain that today's food production is too big and too dependent on pesticides, that it damages
the environment and delivers mediocre food, there's a line that farmers offer in response: We're feeding the world. It's
high-tech agriculture's claim to the moral high ground. Farmers say they farm the way they do to produce food
as efficiently as possible to feed the world. Charlie Arnot, a former public relations executive for food and farming companies, now CEO of the
Center for Food Integrity, says it's more than just a debating point. "U.S. farmers have a tremendous sense of pride in the fact that
they've been able to help feed the world," he says. That phrase showed up, for instance, a few weeks ago at a big farm convention in
Decatur, Ill. The seed and chemical company DuPont set up a wall with a question printed at the top in big, capital letters: "How are you making a
difference to feed the world?" The company invited people to answer that question, and thousands of them did. They wrote things like "raising cattle,"
"growing corn and beans," "plant as much as possible." Kip Tom, who grows corn and soybeans on thousands of acres of Indiana farmland, says he's very
aware of the fact that the world has more and more people, demanding more food. Yet there are fewer and fewer farmers, "and it's the duty of those of us
who are left in the business, us family farmers, to help feed that world." That means growing more food per acre, he says, which requires new and better
technology: genetically engineered seed, for instance, or pesticides. And this is why the words "feed the world" grate on the nerves of
people who believe that large-scale, technology-driven agriculture is bad for the environment and often bad for
people. Margaret Mellon, a scientist with the environmental advocacy group Union of Concerned Scientists, recently wrote an essay in which she
confessed to developing an allergy to that phrase. "If there's a controversy, the show-stopper is supposed to be, 'We have to use pesticides, or we won't be
able to feed the world!' " she says. Mellon says it's time to set that idea aside. It doesn't answer the concerns that people
have about modern agriculture — and it's not even true. American-style farming doesn't really grow
food for hungry people , she says. Forty percent of the biggest crop — corn — goes into fuel for cars. Most of
the second-biggest crop — soybeans — is fed to animals. Growing more grain isn't the solution to hunger anyway, she
says. If you're really trying to solve that problem, there's a long list of other steps that are much more important.
"We need to empower women; we need to raise incomes; we need infrastructure in the developing world; we
need the ability to get food to market without spoiling." It seemed that this dispute needed a referee. So I called Christopher Barrett,
an economist at Cornell University who studies international agriculture and poverty. "They're both right," he says, chuckling. "Sometimes the opposite
of a truth isn't a falsehood, but another truth, right?" It's true, he says, that bigger harvests in the U.S. tend to make food more affordable around the
world, and "lower food prices are a good thing for poor people." For instance, Chinese pigs are growing fat on cheap soybean meal grown by farmers in
the U.S. and Brazil, and that's one reason why hundreds of millions of people in China are eating much better than a generation ago — they can afford to
buy pork. So American farmers who grow soybeans are justified in saying that they help feed the world. But Mellon is right, too, Barrett says. The big
crops that American farmers send abroad don't provide the vitamins and minerals that billions of people need
most. So if the U.S. exports lots of corn, driving down the cost of cornmeal, "it induces poor families to buy lots
of cornmeal, and to buy less in the way of leafy green vegetables, or milk," that have the key nutrients . In this case,
you're feeding the world, but not solving the nutrition problems. Arnot, from the Center for Food Integrity, recently did a survey,
asking consumers whether they think the U.S. even has a responsibility to provide food to the rest of the world. Only 13 percent of these consumers
strongly agreed. In focus groups, many people said that if feeding the world means more industrial-scale farming, they're not comfortable with it. This is
not a message farmers like to hear. "It is a real sense of frustration for farmers that 'feeding the world' is no longer a message that resonates with the
American public," Arnot says. He tells farm groups that they'll have to find another message. They'll need to show that the
way they grow food is consistent with the values of American consumers.
Turn: US ag. actually wastes water
Lall 15 (Upmanu Lall: the Alan and Carol Silberstein Professor of Earth and Environmental Engineering and
of Civil Engineering and Engineering Mechanics. Columbia Engineering: “Will we run out of fresh water in the
21st century?” copyright date 2015. Accessed June 26th 2015. http://engineering.columbia.edu/will-we-runout-fresh-water-21st-century) KalM
In fact, one
of the key players in the looming water crisis is agriculture, which accounts for 70 percent of
global water use on average and more than 90 percent in arid regions. We might be able to
dramatically improve the efficiency of water use by improving irrigation systems, by changing the way
farmers water their crops, and by changing where different crops are grown. In fact, all these measures will need to
be effected even if our sole goal was adaptation to climate change and variability.
Agricultural water use efficiency is
not much higher in the United States than in many developing countries .
Agricultural water pollution due to the way fertilizers, herbicides, and pesticides are used is also a
significant global factor. We could also improve water use by improving food processing, storage, and
delivery as a means of reducing the 30 to 40 percent food loss that currently occurs post agricultural
production. With one-third of the developing world expected to confront severe water shortages in this century, this is not a problem that we can
ignore or avoid, and we’re working hard at the Columbia Water Center to find answers.
AT: AIR TRAFFIC CONTROL
No impact to air traffic targeting
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
Interference with national air traffic systems to disrupt flights, shut down air transport and endanger
passenger and crews is another frequently cited cyber-threat.10 We are not yet at a stage where computer networks operate
aircraft remotely, so it is not possible for
5 a cyber-attacker to take over an aircraft. Aircraft still carry
pilots who are trained to operate the plane in an emergency. Similarly, the Federal Aviation Authority does not
depend solely on computer networks to manage air traffic, nor are its communications dependent on the
Internet. The high level of human involvement in the control and decision making process for air traffic
reduces the risk of any cyber attack. In a normal month storms, electrical failures and programming glitches all ensure a consistently high
level of disruption in air traffic. Pilots and air traffic controllers are accustomed to unexpected disruptions and have
adapted their practices to minimize the effect. Airlines and travelers are also accustomed to and expect a high degree of disruption in
the system. In the United States, it is normal for 15,000 to 20,000 flights to be delayed or cancelled every month. A cyber attack that degraded
the air traffic system would create delays and annoyance, but it would not pose a risk to national security.
AT: ECON IMPACT
Cyber-attacks don’t threaten econ: empirics
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
Manufacturing and economic activity are increasingly dependent on computer networks, and cyber crime and
industrial espionage are new dangers for economic activity. However, the evidence is mixed as to the
vulnerability of manufacturing to cyber attack. A virus in 2000 infected 1,000 computers at Ford Motor
Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its
network. Email service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue
program appears to have caused only limited permanent damage. None of its 114 factories stopped, according
to the automaker. Computerized engineering blueprints and other technical data were unaffected. Ford was
still able to post information for dealers and auto parts suppliers on Web sites that it uses for that purpose.”12
Companies now report that the defensive measures they have taken meant that viruses that were exceptionally
damaging when they first appeared are now only “nuisances.”13
AT: EMERGENCY RESPONSE IMPACT
Cyber-attacks don’t threaten emergency response
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
The 911 emergency response system, a specialized communications network that relies on local telephone
service, is also a favorite target for theorists of cyber-terrorism, but like other infrastructures, it is a robust
target. The U.S. for example, does not use a single 911 system in but instead has several thousand local systems
using different technologies and procedures. No 911 system in a major city has been hacked. It might be possible to
send a flood of email messages instructing people to call 911 for important information and thus overload the system (this was the technique used in the
1997 U.S. cyber exercise “Eligible Receiver”). This sort of technique usually works only once - but made in conjunction with a bombing or other physical
attack they could act as a ‘force multiplier’ for a terrorist event.
AT: INTERNET IMPACT
Internet take-down isn’t threatened by cyber terror
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
While the Internet may have a few points of failure that offer the possibility for system wide disruption, it was designed to be
a robust, distributed communications network capable of continuing operations after a strategic nuclear
exchange. Packe
nodes in the network were eliminated and the Internet itself was designed to automatically route around damage to allow for continued communications.
Additionally, computer networks rely on a backbone of high capacity telecommunications systems that are
relatively secure from cyber-attack. The introduction of new communications technologies also enhances survivability.
Wireless and satellite communications also provide some redundancy for landline systems. Most industrial
countries now have access to three or four different modes of communications, making the system considerably
more robust than it was a decade ago. Increased use of ultra wideband and mesh radio networks will also increase redundancy and
survivability against cyber attack in communications networks.
IP THEFT ADVANTAGE
1NC CHINA MODERNIZATION
Modernization won’t turn violent despite nationalism
Dyer 9 [Gwynne, BA in History from Memorial University of Newfoundland in 1963; an MA in Military
History from Rice University, Houston, Texas, in 1966; and a PhD in Military and Middle Eastern History at
King's College London, Jakarta Post, Mar 29, http://www.thejakartapost.com/news/2005/03/12/chinaunlikely-engage-military-confrontation.html] //khirn
Given America's monopoly or huge technological lead in key areas like stealth bombers, aircraft carriers, long-range sensors, satellite
surveillance and even infantry body armor, Goss's warning is misleading and self-serving. China cannot project a
serious military force even 200 miles (km) from home, while American forces utterly dominate China's ocean frontiers,
many thousands of miles (kilometers) from the United States. But the drumbeat of warnings about China's ""military build-up""
continues. Just the other week U.S. Defense Secretary Donald Rumsfeld was worrying again about the expansion of the Chinese navy, which is finally
building some amphibious landing ships half a century after Beijing's confrontation with the non-Communist regime on the island of Taiwan began. And
Senator Richard Lugar, head of the Senate Foreign Relations Committee, warned that if the European Union ends its embargo on arms sales to China,
the U.S. would stop military technology sales to Europe. It will come as no surprise, therefore, that the major U.S. defense review planned for this year
will concentrate on the rising ""threat"" from China, or that this year for the first time the joint U.S.-Japanese defense policy statement named China as a
""security concern"", or that the Taiwan government urged the ""military encirclement"" of China to prevent any ""foreign adventures"" by Beijing. It
comes as no surprise -- but it still makes no sense. China's defense budget this year is 247.7 billion yuan: Around US$30 billion at the official exchange
rate. There are those in Washington who will say that it's more like $60 billion in purchasing power, but then there used to be ""experts"" who annually
produced hugely inflated and frightening estimates of the Soviet defense budget. Such people will always exist: to justify a big U.S. defense budget, you
need a big threat. It's true that 247.7 billion yuan buys an awful lot of warm bodies in military uniform in the low-wage Chinese economy, but it doesn't
actually buy much more in the way of high-tech military systems. It's also true that the Chinese defense budget has grown by double-digit increases for
the past fourteen years: This year it's up by 12.6 percent. But that is not significantly faster than the Chinese economy as a
whole is growing, and it's about what you have to spend in order to convert what used to be a glorified peasant militia
into a modern military force. It would be astonishing if China chose NOT to modernize its armed forces as the rest
of the economy modernizes, and the end result is not going to be a military machine that towers above all others. If
you project the current growth rates of military spending in China and the United States into the future, China's defense budget catches up with the
United States about the same time that its Gross Domestic Product does, in the late 2030s or the early 2040s. As to China's strategic
intentions, the record of the past is reassuring in several respects. China has almost never been militarily expansionist
beyond the traditional boundaries of the Middle Kingdom (which do include Tibet in the view of most Chinese), and its border
clashes with India, the Soviet Union and Vietnam in the first decades of Communist rule generally ended with a voluntary Chinese
withdrawal from the disputed territories. The same moderation has usually applied in nuclear matters. The CIA frets that
China could have a hundred nuclear missiles targeted on the United States by 2015, but that is actually evidence of
China's great restraint. The first Chinese nuclear weapons test was forty years ago, and by now China could have thousands of nuclear warheads
targeted on the U.S. if it wanted. (The United States DOES have thousands of nuclear warheads that can strike Chinese targets.) The Beijing regime is
obsessed with economic stability, because it fears that a severe downturn would trigger social and political upheaval. The last thing it
wants is a military confrontation with its biggest trading partner, the United States. It will go on playing the
nationalist card over Taiwan to curry domestic political favor, but there is no massive military build-up and no
plausible threat of impending war in East Asia.
Modernization is insulated from US policy
Holslag 9 [Jonathan, degree in political science @ Vrije Universiteit Brussels, Washington Quarterly,
“Embracing Chiense Global Security Ambitions,” July 2009,
http://www.twq.com/09july/docs/09jul_Holslag.pdf] //khirn
China increasingly acknowledges that its free ride is over, and that it will have to invest more in the protection
of its economic interests. The debate about how to protect foreign interests with military means is only starting to take place. Ma Xiaojun of the International
Institute of Strategic Studies of the Central Party School summarizes this predicament very clearly: it is the responsibility of the state to protect its citizens, and China is now
confronted with a dilemma between its principle of non-interference and the interests that derive from its national development. Experts and officials invoke four main
arguments in favor of a more proactive security policy. First, the economic competition from developed nations has compelled China to look for investment opportunities in
unstable parts of the world, particularly in oil drilling and contract labor in sub-Sahara African and South Asia. Second, China is no longer expected to stand aloof when
violence erupts. Given
its status as an aspiring great power, while national governments with which it does business
automatically ask for military aid and the international community requests mediation or sanctions, keeping a
low profilethe traditional maxim of China’s diplomacy is no longer tenable. Third, Beijing recognizes that passing the buck to
regional organizations or other powers is not an option. During a roundtable in Beijing in 2007, a group of senior military officers concluded that not only are these players
incapable of delivering, but relying on other countries with their own interests would be strategically irresponsible. Finally, Chinese
experts reckon that
China should not rely on the United States or other regional powers for its security. While coordination is
desirable, it cannot take for granted that these actors would refrain from containing China in the future. China,
therefore, is modifying its posture on foreign security challenges. In a 2007 report from the Development Research Center of the State Council,
two senior researchers of the State Council’s study department categorized non-traditional threats as a strategic economic challenge and pleaded for including a series of new
measures in the national security strategy, according to China’s position as an ‘‘influential world power.’’ After the lethal attack on a Chinese oil facility in Ethiopia in April
2007, China Daily asserted: ‘‘China needs to consider new channels to protect overseas interests.’’ The article stressed that: China must break through traditional diplomatic
thinking ... Only to rely on the traditional mode of high-level political contacts, only ‘peaceful coexistence’ and ‘mutually beneficial cooperation’ or the principle of self-restraint
are insufficient to protect ourselves or to safeguard overseas economic interests and development.’’ In a July 2008 Xinhua article, experts went beyond this idea of selfdefense, emphasizing that cooperation on asymmetric threats is also desirable for China’s international prestige but cannot be taken for granted. ‘‘Self-restraint
does
not work anymore,’’ it concluded, ‘‘China should develop its capabilities faster and show that while it becomes
stronger, it does not threaten others, but rather contributes to a stable world.’’
Zero risk of China rise impacts
Beauchamp 13 [Zach. Editor of TP Ideas, Reporter for ThinkProgress. Masters IR from London School of
Economics. “China has not replaced America — and it never will,” The Week, 2/13/14] //khirn
Many people seem to think it's simply a matter of when, not if, China takes the reins of world leadership. How, they think, can
America's 314 million people permanently outproduce a population that outnumbers the U.S. by over a billion people? This facile assumption is wrong.
China is not replacing the United States as the global hegemon. And it never will . China faces too
many internal problems and regional rivals to ever make a real play for global leadership. And even if Beijing could take the global
leadership mantle soon, it wouldn't. China wants to play inside the existing global order's rules, not change them.
Start with the obvious military point: The Chinese military has nothing like the global reach of its American
rival's. China only has one aircraft carrier, a refitted Russian vessel. The U.S. has 10, plus nine marine mini-carriers. China's
first homemade carrier is slated for completion in 2018, by which time the U.S. will have yet another modern carrier, and be well on its way to finishing another. The
idea that China will be able to compete on a global scale in the short to medium term is absurd .
Even in East Asia, it's not so easy for China. In 2012, Center for Strategic and International Studies experts Anthony Cordesman and Nicholas Yarosh looked
at the data on Chinese and Taiwanese military strength. They found that while China's relative naval strength was growing, Taiwan had
actually improved the balance of air power in its favor between 2005 and 2012 — just as China's economic growth rate, and hence
influx of new resources to spend on its military, was peaking. China's equipment is often outdated, and its training regimes can be
comically bad . A major part of its strategic missile force patrols on horseback because it doesn't have
helicopters. This isn't to deny China's military is getting stronger. It is. And one day, this might require the United States to rethink its strategic posture in East Asia. But
Chinese hard power is nowhere close to replacing, or even thinking about challenging,
American military hegemony. And look at China's geopolitical neighborhood. As a result of historical enmity and massive power disparities,
Beijing would have a tough time convincing Japan, South Korea, and Taiwan that its military buildup is
anything but threatening. Consequently, the smaller East Asian states are likely to get over their mutual disagreements and stick it out together in the Americanled alliance system for the foreseeable future. To the north and west, China is bordered by Russia and India. China fought each of them
as recently as the 1960s, and both are likely to be threatened by any serious Chinese military buildup. Unlike
the United States, bordered by oceans and two friendly states, China is surrounded by enemies and rivals.
Projecting power globally is hard when you've got to worry about defending your own turf. But what happens when China's GDP passes America's?
Well, for one thing, we're not really sure when that will be. Realizing that current growth rates were economically and ecologically unsustainable, the
Chinese government cut off the investment spigot that fueled its extraordinary 10 percent average annual growth. Today, China's growth rate is about half
of what it was in 2007. One analysis suggests China's GDP may not surpass America's until the 2100s . Moreover,
China's GDP per capita is a long way off from matching Western standards. In 2012, the World Bank assessed China's at $6,009; the United States' was $57,749. The perperson measure of wealth matters in that it reflects the government's capacity to pay for things that make its citizens happy and healthy. That's
where China's internal headaches begin. The Chinese government has staked its domestic political legitimacy
on delivering rapid, massive improvements in quality of life for its citizens. As growth slows, domestic political
dissent may rise. Moreover, growth's worst side effect to date — an unprecedented ecological crisis — is also a source of massive discontent. China has 20 of the
world's 30 most polluted cities; environmental cleanup costs may hoover up 3 percent of China's GDP. That's throwing 30 percent of
its yearly average growth (during the pre-2013 boom years!) down the drain. The mass death and poisoning that follow as severe pollution's handmaidens
threaten the very foundations of the Communist Party's power . American University China scholar Judith Shapiro writes
that environmental protests — which sometimes "shut down" huge cities — are "so severe and so central to the manner in which
China will 'rise' that it is no exaggeration to say that they cannot be separated from its national identity and the
government's ability to provide for the Chinese people." That's hardly the only threat to the Chinese economy. China's financial
system bears a disturbing resemblance to pre-crisis Wall Street. Its much-vaunted attempt to move away from an unsustainable exportbased economy, according to Minxin Pei, may break on the rocks of massive corruption and other economic problems. After listing a slew of related problems, Pei suggests
we need to start envisioning a world of " declining Chinese strength and rising probability of an
unexpected democratic transition in the coming two decades." But even if this economic gloom and doom is wrong, and China
really is destined for a prosperous future, there's one simple reason China will never displace America as global leader: It
doesn't want to. Chinese foreign policy, to date, has been characterized by a sort of realist incrementalism. China has
displayed no interest in taking over America's role as protector of the global commons; that's altogether too altruistic a task. Instead, China is content to let the United States
and its allies keep the sea lanes open and free ride off of their efforts. A
powerful China, in other words, would most likely to be happy to
pursue its own interests inside the existing global order rather than supplanting it. In 2003, Harvard's Iain Alastair
Johnston analyzed data about Chinese hostility to the global status quo across five dimensions: participation in international institutions,
compliance with international norms, twisting the rules that govern global institutions, making the transformation of global political power into a clear policy goal, and
acting militarily on that objective. He found that China was "more integrated into and more cooperative within international
institutions than ever before," and that there was "murky" evidence at best of intent to challenge the United
States outside of them. Johnston reassessed parts of his argument in 2013 and concluded that not much had changed.
Turn: Chinese modernization good; solves war and security
Tuosheng 2014 (Zhang; Tuosheng is the Director of Research and Senior Fellow at the China Foundation for International
Strategic Studies. “Impact of Chinese Military Development on Regional and Global Security,” May 8, 2014,
http://www.chinausfocus.com/peace-security/impact-of-chinese-military-development-on-regional-and-globalsecurity/#sthash.dUPF2IPd.dpuf ) //JRW
Impact on regional and global security First, Chinese
military development has played a very positive role in the
maintenance of global peace and security. For years, along with increased military capabilities, China has
undertaken major responsibility in, and made great contribution to international peacekeeping, disaster relief
and humanitarian assistance. It has also become increasingly positive towards and made contribution to naval
escort, sea-lane protection, anti-terror cooperation, prevention of proliferation of weapons of mass destruction
and nuclear security, all of which have been welcomed by the international community. Second, China has also played a
positive role in enhancing security in its neighborhood. In East Asia, the Chinese military has helped to decrease the possibility of
conflict outbreak in two traditional hot spots: Taiwan Straits and the Korean Peninsula. In Central Asia, China
has, through political and military cooperation, contained the challenges of three types of extremist forces,
contributed to regional security and stability. In West Asia, China has given important support to the
prevention of and combat of terrorist forces. Besides, the Chinese military has also taken an active part in disaster relief and medical
assistance in the neighborhood, which is also welcomed by the relevant countries.
2NC CHINA MODERNIZATION
Modernization won’t cause war
Swaine 11 [Michael, senior associate at the Carnegie Endowment for International Peace and author of the
new book America’s Challenge: Engaging a Rising China in the Twenty-First Century, Enough Tough Talk on
China, The National Interest, September 26, 2011, http://nationalinterest.org/commentary/enough-toughtalk-china-5934?page=1] //khirn
These days it
is fashionable for pundits to point out the supposedly disastrous consequences for the United States that
will result from China’s efforts to modernize its military. The latest variant of this argument was presented by Aaron Friedberg in
The New York Times on September 4 and in his new book, A Contest for Supremacy: China, America and the Struggle for Mastery in Asia. The basic facts
about China’s military buildup have been well known for years and are hardly disputed: Beijing is gradually acquiring the capability to interdict and
possibly destroy U.S. ships and bases operating near China’s coastline, primarily using missiles, submarines, cyber warfare and ground-based satellite
blinders. It’s also true that this development puts at risk Washington’s position as the predominant maritime power in that critical region. That is a
legitimate issue that requires far more serious consideration than it has thus far received from most U.S. policy makers. The question is: what does China
intend to do with its growing capabilities and how should Washington respond? Self-proclaimed realists such as Friedberg offer a relatively simple
solution: The White House must recognize China’s buildup as an intended effort to eject the United States from Asia, convince the American public (and
its allies) of the dire threat to hearth and home that it presents and, with public support in hand, plow untold additional defense dollars into maintaining
an unambiguously superior military posture in the Western Pacific. Only then will Beijing give up its determined plans for regional dominance. In
reality, there is little if any hard evidence to indicate that China’s strategic intent is to establish itself, in Friedberg’s
words, as “Asia’s dominant power by eroding the credibility of America’s security guarantees, hollowing out its alliances, and eventually easing
it out of the region.” If this is Beijing’s goal, the Pentagon has yet to discover it—and presumably not for lack of trying. The recently published annual
Department of Defense report on the Chinese military asserts that Beijing’s ultimate military intentions in Asia and elsewhere are
unknown. And privately, DoD analysts will acknowledge that the PLA is not currently acquiring the kinds of
capabilities that would be required to project substantial power far from its shores and eject the United States
from Asia. When confronted with such information, proponents of the “China is out to displace us” theory counter that
Beijing’s strategy is so stealthy as to avoid detection, and that in any event, it is the so-called realist “logic” of
China’s situation that demands such a strategy. According to this logic, Beijing has no choice but to seek to
eject the United States from Asia to ensure its own security. So much for free will and the growing imperative both countries face
to work together to solve worsening global problems, such as climate change. China’s strategic mindset is quintessentially
defensive , largely reactive, and focused first and foremost on deterring Taiwan’s independence and defending the Chinese mainland, not on
establishing itself as Asia’s next hegemon. Although it is not inconceivable that China might adopt more ambitious, far-flung military objectives in the
future—perhaps including an attempt to become the preeminent Asian military power—such goals remain ill-defined, undetermined and
subject to much debate in Beijing. This suggests that China’s future strategic orientation is susceptible to outside influence, not fixed in
stone.
Chinese nuclear posture is stable
Alagappa 9 [Muthiah Alagappa, Distinguished Senior Fellow, East-West Center PhD, International Affairs,
Fletcher School of Law and Diplomacy, Tufts University, 2009, “The Long Shadow,” p.517-518] //khirn
The caution induced by nuclear weapons, their leveling effect, the strategic insurance they provide to cope with unanticipated
contingencies, and general deterrence postures inform and circumscribe interaction among the major powers, reduce their anxieties, and constrain
the role of force in their interaction. This enables major powers to take a long view and focus on other national priorities. Nuclear
weapons feature primarily in deterrence and insurance roles. These roles are not necessarily threatening to other
parties. Modernization of nuclear arsenals and the development of additional capabilities have proceeded at a
moderate pace; they have produced responses but not intense strategic competition. The net effect has been
stabilizing. The stabilizing effect of nuclear weapons in the Sino-American, Russo-American, and Sino-Indian dyads were discussed in Chapter 17.
Here I will limit myself to making some additional points. Continuing deterrence dominance underlies China’s measured
response to the U.S. emphasis on offensive strategies and its development of strategic missile defense. Perceiving these
as undermining the robustness of its strategic deterrent force, China seeks to strengthen the survivability of its retaliatory force and is
attempting to develop capabilities that would threaten American space-based surveillance and communications
facilities in the event of hostilities. However, these efforts are not presented as a direct challenge to or competition with
the United States. Beijing has deliberately sought to downplay the modernization of its nuclear force. This is not simply
deception, but a serious effort to develop a strong deterrent force without entering into a strategic competition with
the United States, which it cannot win due to the huge imbalance in military capabilities and technological
imitations. Strategic competition will also divert attention and resources away from the more urgent
modernization goals. A strong Chinese strategic deterrent force blunts the military advantage of the United States, induces caution in that
country, and constrains its military option in the event of hostilities. Although Russia’s response to the U.S. development of offensive and strategic
defense capabilities has been more vocal, it lacks specifics. Moscow also does not appear to have allocated significantly more resources to its nuclear
force.
Modernization’s stable---it’ll stay within NFU and de-mated force structure
Lewis 9 [Jeffrey Lewis, Director of the Nuclear Strategy and Nonproliferation Initiative at the New America
Foundation, Former executive director of the Managing the Atom Project at the Belfer Center for Science and
International Affairs. Ph.D. in policy studies (international security and economic policy) from the University
of Maryland, April 2009, “Chinese Nuclear Posture and Force Modernization,” in Engaging China and Russia
on Nuclear Disarmament, eds. Hansell and Potter, online: http://cns.miis.edu/opapers/op15/op15.pdf]
//khirn
Although such increases are within China’s economic and industrial capabilities, especially if China were to deploy as many as five new ballistic missile submarines, it is also
possible that China’s
modernization will occur within the general parameters of its overall force posture,
characterized by keeping warheads in storage and a restrictive nuclear no-first-use declaratory policy. China’s nuclear arsenal also stands out from
the other nuclear powers not merely due to its small size, but also because China keeps its nuclear forces off alert and under the strictures
of a no-first use pledge. By all indications, Chinese nuclear warheads are not normally mated to their missiles. Robert Walpole, then national intelligence officer
for strategic and nuclear programs at the CIA, stated in 1998 that “China keeps its missiles unfueled and without warheads mated.”20 The
warheads are stored at nearby, but separate, bases. Press reports of Chinese mobile ballistic missile exercises published by the state-run Xinhua News Agency indicate that
nuclear warheads would be mated in the fi eld to mobile ballistic missiles before launch, similar to the procedure used by Soviet Mobile Technical Rocket Bases (PRTB, in
Russian) stationed in East Germany and elsewhere during the Cold War.21 Anecdotal evidence from public descriptions of Chinese exercises and doctrinal materials suggest
that Chinese
forces expend considerable effort training to conduct retaliatory missions in the harsh environment after a nuclear
strike. One Chinese textbook that is used to train cadres is forthright about the difficulty of maintaining a
survivable retaliatory capability under a no-first-use doctrine. “According to our principle of no first-use of nuclear weapons,” the text
Zhanyi Xue (Operational Studies) warns future commanders, “the nuclear retaliation campaign of the Second Artillery will be conducted under the circumstances when [the]
enemy has launched a nuclear attack on us. … The personnel, position equipment, weapons equipment, command telecommunication system and the roads and bridges in the
battlefi eld will be seriously hurt and damaged.”22 Whether Chinese leaders will change these features of their nuclear posture is difficult to predict. Western
analysts have long predicted, for example, that China would eventually move away from a no-first-use posture—
yet China’s political leaders continue to appear committed to the policy. In part, the judgment that China would dump no-first-use has
been based on voluminous criticisms of no-first-use in Chinese military writings. The considerable ink spilled in Chinese military publications complaining about “no-firstuse” is probably the best evidence that the policy remains in place.23 Dissatisfaction among some Second Artillery commanders with no-first-use might also explain the
growing deployments of conventionally armed ballistic missiles, which are presumably subject to less doctrinal interference from senior leaders and Chinese nuclear weapons
scientists.
Modernization is inherently slow and stable---it’s guided by their doctrine which rejects any
offensive role for nuclear weapons---there’s no chance modernization turns offensive
Yuan 9 [Jing-Dong, Director of the East Asia Nonproliferation Program at the James Martin Center for
Nonproliferation Studies and associate professor of international policy studies at the Monterey Institute of
International Studies, April 2009, “China and the Nuclear-Free World,” in Engaging China and Russia on
Nuclear Disarmament, eds. Hansell and Potter, online: http://cns.miis.edu/opapers/op15/op15.pdf] //khirn
China has long maintained that its nuclear weapons development is largely driven by the need to respond to nuclear coercion and blackmail. The role
of nuclear weapons, in this context, is purely defensive and retaliatory, rather than war-fighting, as some western analysts suggest.19 Indeed, in
the early years, China even rejected the concept of deterrence, regarding it as an attempt by the superpowers to compel others with the threat of nuclear weapons. This
probably explains the glacial pace with which China introduced, modified, and modernized its small-size nuclear
arsenals over the past four decades. Mainly guided by the principle that nuclear weapons will only be used (but used in a rather indiscriminate way) if
China is attacked with nuclear weapons by others, nuclear weapons in China’s defense strategy serve political rather than military
purposes.20 PLA analysts emphasize that the terms “nuclear strategy” and “nuclear doctrine” are rarely used in Chinese strategic discourse; instead, a more commonly
used term refers to “nuclear policy,” which in turn is governed by the country’s national strategy. Hence, the deployment and use of nuclear weapons
are strictly under the “supreme command” of the Communist Party and its Central Military Commission. Nuclear
weapons are for strategic deterrence only; no tactical or operational utility is entertained . If and when China is under a
nuclear strike, regardless of the size and the yield, it warrants strategic responses and retaliation.21 Chinese leaders and military strategists consider the role for nuclear
weapons as one of defensive nuclear deterrence (ziwei fangyu de heweishe). Specifically, the country’s nuclear doctrine and force modernization have been informed and
guided by three general principles: effectiveness (youxiaoxing), sufficiency (zugou), and counter-deterrence (fanweishe).22 China’s 2006 Defense White Paper emphasizes the
importance of developing land-based strategic capabilities, both nuclear and conventional, but provides no specifics on the existing arsenal, the structure of the Second
Artillery Corps (China’s strategic nuclear force) order of battle, or the projected size of the nuclear force. It indicates only that China will continue to maintain and build a lean
and effective nuclear force. While Chinese analysts acknowledge that deterrence underpins China’s nuclear doctrine, it is more in the sense of preventing nuclear coercion by
the superpower(s) without being coercive itself, and hence it is counter-coercion or counter-deterrence. Rather
than build a large nuclear arsenal as
resources and relevant technologies have become available, a path pursued by the superpowers during the Cold
War, China has kept the size of its nuclear weapons modest, compatible with a nuclear doctrine of minimum
deterrence.23 According to Chinese analysts, nuclear weapons’ role in China’s defense doctrine and posture is
limited and is reinforced by the NFU position, a limited nuclear arsenal, and support of nuclear disarmament.
