About MSDI & Missouri State U.. For twenty years, the Missouri State Debate Institute has offered an excellent educational experience in the middle of the high school topic. MSDI is distinct from other camps in six ways. First, our skills focus assures that a typical 2-week debater gets nearly 80 speeches, including over 20 debates. Second, we emphasize the largest cases on topic, with students getting both aff and neg rounds on each. Third, our senior faculty are comparable with top lab leaders in any camp. Fourth, MSDI students can earn highly transferable college credit in public speaking for a minimal cost. Fifth, we respect variance in home debate circuits – our goal is to improve line by line debating in ways that will help students no matter who judges in their home circuit. Finally, our price is below any comparable camp and far below most camps. Our 2016 information will be available shortly at: http://debate.missouristate.edu/camp.htm. Missouri State University is a large comprehensive university (enrollment over 24k), with nearly any major you might want. The university has excellent academic scholarship support – most debaters combine academic “entitlement” scholarships (guaranteed based on GPA/test scores) with debate scholarships. The Spicer Debate Forum competes in two year-long policy debate formats: NDT and NFALD. We’ve national semis or finals in both in the last decade. Our debaters have an average GPA over 3.5, a 97% graduation rate, and 70% complete law/grad school afterward. Our program is a high-impact academic experience with an exceptional alumni network. Please contact Dr. Eric Morris for more information (EricMorris@MissouriState.edu). 
http://debate.missouristate.edu/ http://www.missouristate.edu/FinancialAid/scholarships/

**Cyber Security DA**

1NC Shell

Cyber security is a top priority now – new programs ensure safety from attack

Shavit Matias, 3-5-2015, research fellow at the Hoover Institution and a member of the Jean Perkins Task Force on National Security and Law, "Combating Cyberattacks In The Age Of Globalization," Hoover Institution, http://www.hoover.org/research/combating-cyberattacks-age-globalization

Over the past decade, facing the alarming growth of cyberattacks on industry, media, banks, infrastructure and state institutions, there has been an increasing focus of industry and states on building tools to enhance capabilities to combat cybercrime, cyber espionage, cyberterrorism and cyberwarfare, and there is a major shift of funds, efforts, and focus to these areas. Many countries are creating cyber defense institutions within their national security establishments and enhancing their cyber capabilities, including through the creation of dedicated cyberwarfare units within their defense forces. Others are beginning to be aware of the necessity. According to Director of National Intelligence James R. Clapper in a January 29, 2014 Statement for the Record before the Senate Select Committee on Intelligence, the United States estimates that several of the cyber defense institutions created by states will likely be responsible for offensive cyber operations as well. The cyber arena is complex and continuously evolving. Recognizing the critical interlink between the various actors and the need for cooperation and innovation, states are increasingly trying to build cooperation between domestic state cyber institutions and industry and academia, and devise mechanisms for internal cooperation between different state units and agencies.
While in the past states kept many of these efforts — including information on the formation of military cyber units — relatively secret, today they increasingly publicize their efforts both nationally and internationally. “Be an Army hacker: This top secret cyber unit wants you” shouts the headline of an April 6, 2013 article in the Military Times, explaining that the US Army is looking for computer-savvy American troops to “turn into crack cyberwarriors” for both offensive and defensive purposes. The United States Cyber Command has already announced that over the next few years it intends to recruit 6,000 cyber experts and create teams of soldiers and civilians to assist the Pentagon in defending US national infrastructure.

Strong NSA Surveillance necessary to stop cyberattacks

Jack Goldsmith, 2013, “We Need an Invasive NSA”, October 10, 2013, http://www.newrepublic.com/article/115002/invasive-nsa-will-protect-us-cyber-attacks

Ever since stories about the National Security Agency’s (NSA) electronic intelligence-gathering capabilities began tumbling out last June, The New York Times has published more than a dozen editorials excoriating the “national surveillance state.” It wants the NSA to end the “mass warehousing of everyone’s data” and the use of “back doors” to break encrypted communications. A major element of the Times’ critique is that the NSA’s domestic sweeps are not justified by the terrorist threat they aim to prevent.¶ At the end of August, in the midst of the Times’ assault on the NSA, the newspaper suffered what it described as a “malicious external attack” on its domain name registrar at the hands of the Syrian Electronic Army, a group of hackers who support Syrian President Bashar Al Assad. The paper’s website was down for several hours and, for some people, much longer. “In terms of the sophistication of the attack, this is a big deal,” said Marc Frons, the Times’ chief information officer.
Ten months earlier, hackers stole the corporate passwords for every employee at the Times, accessed the computers of 53 employees, and breached the e-mail accounts of two reporters who cover China. “We brought in the FBI, and the FBI said this had all the hallmarks of hacking by the Chinese military,” Frons said at the time. He also acknowledged that the hackers were in the Times system on election night in 2012 and could have “wreaked havoc” on its coverage if they wanted.¶ Such cyber-intrusions threaten corporate America and the U.S. government every day. “Relentless assaults on America’s computer networks by China and other foreign governments, hackers and criminals have created an urgent need for safeguards to protect these vital systems,” the Times editorial page noted last year while supporting legislation encouraging the private sector to share cybersecurity information with the government. It cited General Keith Alexander, the director of the NSA, who had noted a 17-fold increase in cyber-intrusions on critical infrastructure from 2009 to 2011 and who described the losses in the United States from cyber-theft as “the greatest transfer of wealth in history.” If a “catastrophic cyber-attack occurs,” the Times concluded, “Americans will be justified in asking why their lawmakers ... failed to protect them.”¶ When catastrophe strikes, the public will adjust its tolerance for intrusive government measures.¶ The Times editorial board is quite right about the seriousness of the cyber-threat and the federal government’s responsibility to redress it. What it does not appear to realize is the connection between the domestic NSA surveillance it detests and the governmental assistance with cybersecurity it cherishes.
To keep our computer and telecommunication networks secure, the government will eventually need to monitor and collect intelligence on those networks using techniques similar to ones the Times and many others find reprehensible when done for counterterrorism ends.¶ The fate of domestic surveillance is today being fought around the topic of whether it is needed to stop Al Qaeda from blowing things up. But the fight tomorrow, and the more important fight, will be about whether it is necessary to protect our ways of life embedded in computer networks.¶ Anyone anywhere with a connection to the Internet can engage in cyber-operations within the United States. Most truly harmful cyber-operations, however, require group effort and significant skill. The attacking group or nation must have clever hackers, significant computing power, and the sophisticated software—known as “malware”—that enables the monitoring, exfiltration, or destruction of information inside a computer. The supply of all of these resources has been growing fast for many years—in governmental labs devoted to developing these tools and on sprawling black markets on the Internet.¶ Telecommunication networks are the channels through which malware typically travels, often anonymized or encrypted, and buried in the billions of communications that traverse the globe each day. The targets are the communications networks themselves as well as the computers they connect—things like the Times’ servers, the computer systems that monitor nuclear plants, classified documents on computers in the Pentagon, the NASDAQ exchange, your local bank, and your social-network providers.¶ To keep these computers and networks secure, the government needs powerful intelligence capabilities abroad so that it can learn about planned cyber-intrusions. It also needs to raise defenses at home. An important first step is to correct the market failures that plague cybersecurity.
Through law or regulation, the government must improve incentives for individuals to use security software, for private firms to harden their defenses and share information with one another, and for Internet service providers to crack down on the botnets—networks of compromised zombie computers—that underlie many cyber-attacks. More, too, must be done to prevent insider threats like Edward Snowden’s, and to control the stealth introduction of vulnerabilities during the manufacture of computer components—vulnerabilities that can later be used as windows for cyber-attacks.¶ And yet that’s still not enough. The U.S. government can fully monitor air, space, and sea for potential attacks from abroad. But it has limited access to the channels of cyber-attack and cyber-theft, because they are owned by private telecommunication firms, and because Congress strictly limits government access to private communications. “I can’t defend the country until I’m into all the networks,” General Alexander reportedly told senior government officials a few months ago.¶ For Alexander, being in the network means having government computers scan the content and metadata of Internet communications in the United States and store some of these communications for extended periods. Such access, he thinks, will give the government a fighting chance to find the needle of known malware in the haystack of communications so that it can block or degrade the attack or exploitation. It will also allow it to discern patterns of malicious activity in the swarm of communications, even when it doesn’t possess the malware’s signature. And it will better enable the government to trace back an attack’s trajectory so that it can discover the identity and geographical origin of the threat.¶ Alexander’s domestic cybersecurity plans look like pumped-up versions of the NSA’s counterterrorism-related homeland surveillance that has sparked so much controversy in recent months.
That is why so many people in Washington think that Alexander’s vision has “virtually no chance of moving forward,” as the Times recently reported. “Whatever trust was there is now gone,” a senior intelligence official told Times.¶ There are two reasons to think that these predictions are wrong and that the government, with extensive assistance from the NSA, will one day intimately monitor private networks.¶ The first is that the cybersecurity threat is more pervasive and severe than the terrorism threat and is somewhat easier to see. If the Times’ website goes down a few more times and for longer periods, and if the next penetration of its computer systems causes large intellectual property losses or a compromise in its reporting, even the editorial page would rethink the proper balance of privacy and security. The point generalizes: As cyber-theft and cyber-attacks continue to spread (and they will), and especially when they result in a catastrophic disaster (like a banking compromise that destroys market confidence, or a successful attack on an electrical grid), the public will demand government action to remedy the problem and will adjust its tolerance for intrusive government measures.¶ At that point, the nation’s willingness to adopt some version of Alexander’s vision will depend on the possibility of credible restraints on the NSA’s activities and credible ways for the public to monitor, debate, and approve what the NSA is doing over time.¶ Which leads to the second reason why skeptics about enhanced government involvement in the network might be wrong. The public mistrusts the NSA not just because of what it does, but also because of its extraordinary secrecy. To obtain the credibility it needs to secure permission from the American people to protect our networks, the NSA and the intelligence community must fundamentally recalibrate their attitude toward disclosure and scrutiny. 
There are signs that this is happening—and that, despite the undoubted damage he inflicted on our national security in other respects, we have Edward Snowden to thank.¶ “Before the unauthorized disclosures, we were always conservative about discussing specifics of our collection programs, based on the truism that the more adversaries know about what we’re doing, the more they can avoid our surveillance,” testified Director of National Intelligence James Clapper last month. “But the disclosures, for better or worse, have lowered the threshold for discussing these matters in public.”¶ In the last few weeks, the NSA has done the unthinkable in releasing dozens of documents that implicitly confirm general elements of its collection capabilities. These revelations are bewildering to most people in the intelligence community and no doubt hurt some elements of collection. But they are justified by the countervailing need for public debate about, and public confidence in, NSA activities that had run ahead of what the public expected. And they suggest that secrecy about collection capacities is one value, but not the only or even the most important one. They also show that not all revelations of NSA capabilities are equally harmful. Disclosure that it sweeps up metadata is less damaging to its mission than disclosure of the fine-grained details about how it collects and analyzes that metadata.¶ It is unclear whether the government’s new attitude toward secrecy is merely a somewhat panicked reaction to Snowden, or if it’s also part of a larger rethinking about the need for greater tactical openness to secure strategic political legitimacy. Let us hope, for the sake of our cybersecurity, that it is the latter. 
Cyber-attacks will cause extinction – outweighs all other concerns

Visha Thamboo, 2014, citing Richard Clarke, a former White House staffer in charge of counterterrorism and cyber-security, “Cyber Security: The world’s greatest threat,” 11-25, https://blogs.ubc.ca/vishathamboo/2014/11/25/cyber-security-the-worlds-greatest-threat/

After land, sea, air and space, warfare had entered the fifth domain: cyberspace. Cyberspace is arguably the most dangerous of all warfares because of the amount of damage that can be done, whilst remaining completely immobile and anonymous. In a new book Richard Clarke, a former White House staffer in charge of counter-terrorism and cyber-security, envisages a catastrophic breakdown within 15 minutes. Computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic-control systems collapse; freight and metro trains derail; financial data are scrambled; the electrical grid goes down in the eastern United States; orbiting satellites spin out of control. Society soon breaks down as food becomes scarce and money runs out. Worst of all, the identity of the attacker may remain a mystery. Other dangers are coming: weakly governed swathes of Africa are being connected up to fibre-optic cables, potentially creating new havens for cyber-criminals and the spread of mobile internet will bring new means of attack. The internet was designed for convenience and reliability, not security. Yet in wiring together the globe, it has merged the garden and the wilderness. No passport is required in cyberspace. And although police are constrained by national borders, criminals roam freely. Enemy states are no longer on the other side of the ocean, but just behind the firewall. The ill-intentioned can mask their identity and location, impersonate others and con their way into the buildings that hold the digitised wealth of the electronic age: money, personal data and intellectual property.
Deterrence in cyber-warfare is more uncertain than, say, in nuclear strategy: there is no mutually assured destruction, the dividing line between criminality and war is blurred and identifying attacking computers, let alone the fingers on the keyboards, is difficult. Retaliation need not be confined to cyberspace; the one system that is certainly not linked to the public internet is America’s nuclear firing chain. Although for now, cyber warfare has not spiralled out of control, it is only a matter of time, before cyber warfare becomes the most prominent type of attack, and the most deadly because of its scope and anonymity.

Uniqueness ext

Preventing cyber terror is a top priority now – by 2018 there will be total security

Institute for Critical Infrastructure Technology, April 18, 2015, Critical infrastructure Alliance – public private partnership for the advancement of digital security in the United States, "Pentagon drafting civilians into Cyber Mission Force to combat cyber terrorism national emergency," http://criticalinfrastructurealliance.com/pentagon-drafting-civilians-into-cyber-mission-force-tocombat-cyber-terrorism-national-emergency/

By 2018, there will be 133 teams consisting of almost 6,200 military and civilian personnel who have been trained and equipped with the tools and infrastructure to defend US cyber space. The DoD wants its civilian personnel to come from “the most talented experts in both the uniformed and civilian workforce, as well as a close partnership with the private sector”. The US government has been struggling to find enough cyber security experts to join its ranks over the past 12 months. In May 2014, the FBI even went so far as to admit it was considering relaxing its No Weed policy in order to attract more hackers, as it had 2,000 jobs it needed to fill for its cybercrime unit.
By asking IT and cybersecurity professionals to serve as reserve forces and let them keep their day jobs, the DoD is hoping to harness the power of the US cybersecurity industry in case cyberterrorism incidents escalate even further. Rosenbach concluded in his testimony to the Senate: “Cyber threats are real, serious and urgent, and we can only overcome them with a cohesive, whole-of-government approach. We have made significant strides but there is still more work to be done. “I look forward to working with this Committee and the Congress to ensure that DoD has the necessary capabilities to keep our country safe and our forces strong.”

Current intel gathering is key to continued security from cyber attack

Jude Abeler, 2-10-2015, Independent Researcher, Journalist The Daily Caller, Thoughtree Previous Young Americans for Liberty, Abeler for U.S. Senate Education Washington Journalism Center, "White House Announces Urgent Cyber Terror Agency," Daily Caller, http://dailycaller.com/2015/02/10/whitehouse-announces-urgent-cyber-terror-agency/

The Obama administration announced the creation of a new executive agency on Tuesday that will cooperate with the private sector along with other agencies and countries to try and disrupt cyber criminals. “Those who do harm should know that they can be found, and held to account,” said Lisa Monaco, chief counterterrorism advisor to the president. The announcement is largely a response to the rise in cyber-terrorism activity, such as North Korea’s recent attacks on Sony. Monaco also cited last week’s data breach at Anthem insurance, which contains sensitive information for up to 80 million identities. The new Cyber Threat Intelligence Integration Center will employ what Monaco said are lessons we have learned in combating other forms of terrorism that need to be applied to the realm of cyber threats – namely coordinating all of the government’s tools to respond at the highest level.
“Currently no single government entity is responsible for producing coordinated cyber-threat assessments ensuring that information is shared rapidly among existing cyber centers and other elements within our government,” she explained. “We need to build up the muscle memory for our cyber-response capabilities, as we have on the terrorism side.” Monaco said the new entity will not collect new intelligence, but analyze data already collected by other relevant agencies, such as the Department for Homeland Security, to enable it to do its job more effectively. According to Monaco, 85 percent of the country’s critical infrastructure such as hospitals, banks and water grids are in private sector (.com) hands. “You are vulnerable if you are hooked up to the internet,” she said. Therefore the system is designed to work in lockstep with the private sector, and encourages companies that are victims to do the patriotic thing and report the details to DHS, where it can then be passed on to CTIIC — which will use all of the government’s tools and unique capacity to integrate information about threats, and make the best possible assessment. She claimed that the government will not bottle up intelligence, but will do its utmost to share it, and used the Sony attack as an example. “Within 24 hours of learning about the Sony Pictures Entertainment attack, the U.S. government pushed out information and malware signatures to the private sector to update their cyber defenses so they could take action,” Monaco said. Officials said the new agency will begin with a staff of about 50 people and a budget of $35 million. Monaco made a gentle pitch to Congress, pointing out that cyber security should not be a partisan issue, and asked Congress to pass a budget with funding for it. Some, however, question the need for a new agency when there are already several that have cyber-operations centers. 
“We should not be creating more organizations and bureaucracy,” argued Melissa Hathaway, president of Hathaway Global Strategies and former White House cybersecurity coordinator. “We need to be forcing the existing organizations to become more effective – hold them accountable,” she said.

Cyber security is a top national security priority – successful now

Robert S. Mueller, Director Federal Bureau of Investigation, 3-1-2012, "Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies," FBI, https://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terroristshackers-and-spies

Terrorists are increasingly cyber savvy. Much like every other multi-national organization, they are using the Internet to grow their business and to connect with like-minded individuals. And they are not hiding in the shadows of cyber space. Al Qaeda in the Arabian Peninsula has produced a full-color, English-language online magazine. They are not only sharing ideas, they are soliciting information and inviting recruits to join al Qaeda. Al Shabaab—the al Qaeda affiliate in Somalia—has its own Twitter account. Al Shabaab uses it to taunt its enemies—in English—and to encourage terrorist activity. Extremists are not merely making use of the Internet for propaganda and recruitment. They are also using cyber space to conduct operations. The individuals who planned the attempted Times Square bombing in May 2010 used public web cameras for reconnaissance. They used file-sharing sites to share sensitive operational details. They deployed remote conferencing software to communicate. They used a proxy server to avoid being tracked by an IP address. And they claimed responsibility for the attempted attack—on YouTube. To date, terrorists have not used the Internet to launch a full-scale cyber attack. But we cannot underestimate their intent. In one hacker recruiting video, a terrorist proclaims that cyber warfare will be the warfare of the future.
Terrorist use of the Internet is not our only national security concern. As we know, state-sponsored computer hacking and economic espionage pose significant challenges. Just as traditional crime has migrated online, so, too, has espionage. Hostile foreign nations seek our intellectual property and our trade secrets for military and competitive advantage. State-sponsored hackers are patient and calculating. They have the time, the money, and the resources to burrow in, and to wait. They may come and go, conducting reconnaissance and exfiltrating bits of seemingly innocuous information—information that in the aggregate may be of high value. You may discover one breach, only to find that the real damage has been done at a much higher level. Unlike state-sponsored intruders, hackers for profit do not seek information for political power—they seek information for sale to the highest bidder. These once-isolated hackers have joined forces to create criminal syndicates. Organized crime in cyber space offers a higher profit with a lower probability of being identified and prosecuted. Unlike traditional crime families, these hackers may never meet, but they possess specialized skills in high demand. They exploit routine vulnerabilities. They move in quickly, make their money, and disappear. No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business. We are also worried about trusted insiders who may be lured into selling secrets for monetary gain. Perimeter defense may not matter if the enemy is inside the gates. The end result of these developments is that we are losing data. We are losing money. We are losing ideas and we are losing innovation. And as citizens, we are increasingly vulnerable to losing our information. Together we must find a way to stop the bleeding. We in the FBI have built up a substantial expertise to address these threats, both here at home and abroad. We have cyber squads in each of our 56 field offices, with more than 1,000 specially trained agents, analysts, and forensic specialists.
Given the FBI’s dual role in law enforcement and national security, we are uniquely positioned to collect the intelligence we need to take down criminal networks, prosecute those responsible, and protect our national security. But we cannot confront cyber crime on our own. Borders and boundaries pose no obstacles for hackers. But they continue to pose obstacles for global law enforcement, with conflicting laws, different priorities, and diverse criminal justice systems. With each passing day, the need for a collective approach—for true collaboration and timely information sharing—becomes more pressing. The FBI has 63 legal attaché offices that cover the globe. Together with our international counterparts, we are sharing information and coordinating investigations. We have special agents embedded with police departments in Romania, Estonia, Ukraine, and the Netherlands, working to identify emerging trends and key players. Here at home, the National Cyber Investigative Joint Task Force brings together 18 law enforcement, military, and intelligence agencies to stop current and predict future attacks. With our partners at DHS, CIA, NSA, and the Secret Service, we are targeting cyber threats facing our nation. The task force operates through Threat Focus Cells—specialized groups of agents, officers, and analysts that are focused on particular threats, such as botnets. Together we are making progress. Last April, with our private sector and law enforcement partners, the FBI dismantled the Coreflood botnet. This botnet infected an estimated two million computers with malware that enabled hackers to seize control of zombie computers to steal personal and financial information. With court approval, the FBI seized domain names and re-routed the botnet to FBI-controlled servers.
The servers directed the zombie computers to stop the Coreflood software, preventing potential harm to hundreds of thousands of users. In another case, just a few months ago, we worked with NASA’s Inspector General and our partners in Estonia, Denmark, Germany, and the Netherlands to shut down a criminal network operated by an Estonian company by the name of Rove Digital. The investigation, called Operation Ghost Click, targeted a ring of criminals who manipulated Internet “click” advertising. They re-directed users to their own advertisements and generated more than $14 million in illegal fees. This “click” scheme impacted more than 100 countries and infected four million computers, half-a-million of which were here in the United States. We seized and disabled computers, froze the defendants’ bank accounts, and replaced rogue servers with legitimate ones to minimize service disruptions. With our Estonian partners, we arrested and charged six Estonian nationals for their participation in the scheme. And again, we must continue to push forward together. Terrorism remains the FBI’s top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country. We need to take lessons learned from fighting terrorism and apply them to cyber crime. We will ensure that all of our special agents have the fundamental skills to operate in this cyber environment. Those agents specializing in cyber matters will have the greatest possible skill set. We are creating a structure whereby a cyber agent in San Francisco can work in a virtual environment with an agent in Texas, an analyst in Virginia, and a forensic specialist in New York to solve a computer intrusion that emanated from Eastern Europe. At the same time, we must rely on the traditional capabilities of the Bureau: sources and wires.
We must cultivate the sources necessary to infiltrate criminal online networks, to collect the intelligence to prevent the next attack, and to topple the network from the inside. We must ensure that our ability to intercept communications—pursuant to court order—is not eroded by advances in technology. These include wireless technology and peer-to-peer networks, as well as social media.

L – Surveillance key to stop cyberattacks

Intelligence gathering provisions are critical to halting catastrophic cyberattacks

Lev-Ram, 1-21—citing DeWalt, CEO of FireEye, a leader in cyber security, protecting organizations from advanced malware, zero-day exploits, APTs, and other cyberattacks. “Does President Obama's bid to bolster cyber security go far enough?” Forbes, http://fortune.com/2015/01/21/obama-state-unioncybersecurity/?icid=maing-grid7|ie8-unsupported-browser|dl31|sec3_lnk3%26pLid%3D602263

Sharing real-time threat intelligence and indicators of compromise–both between the private sector and the government and among the private sector–is a critical component of a pro-active security strategy. The timely sharing of threat intelligence improves detection and prevention capabilities and provides organizations with the ability to mitigate and minimize the adverse consequences of a breach. Sharing also provides enhanced situational awareness for the community at large. FireEye research demonstrates that over 70% of malware is highly targeted and used only once. To better manage risk stemming from this continuously evolving threat environment, FireEye recommends that organizations conduct robust compromise risk assessments, adopt behavioral based tools and techniques such as detonation chambers, actively monitor their networks for advanced cyber threats, stand ready to rapidly respond in the event of a breach and share threat intelligence and lessons learned through active engagement in information sharing organizations.
As a final preventative measure, organization should obtain a cyber insurance policy to help with catastrophic repercussions of a breach.

Surveillance is helping us predict and prevent cyber-attacks now

James B. Comey, Director, Federal Bureau of Investigation, Statement Before the Senate Judiciary Committee, Washington, D.C., May 21, 2014 https://www.fbi.gov/news/testimony/oversight-of-thefederal-bureau-of-investigation-5

We face sophisticated cyber threats from state-sponsored hackers, hackers for hire, organized cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas—things of incredible value to all of us. They may seek to strike our critical infrastructure and our economy. The threat is so dire that cyber security has topped the Director of National Intelligence list of global threats for the second consecutive year. Given the scope of the cyber threat, agencies across the federal government are making cyber security a top priority. Within the FBI, we are targeting high-level intrusions—the biggest and most dangerous botnets, state-sponsored hackers, and global cyber syndicates. We want to predict and prevent attacks, rather than reacting after the fact. FBI agents, analysts, and computer scientists are using technical capabilities and traditional investigative techniques—such as sources and wires, surveillance, and forensics—to fight cyber crime. We are working side by side with our federal, state, and local partners on Cyber Task Forces in each of our 56 field offices and through the National Cyber Investigative Joint Task Force (NCIJTF). Through our 24-hour cyber command center, CyWatch, we combine the resources of the FBI and NCIJTF, allowing us to provide connectivity to federal cyber centers, government agencies, FBI field offices and legal attachés, and the private sector in the event of a cyber intrusion. 
We also work with the private sector through partnerships such as the Domestic Security Alliance Council, InfraGard, and the National Cyber Forensics and Training Alliance. And we are training our state and local counterparts to triage local cyber matters, so that we can focus on national security issues. Our legal attaché offices overseas work to coordinate cyber investigations and address jurisdictional hurdles and differences in the law from country to country. We are supporting partners at Interpol and The Hague as they work to establish international cyber crime centers. We continue to assess other locations to ensure that our cyber personnel are in the most appropriate locations across the globe. Cyber threats to critical infrastructure require a layered approach to cyber security, including partnerships with private sector owners and operators, and with Federal partners including the Department of Homeland Security (DHS). We have been successful in a joint campaign to combat a campaign of cyber intrusions targeting natural gas pipeline sector companies, in which the FBI and DHS’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) deployed onsite assistance to some of the organizations targeted, and provided 14 briefings in major cities throughout the United States to over 750 personnel involved in the protection of energy assets and critical infrastructure. We have also successfully worked with DHS to empower the U.S. banking system to better defend against cyber attacks. As powerful distributed denial of service (DDoS) incidents impacting leading U.S. banking institutions in 2012 have persisted through 2014, the FBI has worked with DHS’s United States Computer Emergency Readiness Team (US-CERT) to identify 600,000 DDoS-related IP addresses and contextual information, to better equip banks to defend themselves. 
We know that to be successful in the fight against cyber crime, we must continue to recruit, develop, and retain a highly skilled workforce. To that end, we have developed a number of creative staffing programs and collaborative private industry partnerships to ensure that over the long term we remain focused on our most vital resource—our people.

Expanded NSA domestic surveillance protects against cyber-attack.

Jonathan Mayer, a computer scientist + lawyer at Stanford Web Policy, June 4, 2015, The NSA’s Domestic Cybersecurity Surveillance http://webpolicy.org/2015/06/04/nsa-cybersecurity/

Earlier today, the New York Times reported that the National Security Agency has secretly expanded its role in domestic cybersecurity. In short, the NSA believes it has authority to operate a warrantless, signature-based intrusion detection system—on the Internet backbone.1 Owing to the program’s technical and legal intricacies, the Times-ProPublica team sought my explanation of related primary documents.2 I have high confidence in the report’s factual accuracy.3 Since this morning’s coverage is calibrated for a general audience, I’d like to provide some additional detail. I’d also like to explain why, in my view, the news is a game-changer for information sharing legislation.

The Facts

Despite nearly two years of disclosures, the NSA’s domestic Internet surveillance remains shrouded in secrecy. To borrow Donald Rumsfeld’s infamous turn of phrase, it remains one of the greatest known unknowns surrounding the agency. The following facts are already public. The NSA maintains “upstream” interception equipment at many points on the global telecommunications backbone. One of the primary legal authorities for domestic upstream surveillance is Section 702 of the FISA Amendments Act (FAA). The Foreign Intelligence Surveillance Court (FISC) has authorized warrantless FAA surveillance in connection with foreign governments, counterterrorism, and counterproliferation. 
Each of these topics has an associated “certification,” establishing procedures for targeting and minimization. The NSA can use FAA upstream Internet surveillance to collect4 traffic that is “to,” “from,” or “about”5 a “selector.” Prior disclosures have emphasized email addresses as FAA upstream Internet selectors. In order for a selector to be eligible for FAA surveillance, it must be used by a foreign person or entity outside the United States. Intelligence community analysts can search FAA surveillance data for information involving Americans. Senator Wyden has been a particularly persistent critic of these queries, dubbing them “backdoor searches.” The primary documents associated with today’s report confirm the following additional facts.6 The NSA can use FAA upstream Internet surveillance for cybersecurity purposes, so long as there is a nexus with one of the three prior certifications. The most common scenario is where the NSA can attribute a cybersecurity threat to another nation, enabling it to rely on the foreign government certification. Internet protocol (IP) addresses and ranges are eligible as FAA upstream surveillance selectors. The Department of Justice approved this practice in July 2012.7 Cybersecurity threat signatures are also eligible as FAA upstream surveillance selectors. This adds a de facto fourth category of FAA interceptions, since a threat signature cannot reasonably be categorized as “to,” “from,” or “about” a particular address.8 DOJ appears to have approved the practice in May 2012. The NSA has acted upon the above legal interpretations. The primary documents make reference to particular FAA cybersecurity operations. Those operations relied on the foreign government certification, and they used IP addresses as selectors. Since 2012, if not earlier, the NSA has prioritized obtaining an FAA “cyber threat” certification. From the agency’s perspective, a cyber certification has two desirable properties. 
First, it would eliminate the nexus requirement. The NSA would be able to intercept traffic associated with a cybersecurity threat, regardless of whether the threat originates with a foreign government. Second, a cyber certification would codify procedures for IP address and signature targeting. The present status of the cyber certification is not apparent; it may have been approved, have been bundled into another certification, still be in progress, or have been set aside.9 It is also not apparent how FAA’s foreignness requirement would be implemented under the certification.10 When data is exfiltrated in the course of an attack, it often includes sensitive information about Americans. The NSA believes that this exfiltrated data should be considered “incidental” collection, rendering it eligible for backdoor searches. Put differently: when a data breach occurs on American soil, and the NSA intercepts stolen data about Americans, it believes it can use that data for intelligence purposes. The NSA collaborates with the Department of Homeland Security and the Federal Bureau of Investigation on cybersecurity matters. It receives and shares cybersecurity threat signatures with both agencies. When the NSA wishes to disclose a threat signature to the private sector, it usually routes that information through DHS or the FBI. The NSA is not attributed as the source of the threat signature. The FBI does not have its own national security surveillance equipment installed on the domestic Internet backbone. It can borrow the NSA’s equipment, though, by having the NSA execute surveillance on its behalf. In my view, the key takeaway is this: for over a decade, there has been a public policy debate about what role the NSA should play in domestic cybersecurity. The debate has largely presupposed that the NSA’s domestic authority is narrowly circumscribed, and that DHS and DOJ play a far greater role. Today, we learn that assumption is incorrect. 
The NSA already asserts broad domestic cybersecurity powers. Recognizing the scope of the NSA’s authority is particularly critical for pending legislation.

NSA surveillance is critical to help deter against successful cyber attacks

Jack Goldsmith, Henry L. Shattuck Professor at Harvard Law School, 2012 http://www.brookings.edu/~/media/research/files/papers/2010/12/08-4th-amendmentgoldsmith/1208_4th_amendment_goldsmith.pdf

The National Security Agency (“NSA”) plays an important role in the EINSTEIN projects. NSA is America’s signals-intelligence and government information assurance agency. It is technically a component of the Department of Defense (“DoD”), and it is typically headed by a lieutenant general or vice admiral. While the NSA’s collection capabilities are mostly directed outside the United States, NSA also has domestic responsibilities. It was the operator of the Terrorist Surveillance Program (TSP) that involved warrantless wiretapping of certain terrorist communications with one end in the United States. And it has been heavily involved in the development of the EINSTEIN systems. The Department of Homeland Security (“DHS”) has stated that EINSTEIN 3 capabilities are “based on technologies developed by the NSA.”8 According to the government, the “threat signatures determined by NSA in the course of its foreign intelligence and DoD information assurance missions” will be used in the EINSTEIN system.9 And based on threats identified by EINSTEIN 3, “alerts that do not contain the content of communications” will be sent to NSA, which will use the information to check cyber attacks in unknown ways that the government assures us are consistent with NSA’s “lawfully authorized missions.”10 NSA also has the lead in the recently established Cyber Command, which is headed by NSA Director General Keith Alexander. Cyber Command is charged with coordinating US offensive cyber activities and U.S. defensive efforts in protecting the .mil network. 
Consistent with the above analysis, Cyber Command is also tasked with the responsibility of providing “support to civil authorities” in their cybersecurity efforts.11 In addition, Deputy Secretary of Defense William Lynn recently stated that Cyber Command “works closely with private industry to share information about [cybersecurity] threats and to address shared vulnerabilities.”12 NSA is involved with domestic cybersecurity in these and doubtlessly other ways because it possesses extraordinary technical expertise and experience, unmatched in the government, in exploring and exploiting computer and telecommunication systems. NSA also has close relationships with private telecommunications firms and other firms central to national cybersecurity.13 These relationships are important because cybersecurity requires the government to work closely with the telecommunication firms whose hardware and software constitute the Internet’s backbone and Internet connection points. These firms already have enormous experience and expertise identifying and eliminating certain types of bad actors and agents on their systems that the government leverages in stopping threats that concern it.

Broad NSA surveillance power ensures ability to prevent cyber attacks.

Russell Brandom, June 4, 2015, The NSA is still conducting mass surveillance of the US internet to find cyberattacks http://www.theverge.com/2015/6/4/8729155/snowden-nsa-internet-cyber-surveillance-cyberattack

The NSA is scanning US web traffic for specific malware signatures, according to new Snowden documents published by The New York Times and ProPublica. Previous documents have shown the NSA and GCHQ collecting data from undersea data cables, but this is the most comprehensive look at how the NSA uses that data to zero in on specific activities or actors on the web. 
According to the new documents, the scanning is enabled by broad legal powers, granted by the Department of Justice and FISA court in 2012. An initial Justice Department order (interpreting Section 702 of the FISA Amendments Act) authorized the NSA to target data based on specific IP addresses or threat signatures that were linked to foreign nations. In addition to its surveillance operations, the NSA is tasked with defending official US networks from digital intrusions, a task that's grown increasingly difficult as states like China have grown more sophisticated. But according to the documents, limiting the scans to foreign states was too restrictive for the NSA. Over the course of 2012, NSA director Keith Alexander lobbied the Justice Department to extend the signature-based scans to malware that hadn't been linked to state actors, but his efforts were unsuccessful. Still, the agency Specific malware programs are often reused, even between criminals and governments, so it's notoriously difficult for researchers to connect a tactic to a specific actor. Experts are comparing the resulting system to the network intrusion detection systems (or NIDS) that are deployed on many private networks. Given a top-down view of the network, NIDS systems monitor for malware traveling between points on the network, rather than catching the bad actors as they infect individual machines. Those systems have also been proposed at a national level, although they've rarely been deployed publicly due to the privacy issues involved.

Current surveillance techniques are effective and disrupt/deter terrorist attacks

David Rothkopf, 2014, a visiting scholar at the Carnegie Endowment as well as CEO and editor of Foreign Policy. “National Insecurity: American Leadership in an Age of Fear,” PublicAffairs, p. 337-8

For all of the questions raised by some of the sweeping programs revealed by Snowden, the surveillance programs of the US government include some targeted efforts that are widely regarded within the intelligence and policy communities as extremely helpful. And new capabilities are emerging daily. Although these will require vigilance to avoid future violations of civil liberties, there is also a sense that on the cyber side, as with drones and the development of light-footprint approaches for combating terror, important steps have been taken that actually enhance the security of the American people and reduce the likelihood of future attacks like those that ushered in this era.¶ Those tools have made such a marked difference in US counterterrorism efforts that intelligence community leaders are becoming comfortable with the idea of relaxing other controversial practices. Mike Hayden noted that one reason he was willing to “empty the prisons” and “scale back on the authorized interrogation techniques” is that he was not “nearly as desperate as [Director of Central Intelligence] George [Tenet] was back in 2002, 2003. I’ve got agent networks. I’ve got penetrations. I’ve built up a strong human intelligence collection efforts. [sic] I’m less dependent on capturing and questioning than I was in 2002. More sources. Better electronic intelligence. You’re hitting on all cylinders now. And with the requisite intelligence, it enables your orthoscopic stuff” (meaning “surgical” or “light-footprint activities”).¶ Lisa Monaco asserts, “I think the US government has done a good job of creating a counterterrorism structure and apparatus-operationally and policy-wise – to learn the lessons of 9/11 and have an ability to meet the threats that we face, share information, apply the right kind of military, intelligence, diplomatic, and law enforcement tools today…. As an example, say we know a terrorist is transiting Germany. 
We have an apparatus to reach out: The FBI will talk to its German counterparts, share information, get their assistance within the bounds of the rule of law to try and detail that person. So, we have a process. We share intelligence. We try and disrupt that threat.” Although she acknowledges the systems are not quite as evolved on the cybersecurity side, the point is that – despite metastasizing terror threats worldwide, and confusion and ill-conceived programs of the US government is in a number of important ways fulfilling its core mission of helping to make America and Americans safer.