Reject hyperbole—the US has accounted for Chinese buildup
Ross 9 [Robert, professor of political science at Boston College, The National Interest, “Myth”, 9/1,
http://nationalinterest.org/greatdebate/dragons/myth-3819] //khirn
Yet China
does not pose a threat to America's vital security interests today, tomorrow or at any time in the near
future. Neither alarm nor exaggerated assessments of contemporary China's relative capabilities and the
impact of Chinese defense modernization on U.S. security interests in East Asia is needed because, despite
China's military advances, it has not developed the necessary technologies to constitute a grave threat. Beijing's
strategic advances do not require a major change in Washington's defense or regional security policy, or in U.S. policy toward China. Rather, ongoing
American confidence in its capabilities and in the strength of its regional partnerships allows the United States
to enjoy both extensive military and diplomatic cooperation with China while it consolidates its regional
security interests. The China threat is simply vastly overrated. AMERICA'S VITAL security interests, including in East Asia, are all
in the maritime regions. With superior maritime power, the United States can not only dominate regional sea-lanes but
also guarantee a favorable balance of power that prevents the emergence of a regional hegemon. And despite
China's military advances and its challenge to America's ability to project its power in the region, the United States can be confident in
its ability to retain maritime dominance well into the twenty-first century. East Asia possesses plentiful offshore assets that
enable the United States to maintain a robust military presence, to contend with a rising China and to maintain a favorable balance of power. The U.S.
alliance with Japan and its close strategic partnership with Singapore provide Washington with key naval and air facilities essential to regional power
projection. The United States also has developed strategic cooperation with Malaysia, Indonesia and the Philippines. Each country possesses significant
port facilities that can contribute to U.S. capabilities during periods of heightened tension, whether it be over Taiwan or North Korea. The United States
developed and sustained its strategic partnerships with East Asia's maritime countries and maintained the balance of power both during and after the
cold war because of its overwhelming naval superiority. America's power-projection capability has assured U.S. strategic
partners that they can depend on the United States to deter another great power from attacking them; and, should war ensue, that they would
incur minimal costs. This American security guarantee is as robust and credible as ever. The critical factor in
assessing the modernization of the PLA's military forces is thus whether China is on the verge of challenging
U.S. deterrence and developing war-winning capabilities to such a degree that East Asia's maritime countries
would question the value of their strategic alignment with the United States. But, though China's capabilities are
increasing, in no way do they challenge U.S. supremacy . America's maritime security is based not only on its superior
surface fleet, which enables it to project airpower into distant regions, but also on its subsurface ships, which provide secure "stealth" platforms for
retaliatory strikes, and its advanced command, control, communications, computers, intelligence, surveillance and reconnaissance (C 4ISR) capabilities.
In each of these areas, China is far from successfully posing any kind of serious immediate challenge. CHINA IS buying and building a better maritime
capability. However, the net effect of China's naval advances on U.S. maritime superiority is negligible. Since the early 1990s-especially later in the
decade as the Taiwan conflict escalated and following the 1996 U.S.-China Taiwan Strait confrontation-Beijing focused its maritime-acquisitions
program primarily on the purchase of modern submarines to contribute to an access-denial capability that could limit U.S. operations in a Taiwan
contingency. It purchased twelve Kilo-class submarines from Russia and it has developed its own Song-class and Yuan-class models. These highly
capable diesel submarines are difficult to detect. In addition, China complemented its submarine capability with a coastal deployment of Russian Su-27
and Su-30 aircraft and over one thousand five hundred Russian surface-to-air missiles. The combined effect of these deployments has been greater
Chinese ability to target an American aircraft carrier and an improved ability to deny U.S. ships and aircraft access to Chinese coastal waters. Indeed,
American power-projection capabilities in East Asia are more vulnerable now than at any time since the end of the cold war. We can no longer guarantee
the security of a carrier. Nevertheless, the
U.S. Navy is acutely aware of Chinese advances and is responding with
measures to minimize the vulnerability of aircraft carriers. Due to better funding, improved technologies and
peacetime surveillance of Chinese submarines, the American carrier strike group's ability to track them and the
U.S. Navy's antisubmarine capabilities are constantly improving. The U.S. strike group's counter-electronic-warfare capabilities
can also interfere with the PLA Navy's reconnaissance ability. Improved Chinese capabilities complicate U.S. naval operations and require greater
caution in operating an aircraft carrier near the Chinese coast, particularly in the case of a conflict over Taiwan. A carrier strike force may well have to
follow a less direct route into the area and maintain a greater distance from China's coast to reduce its vulnerability to Chinese capabilities. But such
complications to U.S. operations do not significantly degrade Washington's ability to project superior power
into maritime theaters. The United States still possesses the only power-projection capability in East Asia.
1NC HEGEMONY
Cyber-attacks don’t threaten military
Lewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy
Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of
Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War
and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM
Cyber attacks are often presented as a threat to military forces and the Internet has major implications for
espionage and warfare. Information warfare covers a range of activities of which cyber attacks may be the least
important. While information operations and information superiority have become critical elements in
successful military operations, no nation has placed its military forces in a position where they are dependent
on computer networks that are vulnerable to outside attack. This greatly limits the effectiveness of cyber
weapons (code sent over computer networks). The many reports of military computer networks being hacked
usually do not explain whether these networks are used for critical military functions. It is indicative, however,
that despite regular reports of tens of thousands of network attacks every year on the Department of Defense,
there has been no degradation of U.S. military capabilities.
Nukes are airgapped and resilient to hacking
Reed 12 [John, national security reporter for Foreign Policy “Keeping nukes safe from cyber attack,”
September 25, 2012, Foreign Policy,
complex.foreignpolicy.com/posts/2012/09/25/keeping_nukes_safe_from_cyber_attack] //khirn
"Our ability to keep our networks assured and protected and not vulnerable is really important, it's something we have
looked at hard," Maj. Gen. William Chambers, head of Air Force Global Strike Command's nuclear deterrence shop, told Killer Apps during a Sept. 18
interview. "It's something that we build into all of our new nuclear weapons systems so that they remain cyber-
secure." Global Strike Command manages U.S. land-based nuclear ICBMs and air-launched nuclear cruise missiles and bombs. Protecting what are
arguably the nation's most important military assets from cyber attack, and avoiding the terrifying scenario of an enemy feeding incorrect information
into the nuclear command-and-control networks "seized" Air Force officials after they lost contact with a field of 50 Minuteman III ICBMs at FE Warren
Air Force Base in Wyoming for an hour in late 2010, according to Chambers. "It's really important. It's a problem that about a year ago we
were seized with. We have done some pretty comprehensive studies of the cyber-state of our ICBM force. We
are confident in it," said Chambers. "There was an issue: we had a temporary interruption in our ability to monitor one of our missile squadrons
back in the fall of 2010. That produced a need to take a comprehensive look at the entire system. It took a year to do that study, and we're confident that
the system is good, but as we upgrade it, modernize it, integrate it, we've got to really pay attention to" protecting nuclear command-and-control
information. While Chambers didn't go into specifics of how Global Strike Command will protect its nuclear command-and-control networks
from cyber attack, he did say that it is
working to harden its networks against intrusion and the manipulation of nuclear
command-and-control information and to increase backup communications abilities. Chambers added that the
Minuteman III ICBM command systems, designed in the 1960s and 1970s, are incredibly robust . "ICBM-wise we
have a very secure system." A Boeing official later told Killer Apps that while it is looking at upgrading the ancient technology used in parts of
the Minuteman command networks, that technology is safe from hacking . Boeing is on contract with the Air Force
to maintain the 1970s-vintage Minuteman III fleet and is helping the service keep the missiles in service
through the 2030s. "Our C2 [command-and-control] system for Minuteman is a very old system. There's a network called the
HICS [hardened intersite cable system] network, and it's [made of] copper wire, and it's limited in bandwidth ,"
said Peggy Morse, director of Boeing's strategic missiles systems programs, told Killer Apps on Sept. 18. While it's old, " it's very secure ," she
added. Still, "as we look at different C2 systems and ways to move data about in the field, information assurance is a big deal there, and the
security requirements are going to drive the solutions that we look at," said Morse. The company is also working to modernize the actual
cryptographic devices used to encrypt and decipher launch codes for nuclear missiles.
Russia and China can’t cyberattack the US – they only use it to crack down on their own
populations
Rid 12 [Thomas, reader in war studies at King's College London, is author of "Cyber War Will Not Take Place"
and co-author of "Cyber-Weapons.", March/April 2012, “Think Again: Cyberwar”,
http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page=full] //khirn
"The West Is Falling Behind Russia and China." Yes, but not how you think. Russia
and China are busy sharpening their
cyberweapons and are already well steeped in using them. The Russian military clandestinely crippled Estonia's economy in 2007
and Georgia's government and banks in 2008. The People's Liberation Army's numerous Chinese cyberwarriors have long inserted "logic bombs" and
"trapdoors" into America's critical infrastructure, lying dormant and ready to wreak havoc on the country's grid and bourse in case of a crisis. Both
countries have access to technology, cash, and talent -- and have more room for malicious maneuvers than law-abiding Western democracies poised to
fight cyberwar with one hand tied behind their backs. Or
so the alarmists tell us. Reality looks quite different . Stuxnet, by
far the most sophisticated cyberattack on record, was most likely a U.S.-Israeli operation. Yes, Russia and China
have demonstrated significant skills in cyberespionage, but the fierceness of Eastern cyberwarriors and their
coded weaponry is almost certainly overrated . When it comes to military-grade offensive attacks, America
and Israel seem to be well ahead of the curve. Ironically, it's a different kind of cybersecurity that Russia and China may be more
worried about. Why is it that those countries, along with such beacons of liberal democracy as Uzbekistan, have suggested that the United Nations
establish an "international code of conduct" for cybersecurity? Cyberespionage was elegantly ignored in the suggested wording for the convention, as
virtual break-ins at the Pentagon and Google remain a favorite official and corporate pastime of both countries. But what Western democracies see as
constitutionally protected free speech in cyberspace, Moscow and Beijing regard as a new threat to their ability to control their citizens.
Cybersecurity has a broader meaning in non-democracies: For them, the worst-case scenario is not collapsing
power plants, but collapsing political power.b The social media-fueled Arab Spring has provided dictators with a
case study in the need to patrol cyberspace not only for subversive code, but also for subversive ideas. The fall of
Egypt's Hosni Mubarak and Libya's Muammar al-Qaddafi surely sent shivers down the spines of officials in Russia and China. No wonder the two
countries asked for a code of conduct that helps combat activities that use communications technologies -- "including networks" (read: social networks) - to undermine "political, economic and social stability." So Russia and China are ahead of the United States, but mostly in
defining cybersecurity as the fight against subversive behavior. This is the true cyberwar they are fighting.
Meaningful attacks are infeasible
Clark 12 [Paul, MA candidate – Intelligence Studies @ American Military University, senior analyst –
Chenega Federal Systems, “The Risk of Disruption or Destruction of Critical U.S. Infrastructure by an Offensive
Cyber Attack,” 4/28/2012, American Military University] //khirn
The Department of Homeland
Security worries that our critical infrastructure and key resources (CIKR) may be
exposed, both directly and indirectly, to multiple threats because of CIKR reliance on the global cyber infrastructure, an
infrastructure that is under routine cyberattack by a “spectrum of malicious actors ” (National Infrastructure Protection Plan
2009). CIKR in the extremely large and complex U.S. economy spans multiple sectors including agricultural, finance and banking, dams
and water resources, public health and emergency services, military and defense, transportation and shipping, and energy (National
Infrastructure Protection Plan 2009). The disruption and destruction of public and private infrastructure is part of warfare, without this infrastructure
conflict cannot be sustained (Geers 2011). Cyber-attacks are desirable because they are considered to be a relatively “low cost and long range” weapon
(Lewis 2010), but prior to the creation of Stuxnet, the first cyber-weapon, the ability to disrupt and destroy critical
infrastructure through cyber-attack was theoretical. The movement of an offensive cyber-weapon from
conceptual to actual has forced the United States to question whether offensive cyber-attacks are a significant
threat that are able to disrupt or destroy CIKR to the level that national security is seriously degraded. It is important to understand the risk posed to
national security by cyber-attacks to ensure that government responses are appropriate to the threat and balance security with privacy and civil liberty
concerns. The risk posed to CIKR from cyber-attack can be evaluated by measuring the threat from cyber-attack
against the vulnerability of a CIKR target and the consequences of CIKR disruption. As the only known cyber-weapon,
Stuxnet has been thoroughly analyzed and used as a model for predicting future cyber-weapons. The U.S.
electrical grid, a key component in the CIKR energy sector, is a target that has been analyzed for vulnerabilities and the consequences
of disruption predicted – the electrical grid has been used in multiple attack scenarios including a classified scenario provided to
the U.S. Congress in 2012 (Rohde 2012). Stuxnet will serve as the weapon and the U.S. electrical grid will serve as the target in this risk
analysis
that
concludes that there is a low risk of disruption or destruction of critical
infrastructure from a an offensive cyber-weapon because of the complexity of the attack path, the limited capability
of non-state adversaries to develop cyber-weapons, and the existence of multiple methods of mitigating the cyberattacks. To evaluate the threat posed by a Stuxnet-like cyber-weapon, the complexity of the weapon, the available attack vectors for the weapon, and
the resilience of the weapon must be understood. The complexity – how difficult and expensive it was to create the weapon – identifies the relative cost
and availability of the weapon; inexpensive and simple to build will be more prevalent than expensive and difficult to build. Attack vectors are the
available methods of attack; the larger the number, the more severe the threat. For example, attack vectors for a cyberweapon may be email attachments,
peer-to-peer applications, websites, and infected USB devices or compact discs. Finally, the resilience of the weapon determines its availability and
affects its usefulness. A useful weapon is one that is resistant to disruption (resilient) and is therefore available and reliable. These concepts are seen in
the AK-47 assault rifle – a simple, inexpensive, reliable and effective weapon – and carry over to information technology structures (Weitz 2012). The
evaluation of Stuxnet identified malware that is “ unusually
complex and large ” and required code written in
multiple languages (Chen 2010) in order to complete a variety of specific functions contained in a “vast array” of
components – it is one of the most complex threats ever analyzed by Symantec (Falliere, Murchu and Chien 2011). To be
successful, Stuxnet required a high level of technical knowledge across multiple disciplines , a laboratory with the
target equipment configured for testing, and a foreign intelligence capability to collect information on the
target network and attack vectors (Kerr, Rollins and Theohary 2010). The malware also needed careful monitoring and
maintenance because it could be easily disrupted; as a result Stuxnet was developed with a high degree of configurability and was upgraded
multiple times in less than one year (Falliere, Murchu and Chien 2011). Once introduced into the network, the cyberweapon then had to utilize four known vulnerabilities and four unknown vulnerabilities, known as zero-day exploits, in
order to install itself and propagate across the target network (Falliere, Murchu and Chien 2011). Zero-day exploits are
incredibly difficult to find and fewer than twelve out of the 12,000,000 pieces of malware discovered each
year
utilize zero-day exploits
and this rarity makes them valuable, zero-days
can fetch $50,000 to $500,000 each on the
black market (Zetter 2011). The use of four rare exploits in a single piece of malware is
“unprecedented” (Chen 2010). Along with the use of four unpublished exploits, Stuxnet also used the “first ever”
programmable logic controller rootkit, a Windows rootkit, antivirus evasion techniques, intricate process injection routines,
and other complex interfaces (Falliere, Murchu and Chien 2011) all wrapped up in “layers of encryption like Russian nesting
dolls” (Zetter 2011) – including custom encryption algorithms (Karnouskos 2011). As the malware spread across the now-infected network it had to
utilize additional vulnerabilities in proprietary Siemens industrial control software (ICS) and hardware used to control the equipment it
was designed to sabotage. Some of these ICS vulnerabilities were published but some were unknown and required such a high
degree of inside knowledge that there was speculation that a Siemens employee had been involved in the
malware design (Kerr, Rollins and Theohary 2010). The unprecedented technical complexity of the Stuxnet cyberweapon, along with the extensive technical and financial resources and foreign intelligence capabilities required for its development and deployment,
indicates that the malware was likely developed by a nation-state (Kerr, Rollins and Theohary 2010). Stuxnet had very limited
attack vectors. When a computer system is connected to the public Internet a host of attack vectors are available to the cyber-attacker (Institute for
Security Technology Studies 2002). Web browser and browser plug-in vulnerabilities, cross-site scripting attacks, compromised email attachments, peerto-peer applications, operating system and other application vulnerabilities are all vectors for the introduction of malware into an Internetconnected
computer system. Networks that are not connected to the public internet are “air gapped,” a technical colloquialism to identify
a physical separation between networks. Physical
separation from the public Internet is a common safeguard for sensitive
networks including classified U.S. government networks. If the target network is air gapped, infection can only
occur through physical means – an infected disk or USB device that must be physically introduced into a possibly
access controlled environment and connected to the air gapped network. The first step of the Stuxnet cyber-attack was to initially infect the target
networks, a difficult task given the probable disconnected and well secured nature of the Iranian nuclear facilities. Stuxnet was introduced
via
a USB device to the target network, a method that suggests that the attackers were familiar with the configuration of
the network and knew it was not connected to the public Internet (Chen 2010). This assessment is supported by two rare features in Stuxnet –
having all necessary functionality for industrial sabotage fully embedded in the malware executable along with the ability to self-propagate and upgrade
through a peer-to-peer method (Falliere, Murchu and Chien 2011). Developing an understanding of the target network configuration
was a significant and daunting task based on Symantec’s assessment that Stuxnet repeatedly targeted a total of
five different organizations over nearly one year (Falliere, Murchu and Chien 2011) with physical introduction via USB drive
being the only available attack vector. The final factor in assessing the threat of a cyber-weapon is the resilience of the weapon. There are
two primary factors that make Stuxnet non-resilient: the complexity of the weapon and the complexity of the target.
Stuxnet was highly customized for sabotaging specific industrial systems (Karnouskos 2011) and needed a large number of very
complex components and routines in order to increase its chance of success (Falliere, Murchu and Chien 2011). The malware
required eight vulnerabilities in the Windows operating system to succeed and therefore would have failed if those vulnerabilities had
been properly patched; four of the eight vulnerabilities were known to Microsoft and subject to elimination (Falliere, Murchu and Chien 2011).
Stuxnet also required that two drivers be installed and required two stolen security certificates for installation (Falliere, Murchu
and Chien 2011); driver installation would have failed if the stolen certificates had been revoked and marked as invalid. Finally, the configuration of
systems is ever-changing as components are upgraded or replaced. There is no guarantee that the network that was mapped for
vulnerabilities had not changed in the months, or years, it took to craft Stuxnet and successfully infect the target network.
Had specific components of the target hardware changed – the targeted Siemens software or programmable logic controller – the attack
would have failed. Threats are less of a threat when identified; this is why zero-day exploits are so valuable. Stuxnet went to
great lengths to hide its existence from the target and utilized multiple rootkits, data manipulation routines, and virus avoidance techniques
to stay undetected. The malware’s actions occurred only in memory to avoid leaving traces on disk, it masked its activities by running under legal
programs, employed layers of encryption and code obfuscation, and uninstalled itself after a set period of time, all efforts to avoid detection because its
authors knew that detection meant failure. As a result of the complexity of the malware, the changeable nature of the target
network, and the chance of discovery, Stuxnet is not a resilient system. It is a fragile weapon that
required an investment of time and money to constantly monitor, reconfigure, test and deploy over the course of a year.
There is concern, with Stuxnet developed and available publicly, that the world is on the brink of a storm of highly
sophisticated Stuxnet-derived cyber-weapons which can be used by hackers, organized criminals and terrorists (Chen
2010). As former counterterrorism advisor Richard Clarke describes it, there is concern that the technical brilliance of the United States “has created
millions of potential monsters all over the world” (Rosenbaum 2012). Hyperbole aside, technical knowledge spreads. The techniques behind
cyber-attacks are “constantly evolving and making use of lessons learned over time” (Institute for Security Technology
Studies 2002) and the publication of the Stuxnet code may make it easier to copy the weapon (Kerr, Rollins and Theohary 2010).
However, this is something of a zero-sum game because knowledge works both ways and cyber-security techniques
are also evolving , and “understanding attack techniques more clearly is the first step toward increasing security” (Institute for Security
Technology Studies 2002). Vulnerabilities are discovered and patched, intrusion detection and malware signatures are
expanded and updated, and monitoring and analysis processes and methodologies are expanded and honed. Once
the element of surprise is lost, weapons and tactics are less useful , this is the core of the argument that
“uniquely surprising” stratagems like Stuxnet are single-use, like Pearl Harbor and the Trojan Horse, the “very success
[of these attacks] precludes their repetition” (Mueller 2012). This paradigm has already been seen in the “son of Stuxnet” malware –
named Duqu by its discoverers – that is based on the same modular code platform that created Stuxnet (Ragan 2011). With the techniques
used by Stuxnet now known, other variants such as Duqu are being discovered and countered by security
researchers (Laboratory of Cryptography and System Security 2011). It is obvious that the effort required to create, deploy, and
maintain Stuxnet and its variants is massive and it is not clear that the rewards are worth the risk and
effort.
Given the location of initial infection and the number of infected systems in Iran (Falliere, Murchu and Chien 2011) it is believed that Iranian
nuclear facilities were the target of the Stuxnet weapon. A
significant amount of money and effort was invested in creating
Stuxnet but yet the expected result – assuming that this was an attack that expected to damage production – was minimal at best.
Iran claimed that Stuxnet caused only minor damage, probably at the Natanz enrichment facility, the Russian contractor Atomstroyeksport
reported that no damage had occurred at the Bushehr facility, and an unidentified “senior diplomat” suggested that Iran was forced to shut down its
centrifuge facility “for a few days” (Kerr, Rollins and Theohary 2010). Even the most optimistic estimates believe that Iran’s
nuclear enrichment program was only delayed by months, or perhaps years (Rosenbaum 2012). The actual damage done by Stuxnet
is not clear (Kerr, Rollins and Theohary 2010) and the primary damage appears to be to a higher number than average replacement of centrifuges at the
Iran enrichment facility (Zetter 2011). Different targets may produce different results. The Iranian nuclear facility was a difficult target with limited
attack vectors because of its isolation from the public Internet and restricted access to its facilities. What is the probability of a successful
attack against the U.S. electrical grid and what are the potential consequences should this critical infrastructure be disrupted or destroyed?
An attack against the electrical grid is a reasonable threat scenario since power systems are “a high priority target for military and
insurgents” and there has been a trend towards utilizing commercial software and integrating utilities into the public Internet that has “increased
vulnerability across the board” (Lewis 2010). Yet the increased vulnerabilities are mitigated by an increased
detection and deterrent capability that has been “honed over many years of practical application” now that
power systems are using standard, rather than proprietary and specialized, applications and components (Leita
and Dacier 2012). The security of the electrical grid is also enhanced by increased awareness after a smart-grid
hacking demonstration in 2009 and the identification of the Stuxnet malware in 2010; as a result the public and
private sector are working together in an “unprecedented effort” to establish robust security
guidelines
and cyber security measures (Gohn and Wheelock 2010).
1NC RUSSIAN MODERNIZATION
Europe contains Russian aggression
Bandow 12 [Doug, senior fellow at the Cato Institute, specializing in foreign policy and civil liberties, “Op Ed:
NATO and Libya: It’s Time To Retire a Fading Alliance,” 1/2/2012, http://feb17.info/editorials/op-ed-natoand-libya-its-time-to-retire-a-fading-alliance] //khirn
The Cold War required an extraordinary defense commitment from the U.S. But no longer. Europe still
matters, but it faces no genuine military threat. Whatever happens politically in Moscow, there will be no
Red Army pouring armored divisions through Germany’s Fulda Gap. Washington has much to
worry about, but Europe is not on the list. Of course, the Europeans still have geopolitical concerns. Civil wars in the
Balkans and Libya threatened refugee flows and economic disruption. However, the Europeans are capable of handling such
issues. Potentially more dangerous is the situation in Eastern Europe and beyond, most notably Georgia and Ukraine.
But not dangerous to America. The U.S. has survived most of its history with these lands successively part of the
Russian Empire and the Soviet Union. Nor is there any evidence that Russia wants to forcibly reincorporate its
“lost” territories into a renewed Soviet empire. Rather, Moscow appears to have retrogressed to a “great power”
like Imperial Russia. The new Russia is concerned about international respect and border security. Threaten that,
and war might result, as Georgia learned in 2008.
No impact because Russian elites know US strength will return
Kuchins 11 [Andrew, Director of the Russia and Eurasia Program at the Center for Strategic and International
Studies in Washington, D.C., “Reset expectations: Russian assessments of U.S. power,”
http://csis.org/files/publication/110613_kuchins_CapacityResolve_Web.pdf] //khirn
Like the U.S.-Russia relationship, Russian elite perceptions of U.S. power and role in the world have
experienced great volatility in the past 20 years. How durable is the current Russian perception that not only is
the United States less threatening but is pursuing policies far more accommodating to Russian interests? And
because we are entering a new Russian (and American) presidential cycle in the coming year, to what extent does possible de facto leadership change in Moscow matter?
There is no definitive answer to this question, but from reviewing the last ten years or so since Vladimir Putin first
became the Russian president, my conclusion is that U.S. policies will be a far more important factor in effecting Russian
leader and elite views of the United States than who the next Russian president is. The Russian perspective on U.S. power and role in
the world did not change during the last two years because Dmitri Medvedev replaced Vladimir Putin as
president of Russia. The Russian perspective changed because of the impact of the global economic crisis and changes in Obama administration policies of greatest
interest to Moscow. Russian elites are unsure about the durability of U.S. power capacity, but they have seen the
United States renew itself in the wake of global foreign and economic setbacks in, for example, the 1980s. Russians
are as aware as anybody of the current fiscal challenges of the United States and the questions about whether the U.S. political system will be capable of managing to resolve
them. They are also watching closely the political commitment of the United States to stabilize Afghanistan. If
the United States manages progress on
these domestic and foreign policy fronts and, more important, continues to pursue a pragmatic set of policies that
accommodate some of Russia’s core interests, then the current trend toward a more positive assessment of U.S.
power and growing cooperation on a wide variety of issues will continue. In other words, we are the critical
independent variable.
OCO’S ADVANTAGE
1NC TREATIES/NORMS
Current mechanisms solve—any real treaty would be impossible to enforce
Lindsay 12 [Jon Lindsay, a research fellow at the University of California Institute on Global Conflict and
Cooperation at UC-San Diego; June 8, 2012; “International Cyberwar Treaty Would Quickly Be Hacked to
Bits,” USNews.com; http://www.usnews.com/debate-club/should-there-be-an-international-treaty-oncyberwarfare/international-cyberwar-treaty-would-quickly-be-hacked-to-bits] //khirn
A cyberweapon (like Stuxnet, which damaged Iranian uranium enrichment) is not like a nuclear bomb or a gun that can be used to
damage many different types of targets all around the world. Traditional weapons can be tested on a range, stockpiled in an
arsenal, and fired predictably at their targets in wartime. A cyberweapon, by contrast, must be carefully engineered
against any particular target, and this requires a lot of intelligence, technical expertise, test infrastructure, and
operational management. A cyberattack is less like a strategic bombing attack delivered by a formidable force of airplanes and missiles
and more like a special operation staged by a daring band of commandos far behind enemy lines . A cyberweapon for
espionage (like the spyware Duqu and Flame) likewise require lots of planning and expertise to control. Covert operations are risky gambles
(they might fail or be compromised if mistakes in planning or execution are made), and the damage they cause is far more unpredictable than that of
traditional weapons. States resort to covert action options only when they don't have the will or ability (for either material
or political reasons) to use overt force. When states act covertly, they break the domestic laws of other states (which is why spies can be caught
and tried). Usually states moderate their ambitions for covert action because they don't want to trigger escalatory retaliation in the event the operation is
compromised. Cyberoperations, like other types of intelligence and covert operations, take place in the shadows. An international treaty on
cyberweapons would be like an international treaty against espionage and covert action. This is totally
unenforceable , since such activity is designed to evade detection and attribution. The rhetoric of cyberwar is
frightening, but the reality is more complicated. A world without cyberweapons is probably more desirable, but an
international treaty is not the way to get there. I am not a lawyer (I write as an international security scholar), but I suspect that
existing international law of war and legal mechanisms for managing covert operations in this country are
probably sufficient, or at most need just marginal adjustments, in order to deal with the problems posed by cyberweapons. Cyberwar is not a
revolutionary development, but a complicating electronic elaboration on clandestine and covert operations, and states have been conducting these for
centuries.
Opponents would cheat
Lewis 12 [James, Director of the Technology and Public Policy Program at the Center for Strategic and
International Studies, June 8, 2012, “A Cybersecurity Treaty is a Bad Idea,” USNews.com,
http://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/acybersecurity-treaty-is-a-bad-idea] //khirn
With all the excitement over Flame, Stuxnet, and the rest, a
spokesperson for the Russian government has called for a global
cybersecurity treaty. It's a bad idea that dates back to the 1990s. Back then, American academics proposed a complex legal
instrument for cybersecurity whose distant ancestor appeared to be to the Kellogg-Briand Pact of the 1920s,
where nations renounced war as an instrument of policy. A cybertreaty made about as much sense. Russia also proposed a cybertreaty
about the same time, and introduced a draft in the United Nations in what was to become a recurring annual exercise that could never quite achieve
consensus. A cybertreaty at first attracted support in the General Assembly, but there has been no progress because cybertreaties are
unimplementable. How would any country address serious issues in treaty compliance and verification for cyber capabilities? A
cybersecurity treaty would be unworkable if it went much beyond the existing constraints on the use of force
found in international laws, if only because potential opponents are likely to cheat and it would be hard to
detect this. Important definitional issues have never been resolved, probably because they are unresolvable. A commitment to
limit "information weapons" is not very useful if you cannot say what they are, and efforts to define these "weapons" quickly
run afoul of the overwhelmingly commercial use and availability of information technologies. Is a teenager with a laptop a weapon? How
about a newspaper or magazine? A few countries would say yes. The international community has always looked studiously away from any
treaty trying to banning espionage—it's a nonstarter, and Russia is the leading opponent of any real agreement to cooperate in fighting cybercrime. The
idea of a treaty did not make sense in the 1990s and it does not make sense now. There are serious discussions underway on
reducing the risk of cyberconflict, including bilateral talks between the United States and Russia, and the United States and China. The United Nation
has a group of experts meeting later this summer. Many regional groups, like the Organization for Security and Co-operation in Europe or the Asian
Regional Forum are talking about norms, confidence building measures and other kinds of agreement to limit cyber attack. Countries recognize
that there is increasing risk that cyber incidents like Flame could lead to misperception or miscalculation that
could escalate into more damaging conflict. But a treaty? Kellogg Briand is still in force and there has never
been a war since, has there?
1NC CYBERWAR
Deterrence and rapid response check
Fox 11 [Assistant Editor, InnovationNewsDaily, 2 July 2011, “Why Cyberwar Is Unlikely ,”
http://www.securitynewsdaily.com/cyberwar-unlikely-deterrence-cyber-war-0931] //khirn
In the two decades since cyberwar first became possible, there hasn't been a single event that politicians, generals and
security experts agree on as having passed the threshold for strategic cyberwar . In fact, the attacks that have occurred have
fallen so far short of a proper cyberwar that many have begun to doubt that cyberwarfare is even possible. The
reluctance to engage in strategic cyberwarfare stems mostly from the uncertain results such a conflict would
bring, the lack of motivation on the part of the possible combatants and their shared inability to defend
against counterattacks . Many of the systems that an aggressive cyberattack would damage are actually as valuable to any potential
attacker as they would be to the victim. The five countries capable of large-scale cyberwar (Israel, the U.S., the U.K., Russia and China)
have more to lose if a cyberwar were to escalate into a shooting war than they would gain from a successful cyberattack.
"The half-dozen countries that have cyber capability are deterred from cyberwar because of the fear of the American response.
Nobody wants
this to spiral out of control ," said James Lewis, senior fellow and director of technology and public policy at
the Center for Strategic and International Studies in Washington, D.C. "The countries that are capable of doing this don't have a
reason to," Lewis added. "Chinese officials have said to me, 'Why would we bring down Wall Street when we own so
much of it?' They like money almost as much as we do." Big deterrent: retaliation Deterrence plays a major factor in
preventing cyberwar. Attacks across the Internet would favor the aggressor so heavily that no country has developed an effective defense.
Should one country initiate a cyberattack, the victim could quickly counter-attack, leaving both countries
equally degraded, Lewis told InnovationNewsDaily. Even if an attacker were to overcome his fear of retaliation, the low
rate of success would naturally give him pause. Any cyberattack would target the types of complex systems that
could collapse on their own, such as electrical systems or banking networks. But experience gained in fixing dayto-day problems on those systems would allow the engineers who maintain them to quickly undo damage
caused by even the most complex cyberattack , said George Smith, a senior fellow at Globalsecurity.org in Alexandria, Va.
"You mean to tell me that the people who work the electrical system 24 hours a day don't respond to problems?
What prevents people from turning the lights right back on?" Smith told SecurityNewsDaily. "And attacks on the financial system
have always been a non-starter for me. I mean, [in 2008] the financial system attacked the U.S.!"