NSA surveillance is critical to protecting us against cyber attacks

Michelle Van Cleave, What It Takes: In Defense of the NSA, NOVEMBER/DECEMBER 2013 http://www.worldaffairsjournal.org/article/what-it-takes-defense-nsa

For my old business of US counterintelligence, the Snowden case is something of an unraveling nightmare. At this stage, there is no telling whether or not he acted alone, or what he compromised. Four months isn’t much time on-site, yet he used his access to identify and download highly classified information that would be of particular use to him. How did he decide what was of value to snatch? Where did he find it? How did he take it without getting caught? He admitted that he took the NSA contractor job in March of this year in order to gain access to this material, so his preparations had been under way for quite a while. The deeper question is at what point along the way he started to get outside help and direction, and from whom. At a minimum, the press leaks were very well scripted to provide cover for the rest of the operation, which has received far less attention. Snowden passed documents allegedly showing US and UK surveillance of Russian and Turkish representatives at a Group of 20 meeting. He passed ostensible records of US signals intelligence operations in Hong Kong and elsewhere, as well as Britain’s signals intelligence arm, GCHQ. 
He passed information about top-secret plans to counter Chinese cyber-attack capabilities, and about joint intelligence undertakings among Western allies, including US and German cooperation. That’s just what has been reported publicly. Then of course there is whatever else he stole. Whether or not there are audit trails for IT administrators like Snowden we can only guess. If not, there may be no way of bounding the potential damage. And since we don’t know what secrets may have been lost, we won’t know what or who may now be at risk. That uncertainty alone is an intelligence bonanza for our adversaries. Whatever else Snowden may be, he has been a voice of disinformation. For example, here’s an excerpt from his Guardian interview: “Any analyst at any time can target anyone, any selector, anywhere. . . I sitting at my desk certainly had the authorities to wiretap anyone from you or your accountant to a federal judge to even the president if I had a personal e-mail.” If that were true, it would be an outrageous abuse of authority. But it is not true, not a whit. Now maybe Snowden is just delusional. Or maybe someone is coaching him a little, the better to inflame public opinion. But who would know, when there is an immediate rush to judgment to pronounce the man a “hero” or a “conscientious objector” or “deeply idealistic” or whatever other bouquets of virtue were thrown his way. By such means, some of the West’s best and brightest (looking less bright all the time) become part of the disinformation campaign directed against America’s moral standing in the world. That campaign has a long history. Two inherent qualities make US intelligence unique among the world’s intelligence services. The first is its accountability and unparalleled openness to public scrutiny and the rigorous oversight of the political process. 
The fact that we measure these things against civil liberties, and bring them under the careful checks and balances of our Constitution, is the bedrock of their strength. Even more fundamentally, US intelligence is part of the great experiment in governance that is our democratic republic. Beginning with George Washington’s first State of the Union Address, in which he requested a secret fund for clandestine activities, intelligence has been an instrument to achieve the broad goals of the American people and the policies advanced by their duly elected representatives. That is why any rupture between public confidence and the US intelligence enterprise is so destructive. It is also why America’s adversaries have long sought to provoke one. During the Cold War, the KGB expended a great deal of energy and treasure in undermining the credibility and effectiveness of US intelligence in general and the CIA in particular. Soviet disinformation campaigns included some breathtaking lies, deceptions, and fantastic tales (e.g., forged documents, planted news reports, and grotesque accusations that the CIA was responsible for trafficking in baby parts, assassinating President Kennedy, and inventing AIDS). It took decades for the CIA to recover from the Church Committee investigations of the 1970s—years that the Soviets used to advantage in undermining pro-Western governments, supporting insurgencies, and implanting spies. And here we go again. Whatever Snowden may have had in mind when he decided to break his oath, the secrets he disclosed have been used to discredit US intelligence among the very democratic populations that depend most on the American defense umbrella. Across Europe, there have been lawsuits to stop NSA operations. 
Round two of Snowden’s leaks included purported US collection activities directed against members of the European Union, so the EU, the French, the Germans, and others lodged diplomatic complaints and suspended trade and other talks and loudly proclaimed their indignation. (This is more than a little hypocritical, given their own intelligence activities against one another—not to mention the value they derive from ours.) To make matters worse, a whole series of damaging leaks in recent years, ranging from WikiLeaks to include some from the highest levels of the US government, have called into question America’s reliability as an intelligence partner. For friendly intelligence services, trusting the Americans to keep secrets secret has become a far riskier proposition. In fact, our stock as an intelligence partner has never been lower, which is exceedingly worrisome in an era when we rely so heavily on liaison services for essential intelligence about terrorist targets. For American intelligence personnel, doing their jobs has become that much more difficult and that much more thankless. You can be sure that the Russians, the Chinese, and others, knowing about the demoralizing effects of the Snowden leaks, are working overtime pursuing new recruitment prospects within US intelligence ranks. They know from long experience that low morale is a key factor in persuading Americans to spy on their own country. Today, there are more Russian intelligence personnel operating in the United States than there were at the height of the Cold War, and they are far from alone. By some counts, China is here in even greater numbers, and even more active against us through cyber means. Add to that the Cubans, the Iranians, and most of the rest of the world’s governments—plus some thirty-five suspected terrorist organizations—all here, taking advantage of the freedom of movement, access, and anonymity afforded by American society. 
And then there is the phenomenon of the hacker culture and virtual anarchists like “Anonymous,” which is hard at work to set the conditions for what it calls a “global secrets meltdown.” Their ostensible plan is to recruit individuals to infiltrate governments to steal classified information or enable Anonymous hackers to steal it. Then, when the message “do it now” goes out, they will simultaneously reveal all of the world’s secrets (but of course mostly concentrated in the West because that’s where the access is). It may sound ridiculous until you realize just how many disaffected, cynical youth like Snowden are drawn to these circles to find some sense of belonging and self-importance. The United States has built a global intelligence apparatus because it has global interests and global responsibilities. We have taken seriously the duties of leader of the free world, as two world wars, Korea, Vietnam, Afghanistan, Iraq, and freedom fighters in many parts of the world can attest. None of these duties in the last sixty years could have been met without the exceptional resources of NSA. Successive presidents and Congresses, entrusted with preserving and defending our freedom, have judged these investments to be vital to our nation’s security. They have protected the core secrets that enable collection programs to succeed, as have those in US business and industry who have been integral to their success. The unquestioned qualitative edge of US intelligence has been as essential to defending this country and preserving our freedom as have the forces we have built to arm and equip our military. But time has not stood still. China is attacking computer systems throughout the world, stealing information and implanting features to enable future control. China’s prominence in IT commercial markets means that they are in the supply chain, and their market share is growing as part of a purposeful, state-run program for strategic position. 
A long roll call of spies from Russia, China, Cuba, and other nations have targeted the essential secrets of US intelligence capabilities in order to be able to defeat them. And now they have the Snowdens and the WikiLeakers of the world helping them out. Interconnected global networks of digital data have become the single most important source of intelligence warning of threats, enabling our defense at home and the advancement of freedom abroad. To say “hands off,” as some shortsighted privacy advocates have been doing, will not preserve our liberties, it will endanger them. It should be possible for an enlightened citizenry to empower government action in that sphere without forfeiting the very rights that our government exists to secure. That challenge is, at the very least, a part of the continuing experiment that is our democracy.

Surveillance efforts are expanding and deterring cyber attacks

Frank Konkel 9/10/2014 (writer for NextGov, IS THERE ANY PART OF GOVERNMENT THAT HASN’T BEEN HACKED YET?, http://www.nextgov.com/cybersecurity/2014/09/there-any-part-governmenthasnt-been-hacked-yet/93704/)

Feds Cite ‘Unprecedented’ Collaboration with Industry

The only way to stay ahead of the evolving threats is to collaborate and share information with the private sector, officials testified. “We’re engaging in an unprecedented level of collaboration” with industry, international law organizations and other bodies, Anderson said, and those partnerships will continue to expand. For example, the FBI released 40 near real-time alerts on “current and emerging threat trends and technical indicators,” to the private sector – with 21 of those alerts sent to the financial industry. The agency is now engaging in a more back-and-forth dialogue as opposed to the FBI listening and rarely sharing – which used to be the case. 
Anderson also vowed harsher deterrents for malicious actors, referencing the recent indictments of Chinese citizens who were caught hacking the networks of American companies. Sen. Tom Coburn, R-Okla., said he was pleased with FBI’s get-tough approach. “I’m happy to see the FBI being aggressive on deterrence,” said Coburn, the committee’s ranking Republican. “For so long, we thought building a higher wall was [the way to protect], but people are going to climb over any wall we have. We need prosecutorial deterrence. I’m thankful of that attitude from FBI both domestically and internationally.”

NSA surveillance prevents cyber attack

Jonathan Mayer, a computer scientist + lawyer at Stanford Web Policy, June 4, 2015, The NSA’s Domestic Cybersecurity Surveillance http://webpolicy.org/2015/06/04/nsa-cybersecurity/

This much is certain about FAA cybersecurity surveillance: If the NSA snoops on hackers as they move stolen data over the Internet backbone, agency analysts can sift through that information—other than with explicit U.S. person queries. If the NSA, FBI, or CIA snoops on hackers as they move stolen data through a cloud service, such as Dropbox or Gmail, analysts can sift through that information—including with explicit U.S. person queries.

I - Cyber threat is high

Cyber-threat risk is high – prefer consensus

Jordain Carney 14, Staff @ National Journal, “Defense Leaders Say Cyber is Top Terror Threat,” 1-6-14, http://www.nationaljournal.com/defense/defense-leaders-say-cyber-is-top-terror-threat-20140106, DOA: 8-13-14

Defense officials see cyberattacks as the greatest threat to U.S. national security, according to a survey released Monday. Forty-five percent of respondents to the Defense News Leadership Poll named a cyberattack as the single greatest threat—nearly 20 percentage points above terrorism, which ranked second. 
The Defense News Leadership Poll, underwritten by United Technologies, surveyed 352 Defense News subscribers, based on job seniority, between Nov. 14 and Nov. 28, 2013. The poll targeted senior employees within the White House, Pentagon, Congress, and the defense industry. "The magnitude of the cyber problem, combined with declining budgets, will challenge the nation for years to come," said Vago Muradian, the editor of Defense News. It's not the first time cyber has ranked at or near the top of a list of security concerns. Seventy percent of Americans called a cyberattack from another country a major threat in a Pew Research Center survey released last month. Defense Department officials, for their part, have warned about the increasing threat. FBI Director James Comey, Rand Beers, the then-acting secretary for the Homeland Security Department, and Gen. Keith Alexander, director of the National Security Agency, each voiced their concerns before Congress last year. And House Intelligence Committee Chairman Mike Rogers, R-Mich., called it the "largest national security threat to the face the U.S. that we are not even close to being prepared to handle as a country."

Threat of cyber-attack real and growing; most serious economic and national security challenge in 2015.

DUSTIN VOLZ, April 1 2015 http://www.nationaljournal.com/tech/obama-declares-cyber-attacks-anational-emergency-20150401

April 1, 2015 President Obama on Wednesday signed an executive order expanding his administration's ability to respond to malicious cyberattacks by allowing financial penalties to be inflicted on foreign actors who engage in destructive hacking campaigns. "Cyberthreats pose one of the most serious economic and national security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them," Obama said in a statement. 
"As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies, and our citizens. This executive order offers a targeted tool for countering the most significant cyberthreats that we face." The order allows the Treasury secretary, in consultation with the attorney general and the secretary of State, to impose financial sanctions—such as freezing of assets or prohibition of commercial trade—on individuals or groups responsible for malicious cyberattacks that "create a significant threat to U.S. national security, foreign policy, or economic health or financial stability of the United States," Obama said. Administration officials have long indicated a desire to strengthen the government's ability to respond to and penalize those engaging in cyberattacks. The massive hit on Sony Pictures last Thanksgiving—which the White House publicly blamed on North Korea—increased the urgency to bolster the nation's cyberdefenses. In January, Obama signed a separate executive order allowing for further sanctions against designated North Korean targets, but that action was limited solely to government officials in that country and not tethered directly to the Sony cyberattack. Wednesday's order will broaden the government's authority to permit the levying of sanctions against those directly responsible for hacking activities—and officials will not need to acquire a discrete order to respond to each attack. Data breaches in recent years at places like Target, Home Depot, and Anthem Insurance have resulted in the heist of the personal data of millions of consumers, ranging from credit-card information to Social Security numbers and health information. But hundreds, if not thousands, of cyberattacks are waged daily against the United States, officials have said, and many of them originate overseas. China and Russia have been identified as particularly aggressive and adept at cyberintrusion and cyberespionage. 
Cyberattacks are currently the biggest threat to US national security

Council on foreign relations 3/15, “Cyberattacks on US Infrastructure”, http://www.cfr.org/global/global-conflict-tracker/p32137#!/?marker=2

In March 2013, Director of National Intelligence James Clapper identified cyberattacks as the greatest threat to U.S. national security. Critical infrastructure—the physical and virtual assets, systems, and networks vital to national and economic security, health, and safety—is vulnerable to cyberattacks by foreign governments, criminal entities, and lone actors. Due to the increasingly sophisticated, frequent, and disruptive nature of cyberattacks, such an attack on critical infrastructure could be significantly disruptive or potentially devastating. Policymakers and cybersecurity experts contend that energy is the most vulnerable industry; a large-scale attack could temporarily halt the supply of water, electricity, and gas, hinder transportation and communication, and cripple financial institutions. The rising prevalence of cyberattacks was detailed in a 2013 report by the U.S. security firm Mandiant that linked the Chinese military to 140 cyberattacks against U.S. and foreign corporations. The same year, major U.S. banks called on policymakers for assistance after experiencing cyberattacks emanating from Iran. The Obama administration has emphasized the importance of cybersecurity—its fiscal year 2014 budget requested a 20 percent increase in funding, and in February the White House announced the establishment of a new Cyber Threat Initiative Integration Center (CTIIC) to provide analysis and support to U.S. government agencies in response to cyber threats. The United States has strengthened its offensive strategies by developing rules of engagement for cyber warfare and cyber weapons capabilities. However, cyberspace policymaking remains decentralized with authority shared among the White House and five executive departments, resulting in gaps in U.S.
cyber policy that leave vulnerabilities unaddressed.

Cyber threat is high---tech advancement

Josephine Wolff 13 is a Ph.D. candidate at MIT and a fellow at Harvard’s Berkman Center for Internet and Society, "Great, Now Malware Can Jump the “Air Gap” Between Computers," 12-3-2013, Slate Magazine, http://www.slate.com/blogs/future_tense/2013/12/03/researchers_michael_hanspach_michael_goetz_prove_malware_can_jump_air_gap.html, DOA: 3-15-2015, y2k

The gold standard for protecting computer systems—as everyone from the U.S. military to Osama Bin Laden’s ghost well knows—is disconnecting them from the Internet. Called an “air gap,” because prior to wireless networking it literally meant making sure there was no cable physically connecting a computer to the public Internet, this is one of the most drastic, inconvenient, and difficult-to-maintain computer security measures out there. It’s usually reserved for systems that require the very highest levels of security, because it leaves you with a computer system that may be limited in what it can do, but at least it’s absolutely safe. But according to a recent paper by researchers at the Fraunhofer Institute for Communication, Information Processing, and Ergonomics, that [air]gap can be bridged by high-frequency audio signals. The researchers, Michael Hanspach and Michael Goetz, were able to transmit data between airgapped laptops up to 19.7 meters (more than 60 feet) apart at a rate of approximately 20 bits per second by using acoustic methods originally developed for underwater communications. In other words, the computers communicated via their built-in speakers and microphones by transmitting inaudible acoustic waves. The paper announcing this prototype comes just weeks after security consultant Dragos Ruiu hypothesized that the “badBIOS” malware he was studying was able to penetrate air-gapped machines in the same manner.
Even without Hanspach and Goetz’s confirmation of its feasibility, Ruiu’s claim was enough to unsettle some. At the Defense One conference last month, United States Naval Academy cyber security professor and retired Navy captain Mark Hagerott said the discovery of air-gap jumping technology would “disrupt the world balance of power.” The basic idea underlying an air gap is that we want to cut off all access to a computer system to the outside world but, as it turns out, there are lots of ways to access computers even through the air. The name itself is deeply misleading, and it reflects a certain kind of misguided thinking about computer security that comes from carelessly applying the language of physical security to the virtual world. It’s not just that the things we can’t see—the electromagnetic and acoustic waves—can serve as access points for attackers. It’s that we don’t yet have any thorough understanding of what all the possible access points to computer systems are, or what their complete “attack surface” looks like. Hanspach and Goetz’s research, and Ruiu’s warning, will likely mean that the definition of “air-gapped” is extended yet again—this time so that its implementation includes shutting off audio input and output devices. In the long tradition of mixing archaic physical security metaphors with modern cybersecurity efforts, you can think of it as a sort of modern-day version of Odysseus telling his sailors to plug their ears as they sail past the sirens. Hanspach and Goetz also suggest as possible defenses against acoustic malware high-frequency audio filtering and audio intrusion detection systems, but these solutions are more complicated to implement and may be less effective. This isn’t the first time we’ve discovered that the machines we thought were protected by an impermeable air gap were, in fact, vulnerable . 
Stuxnet made headlines in 2010 when it was spread to the air-gapped machines in the Iranian Natanz nuclear facilities using infected USB drives. The realization (or reminder, really) that USB drives could carry malware meant that the notion of airgapping computer systems was extended to include banning removable media, or filling USB ports with superglue. Of course, with each such addition to the protocol for thorough air gapping, the practice becomes more and more difficult to maintain. This summer, for instance, it was revealed that Edward Snowden used a flash drive to copy the classified materials he later leaked to the press. Turns out the Department of Defense may have granted thousands of exceptions to its nominal ban on removable media devices. A mandate to shut off all computer audio input and output devices could meet a similar fate, with organizations finding that these tools are necessary for certain important tasks—or employees finding safety measures to be a hassle. More stringent requirements for air-gapping almost inevitably lead to less rigorous implementation and, as the new acoustic malware prototype suggests, we don’t even know yet all of the possible attack vectors for computer systems, or what other basic functions they will mean shutting off and deactivating in the name of greater security. Trends in social engineering and phishing attacks show that the human users of computer systems are often crucial (and very vulnerable) attack vectors, while research in side-channel attacks on cryptosystems has shown that the power used by computers, as well as the sounds they make, can be used to target encrypted information. In short, audio input and output devices are only the latest in a long list of computer features that turn out to be vulnerable to attack—that doesn’t make the researchers’ discovery any less important or significant, but it does mean that it’s probably far from the final word in air-gap-jumping technology.
New attacks will continue to emerge alongside technological improvements—dark reflections of our ingenuity. The security vulnerabilities of computers extend across every dimension, including several we likely haven’t thought of yet, and it would be unwise to rely too heavily on the wax in your ears, or the glue in your computer ports—or the protective cushion of the air.

Prefer qualified evidence---9/11 commission concludes aff

Melissa Clyne 2014, Staff Writer @ News Max, “9/11 Commission: Cyberattack on US Is Imminent Threat,” 7-22-14, http://www.newsmax.com/Newsfront/911-terrorism-cyberattack-powergrid/2014/07/22/id/584093/#ixzz3AIa4AZSB, DOA: 8-13-14, y2k

Terrorists are plotting a cyberattack against the United States that is tantamount to 9/11, and the American public is acutely uninformed about the grave danger, according to The Wall Street Journal. Members of the former 9/11 Commission, formed to investigate and analyze the terrorist attacks, will release a report today stating a growing complacency has set in since 2001, despite heightened threats facing the country. For the 10th anniversary of the release of the 9/11 report, the National Commission on Terrorist Attacks met to assess the current national security climate and how the government is handling it. As part of their undertaking, the panel interviewed current and former intelligence officials, the Journal reports. In the report, most top spy officials pointed to cyberattacks as a "growing danger that the government has yet to adequately address," according to the Journal. The Washington Post reports panel’s most recent findings indicate that cyberspace is the "battlefield of the future" and advocate for cybersecurity legislation allowing private companies to work with the government to counter the threat. National security is tantamount to privacy protection. Additionally, the public should be made aware of the seriousness of the looming threat, according to the panel.
"Platitudes will not persuade the public," the authors wrote. In 2012, then Defense Secretary Leon Panetta warned that terrorists were targeting computer control systems that operate chemical, electricity, and water plants, and those that guide transportation throughout the country, Bloomberg reported at the time. "We know of specific instances where intruders have successfully gained access to these control systems," Panetta said. "We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life." He explained that an attacker could derail trains, contaminate the water supply, or shut down power grids across the country by gaining access to control switches. It’s important, according to the report’s authors, that Americans learn of the threats before it’s too late. "History may be repeating itself in the cyber realm," the report states. "Complacency is setting in. There is a danger that this waning sense of urgency will divert attention and needed resources from counterterrorism efforts."

Cyber attacks are possible, likely, and will escalate

Bucci 9, Dr. Steven P. Bucci is IBM's Issue Lead for Cyber Security Programs and a part of the Global Leadership Initiative, the in-house think tank for IBM's public-sector practice. He most recently served as Deputy Assistant Secretary of Defense, Homeland Defense and Defense Support to Civil Authorities. Dr. Bucci delivered these remarks at a meeting of The Heritage Foundation's Cyber Security Working Group, The Confluence of Cyber Crime and Terrorism, http://www.heritage.org/research/lecture/theconfluence-of-cyber-crime-and-terrorism

If a cash-rich terrorist group would use its wealth to hire cyber criminal botnets for their own use, we would have a major problem. A terrorist group so enabled could begin to overwhelm the cyber defenses of a specific corporation, government organization, or infrastructure sector and do much damage.
They could destroy or corrupt vital data in the financial sector, cripple communications over a wide area to spread panic and uncertainty. Similar to the nation-state attack scenarios discussed earlier, terrorists could use botnet-driven DDoS attacks to blind security forces at a border crossing point as a means of facilitating an infiltration operation, or a cyber attack in one area of a country to act as a diversion so a "conventional" kinetic terrorist attack can occur elsewhere. They could even conduct SCADA attacks on specific sites and use the system to create kinetic-like effects without the kinetic component. A good example would be to open the valves at a chemical plant near a population center, creating a Bhopal-like event. The permutations are as endless as one's imagination. The cyber capabilities that the criminals could provide would in short order make any terrorist organization infinitely more dangerous and effective. Some have opined that cyber attacks are not suitable as terror tactics because they lack the drama and spectacular effect of, say, a suicide bomber. This does not take into account the ability of the terrorists to adapt. As our intelligence and law enforcement agencies continue to effectively combat the terrorists, they will continue to evolve. The terrorists' old methods will be augmented and improved. They will need to develop more imagination and versatility if they are to conduct successful operations. This evolutionary capability has not been in short supply among the terrorist leadership. They will not define "spectacular" so narrowly. Imagine the operational elegance of simply hitting the return key and seeing thousands of enemies die a continent away, or watching a bank go under due to the destruction of all its data by an unknown force. This will be enormously attractive to terrorist groups. Additionally, the combination of cyber methods and kinetic strikes could be spectacular regardless of one's definition.
Criminals, for their part, are motivated by greed and power. Few of the leaders of the enormous cyber organized crime world would hesitate at selling their capabilities to a terrorist loaded with cash. That fact, combined with the ever-growing terrorist awareness of cyber vulnerabilities, makes this set of scenarios not just likely, but nearly inevitable.

I – War/Escalation

Cyber attacks escalate to nuclear war

Jason Fritz 2009, Former Captain of the U.S. Army, Jason, July, Hacking Nuclear Command and Control, www.icnnd.org/Documents/Jason_Fritz_Hacking_NC2.doc

The US uses the two-man rule to achieve a higher level of security in nuclear affairs. Under this rule two authorized personnel must be present and in agreement during critical stages of nuclear command and control. The President must jointly issue a launch order with the Secretary of Defense; Minuteman missile operators must agree that the launch order is valid; and on a submarine, both the commanding officer and executive officer must agree that the order to launch is valid. In the US, in order to execute a nuclear launch, an Emergency Action Message (EAM) is needed. This is a preformatted message that directs nuclear forces to execute a specific attack. The contents of an EAM change daily and consist of a complex code read by a human voice. Regular monitoring by shortwave listeners and videos posted to YouTube provide insight into how these work. These are issued from the NMCC, or in the event of destruction, from the designated hierarchy of command and control centres. Once a command centre has confirmed the EAM, using the two-man rule, the Permissive Action Link (PAL) codes are entered to arm the weapons and the message is sent out.
These messages are sent in digital format via the secure Automatic Digital Network and then relayed to aircraft via single-sideband radio transmitters of the High Frequency Global Communications System, and, at least in the past, sent to nuclear capable submarines via Very Low Frequency (Greenemeier 2008, Hardisty 1985). The technical details of VLF submarine communication methods can be found online, including PC-based VLF reception. Some reports have noted a Pentagon review, which showed a potential “electronic back door into the US Navy’s system for broadcasting nuclear launch orders to Trident submarines” (Peterson 2004). The investigation showed that cyber terrorists could potentially infiltrate this network and insert false orders for launch. The investigation led to “elaborate new instructions for validating launch orders” (Blair 2003). Adding further to the concern of cyber terrorists seizing control over submarine launched nuclear missiles; The Royal Navy announced in 2008 that it would be installing a Microsoft Windows operating system on its nuclear submarines (Page 2008). The choice of operating system, apparently based on Windows XP, is not as alarming as the advertising of such a system is. This may attract hackers and narrow the necessary reconnaissance to learning its details and potential exploits. It is unlikely that the operating system would play a direct role in the signal to launch, although this is far from certain. Knowledge of the operating system may lead to the insertion of malicious code, which could be used to gain accelerating privileges, tracking, valuable information, and deception that could subsequently be used to initiate a launch. Remember from Chapter 2 that the UK’s nuclear submarines have the authority to launch if they believe the central command has been destroyed.¶ Attempts by cyber terrorists to create the illusion of a decapitating strike could also be used to engage fail-deadly systems.
Open source knowledge is scarce as to whether Russia continues to operate such a system. However evidence suggests that they have in the past. Perimetr, also known as Dead Hand, was an automated system set to launch a mass scale nuclear attack in the event of a decapitation strike against Soviet leadership and military.¶ In a crisis, military officials would send a coded message to the bunkers, switching on the dead hand. If nearby ground-level sensors detected a nuclear attack on Moscow, and if a break was detected in communications links with top military commanders, the system would send low-frequency signals over underground antennas to special rockets. Flying high over missile fields and other military sites, these rockets in turn would broadcast attack orders to missiles, bombers and, via radio relays, submarines at sea. Contrary to some Western beliefs, Dr. Blair says, many of Russia's nuclear-armed missiles in underground silos and on mobile launchers can be fired automatically. (Broad 1993)¶ Assuming such a system is still active, cyber terrorists would need to create a crisis situation in order to activate Perimetr, and then fool it into believing a decapitating strike had taken place. While this is not an easy task, the information age makes it easier. Cyber reconnaissance could help locate the machine and learn its inner workings. This could be done by targeting the computers of high level officials—anyone who has reportedly worked on such a project, or individuals involved in military operations at underground facilities, such as those reported to be located at Yamantau and Kosvinksy mountains in the central southern Urals (Rosenbaum 2007, Blair 2008).¶ Indirect Control of Launch¶ Cyber terrorists could cause incorrect information to be transmitted, received, or displayed at nuclear command and control centres, or shut down these centres’ computer networks completely.
In 1995, a Norwegian scientific sounding rocket was mistaken by Russian early warning systems as a nuclear missile launched from a US submarine. A radar operator used Krokus to notify a general on duty who decided to alert the highest levels. Kavkaz was implemented, all three chegets activated, and the countdown for a nuclear decision began. It took eight minutes before the missile was properly identified—a considerable amount of time considering the speed with which a nuclear response must be decided upon (Aftergood 2000).¶ Creating a false signal in these early warning systems would be relatively easy using computer network operations. The real difficulty would be gaining access to these systems as they are most likely on a closed network. However, if they are transmitting wirelessly, that may provide an entry point, and information gained through the internet may reveal the details, such as passwords and software, for gaining entrance to the closed network. If access was obtained, a false alarm could be followed by something like a DDoS attack, so the operators believe an attack may be imminent, yet they can no longer verify it. This could add pressure to the decision making process, and if coordinated precisely, could appear as a first round EMP burst. Terrorist groups could also attempt to launch a non-nuclear missile, such as the one used by Norway, in an attempt to fool the system. The number of states who possess such technology is far greater than the number of states who possess nuclear weapons. Obtaining them would be considerably easier, especially when enhancing operations through computer network operations. Combining traditional terrorist methods with cyber techniques opens opportunities neither could accomplish on their own.
For example, radar stations might be more vulnerable to a computer attack, while satellites are more vulnerable to jamming from a laser beam, thus together they deny dual phenomenology. Mapping communications networks through cyber reconnaissance may expose weaknesses, and automated scanning devices created by more experienced hackers can be readily found on the internet.¶ Intercepting or spoofing communications is a highly complex science. These systems are designed to protect against the world’s most powerful and well funded militaries. Yet, there are recurring gaffes, and the very nature of asymmetric warfare is to bypass complexities by finding simple loopholes. For example, commercially available software for voice-morphing could be used to capture voice commands within the command and control structure, cut these sound bytes into phonemes, and splice it back together in order to issue false voice commands (Andersen 2001, Chapter 16). Spoofing could also be used to escalate a volatile situation in the hopes of starting a nuclear war. “ [they cut off the paragraph] “In June 1998, a group of international hackers calling themselves Milw0rm hacked the web site of India’s Bhabha Atomic Research Center (BARC) and put up a spoofed web page showing a mushroom cloud and the text “If a nuclear war does start, you will be the first to scream” (Denning 1999). Hacker web-page defacements like these are often derided by critics of cyber terrorism as simply being a nuisance which causes no significant harm. However, web-page defacements are becoming more common, and they point towards alarming possibilities in subversion. During the 2007 cyber attacks against Estonia, a counterfeit letter of apology from Prime Minister Andrus Ansip was planted on his political party website (Grant 2007). This took place amid the confusion of mass DDoS attacks, real world protests, and accusations between governments.
Cyberattacks cause great power wars

Habiger 2010 [Eugene – Retired Air Force General, Cyberwarfare and Cyberterrorism, The Cyber Security Institute, Feb 2010. p. 11-19]