No real cyber aggression – it’s paranoia
Barnett 13 [Thomas, special assistant for strategic futures in the DOD's Office of Force Transformation from
2001 to 2003, chief analyst for Wikistrat, March/April 2013, “Think Again: The Pentagon,” Foreign Policy,
http://www.foreignpolicy.com/articles/2013/03/04/the_pentagon?page=full] //khirn
As for cyber serving as a stand-alone war-fighting domain, there you'll find the debates no less theological in their intensity. After
serving as senior managing director for half a dozen years at a software firm that specializes in securing supply
chains, I'm deeply skeptical. Given the uncontrollable nature of cyberweapons (see: Stuxnet's many permutations), I
view them as the 21st century's version of chemical weapons -- nice to have, but hard to use. Another way to look at it
is to simply call a spade a spade: Cyberwarfare is nothing more than espionage and sabotage updated for the digital era. Whatever cyberwar
turns out to be in the national security realm, it will always be dwarfed by the industrial variants -- think
cyberthieves, not cyberwarriors. But you wouldn't know it from the panicky warnings from former Defense Secretary Leon Panetta
and the generals about the imminent threat of a "cyber Pearl Harbor."
Reject their lashout impact – nobody’s that stupid
Lewis 10 [James Andrew, “The Cyber War Has Not Begun,” Center for Strategic and International Studies,
March, csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf] //khirn
Expanded attention to cybersecurity is a good thing, but it seems that it is
difficult to discuss this topic without exaggeration. We
are not in a „cyber war‟. War is the use of military force to attack another nation and damage or destroy its capability and will to resist. Cyber
war would involve an effort by another nation or a politically motivated group to use cyber attacks to attain political ends. No nation
has launched a cyber attack or cyber war against the United States. Indeed, it would be a bold nation that would do so. A deliberate attack
on the United States could trigger a violent if not devastating response. No nation would be foolish enough to send a
missile , aircraft or commando team to attack critical infrastructure in this country. The same logic applies to cyber attack. Foreign leaders
will not lightly begin a war with the United States and the risk of cyber war is too high for frivolous or spontaneous
engagement.
Zero impact to cyber-attacks --- overwhelming consensus of qualified authors goes neg
Gray 13 [Colin S., Prof. of International Politics and Strategic Studies @ the University of Reading and
External Researcher @ the Strategic Studies Institute @ the U.S. Army War College, April, “Making Strategic
Sense of Cyber Power: Why the Sky Is Not Falling,” U.S. Army War College Press,
http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1147.pdf] //khirn
CONCLUSIONS AND RECOMMENDATIONS:
THE SKY IS NOT FALLING
This analysis has sought to explore, identify, and explain the strategic
meaning of cyber power. The organizing and thematic question that has shaped and driven the inquiry has been “So what?” Today we all do cyber, but this behavior usually has
not been much informed by an understanding that reaches beyond the tactical and technical. I have endeavored to analyze in strategic terms what is on offer from the largely
technical and tactical literature on cyber. What can or might be done and how to go about doing it are vitally important bodies of knowledge. But at least as important is
understanding what cyber, as a fifth domain of warfare, brings to national security when it is considered strategically. Military history is stocked abundantly with examples of
tactical behavior un - guided by any credible semblance of strategy. This inquiry has not been a campaign to reveal what cy ber can and might do; a large literature already
exists that claims fairly convincingly to explain “how to . . .” But what does cyber power mean, and how does it fit strategically, if it does? These Conclusions and Rec
ommendations offer some understanding of this fifth geography of war in terms that make sense to this strategist, at least. 1. Cyber can only be an enabler of physical effort.
Stand-alone (popularly misnamed as “strategic”) cyber action is inherently grossly limited by its immateriality.
The
physicality of conflict with cyber’s human participants and mechanical artifacts has not been a passing phase in our species’ strategic history. Cyber action, quite independent
of action on land, at sea, in the air, and in orbital space, certainly is possible. But the
strategic logic of such behavior, keyed to anticipated success in
tactical achievement, is not promising. To date, “What if . . .” speculation about strategic cyber attack usually is either
contextually too light, or, more often, contextually
unpersuasive . 49 However, this is not a great strategic truth, though it is a judgment advanced with
considerable confidence. Although societies could, of course, be hurt by cyber action, it is important not to lose touch with the fact, in Libicki’s apposite words, that “[i]n
the absence of physical combat, cyber war cannot lead to the occupation of territory. It is almost
inconceivable that a sufficiently vigorous cyber war can overthrow the adversary’s government and replace
it with a more pliable one.” 50 In the same way that the concepts of sea war, air war, and space war are fundamentally unsound, so also the idea of cyber war is
unpersuasive. It is not impossible, but then, neither is war conducted only at sea, or in the air, or in space. On the one hand, cyber war may seem more probable than like
environmentally independent action at sea or in the air. After all, cyber
warfare would be very unlikely to harm human beings
directly , let alone damage physically the machines on which they depend. These near-facts (cyber attack might cause socially
critical machines to behave in a rogue manner with damaging physical consequences) might seem to ren - der cyber a safer zone of belligerent engagement than would
physically violent action in other domains. But most likely there
would be serious uncertainties pertaining to the consequences of
cyber action, which must include the possibility of escalation into other domains of conflict. Despite popular assertions to
the contrary, cyber is not likely to prove a precision weapon anytime soon. 51 In addition, assuming that the political and strategic contexts
for cyber war were as serious as surely they would need to be to trigger events warranting plausible labeling as cyber war, the distinctly limited harm likely
to follow from cyber assault would hardly appeal as prospectively effective coercive moves. On balance, it is most probable
that cyber’s strategic future in war will be as a contribut - ing enabler of effectiveness of physical efforts in the other four geographies of conflict. Speculation about cyber war,
defined strictly as hostile action by net - worked computers against networked computers, is hugely unconvincing. 2. Cyber
defense is difficult, but should be
sufficiently effective. The structural advantages of the offense in cyber conflict are as obvious as they are easy to
overstate. Penetration and exploitation, or even attack, would need to be by surprise. It can be swift almost beyond the imagination
of those encultured by the traditional demands of physical combat. Cyber attack may be so stealthy that it escapes notice for a long while, or it might wreak digital havoc by
com - plete surprise. And need one emphasize, that at least for a while, hostile cyber action is likely to be hard (though not quite impossible) to attribute with a cy - berized
equivalent to a “smoking gun.” Once one is in the realm of the catastrophic “What if . . . ,” the world is indeed a frightening place. On a personal note, this defense analyst was
for some years exposed to highly speculative briefings that hypothesized how unques - tionably cunning plans for nuclear attack could so promptly disable the United States as
a functioning state that our nuclear retaliation would likely be still - born. I should hardly need to add that the briefers of these Scary Scenarios were obliged to make a series of
The literature of cyber scare is more than mildly reminiscent of the nuclear attack stories with
which I was assailed in the 1970s and 1980s. As one may observe regarding what Winston Churchill wrote of the disaster that was the Gallipoli
Heroic Assumptions.
campaign of 1915, “[t]he terrible ‘Ifs’ accumulate.” 52 Of course, there are dangers in the cyber domain. Not only are there cyber-competent competitors and enemies abroad;
there are also Americans who make mistakes in cyber operation. Furthermore, there are the manufacturers and constructors of the physical artifacts behind (or in, depending
upon the preferred definition) cyber - space who assuredly err in this and that detail. The
more sophisticated—usually meaning complex—the
code for cyber, the more certain must it be that mistakes both lurk in the program and will be made in digital
communication. What I have just outlined minimally is not a reluc - tant admission of the fallibility of cyber, but rather a statement of what is obvious and should be
anticipat - ed about people and material in a domain of war. All human activities are more or less harassed by friction and carry with them some risk of failure, great or small.
A strategist who has read Clausewitz, especially Book One of On War , 53 will know this. Alternatively, anyone who skims my summary version of the general theory of strategy
will note that Dictum 14 states explicitly that “Strategy is more difficult to devise and execute than are policy, operations, and tactics: friction of all kinds comprise phenomena
inseparable from the mak - ing and execution of strategies.” 54 Because of its often widely distributed character, the physical infrastruc - ture of an enemy’s cyber power is
typically, though not invariably, an impracticable target set for physical assault. Happily, this probable fact should have only annoying consequences. The discretionary nature
and therefore the variable possible characters feasible for friendly cyberspace(s), mean that the more danger - ous potential vulnerabilities that in theory could be the condition
of our cyber-dependency ought to be avoidable at best, or bearable and survivable at worst. Libicki offers forthright advice on this aspect of the subject that deserves to be
taken at face value: [T]here is no inherent reason that improving informa - tion technologies should lead to a rise in the amount of critical information in existence (for
example, the names of every secret agent). Really critical information should never see a computer; if it sees a computer, it should not be one that is networked; and if the
computer is networked, it should be air-gapped. Cyber defense admittedly is difficult to do, but so is cyber offense. To quote Libicki yet again,
“[i]n this medium [cyberspace] the best defense is not necessarily a good offense; it is usually a good defense.” 56 Unlike the geostrategic context for nuclear-framed
competition in U.S.–Soviet/Russian rivalry, the geographical domain of cyberspace definitely is defensible. Even when the enemy is both
clever and lucky, it will be our own design and operating fault if he is able to do more than disrupt and irritate us temporarily. When cyber is contextually regarded properly—
which means first, in particular, when it is viewed as but the latest military domain for defense planning—it should be plain to see that cyber performance needs to be good
enough rather than perfect. 57 Our Landpower,
sea power, air power, and prospectively our space systems also will have to be capable of
accepting combat damage and loss, then recovering and carrying on. There is no fundamental reason that less
should be demanded of our cyber power. Second, given that cyber is not of a nature or potential character at all likely to parallel nuclear dangers in the
menace it could con - tain, we should anticipate international cyber rivalry to follow the competitive dynamic path already fol - lowed in the other domains in the past. Because
the digital age is so young, the pace of technical change and tactical invention can be startling. However, the mechanization RMA of the 1920s and 1930s recorded reaction to
the new science and technology of the time that is reminiscent of the cyber alarmism that has flour - ished of recent years. 58 We
can be confident that cyber
defense should be able to function well enough , given the strength of political, military, and commercial
motivation for it to do so. The technical context here is a medium that is a constructed one, which provides air-gapping options for choice regarding the extent of
networking. Naturally, a price is paid in convenience for some closing off of possible cyberspace(s), but all important defense decisions involve choice, so what is novel about
that? There is nothing new about accepting some limitations on utility as a price worth paying for security. 3. Intelligence is critically important, but informa - tion should not
be overvalued. The strategic history of cyber over the past decade confirms what we could know already from the science and technology of this new domain for conflict.
Specifically,
cyber power is not technically forgiving of user error. Cyber warriors seeking criminal or military
benefit require precise information if their intended exploits are to succeed. Lucky guesses should not stumble upon passwords,
while efforts to disrupt electronic Supervisory Con - trol and Data Acquisition (SCADA) systems ought to be unable to achieve
widespread harmful effects. But obviously there are practical limits to the air-gap op - tion, given that control (and command) systems need to be networks for
communication. However, Internet connection needs to be treated as a potential source of serious danger. It is one thing to be able to be an electronic
nuisance, to annoy, disrupt, and perhaps delay. But it is quite another to be capable of inflicting real persisting harm on the
fighting power of an enemy. Critically important military computer networks are, of course, accessible neither
to the inspired amateur outsider, nor to the malignant political enemy. Easy passing reference to a hypothetical
“cyber Pearl Harbor” reflects both poor history and ignorance of contemporary military common
sense. Critical potential military (and other) targets for cyber attack are extremely hard to access and
influence (I believe and certainly hope), and the technical knowledge, skills, and effort required to do serious harm to
national security is forbiddingly high. This is not to claim, foolishly, that cyber means absolutely could not secure near-catastrophic
results. However, it is to say that such a scenario is extremely improbable . Cyber defense is advancing all the time, as is cyber offense, of
course. But so discretionary in vital detail can one be in the making of cyberspace, that confidence—real confidence—in cyber attack could not plausibly be high. It should be
noted that I am confining this particular discussion to what rather idly tends to be called cyber war. In political and strategic practice, it is unlikely that war would or, more
importantly, ever could be restricted to the EMS. Somewhat rhetorically, one should pose the question: Is it likely (almost anything, strictly, is possible) that cyber war with the
potential to inflict catastrophic damage would be allowed to stand unsupported in and by action in the other four geographical domains of war? I believe not. Because we have
told ourselves that ours uniquely is the Information Age, we have become unduly respectful of the potency of this rather slippery catch-all term. As usual, it is helpful to
contextualize the al - legedly magical ingredient, information, by locating it properly in strategic history as just one important element contributing to net strategic
effectiveness. This mild caveat is supported usefully by recognizing the general contemporary rule that information per se harms nothing and nobody. The electrons in cyber ized conflict have to be interpreted and acted upon by physical forces (including agency by physical human beings). As one might say, intelligence (alone) sinks no ship; only
men and machines can sink ships! That said, there is no doubt that if friendly cyber action can infiltrate and misinform the electronic informa - tion on which advisory
weaponry and other machines depend, considerable warfighting advantage could be gained. I do not intend to join Clausewitz in his dis - dain for intelligence, but I will argue
that in strategic affairs, intelligence usually is somewhat uncertain. 59 Detailed up-to-date intelligence literally is essential for successful cyber offense, but it can be healthily
sobering to appreciate that the strategic rewards of intelligence often are considerably exaggerated. The basic reason is not hard to recognize. Strategic success is a complex
endeavor that requires adequate perfor - mances by many necessary contributors at every level of conflict (from the political to the tactical). When thoroughly reliable
intelligence on the en - emy is in short supply, which usually is the case, the strategist finds ways to compensate as best he or she can. The IT-led RMA of the past 2 decades
was fueled in part by the prospect of a quality of military effec - tiveness that was believed to flow from “dominant battle space knowledge,” to deploy a familiar con - cept. 60
While there is much to be said in praise of this idea, it is not unreasonable to ask why it has been that our ever-improving battle space knowledge has been compatible with so
troubled a course of events in the 2000s in Iraq and Afghanistan. What we might have misunderstood is not the value of knowledge, or of the information from which
knowledge is quarried, or even the merit in the IT that passed information and knowledge around. Instead, we may well have failed to grasp and grip understanding of the
whole context of war and strategy for which battle space knowledge unquestionably is vital. One must say “vital” rather than strictly essential, because relatively ignorant
armies can and have fought and won despite their ig - norance. History requires only that one’s net strategic performance is superior to that of the enemy. One is not required
to be deeply well informed about the en - emy. It is historically quite commonplace for armies to fight in a condition of more-than-marginal reciprocal and strategic cultural
ignorance. Intelligence is king in electronic warfare, but such warfare is unlikely to be solely, or even close to solely, sovereign in war and its warfare, considered overall as they
should be. 4. Why the sky will not fall. More accurately, one should say that the
sky will not fall because of hostile action against us in
cyberspace unless we are improb - ably careless and foolish. David J. Betz and Tim Ste vens strike the right note when they conclude that “[i]f cyberspace is not quite the
hoped-for Garden of Eden, it is also not quite the pestilential swamp of the imagination of the cyber-alarmists.” 61 Our understanding of cyber is high at the technical and
Nonetheless, our
scientific, technological, and tactical knowledge and understanding clearly indicates that the sky
tactical level, but re - mains distinctly rudimentary as one ascends through operations to the more rarified altitudes of strategy and policy.
is not falling and is unlikely to fall in the future as a result of hostile cyber action. This analysis has
weighed the more technical and tactical literature on cyber and concludes, not simply on balance , that
cyber alarmism has little basis save in the imagination of the alarmists. There is military and civil peril in the hostile use of cyber, which is why we must take
cyber security seriously, even to the point of buying redundant capabilities for a range of command and control systems. 62 So seriously should we regard cyber danger that it
is only prudent to as - sume that we will be the target for hostile cyber action in future conflicts, and that some of that action will promote disruption and uncertainty in the
damage it will cause. That granted, this analysis recommends strongly that the U.S. Army, and indeed the whole of the U.S. Government, should strive to comprehend cyber in
context. Approached in isolation as a new technol - ogy, it is not unduly hard to be over impressed with its potential both for good and harm. But if we see networked
computing as just the latest RMA in an episodic succession of revolutionary changes in the way information is packaged and communicated, the computer-led IT revolution is
set where it belongs, in historical context. In modern strategic history, there has been only one truly game-changing basket of tech - nologies, those pertaining to the creation
and deliv - ery of nuclear weapons. Everything else has altered the tools with which conflict has been supported and waged, but has not changed the game. The nuclear
revolution alone raised still-unanswered questions about the viability of interstate armed conflict. How - ever, it would be accurate to claim that since 1945, methods have been
found to pursue fairly traditional political ends in ways that accommodate nonuse of nuclear means, notwithstanding the permanent pres - ence of those means. The light cast
by general strategic theory reveals what requires revealing strategically about networked computers. Once one sheds some of the sheer wonder at the seeming miracle of
cyber’s ubiquity, instanta - neity, and (near) anonymity, one realizes that cyber is just another operational domain, though certainly one very different from the others in its
nonphysi - cality in direct agency. Having placed cyber where it belongs, as a domain of war, next it is essential to recognize that its nonphysicality compels that cyber should
be treated as an enabler of joint action, rather than as an agent of military action capable of behav - ing independently for useful coercive strategic effect. There
are
stand-alone possibilities for cyber action, but they are not convincing as attractive options either for or in
opposition to a great power, let alone a superpower. No matter how intriguing the scenario design for cyber war
strictly or for cyber warfare, the logic of grand and military strategy and a common sense fueled by
understanding of the course of strategic history, require one so to contextualize cyber war that its
independence is seen as too close to absurd to merit much concern.
Cyberwar won’t escalate – low probability, current defense checks, and too difficult to
coordinate
Gartzke & Lindsay, PhD, 15 (Erik (Associate professor at UC San Diego) and Jon R (PhD at MIT), June
22,2015, Weaving Tangled Webs: Offense,
Defense, and Deception in Cyberspace, Taylor and Francis Online,
http://www.tandfonline.com/doi/full/10.1080/09636412.2015.1038188#.VYsDgvlVhBc, pg. 325) /AMarb
Indeed, the US Department of Defense gets attacked ten million times a day; a US university receives a hundred thousand Chinese attacks per day; and
one firm measures three thousand distributed denial of service (DDoS) attacks per day worldwide.23 In reality, however, most of these so-
called attacks are just routine probes by automated networks of compromised computers (botnets) run by profitseeking criminals or spy bureaucracies—a far cry from terrorism or military assault. The most alarming
scenarios of a “digital Pearl Harbor” or “cyber 9/11” have yet to materialize despite decades of warning . The
Stuxnet worm caused limited and temporary disruption of Iran’s nuclear program in the late 2000s, the only known
historical case of infrastructure damage via deliberate cyber attack, but this operation seems to reveal more about the strategic
limitations of cyber war than its potency.24 The cyber revolution should presumably provide rivals with potent new tools of influence, yet
actual cyber disputes from 2001 to 2011 remain restrained and regionalized, not disruptive and global .25
Computer espionage and nuisance cybercrime thrive, to be sure, but they are neither as prevalent nor as costly as
they might be, leading skeptics to describe US losses as “a rounding error” in a fifteen trillion dollar economy.26 It is possible in principle that the
same tools used for computer-network exploitation may one day be leveraged for more destructive strikes. Yet even if the nontrivial operational
challenges of cyber war can be overcome, proponents of the cyber-revolution thesis have yet to articulate convincing
strategic motives for why a state or non-state actor might actually use cyber capabilities effectively.27 A considerable
shortage of evidence in the study of cyber conflict is thus a source both of concern and relief. That cyber war remains unusual is puzzling in light of the
widely held belief that offense is easier than defense in cyberspace. A straightforward implication of the notable scarcity of cyber war
would be that, contrary to conventional wisdom, cyberspace is defense dominant for some reason. More carefully
stated, since clearly there is much mischief online, offense dominance may exist only for nuisance attacks that are rarely
strategically significant, such as piracy, espionage, and “hacktivist” protest, even as the Internet is defense dominant for
more harmful or complicated forms of attack. Serious cyber attacks against complicated infrastructure require considerable
intelligence preparation, test and evaluation infrastructure, planning capacity, technical expertise, and
complementary military or non-cyber intelligence assets.28 If so, it would be a categorical error to mistake the frequency of irritant
activity for a more general tendency toward offense dominance across the entire cyber domain.
Cyber doom is not coming, only gradual and miniscule threats that can’t be eliminated
Lawson, 15
4/05/2015, Sean Lawson is Associate Professor in the Department of Communication at the University of Utah.
“The Death of Cyber Doom? Not So Fast,” http://www.forbes.com/sites/seanlawson/2015/04/05/the-deathof-cyber-doom-not-so-fast/
For decades, we
have heard a lot of talk from American officials, industry experts, and others about the supposed
threat of a “cyber 9/11,” “cyber Pearl Harbor,” “cyber Katrina,” or even “cyber Sandy.” In short, we have been
warned repeatedly that “cyber doom” is coming. Indeed, as recently as this fall, cyber doom was in the news as a result of the cyber
attack on Sony. But the latest World Wide Threat Assessment (WWTA) [PDF] presented to Congress by the Director of National Intelligence, Gen. James
Clapper, says that “Cyber Armageddon“ is unlikely. Rather, the assessment “foresee[s] an ongoing series of low-tomoderate level cyber
attacks form a variety of sources over time, which will impose costs on US economic competitiveness and national security.”
This threat, it says, “cannot be eliminated; rather, cyber risk must be managed.” Some have argued that such scenarios were
always about threat inflation and fear mongering and have applauded the admission by intelligence officials who once trafficked in such rhetoric that
these scenarios are unlikely after all. Has the era of cyber doom fear mongering come to an end? Not likely. Key
intelligence officials, like NSA Director Admiral Michael Rogers are still using this rhetoric. Just three days before the release of WWTA, Rogers defined
“cyber Pearl Harbor” and said that one had already occurred. Asked to define a ’cyber Pearl Harbor’, a phrase used in 2012 by then-Defense Secretary
Leon Panetta, Rogers replied: ‘An action directed against infrastructure within the United States that leads to significant impact—whether that’s
economic, whether that’s in our ability to execute our day-to-day functions as a society, as a nation.’ He added that the hack of Sony Pictures
Entertainment last November met that dire criteria. Movie studios fit into the U.S. government’s broad definition of critical infrastructure. With this
comment, Admiral Rogers follows in the footsteps of Amit Yoran, former head of the Department of Homeland Security’s National Cyber Security
Division, who claimed in 2009, “Cyber 9–11 has happened over the last 10 years, but it’s happened slowly so we don’t see it.” Of course, there was no
evidence then that anything like 9/11 had occurred in or through cyberspace, just as the hack of Sony is nothing
like Pearl Harbor now. Why do such outrageous claims persist even in the face of contradictory evidence and
assessments? One reason is that, despite claims to the contrary, the use of “cyber doom” is primarily about
emotions not facts. Its function is to motivate a response through the use of fear, not to describe accurately the true nature of the threat and its
likely impacts. Among those who use cyber doom rhetoric when speaking in public or to the media, there is often a disconnect between the threat as
implied in that rhetoric and the diagnosis of threats that these same individuals provide in more formal settings like threat assessments for Congress. For
example, though Admiral Rogers warned publicly of “cyber Pearl Harbor” in February 2015, less than a month later, in his testimony to Congress, his
description of the cyber threats facing the United States focused primarily on censorship as a threat to “Internet freedom,” theft of intellectual property,
and disruption of networks and access to information. Cyber attacks against critical infrastructure were mentioned, but as in the past, were framed as a
“potential” future threat that could “perhaps” result in sabotage during a wider conflict (page 10). Diagnosing the cyber threat as primarily about
espionage, theft, and disruption while simultaneously relying on doom scenarios out of step with that diagnosis has been a feature of U.S. public policy
discourse on this issue since at least 2008. And as long as officials believe there is still a need to motivate a response, cyber
doom will continue to be a feature of U.S. public policy discourse on cyber security, even if their own
assessments find such scenarios unlikely.
2NC CYBERWAR
Cyberwar won’t happen – countries will go for low risk rewards and its costly
Gartzke & Lindsay, PhD, 15 (Erik (Associate professor at UC San Diego) and Jon R (PhD at MIT), June
22,2015, Weaving Tangled Webs: Offense,
Defense, and Deception in Cyberspace, Taylor and Francis Online,
http://www.tandfonline.com/doi/full/10.1080/09636412.2015.1038188#.VYsDgvlVhBc, pg. 345) /AMarb
The asymmetric actors featured in cybersecurity discourse—rogue states, lone hackers, criminals, and
terrorists—will tend to focus on the low-risk, low-reward bonanza and avoid deception-dominant high-risk,
high-reward operations. Advanced industrial states will also partake in low-risk, lowreward espionage and
harassment in cyberspace. Capable countries will, however, employ risky computer network attacks against
lucrative targets only when they are willing and able to follow them up or backstop them with conventional
military power. Because intelligence is costly and its exploitation is complicated, wealthier and larger states
tend to have more sophisticated, robust intelligence capacities. Only capable actors, such as major powers, are
likely to be able to master the complex tango of deception and counter-deception necessary to execute highintensity operations. Powerful actors have an operational advantage in cyberspace. Even then, the frequency of
complex and risky action should still be relatively low.
Cyber attacks not a threat for near future
Healey, 13
(March 20, 2013, “No, Cyberwarfare Isn't as Dangerous as Nuclear War,” Jason Healey is the Director of the
Cyber Statecraft Initiative of the Atlantic Council. www.usnews.com/opinion/blogs/worldreport/2013/03/20/cyber-attacks-not-yet-an-existential-threat-to-the-us)
America does not face an existential cyberthreat today, despite recent warnings. Our cybervulnerabilities are
undoubtedly grave and the threats we face are severe but far from comparable to nuclear war. The most recent
alarms come in a Defense Science Board report on how to make military cybersystems more resilient against
advanced threats (in short, Russia or China). It warned that the "cyber threat is serious, with potential
consequences similar in some ways to the nuclear threat of the Cold War." Such fears were also expressed by
Adm. Mike Mullen, then chairman of the Joint Chiefs of Staff, in 2011. He called cyber "The single biggest
existential threat that's out there" because "cyber actually more than theoretically, can attack our
infrastructure, our financial systems." While it is true that cyber attacks might do these things, it is also true
they have not only never happened but are far more difficult to accomplish than mainstream thinking believes.
The consequences from cyber threats may be similar in some ways to nuclear, as the Science Board concluded,
but mostly, they are incredibly dissimilar. Eighty years ago, the generals of the U.S. Army Air Corps were sure
that their bombers would easily topple other countries and cause their populations to panic, claims which did
not stand up to reality. A study of the 25-year history of cyber conflict, by the Atlantic Council and Cyber
Conflict Studies Association, has shown a similar dynamic where the impact of disruptive cyberattacks has
been consistently overestimated. Rather than theorizing about future cyberwars or extrapolating from today's
concerns, the history of cyberconflict that have actually been fought, shows that cyber incidents have so far
tended to have effects that are either widespread but fleeting or persistent but narrowly focused. No attacks, so
far, have been both widespread and persistent. There have been no authenticated cases of anyone dying from a
cyber attack. Any widespread disruptions, even the 2007 disruption against Estonia, have been short-lived
causing no significant GDP loss. Moreover, as with conflict in other domains, cyberattacks can take down
many targets but keeping them down over time in the face of determined defenses has so far been out of the
range of all but the most dangerous adversaries such as Russia and China. Of course, if the United States is in a
conflict with those nations, cyber will be the least important of the existential threats policymakers should be
worrying about. Plutonium trumps bytes in a shooting war. This is not all good news. Policymakers have
recognized the problems since at least 1998 with little significant progress. Worse, the threats and
vulnerabilities are getting steadily more worrying. Still, experts have been warning of a cyber Pearl Harbor for
20 of the 70 years since the actual Pearl Harbor. The transfer of U.S. trade secrets through Chinese cyber
espionage could someday accumulate into an existential threat. But it doesn't seem so seem just yet, with only
handwaving estimates of annual losses of 0.1 to 0.5 percent to the total U.S. GDP of around $15 trillion. That's
bad, but it doesn't add up to an existential crisis or "economic cyberwar."
No impact to cyber war
Weimann, 2004
(Gabriel is on the Department of Communication at the University of Haifa, “Cyberterrorism How Real Is the
Threat?” http://www.usip.org/ pubs/specialreports/sr119.pdf, December 2004)
It seems fair to say that the current threat posed by cyberterrorism has been exaggerated. No single instance of
cyberterrorism has yet been recorded; U.S. defense and intelligence computer systems are air-gapped and thus
isolated from the Internet; the systems run by private companies are more vulnerable to attack but also more
resilient than is often supposed; the vast majority of cyberattacks are launched by hackers with few, if any,
political goals and no desire to cause the mayhem and carnage of which terrorists dream. So, then, why has so
much concern been expressed over a relatively minor threat? The reasons are many. First, as Denning has
observed, "cyberterrorism and cyberattacks are sexy right now. . . . [Cyberterrorism is] novel, original, it
captures people's imagination." Second, the mass media frequently fail to distinguish between hacking and
cyberterrorism and exaggerate the threat of the latter by reasoning from false analogies such as the following:
"If a sixteen-year-old could do this, then what could a well-funded terrorist group do?" Ignorance is a third
factor. Green argues that cyberterrorism merges two spheres—terrorism and technology—that many people,
including most lawmakers and senior administration officials, do not fully understand and therefore tend to
fear. Moreover, some groups are eager to exploit this ignorance. Numerous technology companies, still reeling
from the collapse of the high-tech bubble, have sought to attract federal research grants by recasting
themselves as innovators in computer security and thus vital contributors to national security. Law
enforcement and security consultants are likewise highly motivated to have us believe that the threat to our
nation's security is severe. A fourth reason is that some politicians, whether out of genuine conviction or out of
a desire to stoke public anxiety about terrorism in order to advance their own agendas, have played the role of
prophets of doom. And a fifth factor is ambiguity about the very meaning of "cyberterrorism," which has
confused the public and given rise to countless myths.
2NC FEAR MONGERING
The us government uses fear mongering to exaggerate cyberwar greatly
Rid, 13
(March 13, 2013, “The Great Cyberscare,” http://foreignpolicy.com/2013/03/13/the-great-cyberscare/ Thomas
Rid is a professor in the Department of War Studies at King’s College London.
The White House likes a bit of threat. In his State of the Union address, Barack Obama
wanted to nudge Congress yet again into passing
meaningful legislation. The president emphasized that America's enemies are "seeking the ability to sabotage our power grid, our financial
institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot
look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to
prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many a participant in
the cybersecurity debate reckons that puffery pays off. The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by
warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science
Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making
yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the
nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully
acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same." A reminder is in order: The
world has yet to witness a single casualty, let alone fatality, as a result of a computer attack. Such statements are a plain
insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as
an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all a bit of fear helps
to claim -- or keep -- scarce resources when austerity and cutting seems out-of-control. The report recommended
allocating the stout sum of $2.5 billion for its top two priorities alone, protecting nuclear weapons against cyberattacks and determining the mix of
weapons necessary to punish all-out cyber-aggressors. Then there are private computer security companies. Such firms, naturally, are
keen to pocket some of the government's money earmarked for cybersecurity. And hype is the means to that
end. Mandiant's much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or
"APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the
Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But
instead of using cocky and over-confident language, Mandiant's analysts should have used Words of Estimative Probability, as professional intelligence
analysts would have done. An example is the report's conclusion, which describes APT1's work: "Although they control systems in dozens of countries,
their attacks originate from four large networks in Shanghai -- two of which are allocated directly to the Pudong New Area," the report found. Unit 61398
of the People's Liberation Army is also in Pudong. Therefore, Mandiant's computer security specialists concluded, the two were identical: "Given the
mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that
Pudong is not a small neighborhood ("right outside of Unit 61398's gates") but in fact a vast city landscape twice the size of Chicago. Mandiant's
report was useful and many attacks indeed originate in China. But the company should have been more careful
in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm
made it too easy for Beijing to dismiss the report. My class in cybersecurity at King's College London started poking holes into the report after 15 minutes
of red-teaming it -- the New York Times didn't. Which leads to the next point: The media want to sell copy through threat inflation.
"In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the
Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually
published two supportive articles on it and pointed out that a major offensive cyber capability now seemed
essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style
cyberattack that has actually created physical damage -- Stuxnet -- was actually executed by the United States
government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report;
instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation's fiercest watchdogs too
often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security
establishment.
2NC RETALIATION
Attribution difficulty makes retaliation highly improbable
Krepinivich 12 [Andrew, President of the Center for Strategic and Budgetary Assessments, “CYBER
WARFARE A “NUCLEAR OPTION”?, Center for Strategic and Budgetary Assessments] //khirn
As the discussion of attack attribution earlier in this report suggests, for at least the near term the source of a
nuclear attack is far more likely to be identified than the source of a cyber attack. The difficulty in determining attribution
of a cyber attack is a significant and perhaps enduring character of cyber warfare. This is due in part to the potential large number of actors that can
execute cyber attacks, and to the relative ease by which cyber attackers can mask the origins of an at- tack. To date even substantial efforts to determine
attribution of a sophisticated attack have not produced a “smoking gun” level of evidence, and have taken con- siderable time and resources to pursue.