However, there are reasons to believe that what is going on now amounts to a fundamental shift as opposed to business as usual. Today’s network exploitation or information operation trespasses possess a number of characteristics that suggest that the line between espionage and conflict has been, or is close to being, crossed. (What that suggests for the proper response is a different matter.) First, the number of cyberattacks we are facing is growing significantly. Andrew Palowitch, a former CIA official now consulting with the US Strategic Command (STRATCOM), which oversees the Defense Department’s Joint Task Force‐Global Network Operations, recently told a meeting of experts that the Defense Department has experienced almost 80,000 computer attacks, and some number of these assaults have actually “reduced” the military’s “operational capabilities.”20 Second, the nature of these attacks is starting to shift from penetration attempts aimed at gathering intelligence (cyber spying) to offensive efforts aimed at taking down systems (cyberattacks). Palowitch put this in stark terms last November, “We are currently in a cyberwar and war is going on today.”21 Third, these recent attacks need to be taken in a broader strategic context. Both Russia and China have stepped up their offensive efforts and taken a much more aggressive cyberwarfare posture. The Chinese have developed an openly discussed cyberwar strategy aimed at achieving electronic dominance over the U.S. and its allies by 2050. In 2007 the Department of Defense reported that for the first time China has developed first strike viruses, marking a major shift from prior investments in defensive measures.22 And in the intervening period China has launched a series of offensive cyber operations against U.S.
government and private sector networks and infrastructure. In 2007, Gen. James Cartwright, the former head of STRATCOM and now the Vice Chairman of the Joint Chiefs of Staff, told the US‐China Economic and Security Review Commission that China’s ability to launch “denial of service” attacks to overwhelm an IT system is of particular concern. 23 Russia also has already begun to wage offensive cyberwar. At the outset of the recent hostilities with Georgia, Russian assets launched a series of cyberattacks against the Georgian government and its critical infrastructure systems, including media, banking and transportation sites.24 In 2007, cyberattacks that many experts attribute, directly or indirectly, to Russia shut down the Estonia government’s IT systems. Fourth, the current geopolitical context must also be factored into any effort to gauge the degree of threat of cyberwar. The start of the new Obama Administration has begun to help reduce tensions between the United States and other nations. And, the new administration has taken initial steps to improve bilateral relations specifically with both China and Russia. However, it must be said that over the last few years the posture of both the Chinese and Russian governments toward America has clearly become more assertive, and at times even aggressive. Some commentators have talked about the prospects of a cyber Pearl Harbor, and the pattern of Chinese and Russian behavior to date gives reason for concern along these lines: both nations have offensive cyberwarfare strategies in place; both nations have taken the cyber equivalent of building up their forces; both nations now regularly probe our cyber defenses looking for gaps to be exploited; both nations have begun taking actions that cross the line from cyberespionage to cyberaggression; and, our bilateral relations with both nations are increasingly fractious and complicated by areas of marked, direct competition. 
Clearly, there are sharp differences between current U.S. relations with these two nations and relations between the US and Japan just prior to World War II. However, from a strategic defense perspective, there are enough warning signs to warrant preparation. In addition to the threat of cyberwar, the limited resources required to carry out even a large scale cyberattack also makes likely the potential for a significant cyberterror attack against the United States. However, the lack of a long list of specific incidences of cyberterrorism should provide no comfort. There is strong evidence to suggest that al Qaeda has the ability to conduct cyberterror attacks against the United States and its allies. Al Qaeda and other terrorist organizations are extremely active in cyberspace, using these technologies to communicate among themselves and others, carry out logistics, recruit members, and wage information warfare. For example, al Qaeda leaders used email to communicate with the 9‐11 terrorists and the 9‐11 terrorists used the Internet to make travel plans and book flights. Osama bin Laden and other al Qaeda members routinely post videos and other messages to online sites to communicate. Moreover, there is evidence of efforts that al Qaeda and other terrorist organizations are actively developing cyberterrorism capabilities and seeking to carry out cyberterrorist attacks. For example, the Washington Post has reported that “U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids. In some interrogations . . .
al Qaeda prisoners have described intentions, in general terms, to use those tools.”25 Similarly, a 2002 CIA report on the cyberterror threat to a member of the Senate stated that al Qaeda and Hezbollah have become "more adept at using the internet and computer technologies.”26 The FBI has issued bulletins stating that, “U. S. law enforcement and intelligence agencies have received indications that Al Qaeda members have sought information on Supervisory Control And Data Acquisition (SCADA) systems available on multiple SCADA‐related web sites.”27 In addition a number of jihadist websites, such as 7hj.7hj.com, teach computer attack and hacking skills in the service of Islam.28 While al Qaeda may lack the cyber‐attack capability of nations like Russia and China, there is every reason to believe its operatives, and those of its ilk, are as capable as the cyber criminals and hackers who routinely effect great harm on the world’s digital infrastructure generally and American assets specifically. In fact, perhaps, the most troubling indication of the level of the cyberterrorist threat is the countless, serious non‐terrorist cyberattacks routinely carried out by criminals, hackers, disgruntled insiders, crime syndicates and the like. If run‐of‐the‐mill criminals and hackers can threaten powergrids, hack vital military networks, steal vast sums of money, take down a city’s of traffic lights, compromise the Federal Aviation Administration’s air traffic control systems, among other attacks, it is overwhelmingly likely that terrorists can carry out similar, if not more malicious attacks. Moreover, even if the world’s terrorists are unable to breed these skills, they can certainly buy them. There are untold numbers of cybermercenaries around the world—sophisticated hackers with advanced training who would be willing to offer their services for the right price. 
Finally, given the nature of our understanding of cyber threats, there is always the possibility that we have already been the victim of a cyberterrorist attack, or such an attack has already been set but not yet effectuated, and we don’t know it yet. Instead, a well‐designed cyberattack has the capacity to cause widespread chaos, sow societal unrest, undermine national governments, spread paralyzing fear and anxiety, and create a state of utter turmoil, all without taking a single life. A sophisticated cyberattack could throw a nation’s banking and finance system into chaos causing markets to crash, prompting runs on banks, degrading confidence in markets, perhaps even putting the nation’s currency in play and making the government look helpless and hapless. In today’s difficult economy, imagine how Americans would react if vast sums of money were taken from their accounts and their supporting financial records were destroyed. A truly nefarious cyberattacker could carry out an attack in such a way (akin to Robin Hood) as to engender populist support and deepen rifts within our society, thereby making efforts to restore the system all the more difficult. A modestly advanced enemy could use a cyberattack to shut down (if not physically damage) one or more regional power grids. An entire region could be cast into total darkness, power‐dependent systems could be shut down. An attack on one or more regional power grids could also cause cascading effects that could jeopardize our entire national grid. When word leaks that the blackout was caused by a cyberattack, the specter of a foreign enemy capable of sending the entire nation into darkness would only increase the fear, turmoil and unrest. While the finance and energy sectors are considered prime targets for a cyberattack, an attack on any of the 17 delineated critical infrastructure sectors could have a major impact on the United States.
For example, our healthcare system is already technologically driven and the Obama Administration’s e‐health efforts will only increase that dependency. A cyberattack on the U.S. e‐health infrastructure could send our healthcare system into chaos and put countless lives at risk. Imagine if emergency room physicians and surgeons were suddenly no longer able to access vital patient information. A cyberattack on our nation’s water systems could likewise cause widespread disruption. An attack on the control systems for one or more dams could put entire communities at risk of being inundated, and could create ripple effects across the water, agriculture, and energy sectors. Similar water control system attacks could be used to at least temporarily deny water to otherwise arid regions, impacting everything from the quality of life in these areas to agriculture. In 2007, the U.S. Cyber Consequences Unit determined that the destruction from a single wave of cyberattacks on critical infrastructures could exceed $700 billion, which would be the rough equivalent of 50 Katrina‐esque hurricanes hitting the United States all at the same time.29 Similarly, one IT security source has estimated that the impact of a single day cyberwar attack that focused on and disrupted U.S. credit and debit card transactions would be approximately $35 billion.30 Another way to gauge the potential for harm is in comparison to other similar non‐cyberattack infrastructure failures. For example, the August 2003 regional power grid blackout is estimated to have cost the U.S. economy up to $10 billion, or roughly .1 percent of the nation’s GDP.31 That said, a cyberattack of the exact same magnitude would most certainly have a much larger impact. The origin of the 2003 blackout was almost immediately disclosed as an atypical system failure having nothing to do with terrorism. This made the event both less threatening and likely a single time occurrence.
Had it been disclosed that the event was the result of an attack that could readily be repeated the impacts would likely have grown substantially, if not exponentially. Additionally, a cyberattack could also be used to disrupt our nation’s defenses or distract our national leaders in advance of a more traditional conventional or strategic attack. Many military leaders actually believe that such a disruptive cyber pre‐offensive is the most effective use of offensive cyber capabilities. This is, in fact, the way Russia utilized cyberattackers—whether government assets, government‐directed/coordinated assets, or allied cyber irregulars—in advance of the invasion of Georgia. Widespread distributed denial of service (DDOS) attacks were launched on the Georgian government’s IT systems. Roughly a day later Russian armor rolled into Georgian territory. The cyberattacks were used to prepare the battlefield; they denied the Georgian government a critical communications tool isolating it from its citizens and degrading its command and control capabilities precisely at the time of attack. In this way, these attacks were the functional equivalent of conventional air and/or missile strikes on a nation’s communications infrastructure.32 One interesting element of the Georgian cyberattacks has been generally overlooked: On July 20th, weeks before the August cyberattack, the website of Georgian President Mikheil Saakashvili was overwhelmed by a more narrowly focused, but technologically similar DDOS attack.33 This should be particularly chilling to American national security experts as our systems undergo the same sorts of focused, probing attacks on a constant basis. The ability of an enemy to use a cyberattack to counter our offensive capabilities or soften our defenses for a wider offensive against the United States is much more than mere speculation. In fact, in Iraq it is already happening. Iraq insurgents are now using off‐the‐shelf software (costing just $26) to hack U.S.
drones (costing $4.5 million each), allowing them to intercept the video feed from these drones.34 By hacking these drones the insurgents have succeeded in greatly reducing one of our most valuable sources of real‐time intelligence and situational awareness. If our enemies in Iraq are capable of such an effective cyberattack against one of our more sophisticated systems, consider what a more technologically advanced enemy could do. At the strategic level, in 2008, as the United States Central Command was leading wars in both Iraq and Afghanistan, a cyber intruder compromised the security of the Command and sat within its IT systems, monitoring everything the Command was doing. 35 This time the attacker simply gathered vast amounts of intelligence. However, it is clear that the attacker could have used this access to wage cyberwar—altering information, disrupting the flow of information, destroying information, taking down systems—against the United States forces already at war. Similarly, during 2003 as the United States prepared for and began the War in Iraq, the IT networks of the Department of Defense were hacked 294 times.36 By August of 2004, with America at war, these ongoing attacks compelled then‐Deputy Secretary of Defense Paul Wolfowitz to write in a memo that, "Recent exploits have reduced operational capabilities on our networks."37 This wasn’t the first time that our national security IT infrastructure was penetrated immediately in advance of a U.S. military option.38 In February of 1998 the Solar Sunrise attacks systematically compromised a series of Department of Defense networks. What is often overlooked is that these attacks occurred during the ramp up period ahead of potential military action against Iraq. The attackers were able to obtain vast amounts of sensitive information—information that would have certainly been of value to an enemy’s military leaders. 
There is no way to prove that these actions were purposefully launched with the specific intent to distract American military assets or degrade our capabilities. However, such ambiguities—the inability to specifically attribute actions and motives to actors—are the very nature of cyberspace. Perhaps, these repeated patterns of behavior were mere coincidence, or perhaps they weren’t. The potential that an enemy might use a cyberattack to soften physical defenses, increase the gravity of harms from kinetic attacks, or both, significantly increases the potential harms from a cyberattack. Consider the gravity of the threat and risk if an enemy, rightly or wrongly, believed that it could use a cyberattack to degrade our strategic weapons capabilities. Such an enemy might be convinced that it could win a war—conventional or even nuclear—against the United States. The effect of this would be to undermine our deterrence‐based defenses, making us significantly more at risk of a major war. The cyber arms race is accelerating — the best data proves; involves countries like Iran and at least 12 of the world’s 15 largest nuclear powers. Goldman 2013, CNN Writer, Nations Prepare for Cyberwar, http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html In 2012, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return, Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least 12 of the world's 15 largest military powers are currently building cyberwarfare programs, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. So a cyber Cold War is already in progress. But some security companies believe that battle will become even more heated this year. "Nation states and armies will be more frequent actors and victims of cyberthreats," a team of researchers at McAfee Labs, an Intel (INTC, Fortune 500) subsidiary, wrote in a recent report.
Michael Sutton, head of security research at cloud security company Zscaler, said he expects governments to spend furiously on building up their cyber arsenals. Some may even outsource attacks to online hackers. The Obama administration and many in Congress have been more vocal about how an enemy nation or a terrorist cell could target the country's critical infrastructure in a cyberattack. Banks, stock exchanges, nuclear power plants and water purification systems are particularly vulnerable, according to numerous assessments delivered to Congress last year. Escalation likely – comparative to nuclear weapons Stephen Dycus, 2010, Professor of national security law at Vermont Law School, former member of the National Academies committee on cyber warfare, LLM, Harvard University, LLB, BA, Southern Methodist University, “Congress’ Role in Cyber Warfare,” Journal of National Security Law & Policy, 4(1), 2010, p.161164, http://www.jnslp.com/read/vol4no1/11_Dycus.pdf In other ways, cyber weapons are critically different from their nuclear counterparts. For one thing, the time frame for response to a cyber attack might be much narrower. A nuclear weapon delivered by a land-based ICBM could take 30 minutes to reach its target. An electronic attack would arrive instantaneously, and leave no time to consult with or even inform anyone outside the executive branch before launching a counterstrike, if that were U.S. policy. Cyber attacks escalate Sean Lawson 2009 assistant professor in the Department of Communication at the University of Utah, Cross-Domain Response to Cyber Attacks and the Threat of Conflict, http://www.seanlawson.net/?p=47 At a time when it seems impossible to avoid the seemingly growing hysteria over the threat of cyber war,[1] network security expert Marcus Ranum delivered a refreshing talk recently, “The Problem with Cyber War,” that took a critical look at a number of the assumptions underlying contemporary cybersecurity discourse in the United States. 
He addressed one issue in particular that I would like to riff on here, the issue of conflict escalation–i.e. the possibility that offensive use of cyber attacks could escalate to the use of physical force. As I will show, his concerns are entirely legitimate as current U.S. military cyber doctrine assumes the possibility of what I call “cross-domain responses” to cyberattacks. Backing Your Adversary (Mentally) into a Corner Based on the premise that completely blinding a potential adversary is a good indicator to that adversary that an attack is imminent, Ranum has argued that “The best thing that you could possibly do if you want to start World War III is launch a cyber attack. [...] When people talk about cyber war like it’s a practical thing, what they’re really doing is messing with the OK button for starting World War III. We need to get them to sit the f-k down and shut the f-k up.” [2] He is making a point similar to one that I have made in the past: Taking away an adversary’s ability to make rational decisions could backfire. [3] For example, Gregory Witol cautions that “attacking the decision maker’s ability to perform rational calculations may cause more problems than it hopes to resolve… Removing the capacity for rational action may result in completely unforeseen consequences, including longer and bloodier battles than may otherwise have been.” [4] Cross-Domain Response So, from a theoretical standpoint, I think his concerns are well founded. But the current state of U.S. policy may be cause for even greater concern. It’s not just worrisome that a hypothetical blinding attack via cyberspace could send a signal of imminent attack and therefore trigger an irrational response from the adversary. What is also cause for concern is that current U.S. policy indicates that “kinetic attacks” (i.e. physical use of force) are seen as potentially legitimate responses to cyber attacks. Most worrisome is that current U.S.
policy implies that a nuclear response is possible, something that policy makers have not denied in recent press reports. The reason, in part, is that the U.S. defense community has increasingly come to see cyberspace as a “domain of warfare” equivalent to air, land, sea, and space. The definition of cyberspace as its own domain of warfare helps in its own right to blur the online/offline, physical-space/cyberspace boundary. But thinking logically about the potential consequences of this framing leads to some disconcerting conclusions. If cyberspace is a domain of warfare, then it becomes possible to define “cyber attacks” (whatever those may be said to entail) as acts of war. But what happens if the U.S. is attacked in any of the other domains? It retaliates. But it usually does not respond only within the domain in which it was attacked. Rather, responses are typically “cross-domain responses”–i.e. a massive bombing on U.S. soil or vital U.S. interests abroad (e.g. think 9/11 or Pearl Harbor) might lead to air strikes against the attacker. Even more likely given a U.S. military “way of warfare” that emphasizes multidimensional, “joint” operations is a massive conventional (i.e. non-nuclear) response against the attacker in all domains (air, land, sea, space), simultaneously. The possibility of “kinetic action” in response to cyber attack, or as part of offensive U.S. cyber operations, is part of the current (2006) National Military Strategy for Cyberspace Operations [5]: (U) Kinetic Actions. DOD will conduct kinetic missions to preserve freedom of action and strategic advantage in cyberspace. Kinetic actions can be either offensive or defensive and used in conjunction with other mission areas to achieve optimal military effects. Of course, the possibility that a cyber attack on the U.S. could lead to a U.S. nuclear reply constitutes possibly the ultimate in “cross-domain response.” And while this may seem far fetched, it has not been ruled out by U.S. 
defense policy makers and is, in fact, implied in current U.S. defense policy documents. From the National Military Strategy of the United States (2004): “The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical ‘weapons’. They may rely more on disruptive impact than destructive kinetic effects. For example, cyber attacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.” [6] The authors of a 2009 National Academies of Science report on cyberwarfare respond to this by saying, “Coupled with the declaratory policy on nuclear weapons described earlier, this statement implies that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattacks (namely, cyberattacks with devastating impacts) may be possible. It also sets a relevant scale–a cyberattack that has an impact larger than that associated with a relatively small release of a lethal agent is regarded with the same or greater seriousness.” [7] I - Cyber attacks on the grid Grid is vulnerable now and an attack on the grid by terrorists would cripple society Stuart Poole-Robb, 7-4-2015, "National power grids hit by cyber terrorist onslaught," ITProPortal, http://www.itproportal.com/2015/04/07/cyber-terrorists-target-national-power-grids/ An analysis of federal energy records has revealed that parts of the US power grid are attacked online or in person every few days. This threat is now also looming over major cities outside the US such as London.
After analysing federal data and surveying more than 50 electric utilities, USA Today described the power grid as vulnerable to a major outage that could affect millions. Although a cyberattack has not yet caused a major loss of power, the mechanisms guarding the grid undergo small hacks multiple times a week. The Department of Homeland Security was alerted to 151 energy-related “cyber incidents” in 2013, up from 111 in 2012. But, since 2013, the attacks have escalated hugely with probes now continuously taking place, according to the Edison Electric Institute. The massive power outage that occurred across the US NorthEast in 2003 is evidence that national power grids in even the most developed countries are vulnerable to cyber attacks. While no one at the time thought of attributing the widespread outage to a cyber attack, investigations revealed that the outage was originally caused by a software bug in the alarm system at a control room of the FirstEnergy Corporation, located in Ohio. The failed alarm left operators unaware of the need to re-distribute power after overloaded transmission lines hit some trees. This triggered a race condition in the control software and the local blackout cascaded into a widespread power outage. There are now growing fears on both sides of the Atlantic that terrorist groups or hostile governments might be behind the repeated attempts to hack into the power grids’ control systems. Other possibilities include that of an organised criminal gang (OCG) using the threat of repeated power outages to hold a city such as New York or London to ransom. A group of terrorist hackers located in Iran called Parastoo is already known to be actively recruiting software engineers with precisely those skills needed to bring down the power supply in a major city such as New York or London. Parastoo has already been linked to a military-style attack on an electric power station, the PG&E Metcalf substation in California on 16 April 2013. 
Parastoo now claims it has been testing national critical infrastructure using cyber vectors. Although cities in the US and Europe appear equally vulnerable to a determined cyber attack, the US national grid is particularly at risk. Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission warns that the power grid is currently “too susceptible to a cascading outage” because of its reliance on a small number of critical substations and other physical equipment. Such an attack could leave areas populated by millions of Americans without power. The US national grid operates as an interdependent network and, if one element fails, energy must be drawn from other geographical areas. It is an essentially old-fashioned system which predates the era of cyber terrorism. A determined cyber attack by a group such as Parastoo would involve ensuring that multiple parts of the US Grid failed at the same time. If successful, this type of attack would result in what has been called “a cascading effect” that could rob millions of people of power for weeks, perhaps even longer. According to Wellinghoff, “Those critical nodes can, in fact, be attacked in one way or another. You have a very vulnerable system that will continue to be vulnerable until we figure out a way to break it out into more distributed systems.” It is easy to underestimate the potentially devastating effect that a major power outage lasting weeks might have on a city such as London or New York. It would not merely be a question of lost production and a rush in the shops for torches as happened in the UK during the energy workers’ strikes in the early 1970s. Today’s economy and society is far more electronic and computerised than that of four decades ago. Our financial systems are powered by highly-sophisticated real time computer systems, as are all the cash dispensers. 
A major power outage could also cripple shop tills and retail security systems, meaning that most shops and stores would be forced to close until the power was restored. Cyber attack on the grid would cause death and collapse the economy; all infrastructure at risk. Kevin Mandi, 2-19-2013, "Successful hacker attack could cripple U.S. infrastructure, experts say," NBC News, http://usnews.nbcnews.com/_news/2013/02/19/17019005-successful-hacker-attack-couldcripple-us-infrastructure-experts-say?lite A report tying the Chinese military to computer attacks against American interests has sent a chill through cyber-security experts, who worry that the very lifelines of the United States — its energy pipelines, its water supply, its banks — are increasingly at risk. The experts say that a successful hacker attack taking out just a part of the nation’s electrical grid, or crippling financial institutions for several days, could sow panic or even lead to loss of life. “I call it cyberterrorism that makes 9/11 pale in comparison,” Rep. Mike Rogers, a Michigan Republican and chair of the House Intelligence Committee, told NBC News on Tuesday. An American computer security company, Mandiant, reported with near certainty that members of a sophisticated Chinese hacking group work out of the headquarters of a unit of the Chinese army outside Shanghai. The report was first detailed in The New York Times, which said that the hacking group’s focus was increasingly on companies that work with American infrastructure, including the power grid, gas lines and waterworks. The Chinese embassy in Washington told The Times that its government does not engage in computer hacking. As reported, the Chinese attacks constitute a sort of asymmetrical cyberwarfare, analysts said, because they bring the force of the Chinese government and military against private companies. 
“To us that’s crossing a line into a class of victim that’s not prepared to withstand that type of attack,” Grady Summers, a Mandiant vice president, said on the MSNBC program “Andrea Mitchell Reports.” The report comes as government officials and outside security experts alike are sounding ever-louder alarms about the vulnerability of the systems that make everyday life in the United States possible. Power grid super vulnerable – empirics prove risk Pierluigi Paganini, 7-4-2015, Works as a director at European Union Agency for Network and Information Security and is a fellow at the EUROPEAN CENTRE FOR INFORMATION POLICY & SECURITY, "US power grid vulnerable to cyber-attacks," Security Affairs, http://securityaffairs.co/wordpress/38296/security/us-power-grid-vulnerable.html Security experts and US politicians are aware that the power grid is vulnerable to a terrorist attack. Nation’s power grid is a privileged target for terrorists as explained by the former Secretary of Defense William Cohen: “It’s possible and whether it’s likely to happen soon remains to be seen,” said Cohen on Monday on “The Steve Malzberg Show.” A major attack on the power grid would cause chaos in the country by interrupting vital services for the population, the former government official said. Not only cyber attacks are threatening the vulnerable power grid, natural disasters, such as the solar storm known as the Carrington Event, could also interfere or disrupt the power delivery system nationwide. Terrorists have several options to hit a power grid, from a cyber attack on SCADA systems to an EMP attack, according to Cohen. “You can do it through cyber attacks, and that’s the real threat coming up as well. We have to look at cyber attacks being able to shut down our power grid, which you have to remember is in the private sector’s hands, not the government’s. And we’re vulnerable,” Cohen added. 
“It’s possible and whether it’s likely to happen soon remains to be seen.” “That’s because the technology continues to expand and terrorism has become democratized. Many, many people across the globe now have access to information which allows them to be able to put together a very destructive means of carrying out their terrorist plans. We’re better at detecting than we were in the past. We’re much more focused in integrating and sharing the information that we have, but we’re still vulnerable and we’ll continue to be vulnerable as long as groups can operate either on the margins or covertly to build these kind of campaigns of terror.” said Cohen. Former Department of Homeland Security Secretary Janet Napolitano shared the same Cohen’s concerns, a major cyber attack the power grid was a matter of “when,” not “if.” State-sponsored hackers, cyber terrorists are the main threat actors, but as confirmed by a recent research conducted by TrendMicro, also the cybercrime represents a serious menace. Former senior CIA analyst and EMP Task Force On National Homeland Security Director, Dr. Peter Vincent Pry, told Newsmax TV that a cyber attack against the power grid could cause serious destruction and losses of lives. Not only US power grid are under attack, in January 2015 the British Parliament revealed that UK Power Grid is under cyber attack from foreign hackers, but the emergency is for critical infrastructure worldwide. Attacks on the grid would be devastating Tara Dodrill, 06-30-2015, "Power Grid Vulnerable To Cyber Attack, Former Defense Secretary Says," Inquisitr News, http://www.inquisitr.com/2213678/power-grid-vulnerable-to-cyber-attackformer-defense-secretary-says/ The power grid is vulnerable to a terrorist attack, former Secretary of Defense William Cohen said.
A direct assault on the electrical system would cause chaos and civil unrest throughout the country, the former government official said. Natural disasters, such as Carrington Event-level solar flares, could also take down the power delivery system nationwide. William Cohen was a Republican Senator from Maine and is currently serving as the CEO and chairman of The Cohen Group. Cohen recently released a new thriller, Collision, which is published by Forge Books. Cohen served as Secretary of Defense under President Bill Clinton from 1997-2001. The destruction of the power grid by terrorists would not necessarily have to involve an EMP attack, according to Cohen. “You can do it through cyber attacks, and that’s the real threat coming up as well. We have to look at cyber attacks being able to shut down our power grid, which you have to remember is in the private sector’s hands, not the government’s. And we’re vulnerable,” the former Secretary of Defense added. “It’s possible and whether it’s likely to happen soon remains to be seen.” As previously reported by the Inquisitr, former Department of Homeland Security Secretary Janet Napolitano said that a cyber attack on the power grid was a matter of “when,” not “if.” Former senior CIA analyst and EMP Task Force On National Homeland Security Director, Dr. Peter Vincent Pry, told Newsmax TV that America is a “sitting duck” for a terror attack that could completely destroy the power grid and take the lives of every nine out of ten Americans in the process. William Cohen detailed the power grid threats and what role modern technology could play in a terror attack that would leave all of America sitting in the dark. “That’s because the technology continues to expand and terrorism has become democratized. Many, many people across the globe now have access to information which allows them to be able to put together a very destructive means of carrying out their terrorist plans. We’re better at detecting than we were in the past.
We’re much more focused in integrating and sharing the information that we have, but we’re still vulnerable and we’ll continue to be vulnerable as long as groups can operate either on the margins or covertly to build these kind of campaigns of terror.” The American Society of Civil Engineers (ASCE) reviewed the soundness and functionality of the power grid, and gave the vital piece of infrastructure a barely passing grade of “D+.” The rating means the power grid is in “poor to fair condition and mostly below standard, with many elements approaching the end of their service life.” The ASCE review also revealed that a “large portion of the system exhibits significant deterioration” with a “strong risk of failure.” I - Grid attacks escalate Grid attacks cause nuclear war Robert Tilford 12, Graduate US Army Airborne School, Ft. Benning, Georgia, “Cyber attackers could shut down the electric grid for the entire east coast” 2012, http://www.examiner.com/article/cyberattackers-could-easily-shut-down-the-electric-grid-for-the-entire-east-coa ***we don’t agree with the ableist language To make matters worse a cyber attack that can take out a civilian power grid, for example could also cripple destroy the U.S. military.¶ The senator notes that is that the same power grids that supply cities and towns, stores and gas stations, cell towers and heart monitors also power “every military base in our country.”¶ “Although bases would be prepared to weather a short power outage with backup diesel generators, within hours, not days, fuel supplies would run out”, he said.¶ Which means military command and control centers could go dark.¶ Radar systems that detect air threats to our country would shut down completely.¶ “Communication between commanders and their troops would also go silent.
And many weapons systems would be left without either fuel or electric power”, said Senator Grassley.¶ “So in a few short hours or days, the mightiest military in the world would be left scrambling to maintain base functions”, he said.¶ We contacted the Pentagon and officials confirmed the threat of a cyber attack is something very real.¶ Top national security officials—including the Chairman of the Joint Chiefs, the Director of the National Security Agency, the Secretary of Defense, and the CIA Director— have said, “preventing a cyber attack and improving the nation’s electric grids is among the most urgent priorities of our country” (source: Congressional Record).¶ So how serious is the Pentagon taking all this?¶ Enough to start, or end a war over it, for sure.¶ A cyber attack today against the US could very well be seen as an “Act of War” and could be met with a “full scale” US military response.¶ That could include the use of “nuclear weapons”, if authorized by the President. Blackouts escalate to nuke war Andres and Breetz 11 Richard B, Professor of National Security Strategy at the National War College and a Senior Fellow and Energy and Environmental Security and Policy Chair in the Center for Strategic Research, Institute for National Strategic Studies, at the National Defense University and Hanna L, doctoral candidate in the Department of Political Science at The Massachusetts Institute of Technology, February, "Small Nuclear Reactors for Military Installations: Capabilities, Costs, and Technological Implications", www.ndu.edu/press/lib/pdf/StrForum/SF-262.pdf Government and private organizations are currently working to secure the grid against attacks; however, it is not clear that they will be successful. Most military bases currently have backup power that allows them to function for a period of hours or, at most, a few days on their own. If power were not restored after this amount of time, the results could be disastrous.
First, military assets taken offline by the crisis would not be available to help with disaster relief. Second, during an extended blackout, global military operations could be seriously compromised; this disruption would be particularly serious if the blackout was induced during major combat operations. During the Cold War, this type of event was far less likely because the United States and Soviet Union shared the common understanding that blinding an opponent with a grid blackout could escalate to nuclear war. America’s current opponents, however, may not share this fear or be deterred by this possibility.¶ In 2008, the Defense Science Board stressed that DOD should mitigate the electrical grid’s vulnerabilities by turning military installations into “islands” of energy self-sufficiency. The department has made efforts to do so by promoting efficiency programs that lower power consumption on bases and by constructing renewable power generation facilities on selected bases. Unfortunately, these programs will not come close to reaching the goal of islanding the vast majority of bases. Even with massive investment in efficiency and renewables, most bases would not be able to function for more than a few days after the civilian grid went offline.

Cyber attack hurts economy

Cyber-attacks are the biggest threat to our economy

Ed Moy, 7-6-2015, "Cyber Attacks Pose Biggest Unrecognized Threat to Economy," Newsmax, http://www.newsmax.com/Finance/Ed-Moy/cyber-attack-terrorism-economy/2015/05/07/id/643241/

There is no shortage of threats to the U.S. economy: fragile growth, increasing regulation, the timing of the Fed’s raising interest rates, White House and congressional inaction, out-of-control entitlements, and a punitive and complicated tax system. Yet the biggest threat may be one that is least mentioned: cyber attacks. Cyber attacks have been expanding quickly from criminal gain to corporate espionage to ideological warfare. 
And these attacks have been increasing in frequency, scale, sophistication and severity. The primary reason for cyber attacks has been financial gain. Criminals go where the money is and there is easy money using personal data to commit fraud. Credit card data are sold to other criminals who use them to make purchases. Medical data are used to create new personal identities for credit card and bank fraud. Health insurance information is used to make false claims, access addictive prescription drugs and get free medical treatment. As a result, stealing personal data has reached epidemic proportions. The numbers from recent data breaches are staggering: credit card information from 56 million Home Depot and 70 million Target customers, 145 million login credentials from eBay, contact information for 76 million J.P. Morgan Chase customers and 80 million Anthem customers. Even small companies are not immune to these cyber attacks. From card skimmers to point-of-sale intrusions, data theft rings have targeted relatively unprotected small businesses as a new and vast profit center. The economic costs are monumental. It costs the breached organization an average of $200 per compromised record, mostly from business disruption and revenue loss. That does not include intangible costs like losing customer loyalty or hurting a company’s brand. To add insult to injury, corporate espionage attacks are increasing. Stealing intellectual property and spying on competitors comprises a growing number of attacks and come at huge costs to the company that has been hacked. And the big difference with corporate spying is that the attacker usually does not give up until they are successful. Finally, and most dangerous, are ideologically and politically motivated attacks. Cyber attacks have proven that computers are very vulnerable. But like any profit-driven enterprise, criminals and corporations are adverse to killing the goose that lays their golden eggs. 
Even nation states like China and Russia may be too co-dependent on the U.S. But the growth of ideologically driven movements is changing the risk. It is not a huge leap of imagination to envision a radical environmental group hacking into our energy infrastructure. Or terrorist groups like ISIS, Boko Haram and al Qaeda wanting to bring down our banking system. Ideological or political enemies can exploit the same vulnerabilities but have no remorse about maiming or killing the goose. In the recent annual threat assessment delivered to Congress, the National Director of Intelligence said that cyber attacks by politically and criminally motivated actors are the biggest threat to U.S. national security. In this brave new world, the good guys are playing catch up to the bad guys, who seem to always be one step ahead.

Cyberterrorism turns both the economy and surveillance

Patrick Tucker 2014 [Patrick - technology editor for Defense One. He’s also the author of The Naked Future: What Happens in a World That Anticipates Your Every Move? “Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict”, Defense One, 10/29/14, http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significant-loss-life-2025experts-predict/97688/]

Signals Intelligence, CyberWar and You

You may believe that a major cyber attack is likely to occur between now and 2025, or you may view the entire cyber menace as a scheme by security software companies. (The truth may be a mixture of both.) However, one thing that the threat of cyberwar will certainly do is increase the amount of computer, and particularly network government, surveillance to detect “anomalous behaviors,” possibly related to cyber attacks. The same recently released Pentagon paper on offensive cyber operations made a pointed mention of networks and the cloud as a potential source of signals intelligence of relevance to cyber-operators. 
Networks were “a primary target for signals intelligence (SIGINT), including computer network exploitation (CNE), measurement and signature intelligence, open source intelligence, and human intelligence.” Make no mistake, signals intelligence collection means watching how individuals behave online. As for the Pew’s 2025 date, Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, told Defense One that he considered it to be arbitrary. “We just don’t have a clue when it’s going to happen,” he said, adding that a single cyber attack on the scale of Pearl Harbor frightened him less than the prospect of a massive cyber failure, absent of malice but with real-time market implications. “I’m less concerned about attacks and more about a shock” of the size of a major market collapse, he said and argued that pre-occupation with a “cyber Pearl Harbor” ignores the “larger complexity” of the issue. “What do we do if one of these IT companies that’s too big to fail has a Lehman Brother’s moment? The data was there on Monday and is gone on Friday? If a major cloud provider fails, how do we get our data back?” While Healey was incredulous that a country like Russia would launch a cyber attack resulting in loss of life, he acknowledged that much has changed between today and 1991 when the electronic Pearl Harbor concept first emerged. And the changes are coming only more rapidly, as are potential vulnerabilities. “The more that we plug things to the Internet, things of concrete and steel and connect them to the Internet, the more likely we are to get ourselves into the state where this will happen in 2025. The dynamic that will make that more and more true is the Internet of Things,” he said.

Cyber attacks could potentially cause millions in damage. Next 3 years are critical.

Patricia Burke 7/1/15 Burke is a writer for CEO Insight “CIOs Need to Address Growing Cyber-Crime Threats” http://www.cioinsight.com/security/cios-need-to-address-growing-cyber-crime-threats.html / EM

Aside from a communications gap, increased cyber-attacks will cost enterprises millions, and not just because of down time and lost productivity. Within three years, due to the increase in cyber-attacks and cyber-terrorism, organizations will be facing the need to invest more in compliance with mandates on critical infrastructure protection and national cyber-defense strategies, according to the report. The study, titled “The Global Megatrends in Cybersecurity 2015,” questioned 1,006 cyber security CIOs, CISOs and senior IT leaders. It revealed that within the current state of cyber-security across surveyed organizations:
* Less than one-half of respondents (47 percent) believe their organizations take appropriate steps to comply with the leading cyber-security standards.
* Only one-third of those surveyed believe their organizations are prepared to deal with the cyber-security risks associated with the Internet of things (IoT) and the proliferation of IoT devices.
* Fewer than half of all respondents (47 percent) said their organizations have sufficient resources to meet cyber-security requirements.
* Two-thirds (66 percent) of those surveyed indicated their organizations need more knowledgeable and experienced cyber-security practitioners.
“You don’t have to wait until you’re attacked to take cyber-security seriously,” said Jack Harrington, vice president of cyber-security and special missions at Raytheon Intelligence, Information and Services. “Rallying around the cyber-security issue is critical to address the real threats we face as a global society.” Many security leaders believe the next three years will determine if organizations can win the cyber-war, according to the study. 
Understanding the trends that will impact organizations will help IT leaders make more informed decisions about investments in people, processes and technologies.

Cyber-attacks will destroy the economy

Carter Dougherty, 8-30-2014, "Next Big Bailout for U.S. Banks Could Be Forced by Cyber-Attack," Bloomberg, http://www.bloomberg.com/news/articles/2014-08-29/next-u-s-bank-bailout-could-come-after-acyber-terror-attack

Bankers and U.S. officials have warned that cyber-terrorists will try to wreck the financial system’s computer networks. What they aren’t saying publicly is that taxpayers will probably have to cover much of the damage. Even if customers don’t lose money from a hacking assault on JPMorgan Chase & Co., the episode is a reminder that banks with the most sophisticated defenses are vulnerable. Treasury Department officials have quietly told bank insurers that in the event of a cataclysmic attack, they would activate a government backstop that doesn’t explicitly cover electronic intrusions, two people briefed on the talks said. “I can’t foresee a situation where the president wouldn’t do something via executive order,” said Edward DeMarco, general counsel of the Risk Management Association, a professional group of the banking industry. “All we’re talking about is the difference between the destruction of tangible property and intangible property.” The attack on New York-based JPMorgan, though limited in scope, underscored how cyber assaults are evolving in ferocity and sophistication, and turning more political, possibly as a prelude to the sort of event DeMarco describes. Not simply an effort to steal money, the attack looted the bank of gigabytes of data from deep within JPMorgan’s network. And bank security officials believe the hackers may have been aided by the Russian government, possibly as retribution for U.S. sanctions over the Ukraine war.

Cyber-crime will collapse the economy

Matt Egan, 7-22-2013, "Report: Cyber Crime Costs Global Economy Up to $500B a Year," Fox Business, http://www.foxbusiness.com/technology/2013/07/22/report-cyber-crime-costs-global-economy-up-to1-trillion-year/

Cyber evildoers are inflicting serious damage to the world’s already-sluggish economy. According to a newly-released report sponsored by McAfee, global cyber activity is costing up to $500 billion each year, which is almost as much as the estimated cost of drug trafficking. In the U.S. alone, the report estimates that cyber crime is the catalyst behind the loss of as many as 500,000 jobs as companies grapple with the loss of coveted intellectual property, confidential strategies that are snooped on, and suffer reputational harm. “Extracting value from the computers of unsuspecting companies and government agencies is a big business,” the 20-page report from McAfee and the Center for Strategic and International Studies says. “These losses could just be the cost of doing business or they could be a major new risk for companies and nations as these illicit acquisitions damage global economic competitiveness and undermine technological advantage," the report said.

Biggest threat

Cyberwarfare is a bigger threat than terrorism - Experts agree

Michael Pizzi, 1-7-2014, "Cyberwarfare greater threat to US than terrorism, say security experts," No Publication, http://america.aljazeera.com/articles/2014/1/7/defense-leaderssaycyberwarfaregreatestthreattous.html

Cyberwarfare is the greatest threat facing the United States – outstripping even terrorism – according to defense, military, and national security leaders in a Defense News poll, a sign that hawkish warnings about an imminent “cyber Pearl Harbor” have been absorbed in defense circles. That warning, issued by then Secretary of Defense Leon Panetta in Oct. 
2012, struck many as a fear-mongering plug for defense and intelligence funding at a moment when many in the United States, including 32 percent of those polled by the same Defense News Leadership Poll, believe the government spends too much on defense. But 45 percent of the 352 industry leaders polled said cyberwarfare is the gravest danger to the U.S., underlining the government’s shift in priority – and resources – towards the burgeoning digital arena of warfare. In 2010, the Pentagon created the U.S. Cyber Command, under the helm of NSA director Gen. Keith Alexander, to better prepare the U.S. for a potential attack on digital infrastructure. Later that year, U.S. Deputy Secretary of Defense William Lynn said cyberspace had become “just as critical to military operations as land, sea, air, and space.” The nebulous term "cyberwarfare" refers to full-on conflict between countries or terror groups featuring digital attacks on computer systems. But its more devastating, violent impacts are considered by many analysts to be largely theoretical at this point. Looming fears of cyber attacks on pacemakers of world leaders, for instance, have inspired movie plots and television shows but are not known to have occurred, noted Morgan Marquis-Boire, a security researcher at the University of Toronto's Citizen Lab. “At the moment, this is all set in the realm of science fiction." Marquis-Boire said the most kinetic cyberattack to date was probably the Stuxnet worm that attacked Iran’s Natanz nuclear enrichment facility in 2010, stoking fears of a cyber-triggered nuclear terror attack. In the U.S., the most prominent cyber attacks have targeted websites, including the Syrian Electronic Army's infamous White House bomb hoax that briefly caused a 140-point drop in the Dow Jones Industrial Average. But the classic fear is that enemy hackers – from countries like Iran, China, or Russia – could infiltrate the U.S. 
power grid, shutting down government agencies, crashing planes into buildings, and grinding the economy to a halt. And though it has yet to happen, security experts say a large-scale attack on the U.S. power grid that could inflict mass casualties is within the realm of possibility. The North American Electric Reliability Corporation reported in 2009 that the U.S. grid remains susceptible to infiltration despite substantial government investment in securing it. “We do have a security problem whereby life is rushing towards the Internet faster than we’re developing Internet security,” said Marquis-Boire. “Many of these systems weren’t built in a cyberwarfare age. We weren’t worried about cyberwarfare when we built the national power grid, and it’s difficult to retrofit security.” The impact of such an attack could be devastating. Massive power outages could not only unleash chaos, they could also distract from a simultaneous military – or terrorist – attack. That latter concern – that cyber war tactics might blur with traditional terrorism – were underlined in June 2012, when information security expert Eugene Kaspersky announced his lab’s discovery of the Flame virus that targeted computers in Iran. “It’s not cyber war, its cyber terrorism and I’m afraid it’s just the beginning of the game,” Kaspersky said at a conference in Tel Aviv. “I’m afraid it will be the end of the world as we know it.” A few months later, Panetta compounded fears when he warned of a “new, profound sense of vulnerability” in the U.S. due to the prospect of cyberwarfare. But with the exception of several high-profile hacking incidents of websites, the American public has yet to experience any sort of large-scale attack on U.S. infrastructure, let alone American lives. Despite the improbability of a full-on cyber conflict, analysts say they are not surprised the nebulous threat posed by cyberwarfare has struck fear in American hearts. 
"The capability is out there to launch a large-scale cyberattack resulting in loss of life or property damage, and potential targets are in some sense infinite, because everything is connected to computers in one way or the other,” said Tara Maller, a research fellow with the National Security Studies program at the New America Foundation and a former military analyst for the CIA. "But do I think it is very likely another country would launch a cyber attack of this type on the U.S. right now? No, because I think there is some level of cyber deterrence that exists between states," she said. The prospect of cyberwarfare between world powers might be compared to a nuclear standoff: Unless geopolitical dynamics shift, it's difficult to envision a viable scenario whereby any state's capacity to wreak havoc and mass casualties is actually deployed. A "cyber" Pearl Harbor – like the real one – could spark a world war. "I don’t think there’s any country right now where tensions are high enough for the state to essentially carry out an act of war against the U.S.," added Maller. "It could make more sense for a terrorist group, but they have more limited capabilities."

Affirmative Answers

Not protected now

The U.S. is very vulnerable – new digital controls, weak cyber security and a lack of professionals prove

Michael Assante, Mr. Assante is director of Industrial Control Systems as well as Supervisory Control and Data Acquisition Networks for the SANS Institute., 11-11-2014, "America's Critical Infrastructure Is Vulnerable To Cyber Attacks," Forbes, http://www.forbes.com/sites/realspin/2014/11/11/americascritical-infrastructure-is-vulnerable-to-cyber-attacks/2/

America’s critical infrastructure—the utilities, refineries, military defense systems, water treatment plants and other facilities on which we depend every day—has become its soft underbelly, the place where we are now most vulnerable to attack. 
Over the past 25 years, hundreds of thousands of analog controls in these facilities have been replaced with digital systems. Digital controls provide facility operators and managers with remote visibility and control over every aspect of their operations, including the flows and pressures in refineries, the generation and transmission of power in the electrical grid, and the temperatures in nuclear cooling towers. In doing so, they have made industrial facilities more efficient and more productive. But the same connectivity that managers use to collect data and control devices allows cyber attackers to get into control system networks to steal sensitive information, disrupt processes, and cause damage to equipment. Hackers, including those in China, Russia and the Middle East, have taken notice. While early control system breaches were random, accidental infections, industrial control systems today have become the object of targeted attacks by skilled and persistent adversaries.

Industrial control systems are being targeted

The recently discovered Industrial Control System modules of the HAVEX trojan are one example. The malware infiltrated an indeterminate number of critical facilities by attaching itself to software updates distributed by control system manufacturers. When facilities downloaded the updates to their network, HAVEX used open communication standards to collect information from control devices and send that information to the attackers for analysis. This type of attack represents a significant threat to confidential production data and corporate intellectual property and may also be an early indicator of an advanced targeted attack on an organization’s production control systems. Other hacks represent a direct threat to the safety of U.S. citizens. Earlier this year, the FBI released information on Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States. 
While the FBI suspects this was a scouting mission, Ugly Gorilla gained the cyber keys necessary for access to systems that regulate the flow of natural gas. Considering that cyber attackers are numerous and persistent—for every one you see there are a hundred you don’t—those developments should sound alarms among executives at companies using industrial controls and with the people responsible for protecting American citizens from attacks. To their credit, both businesses and the U.S. government have begun to take action; however, neither is adequately addressing the core of the issue.

The threat isn’t static

Businesses continue to believe that cybersecurity issues can be addressed solely through technology. The problem was created by technology so the solution must be more technology, they reason, ignoring the spirit of Einstein’s observation that “no problem can be solved from the same level of consciousness that created it.” Technology is static and the threat is not. Hackers will always find a way to beat technology-based solutions. That’s why we have to do more than create barriers to keep out intruders. We have to man our digital borders with people who have the same skill and determination as the attackers. Similar to the use of technology, the ability to regulate a solution is inherently limited. Regulation creates a compliance mentality in which policies and investments are based on achieving and maintaining compliance. Compliance is predictable, which makes it the hacker’s best friend.

Lack in security professionals who understand both digital security and control system technology

Legislation (HR 3696) has been introduced in the U.S. Congress that would increase the sharing of information related to control system breaches to better arm security professionals to prevent future breaches. 
That is a worthwhile goal; unfortunately, there is a dire lack of security professionals with an understanding of both digital security and control system technology to benefit from this information sharing. Filling this gap is where the lion’s share of the cybersecurity effort must go. It is estimated in the latest Project SHINE report that the United States has more than half a billion control system devices connected to the Internet. The SANS Institute, the largest cybersecurity training organization in the world, estimates that in the U.S. power industry alone thousands of new or existing control systems security professionals must be deployed or further developed in the next five years to adequately address the challenge of control system security within the electric sector.

Cyber-terrorists have the upper hand – major attack is a question of when, not if

Aasha Bodhani, 1-19-2015, Award-winning journalist / Industry Features Editor at The IET, "Cybersecurity: organisations vulnerable to new swathe of attacks in 2015," No Publication, http://eandt.theiet.org/magazine/2015/01/special-report-cyber-security.cfm

2014 was a bad year for cyber security, and experts warn that 2015 could be even worse. The scale of attacks indicates that cyber crime is not only a considerable challenge but that the bad guys are winning. Rather than implement effective security, many organisations are simply gambling that they do not represent an attractive enough target compared with their peers. The cyber world has become an increasingly attractive playground for criminals, activists and terrorists motivated to become noticed, make money, cause havoc or bring down corporations and governments through online attacks. 
In 2013 alone, IBM reported, 1.5 million monitored cyber attacks took place in the US, so it is not a surprise that cyber-security specialist and senior vice president of products at Clearswift Guy Bunker warns: "threats are an everyday event and breaches are 'when' not 'if'." To make matters worse, cyber criminals are not only hacking the obvious such as smartphones, e-health devices and credit card theft; they are beginning to see driverless vehicles, e-cigarettes and smart kitchen appliances as potential targets. Before 2014 got under way, security consultancy Websense predicted a number of attack types would blossom. Its recent '2014 Predictions Accuracy' report shows that the experts had identified some key problems correctly. The report states that as the cloud became the preferred location for storing data, cyber criminals focused their attention on attacking the cloud. Other predictions that appear to have come true include a shift from simple data theft at corporation level to nation-state level, a decrease in the quantity of new malware resulting in more targeted attacks and cyber criminals targeting the weakest links in the information chain, such as third-party vendors, contractors, point-of-sale devices and out-of-date software.

Cyber Risk High – The US fails to implement security.