237 This suggests that in the case of a cyber attack whose purpose is to inflict catastrophic destruction, the victim may have difficulty determining its
source. To
the extent this is the case, the victim will also want to avoid being deceived into engaging in a
catalytic war by retaliating against the apparent source of an attack that was actually conducted by a third
party. Moreover, cyber weapons could also be employed to trigger a catalytic nu- clear war in other ways; for example, by feeding
false information into a state’s early warning system to spoof operators into believing their country is under attack when in fact it is not. 238 It
seems unlikely that nuclear weapons could be employed to trigger a catalytic cyber war, at least given the
current state of nuclear proliferation. This may change as more states or even groups acquire nuclear weapons. 23
2NC STATUS QUO SOLVES
IDSs Solve for monitoring
Balon-Perin & Gamback 13 – Software Engineer and Professor in Language Technology at Norwegian
University of Science and Technology (Alexandre, Bjorn, 2013, Ensembles of Decision Trees for Network
Intrusion Detection System, International Journal on Advances in Security, vol 6 no 1 &
2,http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69, pg. 62)
/AMarb
Intrusion detection systems (IDSs) are monitoring devices that have been added to the wall of security in order
to prevent malicious activity on a system. Here we will focus on network intrusion detection systems mainly
because they can detect the widest range of attacks compared to other types of IDSs. In particular the paper
discusses machine learning based mechanisms that can enable the network IDS to detect modified versions of
previously seen attacks and completely new types of attacks [1].
Algorithms help detect zero-day vulnerabilities
Balon-Perin & Gamback 13 – Software Engineer and Professor in Language Technology at Norwegian
University of Science and Technology (Alexandre, Bjorn, 2013, Ensembles of Decision Trees for Network
Intrusion Detection System, International Journal on Advances in Security, vol 6 no 1 &
2,http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69, pg. 63)
/AMarb
The most popular technique of unsupervised learning is clustering, where the algorithm exploits the similarity
of the examples in order to form clusters or groups of instances. Examples belonging to the same cluster are
assumed to have similar properties and belong to the same class. In contrast to supervised learning,
disadvantages of unsupervised learning include manual choice of the number of cluster that the algorithm
must form, lower accuracy of the prediction, and that the meaning of each cluster must be interpreted to
understand the output. However, unsupervised learning is more robust to large variations. This is a very
important advantage when applied to the problem of intrusion detection, since it means that unsupervised
learning is able to generalize to new types of attacks much better than supervised learning. In particular, this
property could be quite beneficial when trying to detect zero-day vulnerabilities.
2NC US STRIKES FIRST
Cyber war is inevitable—US will strike first
Clarke 12 former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the
United States (Richard A., Cyber War: The Next Threat to National Security and What to Do About It, p.26
4/20/10) | js
The perception that cyberspace is a “domain” where fighting takes place, a domain that the U.S. must “dominate,”
pervades American military thinking on the subject of cyber war. The secret-level National Military Strategy for
Cyber Operations (partially declassified as a result of a Freedom of Information Act request) reveals the military’s attitude toward cyber war,
in part because it was written as a document that we, the citizens, were never supposed to see. It is how they talk about it behind the closed doors of the
Pentagon. What is striking in the document is not only the acknowledgment that cyber war is real, but the almost reverential way in which
it is discussed as the
keystone holding up the edifice of modern war-fighting capability. Because there are so few opportunities
document,
signed out under a cover letter from the Secretary of Defense, declares that the goal is “to ensure the US military [has] strategic
superiority in cyberspace.” Such superiority is needed to guarantee “freedom of action” for the American military and to “deny
the same to our adversaries.” To obtain superiority, the U.S. must attack, the strategy declares. “Offensive capabilities in
cyberspace [are needed] to gain and maintain the initiative.” At first read, the strategy sounds like a mission statement with a bit of
zealotry thrown in. On closer examination, however, the strategy reflects an understanding of some of the key problems created by cyber
war. Speaking to the geography of cyberspace, the strategy implicitly acknowledges the sovereignty issue (“the lack of geopolitical
boundaries…allows cyberspace operations to occur nearly anywhere”) as well as the presence of civilian targets (“cyberspace reaches
across geopolitical boundaries…and is tightly integrated into the operations of critical infrastructure and the conduct of commerce”). It does not,
however, suggest that such civilian targets should be off-limits from U.S. attacks. When it comes to defending U.S. civilian targets,
the strategy passes the buck to the Department of Homeland Security. The need to take the initiative, to go first, is dictated in part by
the fact that actions taken in cyberspace move at a pace never before experienced in war (“cyberspace allows high rates
to hear from the U.S. military on cyber war strategy, it is worth reading closely the secret-level attempt at a cyber war strategy. The
of operational maneuver…at speeds that approach the speed of light…. [It] affords commanders opportunities to deliver effects at speeds that were
previously incomprehensible”). Moreover, the strategy notes that if you do not act quickly, you may not be able to do so
because “a previously vulnerable target may be replaced or provided with new defenses with no warning,
rendering cyberspace operations less effective.” In short, if you wait for the other side to attack you in cyberspace, you may find that the opponent has,
simultaneously with their attack, removed your logic bombs or disconnected the targets from the network paths you expected to use to access them. The
strategy does not discuss the problems associated with going first or the pressure to do so.
AT: CHINA IMPACT
No China cyber war
Goldsmith 10 [Jack, teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at
Stanford University, “The New Vulnerability,” New Republic, June 7, 2010,
http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability] //khirn
There is much to agree with in Clarke’s analysis, including his description of the absorption of cyber weapons into all aspects of military planning, his
account of the secret cyber-arms race among nations, and his assessment of America’s cyber-security weaknesses, especially in its privately owned
critical infrastructure sectors. But there are problems as well. The first is with his obsessive focus on cyber war. There is little doubt that several nations
have significant offensive cyber capacities that could in theory cause enormous destruction. What Clarke never adequately explains is why nations would
use these weapons in this way. Yes, China is stockpiling cyber weapons and planning for cyber war. But so, too, is the United States. Capacities and
contingency plans, taken alone, do not add up to a serious threat. There must also be a plausible scenario in which a nation has the motivation to use
these weapons. Clarke addresses this issue briefly, in trying to explain why China might destroy American infrastructure by means of a cyber attack even
though “China’s dependence on U.S. markets for its manufactured goods and the trillions the country has invested in U.S. treasury bills mean that China
would have a lot to lose.” His explanation is weak. He says that the United States and China might be drawn into a war over Taiwan or the oil-rich islands
in the South China Sea. Perhaps. But it is hard to imagine that China would wipe out the New York Stock Exchange or the
electrical grid of the East Coast unless it were in a total war over those islands--the sort of war that would also
involve enormously destructive non-cyber weapons, including even nuclear weapons. This does not mean we should stop
worrying about China’s offensive cyber weapons. Clarke is right that these weapons might (like China’s conventional forces) deter the United States from
intervening against China in a Pacific Rim contest. But he should also acknowledge that this deterrent is weakened by China’s
dependency on a functioning American economy,
which significantly reduces the credibility of its cyber threat. It is also true,
as Clarke argues, that the stealth cyber-arms race, the difficulty of knowing for sure which nation is behind a cyber attack, and the absence of norms to
govern such attacks combine to create an unstable situation in which destructive cyber activities might escalate by accident. We should indeed worry
about cyber war. But Clarke does not justify his central claim that cyber war is in fact the most serious cyber threat,
the one we should worry most about and take the most aggressive steps to meet. His error is to focus on the
worst-case cyber-war scenario without a hard-nosed assessment of its likelihood, and without comparing its
expected harms, given its small likelihood, with the expected total harms from other smaller but more likely
cyber threats. A cyber-attack threat that Clarke appears to understate comes from terrorists, some of whom have powerful motives to destroy our
domestic infrastructure and nothing to lose from doing so. For years the government insisted that Al Qaeda and its friends lacked the technological
capacity to inflict cyber attacks and had shown no interest in doing so. “Cyber terrorism is largely a red herring,” says Clarke, repeating the old
government line. But some have worried that Al Qaeda might purchase cyber capabilities on the black market. And while Clarke’s book was in
production, the government changed its tune. In November, the FBI announced that it was investigating individuals affiliated with Al Qaeda “who have
recognized and discussed the vulnerabilities of U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer
hacking skills, and who are seeking more sophisticated capabilities from outside of their close-knit circles.” There is a good case to be made that the
greatest cyber threats are not cyber-attacks by states or terrorists, but rather cyber espionage and cyber theft.
Private cyber criminals are growing in numbers and sophistication, and they are causing enormous economic
damage. Presumably the efficiencies of online banking and stock trading (to take two out of thousands of examples) still
outweigh the costs of these criminal activities, but the balance of benefits to costs is probably shrinking. Consumer trust in
online activities--an essential ingredient for successful e-commerce and more generally for the continued flourishing of the Internet-- is
certainly shrinking . In contrast to the very uncertain motives that states have to engage in cyber war, untold and growing
thousands of cyber criminal miscreants have powerful incentives to steal from American firms, and are doing
so daily. And so, too, are states. “The extent of Chinese government hacking against U.S., European, and Japanese
industries and research facilities is without precedent in the history of espionage,” Clarke notes. “The secrets behind
everything from pharmaceutical formulae, to bioengineering designs, to nanotechnology, to weapons systems, to
everyday industrial products have been taken by the People’s Liberation Army and been given to China, Inc.” Clarke
provides no convincing explanation why China would jeopardize this economic bonanza and its economic prosperity more generally by destroying the
networks that make this massive wealth transfer possible. Nor does he explain why he thinks the serious damage caused by ongoing public and private
cyber espionage and cyber theft should be less feared than the possible evils of a cyber war.
OFFCASE ARGUMENTS
ADVANTAGE COUNTERPLANS
1NC OVERSIGHT CP
The United States federal government should:
-support and increase encryption efforts in US companies;
-move the NSA Information Assurance Directorate to the Department of Homeland Security;
-establish executive and public oversight over the disclosure of zero-day exploits and
vulnerabilities.
Counterplan solves the case and avoids the deterrence DA
Nojeim 13 (Greg Nojeim, former Associate Director and Chief Legislative Counsel of the ACLU’s
Washington Legislative Office. Greg graduated from the University of Rochester in 1981 with a B.A. in Political
Science. He received his J.D. from the University of Virginia in 1985 and sat on the Editorial Board of the
Virginia Journal of International Law. He is now the senior counsel and director of the freedom, security, and
technology project. “Sweeping Review Group Recommendations Will Fuel NSA Reform Effort”,
https://cdt.org/blog/sweeping-review-group-recommendations-will-fuel-nsa-reform-effort, December 18,
2013 )//CLi
The Review Group’s report rightly recognizes the importance of strong encryption to the proper functioning of the Internet. It indicates that it
found no systematic effort by the NSA to undermine the security of communications by coercing companies to
build in backdoors to the Internet-based services they offer or by inserting backdoors surreptitiously. Documents
released by Edward Snowden and interviews with industry officials reportedly showed the opposite, including that the NSA “began
collaborating with technology companies in the United States and abroad to build entry points into their
products,” as the New York Timesreported on September 5. My colleague, Joseph Lorenzo Hall, blogged about concerns from the cryptographic
community that the NSA may have attempted to undermine the NIST cryptographic standard, SHA-3. These concerns came on the heels of allegations
that the NSA deliberately inserted a backdoor into a particular random number generator. The Review Group did not address these reports. It did,
however, make three important statements and recommendations about cybersecurity and encryption: Support
Secure Software. The Review group said in no uncertain terms in Recommendation 29 that
Strong Encryption and
the U.S. should “fully support
and not undermine efforts to create encryption standards ; not in any way subvert, undermine, weaken, or make
vulnerable generally available commercial software;
and, increase the use of encryption and urge US companies to
do so , in order to better protect data in transit, at rest, in the cloud, and in other storage.” These are exceedingly strong statements that recognize
that
global online commerce, infrastructure , and increasingly social activity are mediated by products
that must be secure so people can trust them when they are used . Much of the uncertainty in recent months about
the surveillance disclosures has centered around how secure or insecure are the products and services we use every day at work and at home. The
Review Group’s ringing support for secure communications, software, and interoperable standards go some way towards reducing this uncertainty. Its
recommendation that the government not subvert the security of commercial software is particularly welcome. Move NSA’s Cybersecurity Activities To a
Different DOD Element. NSA has two conflicting missions: breaking into the computers and networks of foreign
adversaries and securing the computer networks of elements of the U.S. intelligence community and certain
government contractors. The NSA’s Information Assurance Directorate does the cybersecurity work and the Review Group recommended
(Recommendation 25) this function be removed from NSA to the Department of Defense (DOD). Cisco, for example, recently
reported that its overseas business was being hurt by a perception that NSA was requiring it and other companies to build in backdoors so the NSA could
listen in.
Remov ing the Information Assurance Directorate from the NSA could enhance trust in
its mission and in the products the Directorate helps make more secure . However, the Directorate would
stay within the Department of Defense, which could diminish the desired effect of this move. Putting the cybersecurity function where it
belongs, at the Department of Homeland Security or at the Department of Commerce would have been a more
effective reform and refute inferences that the separation of these functions was not sufficient. Disclose Zero Day
Vulnerabilities . Like other intelligence agencies, and like commercial and other hackers, the NSA uses software vulnerabilities to gain access to
computers and steal information from adversaries. The most useful vulnerabilities are the “zero day” vulnerabilities – those that have never been
exploited before, and which the software maker therefore has not yet developed and distributed to users a patch for the vulnerability. When the
NSA discovers a zero day vulnerability, it has a decision to make: does it sit on it and use the vulnerability to gain access to an
adversary’s computer, or does it reveal the vulnerability to the software maker so it can be patched? Or, to put it another way, does NSA’s
intelligence collection mission trump its cybersecurity mission when it comes to zero days? The Review Group’s
recommendation is that cybersecurity should almost always win out and that such vulnerabilities should be
immediately disclosed to the software manufacturer, except in very narrow cases with very tight oversight from
the White House. The presumption is that NSA will inform the software so a patch can be fashioned, but that in rare
instances, the intelligence community could briefly exploit a zero day for a high priority target before informing
the software manufacturer.
2NC OVERSIGHT SOLVES
Public oversight is crucial to solve
Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate
professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer
science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc.,
April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern
Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn
Providing Oversight P187 There is potential danger that an operationalized exploit may proliferate past its
intended target. Stuxnet n267 provides an interesting case in point. Although aimed at Iran, the malware spread to computers in
other countries, including India and Indonesia. n268 It is unclear from the public record how this happened. It may have been
due to a flaw in the code, as Sanger contends; n269 alternatively, it may have been foreseeable but unavoidable collateral
damage from the means chosen to launch the attack against Iran. Either possibility, though, represents a process that may be acceptable for a military
C.
or intelligence operation but is unacceptable for law enforcement. Only the legally authorized target should be put at risk from the malware used. P188
Given the public policy issues raised by the use of vulnerabilities, it would be appropriate to have public
accountability on the use of this technique. For example, annual reports on vulnerability use similar
to the AO's Wiretap Reports, presenting such data as: How many vulnerabilities were used by law enforcement
in a given year? Were they used by federal or state and local? Was the vulnerability subsequently patched by the
vendor, and how quickly after being reported? Was the vulnerability used by anyone outside of law
enforcement? Was the vulnerability exploited outside law enforcement during the period that law enforcement
was aware of the problem but had not yet told the vendor? Did the operationalized vulnerability spread past its
intended target? What damages occurred from its exploitation? Making such information open to public
analysis should aid in decisions about the right balance between efficacy and public safety. n270
Cp solves the entirety of case—oversight and transparency key to trust
Fidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman
Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION:
CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014,
https://stacks.stanford.edu/file/druid:zs241cm7504/ZeroDay%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi
3.4.3 Analysis of the Potential Application of Oversight Mechanisms to U.S. Government Zero Day Vulnerability Purchase and Use Existing zero-day
oversight stems from the executive branch. No evidence publicly exists that legislative or judicial mechanisms have yet
dealt with zero-day vulnerabilities. The Obama administration has set standards to encourage greater disclosure of vulnerabilities to
companies, and could continue to augment that policy. An executive order or presidential policy directive could
establish common definitions and policies across agencies . 423 Executive branch oversight has a
significant amount of flexibility in placing effective procedural limits on zero-day vulnerability use. In terms of
expanding existing executive oversight for zero-day vulnerabilities, an executive order could , for instance, require the approval of the
president or an executive branch department head on certain kinds of purchase, use, or disclosure of vulnerabilities. It could also
facilitate
cooperation between agencies to facilitate greater price transparency between competing
government purchasers , an idea I will address further in the next section. Scott Charney of Microsoft suggests additional possibilities:
“you can do things like an Inspector General’s report, an outside review, and independent audit by cleared people.”424 Charney emphasizes that what
you really want is “rigor over the equities process...for there to be a real bias toward defense,” but that the real challenge is “how do you convince outside
people that the process has rigor?”425 In sum, executive oversight is a relatively available path to increased oversight and is more easily adapted to
changing circumstances than legislative and judicial oversight. Executive oversight may lack public transparency, but a congressional or judicial
approach would also be 423 It is possible that classified executive mechanisms such as executive orders or presidential policy directives already exist
pertaining to the zero-day field. 424 Charney. 425 Charney. 109 considerably shrouded from public view in light of the involvement of intelligence and
military equities. The judicial review mechanisms addressed here, primarily FISA/FISC, deal with the authorization of foreign intelligence activities. As
such, they are tool-neutral: foreign intelligence surveillance enabled by a zero-day vulnerability or via wiretapping would likely be treated the same by
this statute and court. Given this aspect, there is not an obvious role for judicial oversight of use or purchase of zero-day vulnerabilities. Establishing
FISC oversight over purchase, use, or disclosure of zero-days is not in keeping with the judiciary’s role in this context and would likely be opposed by the
intelligence community as heavy-handed and unnecessary. The intelligence community would likely, and perhaps rightly, question whether an operation
carried out using a purchased zero-day vulnerability deserves greater judicial scrutiny than other operations. Congressional action could also implement
controls on when and how zero-days can be bought and used. Congressional action could be used to impose the limits discussed
in the executive oversight section: limits on purchase, use, and disclosure of zero-day vulnerabilities. It could also
require reporting to relevant Congressional committees when a zero-day is not disclosed. Congressional oversight provides an avenue
for longer-lasting oversight regimes, in contrast with more easily alterable executive orders, and also could be accompanied by additional
funding for oversight or the threat of cutting off appropriations if the executive branch fails to follow oversight rules. However, congressional oversight is
likely politically difficult to achieve. Snowden has made most cyber topics politically fraught, and Congress is currently generally perceived as
dysfunctional. Beyond these political considerations, congressional oversight has traditionally 110 been reserved for oversight programs with a broader
purview, such as establishing principles that apply to all foreign intelligence activities or covert operations, not principles that apply just a specific tool.
3.4.4 Select Possibilities for Expanded Executive Branch Oversight of Zero-Day Vulnerabilities Taking into account the three major forms for oversight
and the NSA Review Panel’s recommendations, this section presents several specific examples of the broader categories of oversight examined above.
These models have been developed through conversations and interviews with experts. They are not intended to serve as policy recommendations, but
rather, they demonstrate the range and flexibility the mechanisms could possess and specifically target the holes in the current policy that this research
has demonstrated. Particularly, these sketches attempt to synthesize an oversight approach that could address both use and purchase of zero-day
vulnerabilities, whereas current oversight seems to focus exclusively on appropriate disclosure. This section previously analyzed oversight of executive
branch actions through executive branch oversight, judicial review, and legislative action.
Based on the emerging culture of
executive oversight of zero-days and its advantages of relatively easy implementation and alteration,
oversight established by the executive branch appears to have the most promise as a zero-day
oversight mechanism. The first potential way to expand executive oversight would be to encourage increased transparency of government
practices. Transparency is a typical first-stage oversight approach and could take a variety of forms. Currently, U.S.
government agencies seem to make zero-day purchases separately, without coordination, potentially bidding prices up.426 To address this issue, one
possible transparency mechanism might be to have government agencies that purchase 111 zero-days participate in a registry available to other agencies,
where prices for purchases are listed.427 Economists have demonstrated that price transparency generally leads to lower and more uniform prices,
although effects vary depending on the product.428,429,430 To address bidding wars that drive prices extremely high or low, Jonathan Mayer suggested
mitigating competition by also instituting “a priority list, so if DEA [Drug Enforcement Agency] and NSA bid on a vulnerability, NSA could get it.”431
This shared-list mechanism would be a form of buyer coordination, which has been demonstrated as one way of achieving lower prices.432,433
Intelligence agencies have so far resisted public disclosure of prices paid for zero-day vulnerabilities, redacting this information from documents released
through the Freedom of Information Act, but buyer coordination could represent a middle path, hopefully resulting in lower prices for purchasing
agencies while not requiring public sharing of price lists.434 Transparency mechanisms can be criticized for weakness. Mayer suggests several
mechanisms that could help ensure transparency mechanisms are more than gestures. As one example, he could envision a policy that states “after three
years, zero-days will be banned, but at two years a report is due, which leaves a year to decide whether to keep the ban or not” on the I credit Chris
Soghoian for the original inspiration for this idea. 428 Austin, D. Andrew, and Gravelle, Jane G. “Does Price Transparency Improve Market Efficiency?
Implications of Empirical Evidence in Other Markets for the Health Sector.” Congressional Research Service. 29 April 2008, 2. 429 Bloomfield, Robert,
and O’Hara, Maureen. “Market Transparency: Who Wins and Who Loses?” Review of Financial Studies 12.1 (1999): 5-35. 430 In financial and online
markets, especially price comparison sites for insurance and airline tickets, transparency has been demonstrated to generally decrease prices (see Austin
& Gravelle, 2). In some market structures, particularly those involving intermediate goods or middlemen, price transparency can make strategic
bargaining and collusion easier for the sellers, raising prices (See Austin & Gravelle, 7). 431 Mayer. 432 Phillips, Owen R., Menkhaus, Dale J., and
Coatney, Kalyn T. “Collusive Practices in Repeated English Auctions: Experimental Evidence on Bidding Rings.” The American Economic Review 93.3
(2003): 965-979, 965. 433 United States Department of Agriculture. “Assessment of the Cattle and Hog Industries Calendar Year 2000.” Grain
Inspection, Packers, and Stockyards Administration. June 2001, 30. 434 NSA-Vupen Contract. 112 basis of how well the players are responding to the
transparency mechanisms.435 However, Mayer concedes, “politically speaking, you’re probably not going to be able to get the sword of Damocles to hang
over industry right now,” and transparency mechanisms would likely have only baby teeth, if that.436 Transparency mechanisms for the seller-side of
the trade are also worth exploring. I will only briefly address these here, because industry oversight would require Congressional
action, and this section primarily focuses on potential paths to executive oversight. Possible public private transparency
measures might include requiring a vendor to report to the government if a vulnerability they sold or discovered is used in an illegal attack.437
Alternatively, a vendor could be required to inform the government if a vulnerability they sold or discovered is subsequently found by a second party.438
Other potential public-private transparency building mechanisms are conceivable; these represent a few possibilities. This topic would be fruitful to
explore in further research. Beyond transparency, executive oversight could be used to strengthen the equities process for disclosure of vulnerabilities,
extending what was recently announced. Particularly, instituting a post-use or post-stockpiling review process could ensure frequent reevaluation of
vulnerabilities that were exempted from disclosure during first-round review .
This review process could make sure that the
original national security need exempting the vulnerability from disclosure continues to
validate keeping the vulnerability undisclosed.
Cp solves net better—aff’s all or nothing approach leaves us vulnerable to terrorists
Erwin 15 (Marshall was the intelligence specialist at the Congressional Research Service, focusing upon
National Security Agency surveillance leaks and legislative changes to the FISA statute, non-residential fellow
at Stanford University. “An Intelligence Committee Agenda Part III: Zero-day Vulnerability Disclosure”
http://www.overtaction.org/2015/01/an-intelligence-committee-agenda-part-iii-zero-day-vulnerabilitydisclosure/, January 2015)
If those committees want to make a singular, genuine impact on this emerging threat, they should focus
on oversight of the Administration’s zero-day vulnerability disclosure process. Zero-day
vulnerabilities are flaws in software and hardware that aren’t known to the companies or developers that make the technology. Those
vulnerabilities can provide a useful tool to intelligence services, as well as to criminal groups and other nefarious
actors. The Stuxnet computer worm that attacked Iranian centrifuges in 2010 utilized several zero-day vulnerabilities. It has often been suggested
that the National Security Agency (NSA) has a huge ‘stockpile’ of such vulnerabilities that it uses to conduct surveillance operations. As valuable as
these vulnerabilities might be to intelligence services, they can also become a threat to millions of computer
and Internet users in the United States and around the globe if they are present in widely used software and
hardware. This is why many have suggested that organizations like NSA should disclose the vulnerabilities they discover and allow the broader public
to reap the security benefits of disclosures. In April, in response to apparently unfounded concerns that NSA had known about theHeartbleed
vulnerability, the White House Cybersecurity Policy Coordinator Michael Daniel commented publicly about the Administration’s zero-day disclosure
process. Here is how he characterized the issues: [T]here are legitimate pros and cons to the decision to disclose, and the tradeoffs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.
Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence
that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous
vulnerabilities that are being used by hackers or other adversaries to exploit our networks. Building up a huge stockpile of
undisclosed vulnerabilities while leaving the Internet vulnerable and the American people
unprotected would not be in our national security interest. But that is not the same as arguing that we should
completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy,
and so we have established principles to guide agency decision-making in this area. Daniel went on to describe a “re-invigorated” interagency process put
in place in 2014 dedicated to weighing the pros and cons and determining whether a zero-day known to the U.S. government should be disclosed. He also
listed nine questions that need to be answered whenever an agency proposes withholding knowledge of a vulnerability. This new processapparently
improved upon a process originally established in 2010 and run by NSA.
Zero-day vulnerability disclosure decisions
require a careful balancing that will be difficult to achieve under the best of circumstances. This is made all the
more difficult by the fact that, regardless of whatever process is put in place, incentives will still favor non-disclosure. The benefits of disclosure
are broad and global while any cost will be felt acutely by intelligence services that will lose capabilities. The
current process
in essence
depends on the benign hegemony of the executive branch in cyberspace.
1NC REGULATIONS CP
The United States federal government should:
 require firms that transact in software security vulnerabilities permit the federal government to
participate in any offerings or service they provide the sale of zero-day exploits and vulnerabilities that
are unreported to the National Security Agency;
 require confidential reporting for transactions zero-day exploits and vulnerabilities; and
 establish a reward system for researchers who share zero-day vulnerabilities and exploits with the
government.
Counterplan solves zero-day use and boosts cyberdefense --- prevents every 1ac impact
Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in
the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn
B. Partial Defenses
While a complete defense to zero-day attacks is impossible, policymakers can improve
cybersecurity with three regulatory moves : (1) mandatory access to public zero-day markets for the
federal government, (2) required confidential reporting on transactions by firms in those markets, and (3) a reward
system for researchers who share vulnerabilities with the government. [*1085] Congress should pass legislation
to implement these measures, and the United States should move to convert unknown unknowns to known unknowns. First, firms that
transact in software security vulnerabilities should be required to permit the federal government to participate
in any offerings or services they provide, on nondiscriminatory terms. If Vupen, for example, sought to sell zero-day exploits to
France's security services, but not to the United States' NSA, that would be problematic. Software security firms should be legally
bound to provide paid access to the U.S. government as a necessary condition of continued operation. This would
enable the government to develop and deploy countermeasures to at least some zero-day attacks. Congress has taken analogous measures
for other potential risks to national security. For example, one cannot obtain a patent for inventions in nuclear
materials or weapons, n492 but such inventions are eligible for a governmental reward scheme. n493 And, the
statute transfers rights to the invention from the inventor to the federal government. n494 Similarly, export controls
restrict private firms' ability to engage in transactions with foreign countries. One may not transfer software utilizing encryption to
countries such as Iran or North Korea, n495 and one may not sell certain supercomputers to countries such as
China or Russia. n496 These rules apply to all firms within U.S. jurisdiction. Thus, Congress has either mandated
or forbidden certain transactions based on national security concerns and could mount a similar effort for
zero-day sales . Not all zero-day merchants fall under U.S. jurisdiction or enforcement. Even those operating
abroad, however, likely have contacts with the United States. Vupen's employees, for example, visit the United States. n497 Many, if not all,
such firms use financial or payment processing companies that are [*1086] subject to U.S. regulation. Some software
companies, such as Microsoft, are eager to access U.S. government data on vulnerabilities and threats and have
demonstrated a willingness to provide the NSA with exploit information before making it public. n498 These links
provide potential leverage. Congress could attach provisions to this legislation that would allow the executive branch
to designate firms that do not provide access to the government and to require banks and payment processors
to forgo transactions with them. n499 Analogous measures have been implemented to interdict financing for terrorist groups n500 and have
been proposed to deal with websites illegally offering prescription drugs or copyrighted works. n501
2NC REGULATIONS CP
Mandated transaction reporting allows effective countermeasures
Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in
the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn
Second, Congress
should mandate a transaction-reporting system for firms trading in vulnerabilities. These
companies should have to report, on a confidential basis, the purchaser's identity in all transactions of zero-day
exploits to the NSA. This data would remain confidential and should be designated as statutorily immune from
discovery or other use unless the NSA expressly chooses to share it. n502 The statute should enable auditing of firms' records by
the NSA if the Agency is able to demonstrate an objectively reasonable basis to suspect inaccuracies or falsification. To make this provision less
objectionable for the vulnerability merchants, Congress should include payments to the reporting firms. While additional spending
[*1087] is politically difficult, this expenditure would be a small but worthwhile investment in security. Similar
reporting systems are
widely used to mitigate risk. NASA, for example, encourages confidential reporting of "near-miss incidents" - those
that nearly resulted in aviation mishaps - to improve safety procedures and detect product defects. n503 Similarly,
insurers offering policies for medical malpractice liability must report judgments and settlements to the National Health Practitioner Data Bank. n504
This malpractice information is available for use by state medical licensing boards and federal agencies, but is otherwise confidential. n505 In addition,
the Federal Railroad Administration is testing a Confidential Close Call Reporting System to identify risks in rail operations via confidential reporting of
near-miss incidents. n506 The Department of Veterans Affairs has a similar reporting system for patient safety. n507 And finally, the Federal
Communications Commission has one for network outages. n508 Thus, the federal government already has well-established
confidential reporting systems to help manage risk. A zero-day reporting system has several benefits. It would
enable the government to detect problematic sales , particularly to unfriendly states and insecure parties. It
would increase the effectiveness of countermeasures that mitigate zero-day exploits by providing a
rough guide to how widely distributed a particular attack tool is. It would allow the government to identify whether firms follow
their stated criteria for sales (such as Vupen's self-imposed limit to NATO countries and clients) and to scrutinize suspect firms more closely. Lastly, it
would provide a crude estimate of the ebb and flow of zero-day threats and of the platforms and applications
viewed by the merchant as worthy of attention (and payment).
Bug bounty programs solve cyberdefense while boosting effective offensive capacity
Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in
the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn
Finally, Congress
should authorize a "bug bounty" program. n509 Its goal would be to collect zero-day exploits and
encourage researchers to sell their [*1088] findings to the U.S. government rather than to private firms or other
nation-states. A government agency, such as the NSA or the U.S. Computer Emergency Readiness Team (CERT), should be
provided funds to buy zero-day vulnerability information . n510 The entity selling the exploit, such as a
security research firm, would have to certify under penalty of perjury that it had not previously shared the
vulnerability information with others and would have to agree contractually not to do so in the future . n511
Congress should consider backing these requirements with substantial criminal penalties as it has done
in other contexts. n512 Arms dealers who sell to both sides are held in low esteem. Similar private bounty programs implemented by
Google and Mozilla have had considerable success in identifying and remediating bugs. n513 The funding and
amount paid per bug should be generous: removing zero-days from the Internet ecosystem is highly
beneficial . Moreover, generous payments will have further positive effects. First, these payments will spur researchers to
search for additional bugs. These bugs are like latent defects in a product - they lurk, creating risk, until they are discovered. Second, paying abovemarket rates makes it more difficult for others to purchase zero-days.
Pushing others out of the zero-day market is useful
both offensively and defensively . Offensively, accumulating zero-days provides the United States with
the building blocks for future Stuxnets. Defensively, it reduces the likelihood that U.S. firms or government
entities will fall victim to attack .
Developing zero-day regulatory frameworks allows for the creation of multilateral frameworks
Castelli 14 (Christopher J. Castelli, Senior Correspondent at Inside Cybersecurity, “Report urges policymakers
to curb booming cyber-arms sales”, http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/report-
urges-policymakers-to-curb-booming-cyber-arms-sales/menu-id-1075.html, January 13, 2014)//CLi
Reining in booming sales of cyber weapons that could threaten critical infrastructure will require policymakers to shield software developers from
liability, create export controls and enable prosecutions of digital-arms dealers, a former defense official argues in a new essay. There is a
significant risk that hackers could discover and exploit previously unknown weaknesses -- so-called "zero day" vulnerabilities
-- in the applications layer of the industrial control systems that underpin the U.S. electric grid and other critical infrastructure sectors, former Pentagon
homeland-defense chief Paul Stockton and a co-author write in an essay for the Yale Law and Policy Review. Such exploits could be used to
gather sensitive commercial or intelligence information, incapacitate computer systems, or inflict widespread
physical damage -- by targeting the air traffic control system to cause collisions, for example, the essay states. A three-step approach is needed to
mitigate the risk, according to Stockton and his co-author, Yale Law School student Michele Golabek-Goldman. First, Congress must address
the threat's root cause by incentivizing developers of critical software to enhance their products' security, state the
authors, who call for amending the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 to extend liability coverage to these
developers. Second, U.S. officials and international partners must develop criteria for "illegitimate" sales of zero-day
exploits and establish uniform export controls through the Wassenaar Arrangement, the essay states. It credits the Senate Armed Services Committee
for raising the visibility of this proliferating threat and for seeking measures to address it. House and Senate authorizers, in their fiscal year 2014 defense
authorization bill, included a provision directing the White House to work with industry to develop a policy that would control the proliferation of cyber
weapons through various means. How such controls should be structured is unclear, but only a multilateral approach can
succeed, the essay argues. The authors say the United States should implement the Wassenaar Arrangement's recommended exploit controls through
its Commerce Control List. A significant limitation is that China is not a member of the arrangement, but on the other hand China has made progress in
adhering to international norms, the essay states. Finally, the authors contend, Congress should strengthen the capacity to prosecute
individuals who sell zero-day exploits targeting critical infrastructure to U.S. adversaries. They urge Congress to amend
the Computer Fraud and Abuse Act, the United States' most significant federal computer-crime statute. The amended law should require sellers of zeroday exploits to show that they "reasonably investigated" buyers' backgrounds and had "reasonable grounds to believe" that buyers would not attack
industrial control systems -- and it should enable prosecutions of U.S. and foreign vendors who sell zero-day exploits to
U.S. persons who deploy them to attack critical infrastructure, the authors write. In some cases, they argue, the United States
should be able to extradite researchers abroad who have violated the law.
1NC WASSENAAR REGULATIONS CP
The United States federal government should require vendors of zero-day exploits and
vulnerabilities to obtain licenses from the Department of Commerce. The United States federal
government should propose the creation of new rules controlling exports of zero day
vulnerabilities to other members of the Wassenaar Agreement.
Control of øDay sales would deter researchers from exploitation
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, <http://ssrn.com/abstract=2438164>] /eugchen
This multilateral effort would help foster international norms among many nations on illegitimate Øday
purchases and build international consensus on states’ responsibility to halt dangerous sales from within their
borders. Most importantly, multilateral export controls would increase the costs associated with selling dangerous Ødays to those seeking to deploy
them for malicious purposes. Many of the leading gray market firms that sell Ødays are located in Wassenaar member nations,
including the United States, Malta, and France.193 These firms would now have to apply for licenses to sell
dangerous Ødays, move their operations elsewhere, or risk significant criminal penalties for contravening
export controls and operating on the black market. For example, intentional violation of the Export Administration
Regulations (“EAR”) would result in criminal penalties of up to $1 million and prison sentences of up to 20 years. 194
Such high penalties—especially if accompanied by stronger enforcement 195—would likely deter many
researchers from engaging in illicit transactions. Therefore, as part of a broader effort to stem dangerous Øday sales, creating
uniform export controls through the Wassenaar Arrangement would constitute a critical step forward in
safeguarding nations from malicious cyber activities.
Collaboration with the international community through the Wassenaar Arrangement key to
controlling zero day sales
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
The United States should therefore consider collaborating with the international community to develop export control criteria through the Wassenaar
Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”). 148 The Wassenaar
Arrangement, which was established in 1996, is a superior alternative to the other three existing multilateral
export regimes—the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia
Group—for implementing export controls of Øday sales. Since the Nuclear Suppliers Group’s overarching objective is to “prevent
nuclear exports for commercial and peaceful purposes from being used to make nuclear weapons,” incorporating controls of Ødays into this arrangement
would fall outside the purview of the regime. 149 Likewise, the Missile Technology Control Regime seeks to curb “proliferation of missiles and missile
technology,” which is irrelevant for addressing Øday sales. 150 The Australia Group, whose mission is to “ensure that exports do not contribute to the
development of chemical or biological weapons,”151 is also ill-suited for curbing indiscriminate sales of Ødays. Unlike these other multilateral export
regimes, the Wassenaar Arrangement has a broad mission that could aptly encompass Øday sales: to “contribute
to regional and international security and stability, by promoting transparency and greater responsibility in
transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing
accumulations.”152 The arrangement, which currently includes 41 member nations, strives to achieve this objective by
establishing uniform “control lists” of dual-use technologies, sharing information on dual-use transfers, and
consulting with members on national export policies and denials of export license applications. 153 Wassenaar
members could incorporate Øday sales into the Arrangement’s dual-use lists, which already cover certain types of code and software, including
encryption software. 154 Furthermore, the Wassenaar Arrangement already provides for controls of “intangible
technology,” which members have agreed are “critical to the credibility and effectiveness of [a Participating
State’s] domestic export control regime.”155 The Arrangement defines “intangible technology” as “specific information necessary for the
‘development,’ ‘production’ or ‘use’ of a product,” including “technical data or technical assistance.”156 Selling technical knowledge on how to exploit
vulnerabilities in computer software appropriately falls under this definition.157
2NC SOLVENCY
Collaboration with the international community through the Wassenaar Arrangement key to
controlling zero day sales
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
The United States should therefore consider collaborating with the international community to develop export control criteria through the Wassenaar
Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”). 148 The Wassenaar
Arrangement, which was established in 1996, is a superior alternative to the other three existing multilateral
export regimes—the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia
Group—for implementing export controls of Øday sales. Since the Nuclear Suppliers Group’s overarching objective is to “prevent
nuclear exports for commercial and peaceful purposes from being used to make nuclear weapons,” incorporating controls of Ødays into this arrangement
would fall outside the purview of the regime. 149 Likewise, the Missile Technology Control Regime seeks to curb “proliferation of missiles and missile
technology,” which is irrelevant for addressing Øday sales. 150 The Australia Group, whose mission is to “ensure that exports do not contribute to the
development of chemical or biological weapons,”151 is also ill-suited for curbing indiscriminate sales of Ødays. Unlike these other multilateral export
regimes, the Wassenaar Arrangement has a broad mission that could aptly encompass Øday sales: to “contribute
to regional and international security and stability, by promoting transparency and greater responsibility in
transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing
accumulations.”152 The arrangement, which currently includes 41 member nations, strives to achieve this objective by
establishing uniform “control lists” of dual-use technologies, sharing information on dual-use transfers, and
consulting with members on national export policies and denials of export license applications.153 Wassenaar
members could incorporate Øday sales into the Arrangement’s dual-use lists, which already cover certain types of code and software, including
encryption software. 154 Furthermore, the Wassenaar Arrangement already provides for controls of “intangible
technology,” which members have agreed are “critical to the credibility and effectiveness of [a Participating
State’s] domestic export control regime.”155 The Arrangement defines “intangible technology” as “specific information necessary for the
‘development,’ ‘production’ or ‘use’ of a product,” including “technical data or technical assistance.”156 Selling technical knowledge on how to exploit
vulnerabilities in computer software appropriately falls under this definition.157
CP effectively regulates øDay sales – deters researchers from engaging in illicit deals
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
Since the recent changes were instituted, there has been significant confusion among experts regarding the “intended scope of these clauses.” 164
Some gray market vulnerability research firms, including the French-based VUPEN, broadly interpreted the
Wassenaar Arrangement’s new “intrusion software” controls to apply to Øday sales. 165 They therefore
immediately took extra precautions by altering their sales policies to comply with the Arrangement’s end-user
restrictions. 166 Nevertheless, in recent months, delegates to the Arrangement have clarified that the new inclusion of “intrusion software” is only
meant to apply to software deployed to “disseminate and implement intrusion software,” rather than the “malware, rootkits, or exploits” themselves.167
While Øday sales have yet to be regulated under the Arrangement, these recent changes and growing acknowledgement among Wassenaar members that
dual use cyber technologies can be deployed to endanger international security should pave the way for future incorporation of Øday sales into the
Arrangement’s dual-use lists. Furthermore, it is very revealing that firms such as VUPEN that interpreted the
Wassenaar Arrangement’s new controls to govern Øday sales—even if their interpretation was ultimately
incorrect—rapidly altered their sales policies. This demonstrates that, unlike regulatory skeptics contend,
increasing the risks and penalties associated with indiscriminately selling Ødays can deter researchers from
entering into illicit transactions.
Empirics prove control of intangible data is feasible
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
Some might counter that it is impractical to control “intangible” data transfers like Ødays. However, the government has successfully
limited exports of dangerous technical data for years under the Export Administration Regulations (“EAR”),
the International Traffic in Arms Regulations (“ITAR”), and the Atomic Energy Act (“AEA”). 181 It is
indisputable that it has the statutory authority to regulate information that can be deployed in the
“development,” “production,” or “use” of prohibited defense materials.182 For example, pursuant to these statutes, the
government prevents individuals and universities from training or sharing information with foreigners on how to develop a nuclear weapon, missiles,
and other dangerous technologies.183 The “intangible” electronic or digital transmission of “blueprints, diagrams, manuals, instructions, [and] software”
related to controlled items is also forbidden.184 BIS would be able to deploy the same procedures to control information
transfers regarding exploiting vulnerabilities in our nation’s computer systems.
***Note BIS= Commerce Department’s Bureau of Industry and Security
AT: CP DOESN’T SOLVE CHINA
The Wassenaar Arrangement would spillover to China and other non-member nations
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
While this report advocates for designating the PLA and its agents as illegitimate Øday end-users under the Wassenaar Arrangement in order to safeguard U.S. security
interests, it acknowledges the significant disadvantages of this approach and recommends that this issue be the subject of highlevel
diplomacy, including meetings at the U.S.-China Strategic Security Dialogue’s Cyber Working Group. One
strategy would be for diplomats to highlight both nations’ mutual vulnerability to indiscriminate Øday sales,
especially in the realm of cybercrime. For example, although China’s own vulnerability to cyber threats is rarely covered in the press, China is also
suffering major economic losses from cybercrime.191 In 2012 alone, cybercrimes such as online identity theft and cyber-enabled fraud cost China approximately $46.4 billion.
192 By
stressing these mutual concerns, members of the Wassenaar Arrangement might persuade China to join
this aspect of the Wassenaar Arrangement and at least adopt part of the regime’s export control list
recommendations for Øday sales. The Wassenaar Arrangement should consider using similar engagement
strategies with other non-member states including Pakistan, India, and Israel.
AT: CAN’T CATCH ALL VULNERABILITIES
Catch-all provision would be a safety net to new øday vulnerabilities
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global
Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
In addition to enumerating specific categories of Ødays on the Wassenaar Arrangement’s and CCL’s controlled
items lists, member nations could also curb dangerous sales through export “catch-all” provisions.176 In the context
of weapons of mass destruction and missile material controls, “catch-all” provisions are defined as controls that “provide a legal and/or regulatory basis
to require government permission to export unlisted items when there is reason to believe such items are intended for a WMD/Missile end-use or enduser.”177 Member nations would need to define “catch-all” provisions in the Øday context and specify under
which conditions such a provision would govern. For example, the “catch-all” provision might be invoked when
sellers have “reason to know” that their Ødays will be deployed for “malicious cyber activity,”178 which could
be defined as including cyberattacks and cyber espionage.179 Due to the rapidly evolving nature of technologies and discoveries of
new vulnerabilities, the international community may be unable to immediately incorporate newly discovered Ødays
into their control lists. A “catch-all” provision for dangerous Øday sales would therefore provide a critical safety
net in this context.180
CYBERDETERRENCE DA
1NC CYBERDETERRENCE DA
Maintaining zero day’s is key to offensive cyber operations and rapid crisis response
Cushing 14 [Seychelle, B.A. in political science from Simon Fraser University, “Leveraging Information as Power: America’s Pursuit of Cyber
Security,” Simon Fraser University, 11/28/14 <http://summit.sfu.ca/system/files/iritems1/14703/etd8726_SCushing.pdf>]//eugchen
In comparison, the
zero-days used in cyber weapons require the US to constantly discover new vulnerabilities
to maintain a deployable cyber arsenal . Holding a specific zero-day does not guarantee that the vulnerability will remain unpatched
for a prolonged period of time by the targeted state.59 Complicating this is the fact that undetected vulnerabilities, once acquired, are rarely used
immediately given the time and resources it takes to construct a cyber attack.60 In the time between acquisition and use, a patch for the vulnerability
may be released, whether through routine patches or a specific identification of a security hole, rendering the vulnerability obsolete. To minimize this,
America deploys several zero-days at once in a cyber attack to increase the odds that at least one (or more) of
the vulnerabilities remains open to provide system access.61 Multiple backdoor entry points are preferable given that America
cannot be absolutely certain of what vulnerabilities the target system will contain62 despite extensive pre-launch cyber attack testing63 and
customization.64 A successful cyber attack needs a minimum of one undetected vulnerability to gain access to the target system. Each successive
zero-day that works adds to the strength and sophistication of a cyber assault.65 As one vulnerability is patched,
America can still rely on the other undetected vulnerabilities to continue its cyber strike. Incorporating multiple undetected vulnerabilities into a cyber
attack reduces the need to create new cyber attacks after each zero-day fails. Stuxnet, a joint US-Israel operation, was a cyber attack
designed to disrupt Iran’s progress on its nuclear weapons program.66 The attack was designed to alter the code
of Natanz’s computers and industrial control systems to induce “chronic fatigue,” rather than destruction, of
the nuclear centrifuges.67 The precision of Stuxnet ensured that all other control systems were ignored except for those regulating the
centrifuges.68 What is notable about Stuxnet is its use of four zero-day exploits (of which one was allegedly
purchased)69 in the attack.70 That is, to target one system, Stuxnet entered through four different backdoors. A target state aware of a specific
vulnerability in its system will enact a patch upon detection and likely assume that the problem is fixed. Exploiting multiple vulnerabilities creates
variations in how the attack is executed given that different backdoors alter how the attack enters the target system.71 One patch does not stop the cyber
attack. The use of multiple zero-days thus capitalizes on a state’s limited awareness of the vulnerabilities in its system. Each phase of Stuxnet was
different from its previous phase which created confusion among the Iranians. Launched in 2009, Stuxnet was not discovered by the Iranians until
2010.72 Yet even upon the initial discovery of the attack, who the attacker was remained unclear. The failures in the Natanz centrifuges were first
attributed to insider error73 and later to China74 before finally discovering the true culprits.75 The use of multiple undetected
vulnerabilities helped to obscure the US and Israel as the actual attackers.76 The Stuxnet case helps illustrate
the efficacy of zero-day attacks as a means of attaining political goals . Although Stuxnet did not
produce immediate results in terminating Iran’s nuclear program, it helped buy time for the Americans to
consider other options against Iran. A nuclear Iran would not only threaten American security but possibly open
a third conflict for America77 in the Middle East given Israel’s proclivity to strike a nuclear Iran first. Stuxnet allowed the United States to
delay Iran’s nuclear program without resorting to kinetic action.78
Losing our comparative advantage emboldens China to take Taiwan – that breaks down cyber
deterrence and turns heg
Hjortdal 11 [Magnus Hjortdal is a researcher asso ciated with CHINA-SEC, Centre for Military Studies at the
University of Copenhagen. He ho lds an M.Sc. in Political Science from the University of Copenhagen and is
owner of MH International Relations, which advise s private and public institutions, “China's Use of Cyber
Warfare: Espionage Meets Strategic Deterrence” Journal of Strategic Security , 4 (2): 1-24] //khirn
China's military strategy mentions cyber capabilities as an area that the People's Liberation Army (PLA) should invest in
and use on a large scale. 13 The U.S. Secretary of Defense, Robert Gates, has also declared that China's development in the cyber area
increasingly concerns him, 14 and that there has been a decade-long trend of cyber attacks emanating from China. 15
Virtually all digital and electronic military systems can be attacked via cyberspace . Therefore, it is
essential for a state to develop capabilities in this area if it wishes to challenge the present American
hegemony . The interesting question then is whether China is developing capabilities in cyberspace in order to deter the United States. 16
China's military strategists describe cyber capabilities as a powerful asymmetric opportunity in a deterrence
strategy. 19 Analysts consider that an "important theme in Chinese writings on computer-network operations (CNO) is
the use of computer-network attack (CNA) as the spearpoint of deterrence ." 20 CNA increases the enemy's costs
to become too great to engage in warfare in the first place, which Chinese analysts judge to be essential for
deterrence. 21 This could , for example, leave China with the potential ability to deter the U nited S tates from
intervening in a scenario concerning Taiwan . CNO is viewed as a focal point for the People's Liberation
Army, but it is not clear how the actual capacity functions or precisely what condit ions it works under. 22 If a state with superpower potential (here
China) is to create an opportunity to ascend militarily and politically in the international system, it
would require an asymmetric
deterrence capability such as that described here. 23 It is said that the "most significant computer network attack is
characterized as a pre-emption weapon to be used under the rubric of the rising Chinese strategy of [...] gaining mastery
before the enemy has struck." 24 Therefore, China, like other states seeking a similar capacity, has recruited massively within the hacker
milieu inside China. 25 Increasing resources in the PLA are being allocated to develop assets in relation to cyberspace.
26 The improvements are visible: The PLA has established " information warfare " capabilities, 27 with a special focus on
cyber warfare that, according to their doctrine, can be used in peacetime. 28 Strategists from the PLA advocate
the use of virus and hacker attacks that can paralyze and surp rise its enemies. 29
That goes nuclear
Glaser 11 [Professor of Political Science and International Affairs – George Washington University, “Will
China’s Rise Lead to War?” Foreign Affairs Vol. 9 Iss. 2, March/April] //khirn
THE PROSPECTS for avoiding intense military competition and war may be good, but growth in China's power may nevertheless require some
changes in U.S. foreign policy that Washington will find disagreeable--particularly regarding Taiwan. Although it lost control of Taiwan during the
Chinese Civil War more than six decades ago, China still considers Taiwan to be part of its homeland, and unification
remains a key political goal for Beijing. China has made clear that it will use force if Taiwan declares independence,
and much of China's conventional military buildup has been dedicated to increasing its ability to coerce Taiwan and
reducing the United States' ability to intervene. Because China places such high value on Taiwan and because the United States
and China--whatever they might formally agree to--have such different attitudes regarding the legitimacy of the status quo, the issue poses
special dangers and challenges for the U.S.-Chinese relationship, placing it in a different category than Japan or South
Korea. A crisis over Taiwan could fairly easily escalate to nuclear war, because each step along the way
might well seem rational to the actors involved. Current U.S. policy is designed to reduce the probability that Taiwan will declare
independence and to make clear that the United States will not come to Taiwan's aid if it does. Nevertheless, the United States would find
itself under pressure to protect Taiwan against any sort of attack, no matter how it originated. Given the
different interests and perceptions of the various parties and the limited control Washington has over Taipei's
behavior, a crisis could unfold in which the United States found itself following events rather than leading them. Such
dangers have been around for decades, but ongoing improvements in China's military capabilities may make Beijing
more willing to escalate a Taiwan crisis . In addition to its improved conventional capabilities, China is modernizing
its nuclear forces to increase their ability to survive and retaliate following a large-scale U.S. attack. Standard
deterrence theory holds that Washington's current ability to destroy most or all of China's nuclear force enhances its bargaining position. China's
nuclear modernization might remove that check on Chinese action, leading Beijing to behave more boldly in future crises than it
has in past ones. A
U.S. attempt to preserve its ability to defend Taiwan, meanwhile, could fuel a conventional and
nuclear arms race . Enhancements to U.S. offensive targeting capabilities and strategic ballistic missile defenses might be
interpreted by China as a signal of malign U.S. motives, leading to further Chinese military efforts and a general poisoning of
U.S.-Chinese relations.
2NC LINK/TURNS CASE WALL
The plan destroys offensive cyber-capabilities and cedes cyberspaces to China
Aitel and Rampersaud 14 [Dave, CEO of Immunity Inc., a leading offensive security firm that serves major
financial institutions, industrials, Fortune/Global 500s and US government/military agencies, former NSA
computer scientist and DARPA contractor, and Skylar, a former NSA computer scientist and director of
vulnerability analysis at Immunity, “Some People Want A Time Limit On The NSA's 'Zero-Day' Exploits —
Here's Why That's A Terrible Idea,” Business Insider, July 2, 2014, http://www.businessinsider.com/why-atime-limit-on-zero-days-is-a-bad-idea-2014-7] //khirn
In particular, people have suggested that the NSA be restrained from collecting a “zero-day” stockpile and that one of
the logical ways to do this was to force them to report any discovered vulnerabilities to the vendor for patching after a certain time period has elapsed,
presumably so they could use them in the meantime for intelligence collection. First, some context from the White House’s NSA task force and their own
blog: Recommendation 30: “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are
patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence
collection, following senior, interagency review involving all appropriate departments.” “But there are legitimate pros and cons to the decision to
disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant
consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop
the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to
exploit our networks.” However, people with experience in the field of information operations, computer and network exploitation, or any related signals
assigning a time limit to your methods is madness . Specifically, computer and network
operations are fragile in the sense that they are often linked together. Take one simple sample operation for example: penetrating the Iranian
nuclear establishment. This may involve at a minimum three different kinds of 0days (penetrating into a computer, taking full control
of that computer, and spreading from that computer to other computers), but it also involves special software for maintaining a
presence on the network and getting large volumes of data out of the network (think FLAME). These tools are known as “implants.” Obviously,
the first time someone discovers the implant, they can hunt down all other machines that have been infected and
intelligence occupation know that
start making guesses as to what information you were after, or may have gotten. This is why the minute you become aware that someone has found you,
you clean up every possible operation using that implant. What is less well known is how the discovery of vulnerability
information (“0days”) can affect operations. In particular, the modern age of cloud computing allows countries to store and
analyze huge volumes of their traffic (or indeed, other countries’ traffic, as Snowden has helpfully pointed out). This means that when a
vulnerability goes public they can search through all of history to find out when any traffic matching that
vulnerability may have happened. They then rush to look at that machine, and will likely find any implant on it.
In other words, releasing a vulnerability means that all of your implants in Iran must be removed if any of them
were installed using that vulnerability. In addition, hard targets are often compromised with the help of human agents, recruited by human
intelligence organizations. These people’s lives are then put at risk if any computer they have touched is discovered to have been compromised by a tool
that can be linked back to the United States or her Allies. In addition, you are not just releasing the information that the vulnerability exists. If you are
giving that vulnerability information to the vendor, you are also saying that it was definitely the United States government that was involved with that
operation. This solves the “attribution problem” for your enemy. But it solves more difficult problems for your enemy too. Software bugs are
often related, and the knowledge that a bug exists can lead them to find different bugs in the same code or
similar bugs in other products. By looking at all the vulnerabilities you release, they know the state of your vulnerability-finding programs.
They know how far ahead or behind of you they are. They can focus their own vulnerability-finding resources with greater precision. They will be
able to find vulnerabilities that you have not found - and they will have the added advantage of knowing when
to wrap up their own exploit operations. Vulnerabilities are a finite thing - taking the tack of releasing them over
time means that eventually the United States’ ability to find them will be heavily drained, but China’s will
not , much like exhausting an oil reserve. Even if we ignore the problem of adversarial nation-states gaining an
advantage in vulnerability research, the discussion of a limited-use window appears based on a non-existent
thing: a static set of intelligence priorities. The idea being presented is that the NSA would find a vulnerability, use it for some amount of
time to exploit its “high priority” intelligence targets, then send it off to be patched. This ignores the fact that intelligence priorities can
change rapidly and often , hindering NSA’s ability to respond rapidly to world events . In addition,
computer network operations are continuous things that often involve waiting for windows of opportunity-something that is incompatible with many of your tools having a time-limited lifespan. Integrating 0days into a
toolkit, testing them and using them may cost millions of dollars before it pays off with valuable intelligence.
Keep in mind as well, that not all 0days pay off , and any can be discovered and destroyed in an instant and you
have the very picture of a resource you can’t afford to waste. Because of the interconnected nature of the entire computer and
network exploitation framework, forcing the
NSA to report vulnerabilities to vendors would force it to give up using
vulnerabilities altogether . This is not a considered and wise action , even in light of Snowden’s revelations.
Maintaining zero-day exploits creates long-term cyber resiliency – that’s the only effective
cyberdefense
Cushing 14 [Seychelle, B.A. in political science from Simon Fraser University, “Leveraging Information as Power: America’s Pursuit of Cyber
Security,” Simon Fraser University, 11/28/14 <http://summit.sfu.ca/system/files/iritems1/14703/etd8726_SCushing.pdf>]//eugchen
Cyber defence is an initially disadvantaged position167 given that cyber barriers cannot stop all attacks from penetrating its systems. The
ability to absorb a
cyber attack, while inconvenient, helps America identify holes in its own security. Although America may be aware of a number of
vulnerabilities, additional unaccounted for vulnerabilities will always exist in its systems. A cyber strike thus helps the United
States identify where additional previously unknown vulnerabilities exist and, as a result, the US can direct its
security apparatus to develop counter-capabilities. The United States, through the Department of Homeland Security, has launched both passive
and active cyber sensors to detect network intrusions. EINSTEIN 2, the passive sensor, was launched in 2008 to detect network intrusions.168 Building on the capabilities of
EINSTEIN 2 was EINSTEIN
3, an active sensor designed to provide realtime threat detection capable of stopping
known malware before it reaches the targeted government network.169 Passive defences “scan, firewall, and patch” in an attempt to
protect a system. These defences, however, have little utility against sophisticated cyber attacks, such as Stuxnet, or against
attacks employing zero-days. Active defences, in comparison, build on passive defences to try and stop the cyber attack170 but the success rates of such
measures in the US security architecture remains unknown.171 In reality, the EINSTEIN systems only detect and (in the case of EINSTEIN 3) stop
known malware entering through known vulnerabilities.172 Nevertheless, every vulnerability subsequently
discovered through attack absorption allows EINSTEIN 3 to erect new cyber barriers in its systems. A cyber-capable
adversary may undertake multiple attempts to create sustained access to a target system or network.173 Absorbing the initial attack becomes
necessary to find and fix the exploited vulnerability to avert subsequent strikes. If only the first intrusion succeeds, the attacker
will be forced to adjust its strike strategy to reopen the system access it once had. By erecting cyber obstacles, one is able to discourage weaker actors from exploiting the same
vulnerability before it is patched. Adapting
from vulnerabilities to defensive barriers may not stop cyber attacks altogether
but it can frustrate cyber-capable states from “easily succeeding in […subsequent] attacks.”174 Allowing a cyber
attack, while counterintuitive, allows the US to gather valuable information on its attacker. By identifying how an attacker
got into an American system or network and what information was sought, the US is positioned to better understand not only its vulnerabilities
but also the capabilities and intentions of its adversaries. Resiliency through attack absorption diminishes the
prospect of long-term disruption to American networks. As a result, the benefits to an attacker diminish.175 What was an initial
disadvantage can be converted into a long-term security gain.
That means the status quo solves the aff by maintaining cyber innovation
Cushing 14 [Seychelle, M.A. Political Science, Simon Fraser U, “Leveraging information as cyberpower:
America’s pursuit of cybersecurity,” November 28, 2014, http://summit.sfu.ca/item/14703] //khirn
The Internet has made information seeking easier given its lax security structure that privileges offense over defence. Where the
US once relied on its
can now also purchase the necessary tools keep up with its peer
competitors in cyberspace. Buying zero days in the vulnerabilities market thus serves a dual purpose: it takes away
potential attack tools from its adversaries while building America’s own cyber arsenal. The problem, however, is that zero
days may not work when you need them. Unlike nuclear or conventional weapons, there is no guarantee that an acquired zero-day can
remain dormant yet functional. As a result, the US must consistently discover and collect zero-days to
own ingenuity to support its national security innovations, it
maintain a deployable cyber arsenal . America, despite its cyber superiority, cannot credibly threaten to use crushing cyber power
to defeat its adversaries without revealing part of its capabilities. Compounding this problem is the fact that a cyber attack alone, while disruptive, is
survivable at this time. America is thus experiencing a shift in its security strategy, albeit incrementally. What previously worked in the physical domain
does not necessarily translate into successful primacy in the electronic domain. Although Cold War models of deterrence by denial and
retribution may help frame the cyber problem, these models will
eventually need to give way to new thinking about security in
cyberspace. Deterrence, despite its Cold War successes, is not enough to stop your adversaries from attacking you in cyberspace. Instead,
resiliency to absorb a cyber attack will carry America further in securing a net security advantage. While absorbing attacks
seems counterintuitive, it is a short term risk that will garner important information. Resiliency then is as much about learning about
your adversaries, their capabilities, and targets, and it is about comparatively measuring your own
vulnerabilities and strengths in cyber offense and defence. The more information America can acquire, the better
equipped it will be to face the cyber threat . Preparations for kinetic conflict are likely to begin in cyberspace as
states collect vast information about their adversaries . Tapping into the millions of gigabytes of data
that passes through the Internet is necessary to help America build a better picture of its adversaries’
actions and intent , including “the readiness of foreign militaries .”250 America, despite its cyber sophistication,
United States strategically shares information and capabilities with its partners to
influence the intelligence priorities of the Five Eyes.252 Sharing initially puts the United States in a vulnerable position – exclusive control
cannot undertake such a task alone.251 Instead, the
over a part of its cyber capabilities are conceded to its partners. From a vulnerable position, American cyber power can nevertheless influence conditions
necessary to execute innovative, albeit high risk, intelligence operations. Information gathered from cyber can both reflect the strengths and weaknesses
of America’s (and by extension, its adversaries’) offensive and defensive capabilities both within and outside cyberspace. Amassing
an
informational advantage to use against its adversaries will enable the US to enhance its security posture.
Information , as the new realm of cyber security illustrates, is still a growing foundation of power . Leveraging
information in cyberspace is key to producing a long-term net gain in security. In seeking a cyber advantage, the United
States must endure short-term cyber insecurity. Tipping the security seesaw may not produce immediate advantages but
instead, can be understood as a step towards long-term security. Consistently working to tip the seesaw towards
advantage, while managing the associated vulnerabilities, helps produce a long-term advantage. The US’ ability to
enhance its cyber posture while managing the associated vulnerabilities ultimately produces a net gain in national security.
Innovation is crucial to preventing cyberattack
Cushing 14 [Seychelle, M.A. Political Science, Simon Fraser U, “Leveraging information as cyberpower:
America’s pursuit of cybersecurity,” November 28, 2014, http://summit.sfu.ca/item/14703] //khirn
Adversaries study America’s cyber tool and techniques “to capitalize on [US…] ideas” for their own strategic advantage.89 On the one hand,
innovating on its own code allows America to continue executing its security objectives in cyberspace. On the other
hand, innovation
allows the United States to speculate on how variations in its attack code may evolve to help
anticipate potential attacks from its adversaries. While the United States may not be able to close all of its potential vulnerabilities,90
it can at least flag the unpatched vulnerabilities most likely exploited in a cyber strike. Red-teaming cyber games further
allow the US to test both anticipated attacks and potential responses to maintain an informational advantage.91 Cyber favours offense over
defence given its lax security architecture. Sophisticated cyber states that are able to innovate first will enjoy a
relative advantage.92 Amassing an arsenal of undetected vulnerabilities does not necessarily produce an immediate, usable advantage. Instead,
these vulnerabilities provide important information to gauge the strengths and weaknesses of America’s
offensive and defensive capabilities. Finding undetected vulnerabilities, and knowing how to exploit those,
positions the US to capitalize on the offense-defence innovation cycle to preserve a cyber advantage. The strike
methods of nuclear or conventional weapons are largely unchanged and can be used to great effect. Cyber weapons, in comparison, only
successfully work once. Innovation is required to not only manage the “constant pressure to keep up,”93 but to
also tip the balance of informational advantage in your favour.