Tony Kovaleski, Liz Wagner and Mark Villarreal, 2-1-2015, "Critical Infrastructure Vulnerable to Cyber Attack," NBC Bay Area, http://www.nbcbayarea.com/news/local/Critical-InfrastructureVulnerable-to-Cyber-Attacks-Experts-Warn-290370921.html

Recent security breaches at Sony Pictures, Target and Home Depot have put a spotlight on the vulnerabilities of the nation’s cyber systems. But an NBC Bay Area investigation reveals concerns from some of the country’s leading cyber security experts that threats have moved beyond movies, credit cards and bank accounts, to the ability to hack into computer systems that control vital infrastructure. 
For nearly two decades, the United States government has known and warned about potential threats to critical infrastructure, including nuclear plants, electric substations, gas pipelines, transit systems, chemical facilities and drinking water supplies. “It’s those systems, that if we lose them, it’s going to have a serious impact on our way of life,” said Perry Pederson, a Washington, D.C.-based expert on cyber security. In 2007, when Pederson worked for the Department of Homeland Security (DHS), he helped design a government test now known as Project Aurora. The experiment involved hacking into a replica of an Idaho power plant’s control system and causing it to smoke, shake and self-destruct. “It ultimately proved and demonstrated on video that you can destroy physical equipment with a cyberattack,” Pederson said. “It’s a type of vulnerability we should be concerned about.” But Pederson said the United States isn’t employing the lessons learned from the experiment. “Aurora should have been a wakeup call, and we just hit the snooze button and go back to sleep,” Pederson said.

Lack necessary protections against cyber attacks now

Katherine Brocklehurst, 1-27-2015, Working with network security technologies ranging from protocols to core encryption to intrusion detection/prevention to web application firewalls, she’s touched every layer in the ISO model. Katherine is a subject matter expert on security and compliance policies, and works on this every day in the field of security configuration management as senior solutions manager at Tripwire. "Cyberterrorists Attack on Critical Infrastructure Could Be Imminent," State of Security, http://www.tripwire.com/state-of-security/security-data-protection/securitycontrols/cyberterrorists-attack-on-critical-infrastructure-could-be-imminent/

In a November 20, 2014, hearing for the House Intelligence Committee, NSA Director Admiral Michael Rogers said several foreign governments had already hacked into U.S. 
energy, water and fuel distribution systems, potentially damaging essential services, according to Bloomberg. “This is not theoretical,” Rogers said. “This is something real that is impacting our nation and those of our allies and friends every day.”

DHS Warns U.S. Utility Was Hacked

In May 2014, the Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team issued an ICS-CERT report warning of several known attacks against U.S. utilities in the first quarter of 2014. They cited details of one unnamed utility that had been breached and warned U.S. utilities to be on guard for intrusion activity. The complete article on this information is available here.

CYBER THREATS CAN BE PHYSICAL

Increasing cyber threat concerns are having an impact on critical infrastructure organizations because the physical implications have the potential to be catastrophic—cybersecurity rated as the fourth highest issue for energy executives in 2014, up from sixth place in 2013. This shows dramatic progress; it was not even in the top ten concerns for utilities two years ago. According to the 2014 annual report from industry consultants Black & Veatch conducted in May of 2014: “We are seeing an industry that is actively moving forward with the deployment of comprehensive asset protection plans following several high-profile cyber and physical threat events.”

48% OF ELECTRIC UTILITIES SURVEYED NEED CYBER THREAT PROTECTION

Still – a survey of electric utility representatives showed that 48% of respondents indicated they did not have integrated security systems with the “proper segmentation, monitoring and redundancies” needed for cyber threat protection. Only 32% said they had these protections in place.

Surveillance hurts ability to fight cyber attacks

NSA surveillance actually decreases ability to fight cyber-attacks by decreasing the overall security of the internet.

Eduard Kovacs on July 30, 2014 NSA Surveillance Programs Directly Damage Internet Security: Report http://www.securityweek.com/nsa-surveillance-programs-directly-damage-internet-security-report

“The NSA has both weakened overall trust in the network and directly harmed the security of the Internet.” A report published by the New America Foundation’s Open Technology Institute on Tuesday details the impact of NSA surveillance activities on the United States economy, foreign policy and Internet security. There have been numerous discussions on the intelligence agency's controversial spying programs over the past year, ever since former NSA contractor Edward Snowden started leaking classified information obtained from the organization's systems. However, the Open Technology Institute argues that most discussions have revolved around the impact of surveillance programs on privacy and civil liberties, and not so much on how they affect the interests of the United States and the global Internet community. The 64-page paper focuses on the costs to cybersecurity, the direct economic costs to U.S. businesses, the economic and technological costs of data localization and data protection proposals, and political costs to American foreign policy.

Internet Security Weakened by NSA.

Internet security has been greatly impacted by NSA spying because in addition to monitoring online communications, the agency has been involved in various activities that, according to the authors of the report, "fundamentally threaten the basic security of the Internet." For example, the report points to the NSA's attempts to intentionally weaken critical cryptographic standards. One of these algorithms was until recently included in cryptographic libraries used by default by RSA and other companies. 
The agency is also said to be spending hundreds of millions of dollars on getting companies to intentionally create backdoors in their products, including communication devices, commercial encryption systems and IT networks. In addition to getting companies to insert security holes into their products, the NSA keeps information about zero-day vulnerabilities to itself, instead of notifying the companies whose solutions are affected. This leaves organizations and regular users exposed to attacks from the NSA, and also from other entities that might have knowledge of the flaws, the report said. The Open Technology Institute believes costs to cybersecurity also stem from the activities of the NSA's Tailored Access Operations (TAO) unit, whose employees rely on an aggressive set of tools to hack into computers, phones, routers and even SCADA systems. One of the tactics used by this unit involves targeting networks and network providers, including the undersea cables that carry Internet traffic between continents. The TAO unit is also said to have impersonated several major US companies, including Facebook and LinkedIn, in an effort to insert malware and steal sensitive information.

NSA surveillance undermines our ability to prevent cyber attacks

DAVID HAMILTON NOV 18, 2014 The Real Lesson From Recent Cyberattacks: Let's Break Up The NSA It's supposed to guard against cyberintrusion. Remember? http://readwrite.com/2014/11/18/hackingcyber-attack-break-up-the-nsa

Over the weekend, the U.S. State Department shut down its unclassified email network after finding evidence that hackers might have been prowling around. It's in good company: In the past several weeks, hackers have poked around in computers at the White House, the Postal Service and the National Weather Service—not to mention JPMorgan and nine other big banks. If only there was a federal agency dedicated to protecting federal information systems and critical U.S. 
infrastructure from criminals and foreign attackers. Oh, wait—there is. It's the National Security Agency. And to all appearances, it's botched the job so badly you'd think it wasn't really trying in the first place. Maybe it wasn't. The NSA has historically been a house divided against itself. On one side, it ostensibly works to "ensure appropriate security solutions are in place to protect and defend information systems, as well as our nation’s critical infrastructure." This mission, the NSA says, aims to ensure "confidence in cyberspace." Then there's the other side of the NSA, which listens in on the communications of U.S. adversaries, conducts mass surveillance of Americans and foreigners and undertakes military-style cyber attacks against other nations and alleged terrorists. Oh, and that also deliberately tries to undermine security tools used to guard both civilian and government systems against intrusion. For instance, the NSA's secret 2013 budget request—provided by Edward Snowden and published by the New York Times, ProPublica and other outlets a year ago—revealed that the agency seeks to "introduce vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communication devices used by targets." In other words, the NSA routinely undermines the security tools that government agencies, businesses and consumer services use to protect messages and data from attackers. It's a little as if car makers were surreptitiously making it easier for repo men to unlock and drive away your vehicle—right in the midst of an auto-theft epidemic. The NSA apparently does this in the misguided belief that its own spooks will be the only ones to notice and exploit these vulnerabilities. But criminals and foreign governments are smart, too, and just as eager to exploit security holes created by accident or design. 
In 2010, for instance, Chinese hackers were able to break into individual Gmail accounts by using "secret" backdoors that Google had installed specifically to comply with U.S. government search-warrant requests.

NSA surveillance undermines protection from cyber-attacks.

LeakSource, 2015 What Goes Around Comes Around: NSA Cyberattacks Helping Other Countries (Iran) Learn to Hack Better http://leaksource.info/2015/02/16/what-goes-around-comes-around-nsacyberattacks-helping-other-countries-iran-learn-to-hack-better/

The NSA’s concern of inadvertently aiding Iran’s cyberattack capabilities is striking given the government’s recent warning about the ability of adversaries to develop more advanced viruses. A top official at the Pentagon’s Defense Advanced Research Projects Agency (DARPA) appeared on 60 Minutes this Sunday and claimed that cyberattacks against the U.S. military are becoming more potent. “The sophistication of the attacks is increasing,” warned Dan Kaufman, director of DARPA’s Information Innovation Office. The NSA document suggests that offensive cyberattacks on other states do not merely provoke counterattacks—those attacks can teach adversaries how to launch their own. “Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions, and is currently in the third phase of a series of such attacks that began in August 2012,” the document says. “SIGINT indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.” This would not be the first time the U.S. has inadvertently assisted Iran’s attack capabilities. 
Last month, former CIA officer Jeffrey Sterling was convicted of multiple felony counts for telling New York Times reporter James Risen about an agency program designed to feed Iran false data about nuclear engineering in order to create setbacks, but which instead may have provided useful information the Iranians were able to exploit to advance their nuclear research. As of 2013, the NSA said that while it had no indications “that Iran plans to conduct such an attack against a U.S. or UK target, we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.” The NSA “can’t comment or speculate on the motivations of those who aim to harm the United States or our allies,” a spokesperson for the agency said. “The National Security Agency works with foreign partners to protect our interests and citizens in cyberspace.”

NSA surveillance efforts compromise our ability to improve cybersecurity

Danielle Kehl How the NSA Hurts Our Economy, Cybersecurity, and Foreign Policy 2014 http://www.slate.com/blogs/future_tense/2014/07/31/usa_freedom_act_update_how_the_nsa_hurts_our_economy_cybersecurity_and_foreign.html

Lastly, there’s growing evidence that certain NSA surveillance techniques are actually bad for cybersecurity. As the Institute of Electrical and Electronics Engineers recently explained: “The United States might have compromised both security and privacy in a failed attempt to improve security.” We’ve learned in the past year that the NSA has been deliberately weakening the security of the Internet, including commercial products that we rely on every day, in order to improve its own spying capabilities. 
The agency has apparently tried everything from secretly undermining essential encryption tools and standards to inserting backdoors into widely used computer hardware and software products, stockpiling vulnerabilities in commercial software, and building a vast network of spyware inserted onto computers and routers around the world. A former U.S. ambassador to the U.N. Human Rights Council, Eileen Donahoe, wrote a forceful article back in March about how the NSA’s actions threaten our national security.

The NSA weakens encryption and increases risk of cyber attack

Matt Buchanan, 9-6-2013, "How the N.S.A. Cracked the Web," New Yorker, http://www.newyorker.com/tech/elements/how-the-n-s-a-cracked-the-web

It’s been nearly three months since Edward Snowden started telling the world about the National Security Agency’s mass surveillance of global communications. But the latest disclosures, by the Guardian, New York Times, and ProPublica are perhaps the most profound yet: the N.S.A. and its partner agency in the United Kingdom, the Government Communications Headquarters, possess significant capabilities to circumvent widely used encryption software in order to access private data. Encryption poses a problem for intelligence agencies by scrambling data with a secret code so that even if they, or any other third-party, manages to capture it, they cannot read it—unless they possess the key to decrypt it or have the ability to crack the encryption scheme. Encryption has become only more pervasive in the decade since the N.S.A.’s “aggressive, multipronged effort to break widely used Internet encryption technologies” began in 2000. When you log into Gmail or Facebook, chat over iMessage, or check your bank account, the data is typically encrypted. 
This is because encryption is vital for everyday Web transactions; if for instance, you were to log in to your Gmail account using a park’s open wireless network and your username and password were transmitted in plain form, without being encrypted, your credentials could potentially be captured by anyone using that same network. Both the Times and the Guardian write that the N.S.A. and the G.C.H.Q. have “cracked much of the encryption” on the Web. But we don’t know precisely how much: the Times writes that the “full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand.” But it deploys “custom-built, superfast computers to break codes,” and it works with “technology companies in the United States and abroad to build entry points into their products.” While the Times and the Guardian do not make clear precisely which encryption schemes the N.S.A. and its partners have rendered effectively useless—and which companies the agency has partnered with—there are some hints about what the N.S.A. has accomplished with Bullrun, its project to defeat network encryption. The Guardian says the N.S.A. has apparently possessed “groundbreaking capabilities” against encrypted voice and text communication since 2010, which made “‘vast amounts’ of data collected through internet cable taps newly ‘exploitable.’” The N.S.A. 
appears to have found a way around some Internet-level encryption protocols that use outdated standards, but are nonetheless ubiquitous: the Guardian writes, “The agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer.” And the Times notes that the “most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or V.P.N.s; and the protection used on fourth-generation, or 4G, smartphones.” The hypertext transfer protocol (H.T.T.P.) is the basis for Web communication—it’s the “http” in your browser’s address bar. S.S.L. is one of the most common cryptographic protocols on the Web and is supported by nearly all Web sites. (It’s also used by instant-messaging and other programs to secure transmissions over the Internet.) H.T.T.P.S. is essentially the application of the S.S.L. protocol to H.T.T.P., making online services like e-mail and banking secure. A virtual private network enables a user to have a private connection on a public network in which their transmissions are protected. Under normal circumstances, the use of these protocols would shield data from the N.S.A.’s dragnet surveillance of communications. Cryptographic and security experts have been able to piece together some ideas about the extent of the agency’s capabilities. Mike Janke, the C.E.O. of the encrypted-communications company Silent Circle—which shut down its encrypted e-mail service a few weeks ago—said over the phone that, based on information and literature he has seen, he believes the N.S.A. developed “a massive push-button scale” ability to defeat or circumvent S.S.L. encryption in virtually real time. 
He added, “the reality of it is that most of the security world has known that lower level encryption—S.S.L., H.T.T.P.S., V.P.N.s—are highly susceptible to being defeated because of their architecture.” Bruce Schneier, who has seen the Snowden documents, wrote that the N.S.A. has circumvented common Web encryption “primarily by cheating, not by mathematics.” Instead of busting the algorithms that power encryption schemes, Schneier is suggesting that the N.S.A. has found a way around it. Matthew Green, a prominent crypto researcher, suggests that the N.S.A. may have compromised the encryption software that implements the algorithms that determine how data is scrambled—in particular, software made by Microsoft and used by many Web servers for encryption. The Times writes that “the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages.” Intriguingly, it adds, “independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored.” If the agency possesses the keys, there is no need to crack the encryption algorithm. Thomas Drake, an N.S.A. whistleblower who was profiled by Jane Mayer in the magazine, said over the phone that he believes the 2010 breakthrough was possibly more dramatic and may refer to the defeat of “some of the main-line encryption” algorithms in wide use, like the R.S.A. algorithm or the Advanced Encryption Standard at 256-bit level. (The length of the key used to encrypt and decrypt information, measured in bits, is one of many aspects of what determines how hard an encryption scheme is to crack: 128-bit encryption is now relatively easy; 2048-bit is much harder.) This kind of capability was hinted at in James Bamford’s piece a year ago about the N.S.A.’s massive new data center in Utah. The most damning aspect of the new disclosures is that the N.S.A. 
has worked to make widely used technology less secure. The Times reports that in 2006, the N.S.A. intentionally introduced a vulnerability into an encryption standard adopted by both the National Institute of Standards and Technology and the International Organization for Standardization. This is deeply problematic, Green writes, because the cryptographic industry is “highly dependent on NIST standards.” The N.S.A. also uses its Commercial Solutions Center, which invites companies, including start-ups, to show their technology to the agency under the guise of improving security, in order to “leverage sensitive, cooperative relationships with specific industry partners” and covertly make those products more susceptible to N.S.A.’s surveillance. Schneier, who has reviewed the documents, describes the process thusly: “Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on.” This is why the N.S.A. specifically asked the Times and Guardian to not publish their articles and the documents detailing the program warn explicitly and repeatedly of the need for secrecy: “Do not ask about or speculate on sources or methods.” The Times notes that the N.S.A. expects to “gain full unencrypted access to an unnamed major Internet phone call and text service” sometime this year. The Guardian further specifies that it is a “major internet peer-to-peer voice and text communications,” which sounds like it might be Skype—owned by Microsoft and previously named as an N.S.A. partner. 
Drake said that he was certain that Skype has been “compromised.” And, in one instance, the Times notes that “after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped.” This is worse than the legal mandate the N.S.A. and the F.B.I. pushed for in the nineties to force technology companies to build backdoors into their products, because, as Chris Soghoian, the principal technologist for the American Civil Liberties Union said, “with a secret backdoor you’ll think it’s secure,” rather than simply avoiding the technology. Schneier writes, “My guess is that most encryption products from large U.S. companies have NSA-friendly back doors, and many foreign ones probably do as well.” The pervasive effort to engineer backdoors into commercial technology strikes upon a broader question, raised by Soghoian: “Can we rely on technology provided by corporations with extensive relations with the U.S. government?” Despite the scope of the N.S.A.’s program, and its apparent success against Internet-level encryption, strong encryption schemes do remain uncracked by the N.S.A., and they are “your best bet” for privacy, said Janke. Pretty Good Privacy, a common encryption program, if used with the latest algorithms, remains safe, he added, as does the encryption used in Z.R.T.P., which is used by Silent Circle’s voice and text products to encrypt communications. Janke believes in their security in large part because “it’s good enough for the government to approve it for their use.” Soghoian says that “the kind of stuff we need is already available, it’s just not in our browsers and not with Google and Facebook.” (However, in response to the N.S.A. revelations, Google has fast-tracked its plan to encrypt data as it zips between its own data centers to prevent it from being subject to intelligence-agency prying.) 
Janke notes that on a local level, TrueCrypt, a hard-drive encryption program, along with Apple’s native hard-disk encryption tool both remain unbroken. Though Drake said he would only trust 2048-bit level encryption schemes and that he relies largely on open-source software, he would not reveal how he protects his own communications. “I just don’t want others to know how I protect myself,” he said. “I literally do not trust anything commercial.” In response to the latest revelations, Representative Rush Holt of New Jersey has introduced a bill, the Surveillance State Repeal Act, which would, among other things, bar the N.S.A. from installing such backdoors into encryption software. While a statement from the Director of National Intelligence, James Clapper—published after the reports by the Times and the Guardian—said that the fact that the N.S.A. works to crack encrypted data was “not news,” Holt said, correctly, that “if in the process they degrade the security of the encryption we all use, it’s a net national disservice.” The upshot is that it is now known that “the N.S.A. cannot be trusted on the issue of cyber security,” said Soghoian. He continued, “My sincere hope is that the N.S.A. loses its shine. They’re the bad guy; they’re breaking into systems; they’re exploiting vulnerabilities.” It’s conceivable that they have good intentions. And yet, Soghoian continued, “they act like any other hacker. They steal data. They read private communications.” With that methodology, how easy can it be, though, to give the agency the benefit of the doubt? As many have, Thomas Drake compared the worldview of what he calls the “rogue agency” to the total surveillance of George Orwell’s “1984,” in which the only way to escape was “to cower in a corner. I don’t want to live like that. 
I’ve already lived that and it’s not pleasant.”

NSA has made US more vulnerable to hackers for many reasons

Brendan Sasso, 4-30-2014, "How the NSA Undermines Cybersecurity to Protect You," Nextgov, http://www.nextgov.com/cybersecurity/2014/04/how-nsa-undermines-cybersecurity-protectyou/83482/

But critics argue that the National Security Agency has actually undermined cybersecurity and made the United States more vulnerable to hackers. At its core, the problem is the NSA’s dual mission. On one hand, the agency is tasked with securing U.S. networks and information. On the other hand, the agency must gather intelligence on foreign threats to national security. Collecting intelligence often means hacking encrypted communications. That’s nothing new for the NSA; the agency traces its roots back to code-breakers deciphering Nazi messages during World War II. So in many ways, strong Internet security actually makes the NSA’s job harder. “This is an administration that is a vigorous defender of surveillance,” said Christopher Soghoian, the head technologist for the American Civil Liberties Union. “Surveillance at the scale they want requires insecurity.” The leaks from Edward Snowden have revealed a variety of efforts by the NSA to weaken cybersecurity and hack into networks. Critics say those programs, while helping NSA spying, have made U.S. networks less secure. According to the leaked documents, the NSA inserted a so-called back door into at least one encryption standard that was developed by the National Institute of Standards and Technology. The NSA could use that back door to spy on suspected terrorists, but the vulnerability was also available to any other hacker who discovered it. NIST, a Commerce Department agency, sets scientific and technical standards that are widely used by both the government and the private sector. 
The agency has said it would never “deliberately weaken a cryptographic standard,” but it remains unclear whether the agency was aware of the back door or whether the NSA tricked NIST into adopting the compromised standard. NIST is required by law to consult with the NSA for its technical expertise on cybersecurity. The revelation that NSA somehow got NIST to build a back door into an encryption standard has seriously damaged NIST’s reputation with security experts. “NIST is operating with a trust deficit right now,” Soghoian said. “Anything that NIST has touched is now tainted.” It’s a particularly bad time for NIST to have lost the support of the cybersecurity community.