Maintaining zero-days forces allies to share their info with us --- that produces effective
cyberdefense
Cushing 14 [Seychelle, M.A. Political Science, Simon Fraser U, “Leveraging information as cyberpower:
America’s pursuit of cybersecurity,” November 28, 2014, http://summit.sfu.ca/item/14703] //khirn
A capabilities
gap exists in the alliance between America, the primary, technologically sophisticated, and well-resourced partner, and
UK and Canada, in particular, but also Australia and New Zealand.190 As a result, the intelligence
burden is unequally shared among the partners. The United States reinforces an asymmetric relationship that “bind[s] its
all[ies…] more firmly to the [alliance]”191 by perpetuating a continued dependence on American SIGINT
the secondary partners of the
capabilities . Dependence, as a result of the capabilities gap, entrenches America’s hegemonic position within the
Five Eyes.192 The NSA shares its technologies and capabilities in exchange for strongly influencing the intelligence
priorities of its partners.193 Sharing occurs in two ways: (1) the NSA directly supplies computing resources to its partners194 or, (2) the NSA
funds a partner to “develop [specific] technologies.”195 Capabilities sharing becomes a strategic tool of America’s larger efforts of guaranteeing partner
cooperation to prioritize its own security interests within the alliance. 196 The technology directly shared, reported to be mostly American in
origin,197 creates
a level of interoperability between the Five Eyes’ systems. Integration can help mitigate unexpected cyber shocks that
NSA experienced a “‘system
overload’” where its computers were unable to process intelligence for four days.198 During this time, the US reassigned
would otherwise disrupt American intelligence gathering and processing functions. In 2000, for example, the
the processing of American SIGINT to its partners.199 To carry out the Five Eyes mission – defending government systems in cyber and providing
information to support governmental decision-making – access to high- level intelligence is required.200 The alliance partners, however, are dependent
on American capabilities to produce comprehensive intelligence.201 Rejecting an American-dictated reprioritization of its intelligence tasks could
potentially jeopardize an alliance member’s national interests. The partners, in a comparatively weaker position, acquiesced to American
needs during the NSA’s blackout to ensure future access to significant intelligence assets . 202 Integrated systems
allowed American intelligence efforts to carry on despite experience a significant systems blackout.203 Although the NSA’s systems overload resulted
from a computer glitch rather than a cyber attack,204 it nevertheless provides an example for future outages. Should the United States
experience a significant cyber attack targeting availability in the future, America can still direct its alliance
partners to collect intelligence and produce assessments. The US will still get the information it needs to make strategic security
decisions.
1NC Cushing ev says that maintaining the offensive use of zero-days allows rapid crisis
response capabilities --- the impact is every major security threat
Berkowitz, 8 - research fellow at the Hoover Institution at Stanford University and a senior analyst at RAND.
He is currently a consultant to the Defense Department and the intelligence community (Bruce, STRATEGIC
ADVANTAGE: CHALLENGERS, COMPETITORS, AND THREATS TO AMERICA’S FUTURE, p. 1-4)
National
security policy—both making it and debating it — is harder today because the issues that are involved are more numerous and
varied. The problem of the day can change at a moment's notice . Yesterday, it might have been
proliferation; today, terrorism; tomorrow, hostile regional powers. Threats are also more likely to be
intertwined—proliferators use the same networks as narco-traffickers, narco-traffickers support terrorists, and terrorists align themselves with regional powers. Yet, as worrisome as these
immediate concerns may be, the long-term challenges are even harder to deal with, and the stakes are higher. Whereas the main Cold War threat — the Soviet Union — was brittle, most of the
potential adversaries and challengers America now faces are resilient. In at least one dimension where the Soviets were weak (economic efficiency,
public morale, or leadership), the new threats are strong. They are going to be with us for a long time. As a result, we need to reconsider how we think about national security. The most
important task for U.S. national security today is simply to retain the strategic advantage . This term, from the world of
THIS BOOK is intended to help readers better understand the national security issues facing the United States today and offer the general outline of a strategy for dealing with them.
military doctrine, refers to the overall ability of a nation to control, or at least influence, the course of events.1 When you hold the strategic advantage, situations unfold in your favor, and each round ends
so that you are in an advantageous position for the next. When you do not hold the strategic advantage, they do not. As national goals go, “keeping the strategic advantage” may not have the idealistic ring
keeping the strategic advantage is critical,
because it is essential for just about everything else America hopes to achieve — promoting freedom,
of “making the world safe for democracy” and does not sound as decisively macho as “maintaining American hegemony.” But
protecting the homeland, defending its values, preserving peace , and so on. The Changing Threat If one needs proof of this new, dynamic
environment, consider the recent record. A search of the media during the past fifteen years suggests that there were at least a dozen or so events that were considered at one time or another the
most pressing national security problem facing the United States — and thus the organizing concept for U.S. national security. What is most interesting is how varied and
different the issues were, and how many different sets of players they involved — and how each was replaced in turn by a different issue and a cast of characters that seemed, at least for the moment, even
included, roughly in chronological order, • regional conflicts — like Desert Storm — involving the threat of war between conventional armies; •
stabilizing “failed states” like Somalia, where government broke down in toto; • staying economically competitive with Japan; • integrating Russia into the international
community after the fall of communism and controlling the nuclear weapons it inherited from the Soviet Union; • dealing with “rogue states,” unruly nations
like North Korea that engage in trafficking and proliferation as a matter of national policy; • combating international crime, like the scandal involving the Bank of Credit and
Commerce International, or imports of illegal drugs; • strengthening international institutions for trade as countries in Asia, Eastern Europe, and Latin America adopted market
more pressing. They
economies; • responding to ethnic conflicts and civil wars triggered by the reemergence of culture as a political force in the “clash of civilizations”; • providing relief to millions of people affected by natural
terrorism driven by sectarian or religious extremism; • grassroots activism on a
global scale, ranging from the campaign to ban land mines to antiglobalization hoodlums and environmentalist crazies; • border security and illegal immigration; • the worldwide ripple effects
of currency fluctuations and the collapse of confidence in complex financial securities; and • for at least one fleeting moment, the
catastrophes like earthquakes, tsunamis, typhoons, droughts, and the spread of HIV/AIDS and malaria; • combating
safety of toys imported from China. There is some overlap in this list, and one might want to group some of the events differently or add others. The important point, however, is that when you look at
these problems and how they evolved during the past fifteen years, you do not see a single lesson or organizing principle on which to base U.S. strategy. Another way to see the dynamic nature of today's
national security challenges is to consider the annual threat briefing the U.S. intelligence community has given Congress during the past decade. These briefings are essentially a snapshot of what U.S.
officials worry most about. If one briefing is a snapshot, then several put together back to back provide a movie, showing how views have evolved.2 Figure 1 summarizes these assessments for every other
year between 1996 and 2006. It shows when a particular threat first appeared, its rise and fall in the rankings, and in some cases how it fell off the chart completely. So, in 1995, when the public briefing
first became a regular affair, the threat at the very top of the list was North Korea. This likely reflected the crisis that had occurred the preceding year, when Pyongyang seemed determined to develop
nuclear weapons, Bill Clinton's administration seemed ready to use military action to prevent this, and the affair was defused by an agreement brokered by Jimmy Carter. Russia and China ranked high as
threats in the early years, but by the end of the decade they sometimes did not even make the list. Proliferation has always been high in the listings, although the particular countries of greatest concern
have varied. Terrorism made its first appearance in 1998, rose to first place after the September 11, 2001, terrorist attacks, and remains there today. The Balkans appeared and disappeared in the middle to
late 1990s. A few of the entries today seem quaint and overstated. Catastrophic threats to information systems like an “electronic Pearl Harbor” and the “Y2K problem” entered the list in 1998 but
disappeared after 2001. (Apparently, after people saw an airliner crash into a Manhattan skyscraper, the possible loss of their Quicken files seemed a lot less urgent.) Iraq first appeared in the briefing as a
regional threat in 1997 and was still high on the list a decade later—though, of course, the Iraqi problem in the early years (suspected weapons of mass destruction) was very different from the later one (an
insurgency and internationalized civil war).
All this is why the United States needs agility . It not only must be able to refocus its
resources repeatedly; it needs to do this faster than an adversary can focus its own resources.
LINK – LEGAL RESTRICTIONS
Legal restrictions on cyber capabilities destroy our ability to prevent attacks – court clog and
military paralysis
Baker 11 [Stewart, former official at the U.S. Department of Homeland Security and the National Security
Agency, “Denial of Service,” Foreign Policy, Sept. 30,
http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service] //khirn
Lawyers don't win wars. But can they lose one? We're likely to find out, and soon. Lawyers across the U.S. government
have raised so many show-stopping legal questions about cyberwar that they've left the military unable to
fight or even plan for a war in cyberspace. But the only thing they're likely to accomplish is to make
Americans less safe. No one seriously denies that cyberwar is coming . Russia pioneered cyberattacks in its conflicts
with Georgia and Estonia, and cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran's
Natanz uranium-enrichment plant, setting back the Islamic Republic's nuclear weapons program more effectively than a 500pound bomb ever could. In war, weapons that work get used again . Unfortunately, it turns out that cyberweapons
may work best against civilians. The necessities of modern life -- pipelines, power grids, refineries, sewer and water lines
-- all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be
even easier to sabotage than the notoriously porous computer networks that support our financial and
telecommunications infrastructure. And the consequences
would be devastating . The body
charged with ensuring the resilience of power supplies in North America admitted last year that a coordinated cyberattack on the continent's
power system "could result in long-term (irreparable) damage to key system components" and could "cause
large population centers to lose power for extended periods." Translated from that gray prose, this means that foreign militaries
could reduce many of U.S. cities to the state of post-Katrina New Orleans -- and leave them that way for months. Can the United States keep
foreign militaries out of its networks? Not today . Even America's premier national security agencies have
struggled to respond to this new threat. Very sophisticated network defenders with vital secrets to protect have
failed to keep attackers out. RSA is a security company that makes online credentials used widely by the Defense Department and defense
contractors. Hackers from China so badly compromised RSA's system that the company was forced to offer all its
customers a new set of credentials. Imagine the impact on Ford's reputation if it had to recall and replace every
Ford that was still on the road; that's what RSA is experiencing now. HBGary, another well-respected security firm, suffered an attack on its
of successful sabotage
system that put thousands of corporate emails in the public domain, some so embarrassing that the CEO lost his job. And Russian intelligence was able
to extract large amounts of information from classified U.S. networks -- which are not supposed to touch the Internet -- simply by infecting the thumb
drives that soldiers were using to move data from one system to the next. Joel Brenner, former head of counterintelligence for the Office of the Director
of National Intelligence, estimates in his new book, America the Vulnerable, that billions of dollars in research and design work have been stolen
electronically from the Defense Department and its contractors. In short, even the best security experts in and out of government cannot protect their
own most precious secrets from network attacks. But the attackers need not stop at stealing secrets. Once they're in, they can just as easily sabotage the
network to cause the "irreparable" damage that electric-grid guardians fear. No agency has developed good defenses against such
attacks. Unless the United States produces new technologies and new strategies to counter these threats, the
hackers will get through . So far, though, what the United States has mostly produced is an outpouring of new lawremarkably, new legal restrictions . Across the federal government, lawyers are tying
themselves in knots of legalese. Military lawyers are trying to articulate when a cyberattack can be classed as an
armed attack that permits the use of force in response. State Department and National Security Council lawyers are
implementing an international cyberwar strategy that relies on international law "norms" to restrict cyberwar .
CIA lawyers are invoking the strict laws that govern covert action to prevent the Pentagon from launching
cyberattacks. Justice Department lawyers are apparently questioning whether the military violates the law of war if it does what every cybercriminal
has learned to do -- cover its tracks by routing attacks through computers located in other countries. And the Air Force recently surrendered
to its own lawyers, allowing them to order that all cyberweapons be reviewed for "legality under [the law of
armed conflict], domestic law and international law" before cyberwar capabilities are even acquired. The result is
predictable, and depressing. Top Defense Department officials recently adopted a cyberwar strategy that simply omitted any plan for
conducting offensive operations, even as Marine Gen. James Cartwright, then vice chairman of the Joint Chiefs of Staff, complained publicly that a
review articles, new legal opinions, and,
strategy dominated by defense would fail : "If it's OK to attack me and I'm not going to do anything other
than improve my defenses every time you attack me, it's very difficult to come up with a deterrent
strategy."
Today, just a few months later, Cartwright is gone, but the lawyers endure. And apparently the other half of the U.S. cyberwar strategy
will just have to
wait until the lawyers can agree on what kind of offensive operations the military is
allowed to mount .
LINK – TRANSPARENCY
Establishing transparency undermines deterrence and turns the aff – ambiguity is the only way
to maintain cyber dominance
Mowchan 11 [Lieutenant Colonel, member of the staff and faculty at the Center for Strategic Leadership, U. S.
Army War College, where he teaches cyber warfare and national intelligence, career Army intelligence officer
and holds a master’s degree in strategic intelligence from the National Intelligence University, served for 20
years in a variety of tactical, theater, and strategic intelligence positions and is a member of the U.S. Naval
Institute’s Editorial Board, Don’t Draw the (Red) Line,” Proceedings Magazine - October 2011, Vol 137, no
10/1304, http://www.usni.org/magazines/proceedings/2011-10/dont-draw-red-line] //khirn
In a strategic environment that has become more volatile, complex, and uncertain, the
United States increasingly relies on cyberspace
to advance its national interests. Simultaneously, our adversaries, particularly nation states, are afforded more
opportunities to undermine our efforts through their own nefarious activities in the digital domain. While not every
act in coming years will pose an imminent threat to U.S. national security, economic well-being, or social stability, some will. Because of this,
strategists, government leaders, and scholars frequently disagree over whether the United States should
establish thresholds (or “red lines”) for responding to such hostile acts. Red-line proponents assert that thresholds can
decrease the ambiguity of U.S. policies, bolster deterrence, and facilitate swift, decisive action. Establishing cyber red lines , however,
is folly . Given the evolving threat, current strategies, and the challenges of attribution in this domain, the United
States is better served by not delineating them. Maintaining ambiguity on when and how U.S.
instruments of national power will be used after a cyber attack gives government leaders the
flexibility to tailor responses much as they would to threats in the other global domains. Sources of Invisible Threats To properly
it is necessary to understand the evolving digital threat environment and current U.S. strategies.
Hazards to national security and economic prosperity in cyberspace are multiplying. As the world becomes more interconnected,
diverse state and non-state actors will have greater access and operational maneuverability to conduct
malicious activities.
frame the issue,
Intentional ambiguity is key – provides flexibility and guarantees deterrence
Mowchan 11 [Lieutenant Colonel, member of the staff and faculty at the Center for Strategic Leadership, U. S.
Army War College, where he teaches cyber warfare and national intelligence, career Army intelligence officer
and holds a master’s degree in strategic intelligence from the National Intelligence University, served for 20
years in a variety of tactical, theater, and strategic intelligence positions and is a member of the U.S. Naval
Institute’s Editorial Board, Don’t Draw the (Red) Line,” Proceedings Magazine - October 2011, Vol 137, no
10/1304, http://www.usni.org/magazines/proceedings/2011-10/dont-draw-red-line] //khirn
While DOD’s strategy is defensive in nature, it states that U.S. military power will be used if necessary: “The
Department will work with interagency and international partners to encourage responsible behavior and oppose those who would seek to disrupt
networks and systems, dissuade and deter malicious actors, and reserve the right to defend these vital national assets as necessary and appropriate.” 12
Both plans lead to several key observations. First, the ISC and DSOC are intentionally ambiguous. Neither
defines a hostile act in cyberspace, nor is there language explicitly stating when, how, and to what extent the
United States will respond to such acts. Second, both strategies acknowledge that there are no simple solutions to
the challenges of the day. Finally, decisions will continue to be shaped by the dynamic interplay of a surfeit of political, economic, military, and
social variables in the international environment, and because the world is more “gray” than black-and-white, responses to
hostile acts in the digital domain will be determined as strategic responses are in conventional warfare. The Case
for Thresholds Red-line advocates believe that creating thresholds will decrease the ambiguity of our policies,
bolster deterrence, and facilitate a more timely response. Some pundits criticize the ISC and DSOC, arguing they take ambiguity too
far. The DSOC in particular, they think, should outline response thresholds that if crossed, would result in diplomatic or military retaliation. Following
the release of DOD’s strategy, Representative Jim Langevin (D-RI) acknowledged the DSOC represented a good start but said it was deficient in several
key areas, including its fixation on defense and the identification of acceptable red lines. 13 After the DSOC was published, now-retired
Marine Corps General James Cartwright, the former vice chairman of the Joint Chiefs of Staff, remarked that
the strategy was too defensive, stating “we are supposed to be offshore convincing people if they attack, it won’t be
free . . . [and that] disabling computerized patient records at a hospital such that the patients cannot be treated
would be a violation of the law of armed conflict [which could] then [trigger a] proportional response.” 14 General Cartwright
went on to emphasize the nation will need stronger deterrents. Although he did not say what the deterrents should be or what
instruments of national power would be used, his words lend support to red-line advocates who demand greater specificity
in U.S. policies, greater clarity on what constitutes a hostile act, and clear thresholds. Why Ambiguity Is Good Those
arguing for establishing red lines fail to comprehend the complexity of the digital domain, in which adaptation
and anonymity are the norm. The United States is better served in the long run by not establishing such
thresholds, for four reasons. First, not doing so allows government leaders the latitude to tailor response
options based on a hostile act, its physical and digital effects, and how it relates to the current state of affairs in
the international system. As retired Air Force General Kevin Chilton remarked in 2009 as commander, U.S. Strategic Command, “I don’t
think you take anything off the table when you provide [response] options to the president to decide. Why
would we constrain ourselves on how we would respond [to hostile acts in cyberspace]?” 15 Such an approach does not
differ from the way the United States addresses hostile acts in other domains. If red lines are established, we will be compelled to
respond to each threat that crosses the line, which is unrealistic, given that our computer networks are
subjected to millions of probes, scans, and attacks on a daily basis. Even if red lines are narrowly focused (e.g.,
employing military force if a cyber attack results in the deaths of U.S. citizens), the first time the United States
fails to respond accordingly, it will undermine the credibility and deterrence effect of our other capabilities. A
second reason in favor of ambiguity is that if our adversaries know our response to such acts, they will adjust accordingly.
Because neither the national nor the defense strategy explicitly defines a hostile act in cyberspace or exactly how the United States will respond, this
leaves it open to interpretation. As one military official remarked, “If you shut down our power grid, maybe we will put a missile
down one of your smokestacks.” 16 In addition, hostile actors may perceive a green light for certain acts that do not
cross a particular response threshold. While one such act below this threshold may not be harmful to U.S. interests, what if 100 million
are? Again, maintaining ambiguity concerning when, how, and to what extent to respond gives the United States
greater latitude. Third, because cyberspace is a global domain that emphasizes open access, the free flow of
information, and anonymity, it is extremely difficult to determine where the threat or attack originated. For
example, U.S. military networks are probed more than six million times a day by assailants operating in one corner of the world using computer
networks or servers in another corner. Most perpetrators are never identified, except for a computer Internet protocol address or a one-time user alias.
Army General Keith Alexander, commander of U.S. Cyber Command and Director, National Security Agency, emphasized this challenge, saying, “Too
often, the military discovers through forensics that network probes have been successful [and] as a
consequence, response becomes policing up after the fact versus mitigating it real time.” 17 If red lines demand a
timely response and there is no one to pin responsibility on, then how can a response be implemented? Finally,
even if the source of the attacks is determined in a timely manner, automatic triggers for a response, particularly
those that employ military force, could create negative second- and third-order effects that make a bad
situation even worse. Given that nation states pose the greatest threat to U.S. networks, red lines that
automatically result in a response could escalate an already volatile situation. For example, in 2009 individuals in China
and Russia penetrated computer networks operating parts of the U.S. electrical power grid. 18 They reportedly inserted malware that
could destroy infrastructure components. Although their identities or associations with the Russian and Chinese governments were not
disclosed, it validates the point that response options must be tailored. If Russia or China, two nuclear powers, were responsible, a
U.S. response would be markedly different than if they had they been conducted by a non-nuclear state. Clearly
the diplomatic, information, and economic instruments of national power versus military force would receive more emphasis with China or Russia for
what could be considered a hostile act in cyberspace. Given the complex and indeterminate 21st century international system
and the multitude of current threats, U.S. interests will be better served by not establishing clear
thresholds . Ambiguity is a powerful tool to shape our adversaries’ actions in all domains and
allows us the maneuverability to respond where, when, and how we choose. Red-line advocates must
understand that thresholds only constrain our actions and could undermine credibility and the power to
effectively deter our adversaries.
BRINK – NO CYBERWAR NOW
No cyber war now --- but on the brink
Singer 15 [Peter Singer, strategist at New America think tank, interview with Passcode] initial article: [ Sara
Sorcher, “Peter Singer: How a future World War III could be a cyberconflict,” Passcode, 6/24/15,
http://www.csmonitor.com/World/Passcode/2015/0624/Peter-Singer-How-a-future-World-War-III-couldbe-a-cyberconflict]//eugchen
It's simple: The reason there is no cyber war right is that there is no actual wars right now between states with
cybercapacities. The reason we have seen this restraint in cyber operations between say the US and China, or
the US and Iran, is the very same reason they aren’t dropping actual bombs on each other: Because the two
sides are not at war. But if they did go to war, which could happen for any number of reasons, accidental or by choice, of course
you would see cyberoperations against each other that would be of a different kind of scale and impact than
we’ve seen so far. The first Cyber Pearl Harbor might happen from a decision to reorder the global politics in
the 2020s, or it could happen just because two warships accidentally scrape paint over some reef in the South
China Sea no one can find on a map.
INTERNAL LINK – CHINA WAR
Offensive cyber responses key to deter China from aggressive military moves
Schmitt 13 [Gary, co-directs the Marilyn War Center for Security Studies at the American Enterprise
Institute, “How to meet the threat from China's army of cyber guerrillas” June 6, 2013, Fox News] //khirn
When President Obama meets woth Chinese President Xi Jinping Friday and Saturday in Southern California, a major topic of conversation between the
two will be Chinese cyber-attacks and cyber-espionage against American commercial and government targets. According to U.S.
counterintelligence officials, billions upon billions
of dollars worth of information has been “lifted” out of American computers and
had
used cyber attacks to gather data on more than three dozen key U.S. military programs, including the country’s
most advanced missile defense systems, naval warships and even the F-35 Joint Strike Fighter—the stealthy,
fifth-generation jet that will be the backbone of the American military’s ability to sustain air superiority in the
decades ahead. As one might expect, the Chinese government has denied any complicity in these attacks. And it is doubtful, given how successful
servers in recent years. In fact, only last week, newspapers were reporting that an internal Defense Department review had concluded that China
Chinese efforts have been, that even “blunt” talk by the president to the new Chinese leader, will have much effect on Chinese practices. The reality is,
the Chinese government is engaged in a form of warfare—new to be sure in its technological aspects but not new in the sense that
cyber attacks harm our relative military strength and damage the property (intellectual and proprietary)
of citizens and companies alike. So far, the American government’s response has largely been defensive, either
talking to the Chinese about establishing new, agreed-upon “rules of road” for cyberspace or working assiduously to perfect new
security walls to protect government and key private sector computer systems. Although neither effort should be abandoned, they are no
more likely to work than, say, before World War II, the Kellogg-Briand Pact could outlaw war and the Maginot Line could
protect France from an invading Germany. This last point is especially important. When it comes to cyberspace, according to
Cyber Command head and director of the National Security Agency, General Keith Alexander, those on the offensive side of the computer
screen–that is, those hacking into or compromising computer systems–have the advantage over those on the defensive side who
are trying to keep systems secure. Walls have always been breached and codes broken. Moreover, attempts to beef up
security are complicated by the fact that our own cyber warriors are undoubtedly reluctant to provide those charged with protecting systems here at
home with the latest in their own capabilities. In addition to increasing the chance such information might leak by expanding the number of persons in
the know, efforts to use that information to plug our own vulnerabilities can inadvertently alert a potential adversary on the very backdoors American
would want to save for using in a future crisis or conflict. All of which leads to the conclusion that to stem the tide of harmful
cyber attacks by the Chinese (or, for that matter, Iran, Russia or North Korea), there has to be a cyber response on
America’s part that deters continued cyber aggression . Reprisals that are proportionate, in self-defense and designed to
stop others from such behavior falls well within the bounds of international law as traditionally understood. Nor is it the case that such reprisals should
be limited to responding to government-on-government cyber attacks. The U.S. government has always understood that it has an
affirmative duty to protect the lives and property of its citizens from foreign aggression and, in times both past
and current, this has meant using American military might. That need not be the case here, however. Indeed, one advantage of the
cyber realm is the wide variety of options it offers up for reprisal that can inflict economic harm without causing loss of life or limb. The good news is that
the U.S. government has been gradually beefing up its offensive cyber capabilities. Indeed, a little over a month ago in open testimony before the House
Armed Services Committee, Gen. Alexander said that he created thirteen new teams that would go on the offensive if the nation
were hit by a major cyber attack. And new reports coming out of the Pentagon indicate that the Joint Chiefs would like to empower geographic
combatant commanders to counter cyber attacks with offensive cyber operations of their own. These are necessary steps if we hope to
create a deterrent to Chinese cyber aggression; however, they are not sufficient. The threat posed by China’s
army of cyber “guerrillas” is constant, is directed at both the U.S. government and the private sector, and ranges
from the annoying to the deadly serious. A truly adequate response would require meeting the Chinese
challenge on all these fronts. And no amount of summitry between the American and Chinese leaders is likely to
substitute for the cold, hard fact that, when it comes to Chinese misbehavior, upping the cost to Beijing is
a necessary first step to reclaiming the peaceful potential of the newest of the “great commons,”
cyberspace.
INTERNAL LINK/IMPACT – KOREA WAR
Credible cyberdefensive posture gives the US coercive leverage to deescalate North Korean
nuclear brinksmanship --- speed is key
Libicki 13 [Martin C., Senior Management Scientist @ RAND and adjunct fellow @ Georgetown’s Center for
Security Studies, 2013, “Brandishing Cyberattack Capabilities,” RAND, http://www.rand.org/pub
s/research_reports/RR175.html] //khirn
Our inquiry is therefore more humble. Could
a U.S. threat that it might interfere with a rogue state’s nuclear weapon
delivery help shape a nuclear confrontation? For this question, assume a rogue nuclear power with a handful of weapons capable of
hitting nearby countries (but generally incapable of hitting the continental United States). The United States has a robust cyberattack
capability
(in general terms), from
which the rogue state’s nuclear arsenal is not provably immune . Although the
United States enjoys escalation dominance, the
rogue state is far more willing to go to the nuclear brink than the United States is.
The rogue state (thinks it) has more at stake (i.e., regime survival). Furthermore, it may act in ways that are irrational by Western
perspectives. We first model a two-state confrontation, then later introduce a friendly state on whose behalf the United States has intervened. The
United States enters this scenario facing the choice of acting when doing so risks the rogue state releasing a nuclear weapon. Whether the threat is
explicit or implicit is secondary. The usual calculus applies. The rogue state is better off if its threat leads the United States to stop. The United States is
better off ignoring the threat and going ahead with what it would have done in the absence of the threat if the threat can be nullified but cannot know
that it will be for certain. The rogue state understands that if it does use nuclear weapons, it could face great retaliation.1 If the United States acts
(successfully) in the face of warning and if the rogue state does not use nuclear weapons, the United States achieves its objectives and wins the overall
confrontation.2 If the United States flinches, the rogue state wins. If the rogue state uses its nuclear weapons and if, as is likely, the United States
responds likewise, the rogue state loses greatly, but the United States is also far worse off.3 Two-Party Confrontations In a confrontation in which
disaster would result from both sides carrying out their threats, each must ask: Are such threats credible? If one side thinks the other will yield, it pays to
stand firm. If it thinks, however, that the other is implacable, it may have no good choice but to yield itself. The projection of implacability is beneficial,
but the reality of implacability is frequently suicidal. Note that the basis for the implacability can also be entirely subjective, which is to say, unfounded
on the facts of the matter. If one party is convinced that it will never pay a high price for being implacable, communicates as much, and acts as if it were
so, the other cannot take any comfort from the fact that the first has no technical basis for the belief. The only consideration is whether the first party
actually believes as much, is willing to act accordingly, and can ignore the logic that whispers that no one can possibly be completely confident on the
basis of iffy information. To one party, the willingness to act on the basis of the impossible seems like cheating. To use an analogy, imagine a game of
“chicken” in which the driver of one of the two oncoming cars throws the steering wheel out the window. This cheat forces the opponent to choose
between a certain crash or veering away (and thus losing). However, when the consequences of a crash are far greater than the benefits of winning, this
strategy is irrational if there is a nontrivial likelihood that the other side will be intent on punishing cheaters at the cost of all other values. In the analogy,
the second driver might rather crash than lose to a cheater.4 But in general, a strategy of implacability, can, if credible, do well, as long as the other side
is not equally implacable. So, the United States creates the belief (whether by saying so, hinting, or letting others draw their own conclusion)
that the rogue state cannot carry out its nuclear threat. That is, the United States acts as though a flaw somewhere in the
nuclear c ommand- and - c ontrol cycle, probably an induced flaw, prevents immediate nuclear use. A lesser case is that the
command and control is less certain, the weapon is weaker, and/or the delivery system is far less accurate than feared.5 Although permanently disabling
a nuclear command-and-control system is quite a stretch for cyberwar, it is less fantastic to imagine that the United States could delay a
weapon’s use. A temporary advantage, though, may still give the United States time to cross the red line and thereby
attain a fait accompli. So posturing, the United States prepares to cross the red line, while communicating its
confidence that the rogue state will not retaliate. This confidence stems from a combination of its own nuclear
deterrence capability plus its ability to confound the rogue state’s nuclear capability : The rogue nuclear
state probably will not decide to retaliate, and if it did decide to, probably cannot retaliate. The combination, in this
case, is what reduces the odds of a nuclear response to a sufficiently low level , if the rogue state is at all rational. Even if it
later assures itself and others that its nuclear capacity is intact, but the United States has already acted, the onus then falls on the rogue nuclear state to
respond to what could well be a done deal. If the rogue state understands the logic before brandishing its own nuclear weapons, it may choose not to
ratchet up tensions in advance of the U.S. crossing red lines.
IMPACT – CHINA WAR
US-China tensions are rising – makes conflict and miscalc likely
Zenko 14 [Micah, Douglas Dillon Fellow – Council on Foreign Relations, “How to Avoid a Naval War With
China,” Foreign Policy, 3-24, http://www.foreignpolicy.com/articles/2014/03/24/how_
to_avoid_a_naval_war_with_china] //khirn
War between the United States and China is not preordained. But tensions are high , especially in the fiercely
contested waters of the East and South China seas -- and even further into the Pacific. Communication is the best medicine: the
intentions and
supporting doctrine for Beijing's growing naval capabilities are unclear, specifically regarding disputes with China's Exclusive
United States should be explicit with what it needs to know about China's behavior in the waters near its coast. Unfortunately, the
Economic Zone (EEZ). Most countries, including the United States, agree that territorial waters extend 12 nautical miles from a nation's coastline, while
EEZs extend much further -- usually up to 200 nautical miles. There is also consensus that while the United Nations Convention on the Law of the Sea
(UNCLOS) established EEZs as a feature of international law and gives coastal states the right to regulate economic activities within them, it does not
provide coastal states the right to regulate foreign military activities in their EEZs beyond their 12-nautical-mile territorial waters. However, China and
some other countries like North Korea interpret UNCLOS as giving coastal states the right to regulate all economic and foreign military activities within
their EEZs. There are numerous international agreements that regulate interactions at sea. The United States and Soviet Union signed the Incidents at
Sea Agreement (INCSEA) in 1972 after Soviet warships collided with a U.S. destroyer. While INCSEA allowed for U.S. and Russian commanders to
communicate directly, and ultimately avoid an escalation of force between warships, it really functioned as a stopgap between the 1972 signature and
1977 implementation of the International Regulations for Preventing Collisions at Sea (COLREGS). And while the 2000 Code for Unalerted Encounters
at Sea (CUES) is not an international agreement or legally binding, it does offer safety measures and procedures, and a means to limit mutual
interference and uncertainty when warships, submarines, public vessels, or naval aircraft are in close proximity. The fundamental difference of
interpretation between China and most of the world exists on parts IV (archipelagic states) and V (EEZ) of the UNCLOS. The disagreement between
China and the United States centers on three issues: First, China asserts that military activities in the EEZ are subject to coastal state approval. Second,
excessive maritime claims of territorial sovereignty are a significant sticking point between China and
many other nations operating in the East China Sea and the South China Sea. And third, China's demarcation line in the South
China Sea, commonly referred to as the "nine-dashed line," is nebulous and defined as neither a territorial sea nor EEZ. Beijing
appears to purposefully leave this description vague. Until China agrees that its EEZ is not to be treated as territorial waters, COLREGS, CUES, and any
INCSEA-like agreement offers only a partial solution to avoiding dangerous interactions on the high seas. While there are a growing number
of U.S.-China military exchanges among senior uniformed officers, these efforts must be bolstered by China's willingness to
operate appropriately within their EEZ, thus helping to prevent conflict at sea. The United States and China must also agree that all of its governmentcontrolled ships, including those of the State Oceanic Administration (SOA) and Fisheries Law Enforcement Command (FLEC), must operate in
accordance with COLREGS and CUES, because many encounters between the United States and China -- outside China's territorial waters but within its
EEZ -- have been between U.S. ships and those of the FLEC and SOA. The
United States could be drawn into a conflict over a
territorial dispute involving China, especially since the United States has bilateral defense treaties with Japan
and the Philippines. Clear and unambiguous understanding of expected actions in the EEZs by China and the United States has both near and
long-term implications. The immediate effect could be safer, more professional, and more respected interactions between Chinese and non-Chinese
ships. Clearly agreed upon interpretations of what are appropriate actions within this body of water would immediately improve transparency and
predictability, and hopefully prevent military conflict. In the longer-term, this effort could serve as a springboard to resolving other U.S.China diplomatic, military, and economic issues.
High risk of China war—no defense
Miller 11 [Paul, assistant professor of international security studies at National Defense University, December
16, 2011, Foreign Affairs,
http://shadow.foreignpolicy.com/posts/2011/12/16/how_dangerous_is_the_world_part_ii] //khirn
China in 2011 is even more clearly a danger equal to or greater than the danger it posed during the Cold War.
We went through two phases with
China: from 1950 to 1972 the United States and China were declared enemies and fought to a very bloody stalemate in the Sino-America battles of the
Korean War, but the overt hostility was less dangerous because of China's crippling economic weakness. From 1972 to 1989, the U.S. and China lessened
their hostility considerably, but China's power also began to grow quickly as it liberalized its economy and modernized its armed forces. In other words,
in phase one, China was hostile but weak; in phase two, more friendly but also more powerful. We have never faced a China that was both powerful and
hostile.
That is exactly the scenario that may be shaping up. China's economic and military modernization has clearly made it one of
the great powers of the world today, including nuclear weapons, a ballistic-missile capability, and aspirations
for a blue-water navy. At the same time, Chinese policymakers, like their Russian counterparts, continue to talk openly
about their intent to oppose American unipolarity, revise the global order, and command a greater share of
global prestige and influence. There are several flashpoints where their revisionist aims might lead to conflict: Taiwan, the
Korean Peninsula, the South China Sea, etc. And U.S. relations with China are prone to regular downward spikes
(as during the Tiananmen Square Massacre in 1989, the 1996 cross-straits crisis, the accidental embassy bombing in 1999, the EP3
incident in 2001, the anti-satellite missile test in 2007, and the current trade and currency dispute, to say nothing of our annual
A militarized conflict with China is more likely today, with greater
consequences, than at almost any point since the Korean War.
weapons sales to Taiwan).
Small conflicts with China could escalate into a nuclear conflict – err on the side of caution
Fisher 11 [Max, Associate Editor at the Atlantic, Editor of the International Channel, “5 Most Likely Ways the
US and China Could Spark Accidental Nuclear War”] //khirn
There's a near- infinite number of small-scale conflicts that could come up between the U.S. and China, and
though none of them should escalate any higher than a few tough words between diplomats,
it's the unpredictable events that are
the most dangerous . In 1983 alone, the U.S. and Soviet Union almost went to war twice over bizarre and
unforeseeable events. In September, the Soviet Union shot down a Korean airliner it mistook for a spy plane; first Soviet officials feared the U.S.
had manufactured the incident as an excuse to start a war, then they refused to admit their error, nearly pushing the U.S. to actually start war. Two
months later, Soviet spies misread an elaborate U.S. wargame (which the U.S. had unwisely kept secret) as preparations for an unannounced nuclear hit
on Moscow, nearly leading them to launch a preemptive strike. In both cases, one of the things that ultimately diverted disaster was the fact that both
sides clearly understood the others' red lines -- as long as they didn't cross them, they could remain confident there would be
no nuclear war. But the U.S. and China have not yet clarified their red lines for nuclear strikes. The kinds
of bizarre, freak accidents that the U.S. and Soviet Union barely survived in 1983 might well bring today's two Pacific powers into conflict -unless, of course, they can clarify their rules. Of the many ways that the U.S. and China could stumble into the nightmare
scenario that neither wants, here are five of the most likely. Any one of these appears to be extremely unlikely in today's
AT: CYBERDEFENSE
Cyber defense methods are insufficient to combat zero day vulnerabilities
Averbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow,
head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber
Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 45-46, May 2013, <
http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchen
The classic defense methods employed throughout the world in recent decades are proving unsuccessful in halting modern
malware attacks that exploit unknown (and therefore still unsolved) security breaches called “zero-day vulnerabilities.”
Viruses, worms, backdoor, and Trojan horses (remote management/access tools – RATs) are some examples of these attacks on the
computers and communications networks of large enterprises and providers of essential and critical infrastructure and services. The
classic defense methods, which include firewall-based software and hardware tools, signatures and rules,
antivirus software, content filters, intruder detection systems (IDS), and the like, have completely failed to defend
against unknown threats such as those based on zeroday vulnerabilities or new threats. These sophisticated and stealth threats
impersonate reliable and legal information and data in the system, and as a result, the classic defense methods
do not provide the necessary defense solution. The current defensive systems usually protect against known
attacks, creating heuristic solutions based on known signatures and analysis that are already known attacks,1 but they are useless against
the increasing number of unfamiliar attacks that lack any signature.
Cyber defense fails for both broadcast and targeted attacks
Averbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow,
head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber
Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 47-48, May 2013, <
http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchen
The realm of attack in cyberspace can be divided into two types of attacks that exploit numerous weaknesses, including
zero-day vulnerabilities: a. Broadcast attacks are attacks that try to damage computers indiscriminately. They
also feature extensive infection of software agents in order to create an entire network of computers (Botnet), with
the aim of making these computers execute independent commands at a later stage or retrieve commands from a control server. As noted above, when
information about new threats reaches the antivirus companies, they identify the signature or investigate them heuristically. By means of regular
updates, the computers can be protected against these attacks. Given the extensive target community, the information about such threats will
undoubtedly reach the relevant companies rapidly and be inserted into future versions of their products. In some cases, the goal of an attack of this kind
is to reach a large number of computers – for example, employees (in the case of an attack against an organizational network) or
customers (in the case of an
attack against a financial institution, an attempt to steal credit cards via the internet, and so on).
After the computer is infected, a Trojan horse is installed on it, making it possible to steal information or access the computer
from a remote location. These attacks include various types of malicious code, even codes that vary from one infection to another in order to render
identification through a signature more difficult (polymorphic viruses). There is still no complete defense since Trojan horse
developers regularly check whether the antivirus software programs have already identified the hostile code and
created the signature or group of heuristic rules to intercept it. In most cases, if the detection systems manage to identify the hostile
code, the developers change the way it spreads or the way it operates in order to prevent its detection. In this way,
many Trojan horses consistently succeed in evading detection by the leading defensive software. b. Targeted
attacks are planned especially for a specific need, and exploit unknown weaknesses in the operating systems or widely known software
packages while independently spotting new weaknesses. The vast majority of antivirus software, which is by nature based on
signature defense, is incapable of identifying and preventing this type of attack, and the limited target
community enables such attacks to evade the “radar” of antivirus manufacturers. It should be noted that threats are
rapidly developing in the direction of focused attacks on high caliber targets.
Cyber defense can’t detect unknown threats, malware appears to be legal, and operating
systems can’t deal with multiple types of attacks
Averbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow,
head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber
Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 48-49, May 2013, <
http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchen
The quantity of malware successfully penetrating all the existing defense systems and overcoming all the signature and
rule-based classic defenses is
increasing by leaps and bounds. The rate of increase has been in the three-digit
percentages from 2011 until the present time.6 The existing systems are based mainly on preventing and
thwarting known threats through the use of signatures and rules that are known in advance. Having no known
signature at any given moment, these systems cannot detect zero-day attacks. They also find it difficult to
identify Trojan horses and backdoors, and many sophisticated stealth attacks have no known signatures. Because
they appear to be legal data and code, and do not look like malware, they can penetrate almost any computer system. The attacks succeed in
penetrating organizational networks and end-user computers despite all the defense systems; this is attributable
to the fact that the initial
appearance and behavior of the malware appears to be legal and proper. Furthermore, most of today’s
operating systems are built to handle a certain kind of attack, and are unable to deal with a broad range of
attacks with mutations and secondary attacks.
AT: CYBEROFFENSE BAD
Cyber offense prevents cyber war
Harris 13 [Chandler, “Hacking for Change – Could Revealing Cyber Capabilities Prevent Cyber War?” 6/26/13 <
http://news.clearancejobs.com/2013/06/26/hacking-for-changing-could-revealing-cyber-capabilities-prevent-cyber-war/>]//eugchen
Revealing the capabilities of the U.S. nuclear arsenal is a key part of the U.S. nuclear deterrence strategy. So when it comes to the U.S. cyber warfare
capabilities, the same tactic could be used to deter cyber war, claims a new paper by the Rand Corporation. Offisive cyber operations may
be
a legitimate deterrence strategy. The paper, Brandishing Cyberattack Capabilities, was prepared for the Office of the Secretary of Defense,
and seeks to identify if demonstrations, or “brandishing” cyberwar capabilities, serve as effective deterrents to a potential cyber war. The paper says that
brandishing cyberattack capabilities would accomplish three things: declare a capability, suggest the possibility
of its use in a particular circumstance, and indicate that such use would really hurt. “The most obvious way to
demonstrate the ability to hack into an enemy’s system is to actually do it, leave a calling card, and hope it is passed forward
to national decision-makers,” the report says. “This should force the target to recalculate its correlation of forces
against the attacker.” “Advertising” cyberwar capabilities may be helpful as a backup a deterrence strategy by
dissuading other countries from performing harmful activities. Plus, it could limit a country’s confidence in the
reliability of its information, command and control, or weapon systems, the paper says.
AT: DETERRENCE IMPOSSIBLE
Deterrence is possible – but only with decision-making flexibility
Alperovitch 11 [Dmitri, “Towards Establishment of Cyberspace Deterrence Strategy,” 2011, 3rd International
Conference on Cyber Conflict,
http://www.ccdcoe.org/publications/2011proceedings/TowardsEstablishmentOfCyberstapeDeterrenceStrateg
y-Alperovitch.pdf] //khirn
Advanced defensive tactics, technologies
and highly trained personnel will contribute to the shrinking of the detection
and classification gap. Separation of defensive and offensive resources, such as storage of offensive cyberweapons in offline
locations which are less vulnerable to virtual targeting and distributing the retaliatory information
systems and networks across wide virtual and physical space will help to build credible resilience to the
counter-strike force. This can reduce the reliance on rapid detection and classification of inbound attack by
providing the means for the decision makers to retaliate even after suffering a devastating first strike, minimizing the chance
that the adversary can count on taking out all of the counter-strike assets in a single attack. Second, is the
need to preserve a rapid C2 decision-making and execution of a counter-strike option when facing a
devastating cyber attack. This can be accomplished by preserving the resiliency and integrity of
command chain communications by instituting or preserving offline communications channels that are less
likely to be impacted by cyber attacks, such as dedicated traditional secure POTS (plain old telephone service) lines and encrypted
radio and satellite communications that are physically separated from virtual networks which can carry attack codes. Third, the
counter-strike itself must be capable of instituting devastating damage on the attacker’s own virtual and physical
infrastructure to make the first-strike prohibitively expensive. Limited public demonstrations of cyber offensive capabilities can serve a useful purpose in
alerting potential opponents to what they may face should they decide to attack. However, this part of the deterrence equation presents
the biggest challenge to developed nation-states with advanced cyber defensive and offensive capabilities but
who face developing nation-state adversaries with dangerous offensive cyber weapons but are themselves not reliant on
cyberspace for their national economic or military interests. It is hard to cause 92 prohibitively devastating damage on your opponent through cyber
means alone if his vital infrastructure is completely disconnected from the network. This problem presents a serious conundrum to policy makers, who
face the unappealing choice of rising up the escalatory ladder and retaliating with conventional or perhaps even nuclear weapons in response to a cyberonly attack, in the process risking violations of international norms of proportional response, or absorbing the attack without a response and looking
weak to their enemies, friends and populations alike. Yet, while this is a significant unresolved policy problem today, it is
reasonable to expect that its consequences will lessen with time , as more and more developing countries
rapidly increase their reliance on cyberspace in order to reap the economic, efficiency and force-multiplier
benefits it affords.
AT: DETERRENCE DOESN’T APPLY TO CYBER
Deterrence is a state of mind – making our capabilities appear more robust linearly decreases
the chances of use
Beidleman 9 [Lieutenant Colonel Scott W., Director, Development Planning, Space and Missile Systems
Center (SMC) Los Angeles Air Force Base, California, January 6, 2009, “Defining and Deterring Cyber War,”
Strategy Research Project] //khirn
In general, deterrence
is a state of mind. It is the concept of one state influencing another state to choose not to do something that would
conflict with the interests of the influencing state. Similarly, the central idea of deterrence from the perspective of the Department of Defense is “to
decisively influence the adversary’s decision-making calculus in order to prevent hostile actions against U.S.
vital interests.” Deterred states decide not to take certain actions because they perceive or fear that such
actions would produce intolerable consequences. The idea of influencing states’ decisions assumes that states are rational
actors “willing to weigh the perceived costs of an action against the perceived benefits, and to choose a course of action” logically based on
“some reasonable cost-benefit ratio.” Thus the efficacy of cyber deterrence relies on the ability to impose or raise
costs and to deny or lower benefits related to cyber attack in a state’s decision-making calculus. Credible
cyber deterrence is also dependent on a state’s willingness to use these abilities and a potential
aggressor’s awareness that these abilities, and the will to use them, exist. While a state’s ability to deter cyber attacks is
a subset of its overarching defense strategy comprised of all instruments of national power, this paper focuses on states’ actions to deter cyber attack
within the cyberspace domain. Effective cyber deterrence in cyberspace will employ a comprehensive scheme of
offensive and defensive cyber capabilities supported by a robust international legal framework. Offensive capabilities are
the primary tools used to impose or raise costs in deterrence . Offensive cyber capabilities and
operations provide a state the means and ways for retaliation and enhance the perceived probability that
aggressors will pay severely for their actions. A more robust capability translates to a more credible imposition
of costs. Until recently, U.S. efforts to develop offensive cyber capabilities have lagged efforts on the defensive side. The daily onslaught of attacks on
U.S. networks, coupled with the likelihood that potential U.S. adversaries will be less dependent on electronic networks than the U.S., has prioritized
intelligence gathering and defending U.S. capabilities over disrupting enemy capabilities.
And, deterrence is the only way to solve
Schreier 12 [Fred, consultant for the DCAF, a retired colonel, has served in various command and general
staff positions and in different functions in the Swiss Ministry of Defense as a senior civil servant, “On
Cyberwarfare,” DCAF Horizon, 2015 Working Paper Series, The Geneva Centre for the Democratic Control of
Armed Forces (DCAF) is one of the world’s leading institutions in the areas of security sector reform and
security sector governance] //khirn
Nonetheless, cyber
attacks loom on the horizon as a threat that is best understood as an extraordinary means to a
wide variety of political and military ends, many of which can have serious national security ramifications. For
example, computer hacking can be used to steal offensive weapons technologies, including weapons of mass
destruction technology. Or it could be used to render adversary defenses inoperable during a conventional
military attack. As long as secure passive cyber defense is impossible, deterrence seems the only feasible path . In that
light,
attempting proactively to deter cyber attacks may become an essential part of national
strategy . However, deterrence is pointless without attribution. Attribution means knowing who is attacking you, and being able to respond
appropriately against the actual place that the attack is originating from.Attribution as it relates to cyber warfare is also defined as “determining the
identity or location of an attacker or an attacker’s intermediary.” In the case of a cyber attack, an attacker’s identity may be a name or an account
number, and a location may be a physical address or a virtual location such as an IP address.But if retaliation does not hit the attacker, he will not be
deterred. And it is of legal importance as well. Retaliation against the wrong actor is unjust and a crime of war. Thus
attribution is a necessary condition for the law of war. An attacker has to be identified and, to make it an armed attack
and not just a criminal act, the attacker has to be a state actor or those acting on behalf of a state. At the level of the nation-state, there are two
possible deterrence strategies: denial and punishment.
AT: DETERRENCE FAILS (ATTRIBUTION)
Deterrence via attribution is effective – actual threats will self report
Glaser 11 [Charles L., Professor of Political Science and International Affairs Elliot School of International
Affairs, George Washington University, “Deterrence of Cyber Attacks and U.S. National Security,” Report GWCSPRI-2011-5, June 1, 2011, http://www.offnews.info/downloads/2011-5CyberDeterrenceGlaser.pdf] //khirn
Many experts are quite pessimistic about the feasibility of attribution. For example, William Lynn, the U.S. Deputy
Secretary of Defense recently wrote, “The forensic work necessary to identify an attacker may take months, if identification is possible at all.” Cyber
deterrence and the attribution problem 4 Richard Clarke reports that a leading group of cyber experts concluded that it
is
“fruitless” to try to attribute the source of cyber attacks.5 This view, however, may exaggerate the attribution
problem by overlooking either the purposes of the attacker or the scenario in which the attack occurs .6 A state
that launches a “countervalue” attack against the United States’ economic infrastructure, economy and/or society is likely to have a
political purpose. Possible purposes could include compelling the United States to make political concessions
during a crisis before a war starts, compelling the United States to stop fighting a war, and reducing the U.S. ability to
fight a war by weakening its economy and industrial infrastructure. For these compelling threats to be effective, the state
would have to make demands and spell out its threat. In addition, it would have to provide the United States with
some confidence that attacks would stop if the United States meets that attacker’s demands. These
communication requirements would largely eliminate the attribution problem. For the scenario of attacking to weaken the
U.S. ability to fight, the country the United States was fighting would be immediately identified as the likely suspect;
the possibility that the United States would likely come to this conclusion could be sufficient to deter the adversary’s cyber attack. Alternatively, the
attacker might not be deterred because the costs of U.S. retaliation were not large compared to the costs of the on-going war; but in this case the failure
of deterrence would not result from the attribution problem but instead from the size of the retaliatory costs the United States was threatening. Of
course, actors that lack political objectives are not covered by this argument. Terrorist groups are therefore a
natural concern, as they are often viewed as motivated simply by the desire to damage the United States. A very different perspective
disagrees, however, arguing that terrorist groups, including al Qaeda, are motivated by political goals and use
terror attacks as a means to achieve their political ends.7 The attribution issue for “counterforce” attacks—those
directed against U.S. capabilities—is quite different, but may be even less of a problem than with counter value attacks
launched by states. This type of attack is most likely to occur during a crisis or war, with the adversary employing the cyber attack to gain a
military advantage. Attribution will likely not be a problem, because the United States will know which state it is involved within a conflict. This is
not to say that deterring this type of attack will not be difficult; it might be for reasons other than attribution .
This is a separate issue that we deal with briefly below. If this is the case, a terrorist group will find itself facing communication requirements that are not
unlike those facing states. A terrorist group might be hard to deter by retaliation because there are no good targets to hit in retaliation, and almost
certainly no important cyber targets, but again the difficulty of deterrence would not result from attribution problems, but the more familiar problem of
threatening attacks that would inflict sufficiently high costs on a terrorist group. Another type of actor that might be of concern here are hackers who are
motivated by the technical challenge of undermining U.S. cyber systems and not by political objectives. All of this said, the difficulty of attribution does
create a variety of potential dangers. One possibility is dangerous mischief: a third party—country, terrorist group, or hacker—could
launch a cyber attack against the United States while it was involved in a crisis or war with another state. Based on
the logic sketched above, this could lead to misattribution, because the United States’ first inclination would likely be to attribute the attack to the
country it was already fighting. Consequently, the third party could use such an attack to generate escalation in the on-going conflict, with the goal of
increasing the damage that the United States and/or its adversary would suffer. Another problem is that the inability to attribute attacks undermines the
U.S. ability to deter (and otherwise respond) to much lower level cyber attacks, including data stealing, espionage, and disruption of commerce. At a
minimum, attribution would enable the United States to try to deter these types of attacks by promising to
pursue legal actions. But for the most part, these types of attacks do not threaten vital U.S. national security
interests, so from a security perspective the attribution problem does not generate large risks.
AT: NO RETALIATION
Retaliation can happen
Cushing 14 (Seychelle, Cushing, SFU Vice President of Research, November 11th 2014,” Leveraging
Information as Power: America’s Pursuit of Cyber Security”, Simon Fraser University Summit Intstitutional
Repository, http://summit.sfu.ca/item/14703,CE)
If the United States revealed what retaliation would look like in cyberspace, it would, in effect, expose part of its
cyber capabilities. One of China’s longest intrusions, taking place over the better part of a decade, was within
America’s military networks and systems. Information on American weapons systems and other military
technology was accessed according to a classified Defense Science Board report.132 Assume for a moment that
the United States makes its retaliation strategy explicit. For every instance of Chinese infiltration into
Department of Defense networks to steal information, for example, the US will hack back into Chinese military
networks to deny access to information. In this theoretical example, public disclosure reveals two things about
American capabilities: (1) that it has access to Chinese military networks and, (2) that it has the capability to
launch availability attacks. In doing so, the United States has essentially told the Chinese what part of its cyber
capabilities are and the extent of penetration into Chinese networks. With this knowledge, the Chinese could
shore up their networks and create better cyber strikes to circumvent an American retaliatory response.133
American disclosure thus limits the usefulness of such retaliatory capabilities in the future. 134
AT: OTHER AGENCIES SOLVE
NSA is the only agency that can solve
McConnell 10 [Mike McConnell was the director of the National Security Agency in the Clinton
administration and the director of national intelligence during President George W. Bush's second term. A
retired Navy vice admiral, he is executive vice president of Booz Allen Hamilton, which consults on
cybersecurity for the private and public sector. 2/28/10,”Mike McConell on How to Won the Cyber War We’re
Losing” http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html]
//khirn
There are many organizations (including al-Qaeda) that are not motivated by greed, as with criminal organizations, or a
desire for geopolitical advantage, as with many states. Rather, their worldview seeks to destroy the systems of global
commerce, trade and travel that are undergirded by our cyber-infrastructure. So deterrence is not enough;
preemptive strategies might be required before such adversaries launch a devastating cyber-attack. We
preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount
cyber-attacks, and by creating a more resilient cyberspace that can absorb attacks and quickly recover. To this
end, we must hammer out a consensus on how to best harness the capabilities of the National Security Agency ,
which I had the privilege to lead from 1992 to 1996. The NSA is the only agency in the United States with the legal
authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and
intentions of potential enemies. The challenge is to shape an effective partnership with the private sector so
information can move quickly back and forth from public to private -- and classified to unclassified -- to protect the
nation's critical infrastructure.
AT: TRANSPARENCY SOLVES WAR
Disclosing posture fails – encourages enflaming arms races
Goldsmith 11 [Jack, Professor, Harvard Law, “General Cartwright on Offensive Cyber Weapons and
Deterrence,” Nov 8, 2011, http://www.lawfareblog.com/2011/11/general-cartwright-on-offensive-cyberweapons-and-deterrence/] //khirn
One cannot read too much into snippets of an interview, but of course matters are more complex than this. First, talking
cyber-capabilities is a tricky business. Merely talking
demonstrating their capabilities,
cannot advance deterrence
weapons can do
about offensive
about the weapons in general terms, without revealing and perhaps
very much. But on the other hand, too
much detail about what the
make it easier , and potentially very easy, for adversaries to defend against these weapons by (among
other things) closing the vulnerabilities that the weapons exploit. Moreover, openly demonstrating or even discussing
cyber capabilities would further enflame the cyber arms race in ways that might be self-defeating. Second,
revealing the circumstances in which these weapons will be used might invite infiltrations just short of those
circumstances. “As soon as you declare a red line, you’re essentially telling people that everything up to that line is OK,” noted former Pentagon
official Eric Sterner in the Reuters story. Third, and to my mind most fundamental, revealing the weapons capabilities and
the (possible) circumstances of their use will not go far toward establishing deterrence unless the United States
can credibly commit to using the weapons. This, I think, is hard to do. The main threat today is cyber-exploitation (i.e. espionage, theft,
copying) that does not violate international law and that would not warrant any use of force under international law. I have a hard time
understanding how a law-sensitive DOD will credibly commit to ever using cyber-weapons, or kinetic weapons for that
matter, in response to even the most devastating cyber-exploitations.
AT: TREATIES SOLVE
Legal restrictions will only constrain America – maintaining military control of OCO’s crucial
to prevent global cyberwar
Baker 11 [Stewart, former official at the U.S. Department of Homeland Security and the National Security
Agency, “Denial of Service,” Foreign Policy, Sept. 30,
http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service] //khirn
American lawyers' attempts to limit the scope of cyberwar are just as certain to fail as FDR's limits on air war -and perhaps more so. It's true that half a century of limited war has taught U.S. soldiers to operate under strict restraints, in part because
winning hearts and minds has been a higher priority than destroying the enemy's infrastructure. But it's unwise to put too much faith in
the notion that this change is permanent. Those wars were limited because the stakes were limited, at least for the United
States. Observing limits had a cost, but one the country could afford. In a way, that was true for the Luftwaffe, too, at least at the start. They were on
offense, and winning, after all. But when the British struck Berlin, the cost was suddenly too high . Germans didn't
want law and diplomatic restraint; they wanted retribution -- an eye for an eye. When cyberwar comes to America and citizens start
to die for lack of power, gas, and money, it's likely that they'll want the same. More likely, really, because Roosevelt's bargain
was far stronger than any legal restraints we're likely to see on cyberwar. Roosevelt could count on a shared European horror at the aerial destruction of
cities. The modern world has no such understanding -- indeed, no such shared horror -- regarding cyberwar. Quite the contrary. For some of America's
potential adversaries, the idea that both sides in a conflict could lose their networked infrastructure holds no horror. For some, a conflict that reduces
both countries to eating grass sounds like a contest they might be able to win. What's more,
cheating is easy and strategically
profitable . America's compliance will be enforced by all those lawyers.
Its adversaries'
compliance
will be enforced by, well, by no one . It will be difficult, if not impossible , to find a return address on their
cyberattacks . They can ignore the rules and say -- hell, they are saying -- "We're not carrying out cyberattacks.
We're victims too. Maybe you're the attacker. Or maybe it's Anonymous. Where's your proof?" Even if all sides were
genuinely committed to limiting cyberwar, as they were in 1939, history shows that it only takes a single error to
break the legal limits forever . And error is inevitable. Bombs dropped by desperate pilots under fire
go astray -- and so do cyberweapons. Stuxnet infected thousands of networks as it searched blindly for Iran's uraniumenrichment centrifuges. The infections lasted far longer than intended. Should we expect fewer errors from code
drafted in the heat of battle and flung at hazard toward the enemy? Of course not. But the lesson of all this for the lawyers and the
diplomats is stark : Their effort to impose limits on cyberwar is almost certainly doomed . No one can welcome
this conclusion, at least not in the United States. The country has advantages in traditional war that it lacks in cyberwar. Americans are not used to the
idea that launching even small wars on distant continents may cause death and suffering at home. That is what drives the lawyers -- they
hope to maintain the old world. But they're being driven down a dead end . If America wants to defend
against the horrors of cyberwar, it needs first to face them, with the candor of a Stanley Baldwin. Then the country needs
to charge its military strategists, not its lawyers, with constructing a cyberwar strategy for the world we live in, not the
world we'd like to live in.
NATO COUNTERPLAN
1NC NATO COUNTERPLAN
The United States federal government should propose the development of a zero-day
vulnerability and exploit threat sharing program to the North Atlantic Treaty Organization. The
United States federal government should disclose zero-day vulnerabilities and exploits to the
North Atlantic Treaty Organization.
The counterplan solves the aff and reinvigorates NATO --- bolsters international cyberdefense
capabilities while maintaining strategic use of offensive cyber operations
Fidler 15 -- Marshall Scholar, Department of Politics and International Relations, University of Oxford
(Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY
ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-ChangesMade.pdf, pg. 72-74) /AMarb
NATO is an influential body, and, if it addressed trade in zero-days, its policies would have global importance.
NATO has been relatively successful in addressing new collective defense challenges, so it may have the institutional
flexibility to take on zero-days. NATO membership maps well with participants in the zero-day market, including
countries with notable buyers and sellers. Additionally, because NATO is a collective defense organization for allies,
conceptions of the underlying security problem and opinions about approach may be more aligned than among states not
engaged in collective defense. Given the difficulties of other forms of international cooperation, achieving consensus among allies might be
strategically attractive. NATO has developed a focus on cyber defense, and zero-days are relevant to that agenda. Not
only could trade in zero-days facilitate attacks against NATO networks, but the stockpiling behavior of member states also leaves other members
vulnerable. Key NATO members, such as the United States and United Kingdom, are purchasers of zero-days.327
NATO’s commitment to cyber defense has resulted in the development of a cyber policy- and decision-making structure and
processes that could also be used to address the zero-day issue without significant alteration. Despite this institutional
base, NATO would have to experience a policy shift before addressing zero-days. Zero-days are inherently exploitable: although they have significant
implications for cyber defense, they are also closely tied with offensive capabilities of member states and the potential for NATO offensive capabilities.
NATO, as an organization, is currently not positioned to discuss offensive cyber issues and has demonstrated wariness of an expanded cyber mandate.
Still, as demonstrated by Libya and Russia’s actions in Crimea, cyber is an increasing reality of security threats facing NATO.
NATO must address cyber capabilities, not just passive cyber defense. Zero-days, as a technology that overlaps both categories, could be
a useful place to start this shift. If this shift occurred, NATO could use its existing structure to foster guidelines for
addressing zero-days. The Cyber Defense Management Board (CDMB), which implemented the 2011 Action Plan, could be a starting place for
discussions about zero-day policy. NATO could do this in several ways, including using CDMB to increase transparency and information sharing about
zero-day issues within member states. For instance,
NATO could establish a zero-day threat-sharing program, in
which governments share information about the nature of the zero-day threats they face. This
probably be least resisted by member states, but NATO could go further. NATO could institute a group
disclosure program: when one member stockpiles a vulnerability, it could also disclose the vulnerability to a
kind of program would
NATO clearinghouse . NATO members could then protect themselves against that vulnerability or make use of it.
NATO could also push for harmonized purchasing policies, perhaps agreeing that NATO members will only purchase or stockpile certain vulnerabilities
from certain countries or suppliers. However, given NATO’s lack of appetite for discussing offensive capabilities, NATO can, at best, function
as a place to start a conversation among likeminded states. For instance, the CDMB could facilitate discussion of the zero-day issue
at the next NATO defense ministers meeting. But even that, as demonstrated, may be a difficult topic to broach. NATO simply may not be ready to
address something as complex and controversial as the zero-day trade. NATO is also not an entity designed for addressing trade in dual-use technologies.
It could discuss zero-days, particularly government use and purchasing of zero-days, but it is not designed to
influence global trade. NATO has only 28 members; even though many members are active buyers or host active sellers, and may share enough
interests to come to consensus, an agreement among a limited group could only produce governance of limited global effect.
The plan and permutation disrupt the counterplan’s process for handling zero-day
vulnerabilities by unilaterally disclosing all of them to vendors --- that endangers the national
security of allies
Zetter 14 –award-winning reporter at Wired covering cybercrime, privacy, and security (Kim, 4/15/14,
“Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired,
http://www.wired.com/2014/04/obama-zero-day/) /AMarb
Rogers said that within
the NSA “there is a mature and efficient equities resolution process for handling ‘0-day’
vulnerabilities discovered in any commercial product or system (not just software) utilized by the U.S. and its
allies.” The policy and process, he said, ensures that “all vulnerabilities discovered by NSA in the conduct of its lawful
missions are documented, subject to full analysis, and acted upon promptly.” He noted that the NSA is “now working with
the White House to put into place an interagency process for adjudication of 0-day vulnerabilities.” He also said that “the
balance must be
tipped toward mitigating any serious risks posed to the U.S. and allied networks” and that he intended to “sustain the
emphasis on risk mitigation and defense” over offensive use of zero days. Rogers noted that when the NSA discovers a
vulnerability, “Technical experts document the vulnerability in full classified detail, options to mitigate the vulnerability, and a proposal for how to
disclose it.” The default is to disclose vulnerabilities in products and systems used by the U.S. and its allies, said
Rogers, who was confirmed by the Senate and took command of the NSA and US Cyber Command in March. “When
NSA decides to withhold
a vulnerability for purposes of foreign intelligence, then the process of mitigating risks to US and allied
systems is more complex . NSA will attempt to find other ways to mitigate the risks to national security
systems and other US systems, working with stakeholders like CYBERCOM, DISA, DHS, and others, or by issuing
guidance which mitigates the risk.”
That alienates NATO allies --- they don’t want to be treated as junior partners
Keohane et al 14 (Daniel (Research director in NATO), Stefan Lehne (MA in IR), Ulrich Speck (PhD at
University of Frankfurt), and Jan Techau (Director of Carnegie Europe which works on EU integration and
foreign policy), Oct. 28,2014, A New Ambition for Europe: A Memo to the European Union Foreign Policy
Chief, Carnegie Europe, http://carnegieeurope.eu/publications/?fa=57044) /AMarb
Clarify the EU’s partnership with the United States on security challenges. The EU should not play the role of an
American junior partner nor automatically side with the United States. But it should cooperate and coordinate with
Washington whenever possible, as not only do interests on many issues converge but the United States is also the EU’s closest international
partner. The EU should define its own positions on Asian security challenges based on international law (such as the
UN Convention on the Law of the Sea) and communicate these positions to all sides. Militarily, the EU cannot do much, but it
can help build a multilateral order and security architecture in the region to the extent that governments in the
region are interested. ASEAN, although a Southeast Asian grouping, could be the nucleus of a new Asia-Pacific rulesbased order, for instance via the ASEAN-affiliated East Asia Summits, and the EU should support such efforts. There may also be
potential for offering EU experience with nonmilitary approaches to security, such as mediation, crisis management,
confidence building, and application of the rule of law, to help reduce geopolitical tensions.
Preventing NATO fragmentation crucial to curbing Russian aggression
Stewart 14 (Brian, 3-28-14, "Ukraine crisis: Can a weakened NATO stand up to Putin?" CBC News)
www.cbc.ca/news/world/ukraine-crisis-can-a-weakened-nato-stand-up-to-putin-1.2589288)
Even leaving Ukraine aside, NATO
has other potential crises on its flanks, where it is obliged by treaty to protect
increasingly nervous NATO members who are also neighbours of Russia. These include the three former Soviet Union
satellites, Estonia, Latvia and Lithuania, all with fragile economies and significant Russian minorities; as well as the much larger Poland, a
former member of the Soviet Union's Warsaw Pact military alliance. Including Estonia, Latvia and Lithuania was always controversial within NATO
because they are so far east and so difficult to defend. Still, they made it in and now demand NATO show it would be ready to honour
its famous (Article 5) guarantee that an attack on one member involves an attack on all. In recent weeks, the U.S., with
U.K. support to come, has rushed in limited fighter plane and other air support for the Baltic members, as well as 300 support staff and some naval units.
UKRAINE-CRISIS/ Russian sailors mill about onboard the Suzdalets at the Crimean port of Sevastopol earlier this week. As many as 150,000 Russian
troops are also taking part in exercises along Ukraine's eastern boundary. (Reuters) But so cautious a response has not eased the nervousness in the
region, which has been warning NATO for years about Russian ambitions. Some of their fears stem from the large military exercises Moscow has run in
the Baltic region in recent years, including some that simulate attacks on Lithuania and Poland. NATO, it should be noted, also exercises units in the
Baltic region, while Poland has recently launched a substantial arms buildup of its own in response to Russia's. These days, NATO is also hearing rising
security concerns and demands for reassurance from nations such as Hungary, Romania and Bulgaria , as well as both the Czech and Slovak Republics.
Here, NATO's worries are not limited to military pressure-tactics, but encompass the deep political crises and anti-democratic trends in some of these
Eastern Europe countries, where crony-capitalism and the leverage of Russian gas supplies open new doors to Putin's influence. No, this is not the old
Cold War. Today's Russia is weaker than the West, even with few European powers ready for yet another arms race with Moscow. But if Putin's
regime really does feel that NATO's once triumphant march to the east is at least in part reversible, given the
right pressure points, then NATO's very credibility is about to be severely tested, yet again.
The impact is global nuclear war
Fisher 14 (Max, Political Analyst @ Vox, 9/3/14 "Obama's Russia paradox: Why he just threatened WWIII in
order to prevent it," http://www.vox.com/2014/9/3/6101507/obama-just-committed-the-us-to-war-againstrussia-if-it-invades)
President Obama gave a speech on Wednesday, in a city most Americans have never heard of, committing the United States to possible war against Russia. He said that
the North Atlantic Treaty Organization, a Western military alliance better known as NATO, would fight to defend eastern European members
like Estonia against any foreign aggression. In other words, if Russian President Vladimir Putin invades Estonia or Latvia
as he invaded Ukraine, then Putin would trigger war with the US and most of Europe. Obama's speech from the Estonian
capital of Tallinn, though just a speech, may well be America's most important and aggressive step yet against Russia for its invasion of Ukraine. While the speech will do
nothing for Ukraine, it is meant to stop Russia from invading, or perhaps from sponsoring rebellions in, other European countries — so long as those European countries are
part of NATO, as most are. "We'll be here for Estonia. We will be here for Latvia. We will be here for Lithuania," President Obama said from the capital of Estonia, one of the
three Baltic states that were once part of the Soviet Union but now are members of NATO. "You lost your independence once before. With NATO, you will never lose it again."
Obama was making a promise, and a very public one meant to reverberate not just in European capitals but in Moscow as well: If
Russia invades any member
of NATO, even these small Baltic states on the alliance's far periphery, then it will be at war with all of them — including
the United States. "The defense of Tallinn and Riga and Vilnius is just as important as the defense of Berlin and Paris and London," Obama said. To be really clear:
that defense means war with Russia, which has the world's second-largest military and second-largest nuclear arsenal, a prospect
so dangerous that even during the angriest moments of the Cold War, the world managed to avoid it. The idea, though, is not that Obama wants to go to
war with Russia, it's that he wants to avoid war with Russia — this is also why the US and Europe are not intervening militarily in Ukraine to
push back the Russian tanks — but that avoiding war with Russia means deterring Russian President Vladimir Putin from
invading these Baltic states in the first place
such an invasion , by the way, is real: these
Putin also clearly
sees former Soviet states as fair game; he has invaded Ukraine and Georgia, both marked in red on the above map. So the Baltic states are
rightly terrified that they are next. Here is Obama's dilemma, and Europe's: They want to prove to Putin that they will definitely defend Estonia and Latvia
by scaring him off. The risk of
countries are about one-quarter ethnic Russian, and Ukraine's own Russian minority which was Putin's excuse for invading Crimea in March.
and other eastern European NATO members as if they were American or British or German soil, so that Putin will not invade those countries as he did in Ukraine. But the
entire world, including Putin, is suspicious as to whether or not this threat is a bluff. And the worst possible thing that could happen, the thing that
could
legitimately lead to World War Three and global nuclear war , is for Putin to call Obama's bluff, invade Estonia, and have
Obama's bluff turn out to not be a bluff.
2NC NATO CP SOLVENCY
NATO is key to solve cyberattacks – the counterplan produces cooperation with companies at
the discretion of NATO allies
Thompson 14 -- writes about national security (Loren, 9/19/14, Cyber Alliances: Collective Defense
Becomes Central To Securing Networks, Data, Forbes,
http://www.forbes.com/sites/lorenthompson/2014/09/19/cyber-alliances-collective-defense-becomescentral-to-securing-networks-data/) /AMarb
When the North Atlantic Treaty Organization — NATO — wrapped up its summit in Wales earlier this month, the member-states
issued a lengthy communique expressing solidarity on major defense challenges. One of the challenges
mentioned was cybersecurity. The alliance stated that “cyber defence is part of NATO’s core task of collective defence,”
presenting concerns so severe that they might lead to invocation of Article Five of the North Atlantic Treaty — the article calling on
all members to come to the defense of a threatened nation. The communique went on to stress that “strong partnerships
play a key role in addressing cyber threats and risks,” and committed alliance members to intensified cooperation in pursuit of
integrated solutions. It isn’t hard to see why NATO is worried about threats in cyberspace, given Russia’s recent use of on-line attacks against Ukraine
and other countries in a style of combat that has come to be called “hybrid warfare.” However, a report by the Pentagon’s prestigious Defense Science
Board released last year suggests that the cyber challenge reaches far beyond the use of botnets and distributed denial-of-
service tactics. Describing the extensive vulnerability of U.S. military forces to cyber assault, the report then observed, The impact of a
destructive cyber attack on the civilian population would be even greater with no electricity, money,
communications, TV, radio or fuel (electrically pumped). In a short time, food and medicine distribution systems would
be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and
emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained
periods. These sustained periods, the science board stated, might last “months or years” as government and industry
sought to rebuild damaged infrastructure — a possibility that led the panel to compare the specter of state-sponsored
cyber attacks to the threat of nuclear war. So if you think that 56 million payment cards being compromised atHome Depot HD +0.3% is
about as bad as cyber threats can get, think again. Civilians and soldiers alike have hardly begun to experience how
destructive the coming age of information warfare is going to be. But like NATO, private industry is beginning to grasp
the challenge. And also like NATO, industry has begun to embrace the value of collective defense in meeting that challenge. Earlier this
month, McAfee and Symantec SYMC -1.57% — the nation’s two biggest cybersecurity firms — agreed to join a Cyber
Threat Alliance founded in May by Fortinet and Palo Alto Networks PANW -1.5%. The goal of the new consortium, quoting a white paper it
issued, is “to disperse threat intelligence on advanced adversaries across all member organizations to raise the
overall situational awareness in order to better protect their organizations and their customers.” What that rather
bland formulation indicates is that even the biggest players in cybersecurity have come to doubt that the kind of
“advanced persistent threats” they are now encountering can be defeated unless industry emulates NATO in
embracing some form of collective defense. In the past, companies like McAfee and Symantec would have resisted the kind of deep
collaboration now being proposed for fear of losing competitive advantage. But attacks on networks and data repositories have become so pervasive and
clever that collective defense — the one-for-all and all-for-one approach — may be crucial to averting castastrophe. Under this
emerging construct,
the industry alliance will focus on generating actionable intelligence about zero-
day exploits and other dangers that can be quickly disseminated to members. Zero-day exploits are attack
vectors and methods not previously observed for which no off-the-shelf solution currently exists. They may require drastic action like shutting down a
network before it can be thoroughly compromised, and because time is of the essence the dissemination of threat details will probably have to be
automated. Over time, the Cyber Threat Alliance will generate standards spelling out how this should be done, presumably using software such as the
Trusted Automated Exchange of Indicator Information (TAXII) framework developed by MITRE and the Department of Homeland Security. Industry’s
bid for greater collaboration in meeting the cyber challenge has been matched by efforts at broader cooperation by the government. For instance, during
the first Obama Administration, former Deputy Secretary of Defense Bill Lynn drove efforts to forge a cybersecurity alliance between his department and
its contractors, which now has blossomed into the Defense Industrial Base Cybersecurity/Information Assurance Program. Under that program, industry
and the military share information about cyber threats that is quickly analyzed and disseminated to counter emerging dangers. A broader effort managed
in conjunction with the Department of Homeland Security provides similar support to companies operating critical infrastructure — including
sometimes sharing highly classified threat indications. However, a well-known federal advisor in such matters told me this week that the government
unwittingly creates disincentives for industry to cooperate, for example by failing to protect sensitive information provided by companies that have
experienced cyber attacks. McAfee president Gert-Jan Schenk has cited the absence of legislation promoting cross-national
collaboration on cyber threats as one area where industry has to work harder to make up for government’s
failure to act. His enterprise, which has invested heavily in cybersecurity research since being acquired by Intel in 2011, has become a leading
proponent of collaborative efforts at closing the seams between organizations and domains that on-line criminals exploit. So it seems that collective
defense is no longer solely the province of diplomats and military allies. Companies, even when they are competing in the same markets,
increasingly see the advantages of working together to counter shared threats. Some will say this demonstrates the
ability of market forces to encourage enlightened behavior even when government does not intervene. However, a
more sobering interpretation is that cyber threats are becoming so sophisticated and alarming they are forcing changes in the way people behave.
Whichever interpretation you favor, it’s clear that collective defense is becoming an organizing principle for global cybersecurity efforts.
EU can aid in solving cybersecurity
Keohane et al 14 (Daniel (Research director in NATO), Stefan Lehne (MA in IR), Ulrich Speck (PhD at
University of Frankfurt), and Jan Techau (Director of Carnegie Europe which works on EU integration and
foreign policy), Oct. 28,2014, A New Ambition for Europe: A Memo to the European Union Foreign Policy
Chief, Carnegie Europe, http://carnegieeurope.eu/publications/?fa=57044) /AMarb
Make cybersecurity a priority. The EU has a major stake in and role to play on global security challenges, such
as maritime security and the potential security impact of climate change. But cybersecurity deserves particular
attention since it will bring about a revolution in security thinking. Protecting the globally integrated
information infrastructure from intrusion and disruption will bring together homeland security authorities, the
military, and the private sector in a hitherto unknown alliance. Because of the EU’s deep collaboration with the
various national ministries invested in protecting cybernetworks, the union is better suited than any other
international organization to develop and implement a proactive crossborder strategy for this part of the global
commons. The EU foreign policy chief should dedicate considerable internal resources to staying on top of this
fast-developing area and to becoming a valuable resource for EU member states.
NATO has experience with responses to cyberattacks – solves the advantage
Fidler 15 -- Marshall Scholar, Department of Politics and International Relations, University of Oxford
(Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY
ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-ChangesMade.pdf, pg. 69-70) /AMarb
The 2007 Estonia attacks were NATO’s cyber awakening. In this incident, Estonian government, commercial,
and news web capabilities were taken down by cyber attacks in response to controversy about moving a Sovietera war memorial in Tallinn. The Estonia attacks demonstrated to NATO the“technical scale and political
implications of potential cyber attacks.”307 The 2008 Bucharest Summit addressed these implications. NATO
established two institutions: the Cyber Defense Management Authority (CDMA) and the Cooperative Cyber
Defense Center of Excellence (CCDCOE).308 The CDMA helps coordinate member state cyber defense, reviews
capabilities, and conducts risk management. The CCDCOE helps improve cyber defense cooperation through
research, information sharing, and convening thought leaders. For instance, in 2009, the CCDCOE requested
that experts analyze how international law applies to cyber warfare.309 Although the resulting 2013 report is
not official doctrine, it provides important analysis about how NATO members might think about international
law, conflict, and cyberspace.310 In June 2011, NATO adopted the Cyber Defense Policy and Action Plan, the
most advanced step in the maturation of NATO’s cyber capabilities.311 The document enumerated steps to
enhance the political and operational readiness of NATO to respond to cyber incidents, including defining
minimum requirements for the security of national networks critical to NATO’s operations.312 The CDMA
transitioned to a group called the Cyber Defense Management Board, which has been carrying out the Action
Plan. 313 The 2012 Chicago Summit reaffirmed these efforts, and NATO Defense Ministers met for the first
time in 2013 to focus exclusively on cyber defense.314
2NC NATO IMPACT
The dilapidation of NATO shatters global economic structures and seriously threatens
international security and agriculture.
Ahmed 11/25/9
Nafeez Mosaddeq Ahmed uthor and political scientist specialising in interdisciplinary security studies. He teaches International Relations at the School
of Social Sciences and Cultural Studies, University of Sussex, Brighton, where he recently completed Doctoral research on European imperial genocides
from the 15th to the 19th centuries. http://www.mediamonitors.net/mosaddeq12.html 11/25/9
For this reason, according to Robert J. Art - a research associate at the Olin Institute at Harvard, and Herter Professor of International Relations at Brandeis University America’s “overarching stake” in Europe consists partly of “the valuable investment the
United States has to protect [which] is the politicoeconomic cohesion of Western Europe”, the objective being to “produce an outward-looking, liberal trading
community, not an inward-looking protectionist one”,[65] thus maintaining the integration of the whole of
Europe under the “stability” a US-dominated international economic system. It is in this context that we may note the particular
objective of eradicating socialism in the Balkans and throughout the region in general, to enforce and secure US corporate economic interests.[66] The inseparable linkage
between US/Western militarism and US/Western corporate economic interests is thus absolutely clear.[67] One high-ranking and experienced Western European diplomat
put it succintly: “The United States presence in Europe is crucial. The role of the United States goes beyond balancing the Soviet Union. The United States keeps our national
rivalries down. We are now faced with the emergence of a friendly local superpower - Germany. Our chances of succeeding are greater if the United States stays. If it goes,
however, the
effects will be felt way beyond the security field - in GATT, agriculture, and so forth. If NATO breaks
up, our economic structures are threatened also.”[68] By strengthening NATO and expanding US military hegemony over Europe through NATO,
not only does the US manage to prevent the arisal of an independent European security apparatus that may rival NATO, but furthermore, all European nations become
subordinate within the US-dominated NATO alliance, thus once more eliminating the possibility of any significant rivalry. In this way, US economic hegemony is maintained
within the global “economic structures” of the international system, protected under a military hegemony dominated by American leadership.
Without NATO, free Europe doesn’t exist. Enemies from the East would move in for the attack,
and the world would be plunged into global war.
Steingart 10/20/06
Spiegel Online 10/20/6 Gabor Steingart chief editor of Handelsblatt, Germany's leading economic newspaper.
http://www.spiegel.de/international/0,1518,443306,00.html
For 50 years it was a highly controversial institution. Today, though, every schoolchild knows that without the North
Atlantic Treaty Organization, free Europe wouldn't exist. If the Western alliance hadn’t ostentatiously demonstrated its
power -- with its fighter jets, tank divisions and continually updated weaponry -- Soviet communism would have expanded
westward instead of imploding as it did. By the end of the Cold War, even NATO’s fiercest critics had learned their lesson:
The dove of peace could only survive because the hawk was ready on his perch. The world war for wealth calls for a different, but
every bit as contradictory, solution. Alas, once again many lack the imagination to see that the aims of our economic opponents
are far from peaceful. Yet what sets this situation apart from what we usually call a conflict -- what paralyzes the West -- is
how quietly the enemy is advancing. The two camps are divided between Europe and America on the one side and Asia on
the other. But so far there has been no shouting, no bluster and no shooting. Nor have there been any threats, demands or accusations. On the contrary,
there is an atmosphere of complete amiability wherever our politicians and business executives might travel in Asia. At airports in Beijing, Jakarta,
Singapore and New Delhi red carpets lie ready, Western national anthems can be played flawlessly on cue -- and they even parry Western complaints
about intellectual property theft, environmental damage and human rights abuses with a polite patience that can only be admired. The Asians are
the friendliest conquerors the world has ever seen
2NC RUSSIA CYBERWAR IMPACT
Russia is using zero-days to intercept NATO data about Ukraine --- cooperative threat reduction
key to solve
Rashid 14 – writes about security and core internet infrastructure (Fahmida, October 14, 2014,
SecurityWeek, Russia-linked Hackers Exploited Windows Zero-day to Spy on NATO, EU, Others,
http://www.securityweek.com/russian-hackers-exploited-windows-zero-day-spy-nato-eu-other-high-profiletargets) /AMarb
Attackers exploited a zero-day vulnerability in Windows to spy on NATO, the European Union, Poland,
Ukraine, private energy organizations, and European telecommunications companies, according to cyberintelligence firm iSight Partners.
Microsoft is expected to patch the flaw today as part of October's Patch Tuesday release.
The espionage campaign began five years ago and is still in progress, iSight said in its advisory. It has evolved
several times over the years to adopt new attack methods, and only began targeting the Windows zero-day with
malicious PowerPoint files in August, according to the company. iSight analysts have named the operation
"Sandworm Team" because the attackers included several references to Frank Herbert's Dune in the code.
"It is critical to note that visibility is limited and that there is a potential for broader targeting from this group
(and potentially other threat actors) using this zero-day," iSight warned.
Sandworm targeted victims with malicious PowerPoint documents which, when opened, triggered the zero-day
bug in all supported versions of Windows, including Windows Vista, 7, or 8, Windows Server 2008 and 2012,
iSight said. The exploit installed another executable file onto the infected machine to open a backdoor, thus
giving remote access to attackers.
The zero-day itself may not be as scary as it sounds, according to one security expert. “People shouldn’t panic
about Sandworm," Ross Barrett, senior manager of security engineering at Rapid7, said over email. Even
though the vulnerability is present in all supported operating systems, it is a local file format exploit, which are
fairly common and routinely patched by Microsoft. While the bug can give attackers complete control of the
compromised system, attackers need to launch a multi-stage attack in order to exploit this flaw. "The steps
required to get there limit the impact of this vulnerability," he said.
While Microsoft has patched the flaw, iSight also provided some workarounds, such as disabling the WebClient
Service to prevent Web Disributed Authoring and Versioning (WebDAV) requests from being transmitted,
blocking TCP ports 139 and 445, and preventing executables from being launched by setup .inf files.
It's not known at this point what kind of information the attackers were after. Considering the list of victims,
it's likely the attackers were looking for information regarding the Ukraine crisis, diplomatic communications,
and sensitive documents related to the energy and telecomm industries. Sandworm also attempts to steal SSL
keys and code-signing certificates, which may be used in future attacks.
iSight believes the attackers are Russian because analysts found Russian-language files on the command server
used by Sandworm. The list of victims was another clue, since they are all strategically related to the Ukrainian
conflict. While researchers haven't found technical indicators linking the attackers to the Russian government,
the fact that the campaign focused on cyber-espionage and not cybercrime meant nation-state involvement was
highly likely, according to the company. It's also expensive and time-consuming to look for security flaws in the
operating system, making it quite possible the group had nation-state funding and support.
For example, the group targeted NATO computers with emails with a malicious document claiming to have
information on European diplomacy back in December. An American academic with a focus on Ukraine and
several Ukrainian regional government officials received spear-phishing messages just before a NATO summit
over the summer. The malicious messages claimed to have information gathered by Ukrainian security services
on Russian sympathizers, such as a list of pro-Russian extremists, iSight said.
It’s interesting that iSight found the zero-day flaw "being used in Russian cyber espionage attacks in the wild,
targeting NATO, the European Union, and the telecommunications and energy sectors, but that’s probably the
most interesting aspect of it," Barrett said.
Previous Sandworm attacks exploited older vulnerabilities to install the BlackEnergy exploit kit. BlackEnergy
was used to create botnets with launched distributed denial-of-serve attacks against computers in Georgia
during the country's conflict with Russia back in 2008. Originally a DDoS tool, BlackEnergy evolved to steal
banking credentials and other information.
Sandworm was previously identified by F-Secure researchers in a whitepaper on a group they called
Quedach released last month. "In the summer of 2014, we noted that certain samples of BlackEnergy malware
began targeting Ukranian government organizations for information harvesting," F-Secure researchers wrote
at the time.
iSight is sharing the detailed report with its customers but warned that malware and indicator data could be
potentially misused to create "copycat exploits."
US-Russia nuclear war risks extinction – huge risk of miscalc and escalation
Starr 14 (Steven, Senior Scientist for Physicians for Social Responsibility and Director of the Clinical
Laboratory Science Program @ University of Missouri, “Ukraine + NATO = Nuclear War,”, 11 March 2014
13:03 pg. http://tinyurl.com/ohgfk5p)
Furthermore, US/NATO naval forces should not be deployed in the Black Sea, where they would be in close proximity to Russian naval forces. In the
event of a war in which Russian forces were actively engaged, the presence of US forces nearby would create a significant chance
for a mistake in which US or Russian forces would fire upon each other. Supersonic fighters traveling at more than 1,000 mph
can easily overfly national boundaries or "hostile" military forces. If NATO and Russian forces to come into direct military conflict, then the
possibility of nuclear conflict increases exponentially . NATO cannot send in its 25,000 man Response Force and expect to
defeat 150,000 Russian troops (or more) in a fight at the Russian border. In a NATO-Russian conventional conflict, in which Russian forces were
prevailing, NATO would have the choice of withdrawing, calling for a ceasefire, or using its nuclear weapons against Russian forces. NATO has at least a
couple hundred US B61 nuclear weapons forward deployed in Belgium, Germany, Italy, the Netherlands, and Turkey. The B61 is a "variable yield"
weapon; the two models currently forward-based in Europe, the B61-3 and B61-4 both can be set to have an explosive yield of 300 tons of TNT (0.3
kilotons). In other words, the B61 is designed to be "useable" nuclear weapon, beginning with a "small" detonation that is roughly 20-30 times larger
than our largest conventional weapon. However, the B61-4 can also be set to have an explosive power as much as 50,000 tons of TNT (50 kilotons), and
the B61-3 as much as 170,000 tons of TNT (170 kilotons) – which is 70% greater than many of the strategic nuclear warheads carried by US nuclear subs.
Even if NATO could manage to use its conventional forces to defeat Russian conventional forces, Russia would *not* allow such a defeat
upon its very border. Russia would certainly use nuclear weapons to stop NATO. Russia has for some time
adopted the policy of "nuclear de-escalation": "In order to maintain a credible nuclear deterrence effect under the conditions of a
regional war, Russia believes it should not rely on strategic nuclear forces, or on them only, but must maintain a
range of options for the limited or selective use of nuclear weapons in order to be able to inflict a precisely set
level of damage to the enemy sufficient to convince him to terminate military confrontation by exposing him to the
danger of further nuclear escalation . . . When introducing the concept of "nuclear de-escalation" in the late 1990s, the Russian defence establishment
was obsessed with the possibility of a Kosovo-type US/NATO intervention in the war ("armed conflict") in Chechnya, which resumed in 1999. It did not
exclude the possibility that, in the event of such a case, Russia would be forced to resort to nuclear weapons." In a NATO-Russian conflict, in
which Russia introduced nuclear weapons, NATO would be fully capable of responding in a tit-for-tat fashion.
This would be the same pattern as was seen in the NATO war games of the Cold War. Once the nuclear "firebreak" is crossed, once
nuclear weapons are introduced into a military conflict in which *both sides have nuclear weapons*, there
would likely be an almost inevitable escalation of conflict, a progressive use of nuclear weapons by both sides, with progressively
larger targets being taken out. Peer-reviewed scientific studies predict that a war fought with hundreds or thousands of
US and Russian strategic nuclear weapons would ignite nuclear firestorms over tens of thousands of square miles. These
mass fires would produce between 50 million to 150 million tons of smoke, which would quickly rise above cloud level in to
the stratosphere, where winds would carry it around the Earth. In a matter of weeks or months, a global stratospheric smoke layer would form, which
would block up to 70% of warming sunlight, quickly producing Ice Age weather conditions in the Northern Hemisphere. The scientists
predict that temperatures in the central US and Eurasia would fall below freezing every day for about three years. The smoke, the darkness, and extreme
cold weather would last for ten years or longer, eliminating growing seasons, making it impossible to grow food. Most
people and animals would perish from nuclear famine. Nuclear war is suicide for the human race.
AT: PERMUTATION
Perm fails – NATO is fragmented amongst members
Fidler 15 -- Marshall Scholar, Department of Politics and International Relations, University of Oxford
(Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY
ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-ChangesMade.pdf, pg. 74) /AMarb
Moreover, despite being composed of allies, NATO faces fragmentation of member policies and opinions.
NATO members sometimes have domestic political or legal constraints affecting NATO decisions, and the
complicated legal ecosystem affecting NATO, made up of national law, transnational law, and international
law, creates legal divergence.328 As indicated by post-Snowden wariness, NATO members do not always share
consensus on what activities, particularly in cyberspace, are permissible under international law, especially
when activities touch sovereignty and non-intervention issues.329 Last, in 2014, NATO has been preoccupied
with the Ukrainian crisis. Even though cyber played a role in the Ukrainian crisis, the cyber threats are
marginal compared to the kinetic, territorial, and political security threats posed by Russian behavior.
Empirics prove perm will only harm relations
Serafty, PhD 8 – PhD in polisci at Johns Hopkins (Simon, 2008, The pressures for a new Euro-Atlantic
security strategy, Europe’s World,
http://www.europesworld.org/NewEnglish/Home/Article/tabid/191/ArticleType/articleview/ArticleID/21138
/Default.aspx) /AMarb
To some extent, these questions are not new. They were first raised, though in a highly different institutional and geopolitical context, over the
failed Anglo-French intervention in Suez more than half a century ago. Ever
since, European allies have often
questioned what they see as an American tendency to misrepresent the diplomatic
procedures for providing information about a decision, and to ignore the
institutional processes that ensure genuine consultation beforehand. During the
Cuban missile crisis, President Kennedy turned to the allies only after a careful
internal review of the options he faced, so they were informed rather than
consulted. That the Bush administration returned to the 1962 crisis to justify its
approach to Iraq is not surprising: under what they saw as similarly existential
conditions, the president and his advisors found the threat to be so high and so
unpredictable as to be “imminent”. As Secretary of State Colin Powell, hardly the allies’ bête noire, put it at the time,
the United States “tries to persuade others why this is the correct position. When it does not work, then we will take the position we believe is
correct.”
Genuine high-level dialogue necessary to preserve relations.
Hass, President of Council on Foreign Relations, 2004 (Richard N. July President of the Council on
Foreign Relations,
http://www.cfr.org/publication/8049/marriage_counseling_for_america_and_europe.html) /AMarb
Americans, for their part, must accept that a strong Europe will not be content to simply do America’s
bidding. The US should support European integration, because a strong Europe is at least a potential strategic partner, whereas a weak Europe is not.
Indeed, the sort of troop-intensive nation-building exercises taking place in Iraq and Afghanistan are hardly unique; they are sure to be repeated, and European
contributions will be required. That American troops are being withdrawn from Korea and sent to Iraq is both unfortunate and revealing. But genuine
consultation will be necessary. Consultation cannot consist of simply informing others of what has
already been decided, not adapting policies, and yet still expecting support. Nor can consultations on how to deal
with today’s central global challenges wait until a crisis. Most importantly, the US and Europe must learn how to disagree. The best guideline is to not
permit disagreements to spill over and complicate or infect the relationship. Such “compartmentalization” is as
essential now as it was during the Cold War. In order to limit the consequences of disagreement, Americans should
explain their position and offer alternatives when a proposed international arrangement is deemed
undesirable.
POLITICS LINKS
1NC POLITICS LINK
Plan not popular – no work can be done in congress to disclose zero days
Fidler, 15
Jun 6, 2015, Mailyn Fidler is a Marshall Scholar, Department of Politics and International Relations,
University of Oxford “Regulating the Zero-day Vulnerability Trade: a Preliminary Analysis”
http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf
It has taken recent steps to strengthen internal checks and balances in the intelligence community, including
establishing the Office of the Intelligence Community Inspector General (IG) in the Office of Director of
National Intelligence (ODNI) in 2010.167 In light of the Snowden disclosures, many questioned whether
congressional oversight of intelligence community (IC) activities is effective. The House attempted to prohibit
the NSA’s phone records collection program in July 2013, but the bill was narrowly defeated. 168 The House
approved a similar bill in 2014, but the Senate failed to secure enough votes to bring its version to a floor
debate, leaving the path to legislative NSA reform highly unlikely. 169 Many proposals have been made to
address this sense of failure of congressional oversight of intelligence. For instance, Fred Cate, a privacy and
cybersecurity expert, suggests creating an independent agency separate from both Congress and the executive
branch to provide stronger oversight. 170
Congress could impose limits on purchase, use, and disclosure of zero-days. As it has done with intelligence
activities and covert actions, it could require reporting from agencies and/or Inspector Generals to relevant
congressional committees when a zero-day is purchased, used, disclosed, and/or not disclosed. Such
requirements could be accompanied by the threat of withheld appropriations if the executive branch fails to
follow oversight rules. However, congressional oversight is likely politically difficult to achieve. Snowden has
made cyber topics politically fraught, and Congress is perceived as dysfunctional. Congressional oversight has
also traditionally applied to broad programs, such as foreign intelligence activities within the United States or
covert operations overseas, not a specific means of accomplishing law enforcement, intelligence, or military
objectives.
TPA SOLVES IP THEFT
TPA will guarantee IP theft isn’t a threat.
Hendrie, 15
(June 6, 2015 “Free Trade Agreements Will Encourage Stronger Intellectual Property Rights”
http://dailycaller.com/2015/06/05/free-trade-agreements-will-encourage-stronger-intellectual-propertyrights/ Alexander Hendrie is an Associate at Property Rights Alliance (PRA), an advocacy group affiliated with
Americans for Tax Reform.)
The U.S. House of Representatives will soon vote on Trade Promotion Authority (TPA), legislation that outlines
congressional objectives and prerogatives the president must follow when negotiating trade agreements. While
TPA encompasses a diverse and comprehensive range of guidelines and objectives, perhaps most importantly it
is an opportunity to strengthen global protections of intellectual property (IP). TPA includes almost 150
objectives related to agriculture, investment, labor, state-owned enterprises, currency manipulation, and more.
In addition, TPA contains strong oversight provisions that give Congress the final say so that any agreement is
in the best interest of the American people. In regards to intellectual property, TPA will ensure that American
companies receive fair and equitable market opportunities when operating overseas. The legislation requires
any trade agreement to “promote adequate and effective protection of intellectual property rights” and
encourages trade partners to adopt many of the strong IP protections that are found in U.S. law. Stronger IP
protections will be beneficial to all economies. IP-intensive industries are defined as any business that relies on
trademarks, copyrights, or patents. This includes pharmaceuticals, automobile manufactures, film and music
industries, and tech firms.