NSA has hindered, not helped, cybersecurity

Brendan Sasso, 4-30-2014, "How the NSA Undermines Cybersecurity to Protect You," Nextgov, http://www.nextgov.com/cybersecurity/2014/04/how-nsa-undermines-cybersecurity-protectyou/83482/

The U.S. government “is as concerned as the public is with the security of these products.” “The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected,” she said. According to Vines, the NSA relies on the same encryption standards it recommends to the public to protect its own classified networks. “We do not make recommendations that we cannot stand behind for protecting national security systems and data,” she said. But due to concern over the NSA damaging Internet security, the president’s review group on surveillance issues recommended that the U.S. government promise not to “in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption.” “Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible,” the group wrote in its report, which was released in December. 
“For the entire system to work, encryption software itself must be trustworthy.” In response to the report, the administration adopted a new policy on whether the NSA can exploit “zero-days”—vulnerabilities that haven’t been discovered by anyone else yet. According to the White House, there is a “bias” toward publicly disclosing flaws in security unless “there is a clear national security or law enforcement need.” In a blog post Monday, Michael Daniel, the White House’s cybersecurity coordinator, said that disclosing security flaws “usually makes sense.” “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he said. But Daniel added that, in some cases, disclosing a vulnerability means that the U.S. would “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.” He said that the government weighs a variety of factors, such as the risk of leaving the vulnerability un-patched, the likelihood that anyone else would discover it, and how important the potential intelligence is. But privacy advocates and many business groups are still uncomfortable with the U.S. keeping security flaws secret. And many don’t trust that the NSA will only exploit the vulnerabilities with the most potential for intelligence and least opportunity for other hackers. “The surveillance bureaucracy really doesn’t have a lot of self-imposed limits. “Now I think people dealing with that bureaucracy have to understand they can’t take anything for granted.” Most computer networks are run by private companies, and the government must work closely with the private sector to improve cybersecurity. But companies have become reluctant to share security information with the U.S. 
government, fearing the NSA could use any information to hack into their systems. “When you want to go into partnership with somebody and work on serious issues—such as cybersecurity—you want to know you’re being told the truth,” Black said.

NSA hurt cyber-security by making backdoor required which increases risk of compromise

Trevor Timm, 3-4-2015, "Building backdoors into encryption isn't only bad for China, Mr President," Guardian, http://www.theguardian.com/commentisfree/2015/mar/04/backdoors-encryption-chinaapple-google-nsa

In a stunningly short-sighted move, the FBI - and more recently the NSA - have been pushing for a new US law that would force tech companies like Apple and Google to hand over the encryption keys or build backdoors into their products and tools so the government would always have access to our communications. It was only a matter of time before other governments jumped on the bandwagon, and China wasted no time in demanding the same from tech companies a few weeks ago. As President Obama himself described to Reuters, China has proposed an expansive new “anti-terrorism” bill that “would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services.” Obama continued: “Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.” Bravo! Of course these are the exact arguments for why it would be a disaster for US government to force tech companies to do the same. (Somehow Obama left that part out.) 
As Yahoo’s top security executive Alex Stamos told NSA director Mike Rogers in a public confrontation last week, building backdoors into encryption is like “drilling a hole into a windshield.” Even if it’s technically possible to produce the flaw - and we, for some reason, trust the US government never to abuse it - other countries will inevitably demand access for themselves. Companies will no longer be in a position to say no, and even if they did, intelligence services would find the backdoor unilaterally - or just steal the keys outright.

No impact to cyberterrorism

Zero impact to cyber-attacks --- overwhelming consensus of qualified authors goes neg
- No motivation---can’t be used for coercive leverage
- Defenses solve---benefits of offense are overstated
- Too difficult to execute/mistakes in code are inevitable
- AT: Infrastructure attacks
- Military networks are air-gapped/difficult to access
- Overwhelming consensus goes neg

Colin S. Gray 13, Prof. of International Politics and Strategic Studies @ the University of Reading and External Researcher @ the Strategic Studies Institute @ the U.S. Army War College, April, “Making Strategic Sense of Cyber Power: Why the Sky Is Not Falling,” U.S. Army War College Press, http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1147.pdf

CONCLUSIONS AND RECOMMENDATIONS: THE SKY IS NOT FALLING¶ This analysis has sought to explore, identify, and explain the strategic meaning of cyber power. The organizing and thematic question that has shaped and driven the inquiry has been “So what?” Today we all do cyber, but this behavior usually has not been much informed by an understanding that reaches beyond the tactical and technical. I have endeavored to analyze in strategic terms what is on offer from the largely technical and tactical literature on cyber. What can or might be done and how to go about doing it are vitally important bodies of knowledge. 
But at least as important is understanding what cyber, as a fifth domain of warfare, brings to national security when it is considered strategically. Military history is stocked abundantly with examples of tactical behavior unguided by any credible semblance of strategy. This inquiry has not been a campaign to reveal what cyber can and might do; a large literature already exists that claims fairly convincingly to explain “how to . . .” But what does cyber power mean, and how does it fit strategically, if it does? These Conclusions and Recommendations offer some understanding of this fifth geography of war in terms that make sense to this strategist, at least. ¶ 1. Cyber can only be an enabler of physical effort. Stand-alone (popularly misnamed as “strategic”) cyber action is inherently grossly limited by its immateriality. The physicality of conflict with cyber’s human participants and mechanical artifacts has not been a passing phase in our species’ strategic history. Cyber action, quite independent of action on land, at sea, in the air, and in orbital space, certainly is possible. But the strategic logic of such behavior, keyed to anticipated success in tactical achievement, is not promising. To date, “What if . . .” speculation about strategic cyber attack usually is either contextually too light, or, more often, contextually unpersuasive.49 However, this is not a great strategic truth, though it is a judgment advanced with considerable confidence. Although societies could, of course, be hurt by cyber action, it is important not to lose touch with the fact, in Libicki’s apposite words, that “[i]n the absence of physical combat, cyber war cannot lead to the occupation of territory. 
It is almost inconceivable that a sufficiently vigorous cyber war can overthrow the adversary’s government and replace it with a more pliable one.”50 In the same way that the concepts of sea war, air war, and space war are fundamentally unsound, so also the idea of cyber war is unpersuasive. ¶ It is not impossible, but then, neither is war conducted only at sea, or in the air, or in space. On the one hand, cyber war may seem more probable than like environmentally independent action at sea or in the air. After all, cyber warfare would be very unlikely to harm human beings directly, let alone damage physically the machines on which they depend. These near-facts (cyber attack might cause socially critical machines to behave in a rogue manner with damaging physical consequences) might seem to render cyber a safer zone of belligerent engagement than would physically violent action in other domains. But most likely there would be serious uncertainties pertaining to the consequences of cyber action, which must include the possibility of escalation into other domains of conflict. Despite popular assertions to the contrary, cyber is not likely to prove a precision weapon anytime soon.51 In addition, assuming that the political and strategic contexts for cyber war were as serious as surely they would need to be to trigger events warranting plausible labeling as cyber war, the distinctly limited harm likely to follow from cyber assault would hardly appeal as prospectively effective coercive moves. On balance, it is most probable that cyber’s strategic future in war will be as a contributing enabler of effectiveness of physical efforts in the other four geographies of conflict. Speculation about cyber war, defined strictly as hostile action by networked computers against networked computers, is hugely unconvincing. ¶ 2. Cyber defense is difficult, but should be sufficiently effective. 
The structural advantages of the offense in cyber conflict are as obvious as they are easy to overstate. Penetration and exploitation, or even attack, would need to be by surprise. It can be swift almost beyond the imagination of those encultured by the traditional demands of physical combat. Cyber attack may be so stealthy that it escapes notice for a long while, or it might wreak digital havoc by com - plete surprise. And need one emphasize, that at least for a while, hostile cyber action is likely to be hard (though not quite impossible) to attribute with a cy - berized equivalent to a “smoking gun.” Once one is in the realm of the catastrophic “What if . . . ,” the world is indeed a frightening place. On a personal note, this defense analyst was for some years exposed to highly speculative briefings that hypothesized how unques - tionably cunning plans for nuclear attack could so promptly disable the United States as a functioning state that our nuclear retaliation would likely be still - born. I should hardly need to add that the briefers of these Scary Scenarios were obliged to make a series of Heroic Assumptions. ¶ The literature of cyber scare is more than mildly reminiscent of the nuclear attack stories with which I was assailed in the 1970s and 1980s. As one may observe regarding what Winston Churchill wrote of the disaster that was the Gallipoli campaign of 1915, “[t]he terrible ‘Ifs’ accumulate.” 52 Of course, there are dangers in the cyber domain. Not only are there cyber-competent competitors and enemies abroad; there are also Americans who make mistakes in cyber operation. Furthermore, there are the manufacturers and constructors of the physical artifacts behind (or in, depending upon the preferred definition) cyber - space who assuredly err in this and that detail. 
The more sophisticated— usually meaning complex—the code for cyber, the more certain must it be that mistakes both lurk in the program and will be made in digital communication.¶ What I have just outlined minimally is not a reluc - tant admission of the fallibility of cyber, but rather a statement of what is obvious and should be anticipat - ed about people and material in a domain of war. All human activities are more or less harassed by friction and carry with them some risk of failure, great or small. A strategist who has read Clausewitz, especially Book One of On War , 53 will know this. Alternatively, anyone who skims my summary version of the general theory of strategy will note that Dictum 14 states explicitly that “Strategy is more difficult to devise and execute than are policy, operations, and tactics: friction of all kinds comprise phenomena inseparable from the mak - ing and execution of strategies.” 54 Because of its often widely distributed character, the physical infrastruc - ture of an enemy’s cyber power is typically, though not invariably, an impracticable target set for physical assault. Happily, this probable fact should have only annoying consequences. The discretionary nature and therefore the variable possible characters feasible for friendly cyberspace(s), mean that the more danger - ous potential vulnerabilities that in theory could be the condition of our cyber-dependency ought to be avoidable at best, or bearable and survivable at worst. Libicki offers forthright advice on this aspect of the subject that deserves to be taken at face value: ¶ [T]here is no inherent reason that improving informa - tion technologies should lead to a rise in the amount of critical information in existence (for example, the names of every secret agent). 
Really critical information should never see a computer; if it sees a computer, it should not be one that is networked; and if the computer is networked, it should be airgapped.¶ Cyber defense admittedly is difficult to do, but so is cyber offense. To quote Libicki yet again, “[i]n this medium [cyberspace] the best defense is not necessarily a good offense; it is usually a good defense.” 56 Unlike the geostrategic context for nuclear-framed competition in U.S.–Soviet/Russian rivalry, the geographical domain of cyberspace definitely is defensible. Even when the enemy is both clever and lucky, it will be our own design and operating fault if he is able to do more than disrupt and irritate us temporarily.¶ When cyber is contextually regarded properly— which means first, in particular, when it is viewed as but the latest military domain for defense planning—it should be plain to see that cyber performance needs to be good enough rather than perfect. 57 Our Landpower, sea power, air power, and prospectively our space systems also will have to be capable of accepting combat damage and loss, then recovering and carrying on. There is no fundamental reason that less should be demanded of our cyber power. Second, given that cyber is not of a nature or potential character at all likely to parallel nuclear dangers in the menace it could con - tain, we should anticipate international cyber rivalry to follow the competitive dynamic path already fol - lowed in the other domains in the past. Because the digital age is so young, the pace of technical change and tactical invention can be startling. However, the mechanization RMA of the 1920s and 1930s recorded reaction to the new science and technology of the time that is reminiscent of the cyber alarmism that has flour - ished of recent years. 58 We can be confident that cyber defense should be able to function well enough , given the strength of political, military, and commercial motivation for it to do so. 
The technical context here is a medium that is a constructed one, which provides air-gapping options for choice regarding the extent of networking. Naturally, a price is paid in convenience for some closing off of possible cyberspace(s), but all important defense decisions involve choice, so what is novel about that? There is nothing new about accepting some limitations on utility as a price worth paying for security.¶ 3. Intelligence is critically important, but informa - tion should not be overvalued. The strategic history of cyber over the past decade confirms what we could know already from the science and technology of this new domain for conflict. Specifically, cyber power is not technically forgiving of user error. Cyber warriors seeking criminal or military benefit require precise information if their intended exploits are to succeed. Lucky guesses should not stumble upon passwords, while efforts to disrupt electronic Supervisory Con - trol and Data Acquisition (SCADA) systems ought to be unable to achieve widespread harmful effects. But obviously there are practical limits to the air-gap op - tion, given that control (and command) systems need to be networks for communication. However, Internet connection needs to be treated as a potential source of serious danger.¶ It is one thing to be able to be an electronic nuisance, to annoy, disrupt, and perhaps delay. But it is quite another to be capable of inflicting real persisting harm on the fighting power of an enemy. Critically important military computer networks are, of course, accessible neither to the inspired amateur outsider, nor to the malignant political enemy. Easy passing reference to a hypothetical “cyber Pearl Harbor” reflects both poor history and ignorance of contemporary military common sense. 
Critical potential military (and other) targets for cyber attack are extremely hard to access and influence (I believe and certainly hope), and the technical knowledge, skills, and effort required to do serious harm to national security is forbiddingly high. However, it is to say that such This is not to claim, foolishly, that cyber means absolutely could not secure near-catastrophic results. a scenario is extremely improbable . Cyber defense is advancing all the time, as is cyber offense, of course. But so discretionary in vital detail can one be in the making of cyberspace, that confidence—real confidence—in cyber attack could not plausibly be high. It should be noted that I am confining this particular discussion to what rather idly tends to be called cyber war. In political and strategic practice, it is unlikely that war would or, more importantly, ever could be restricted to the EMS. Somewhat rhetorically, one should pose the question: Is it likely (almost anything, strictly, is possible) that cyber war with the potential to inflict catastrophic damage would be allowed to stand unsupported in and by action in the other four geographical domains of war? I believe not.¶ Because we have told ourselves that ours uniquely is the Information Age, we have become unduly respectful of the potency of this rather slippery catch-all term. As usual, it is helpful to contextualize the al - legedly magical ingredient, information, by locating it properly in strategic history as just one important element contributing to net strategic effectiveness. This mild caveat is supported usefully by recognizing the general contemporary rule that information per se harms nothing and nobody. The electrons in cyber - ized conflict have to be interpreted and acted upon by physical forces (including agency by physical human beings). As one might say, intelligence (alone) sinks no ship; only men and machines can sink ships! 
That said, there is no doubt that if friendly cyber action can infiltrate and misinform the electronic informa - tion on which advisory weaponry and other machines depend, considerable warfighting advantage could be gained. I do not intend to join Clausewitz in his dis - dain for intelligence, but I will argue that in strategic affairs, intelligence usually is somewhat uncertain. 59 Detailed up-to-date intelligence literally is essential for successful cyber offense, but it can be healthily sobering to appreciate that the strategic rewards of intelligence often are considerably exaggerated. The basic reason is not hard to recognize. Strategic success is a complex endeavor that requires adequate perfor mances by many necessary contributors at every level of conflict (from the political to the tactical). ¶ When thoroughly reliable intelligence on the en - emy is in short supply, which usually is the case, the strategist finds ways to compensate as best he or she can. The IT-led RMA of the past 2 decades was fueled in part by the prospect of a quality of military effec - tiveness that was believed to flow from “dominant battle space knowledge,” to deploy a familiar con - cept. 60 While there is much to be said in praise of this idea, it is not unreasonable to ask why it has been that our ever-improving battle space knowledge has been compatible with so troubled a course of events in the 2000s in Iraq and Afghanistan. What we might have misunderstood is not the value of knowledge, or of the information from which knowledge is quarried, or even the merit in the IT that passed information and knowledge around. Instead, we may well have failed to grasp and grip understanding of the whole context of war and strategy for which battle space knowledge unquestionably is vital. One must say “vital” rather than strictly essential, because relatively ignorant armies can and have fought and won despite their ig - norance. 
History requires only that one’s net strategic performance is superior to that of the enemy. One is not required to be deeply well informed about the en - emy. It is historically quite commonplace for armies to fight in a condition of morethan-marginal reciprocal and strategic cultural ignorance. Intelligence is king in electronic warfare, but such warfare is unlikely to be solely, or even close to solely, sovereign in war and its warfare, considered overall as they should be. ¶ 4. Why the sky will not fall. More accurately, one should say that the sky will not fall because of hostile action against us in cyberspace unless we are improb - ably careless and foolish. David J. Betz and Tim Ste vens strike the right note when they conclude that “[i]f cyberspace is not quite the hoped-for Garden of Eden, it is also not quite the pestilential swamp of the imagination of the cyber-alarmists.” 61 Our understanding of cyber is high at the technical and tactical level, but re - mains distinctly rudimentary as one ascends through operations to the more rarified altitudes of strategy and policy. Nonetheless, our scientific, technological, and tactical knowledge and understanding clearly indicates that the sky is not falling and is unlikely to fall in the future as a result of hostile cyber action. This analysis has weighed the more technical and tactical literature on cyber and concludes, not simply on balance , that cyber alarmism has little basis save in the imagination of the alarmists. There is military and civil peril in the hostile use of cyber, which is why we must take cyber security seriously, even to the point of buying redundant capabilities for a range of command and control systems. 
62 So seriously should we regard cyber danger that it is only prudent to as - sume that we will be the target for hostile cyber action in future conflicts, and that some of that action will promote disruption and uncertainty in the damage it will cause.¶ That granted, this analysis recommends strongly that the U.S. Army, and indeed the whole of the U.S. Government, should strive to comprehend cyber in context. Approached in isolation as a new technol - ogy, it is not unduly hard to be over impressed with its potential both for good and harm. But if we see networked computing as just the latest RMA in an episodic succession of revolutionary changes in the way information is packaged and communicated, the computer-led IT revolution is set where it belongs, in historical context. In modern strategic history, there has been only one truly game-changing basket of tech - nologies, those pertaining to the creation and deliv - ery of nuclear weapons. Everything else has altered the tools with which conflict has been supported and waged, but has not changed the game. The nuclear revolution alone raised still-unanswered questions about the viability of interstate armed conflict. How - ever, it would be accurate to claim that since 1945, methods have been found to pursue fairly traditional political ends in ways that accommodate nonuse of nuclear means, notwithstanding the permanent pres - ence of those means.¶ The light cast by general strategic theory reveals what requires revealing strategically about networked computers. Once one sheds some of the sheer wonder at the seeming miracle of cyber’s ubiquity, instanta - neity, and (near) anonymity, one realizes that cyber is just another operational domain, though certainly one very different from the others in its nonphysi - cality in direct agency. 
Having placed cyber where it belongs, as a domain of war, next it is essential to recognize that its nonphysicality compels that cyber should be treated as an enabler of joint action, rather than as an agent of military action capable of behav - ing independently for useful coercive strategic effect. There are stand-alone possibilities for cyber action, but they are not convincing as attractive options either for or in opposition to a great power, let alone a superpower. No matter how intriguing the scenario design for cyber war strictly or for cyber warfare, the logic of grand and military strategy and a common sense fueled by understanding of the course of strategic history, require one so to contextualize cyber war that its independence is seen as too close to absurd to merit much concern. No risk or impact related to cyberterror Bicchierai 2015 [ LORENZO FRANCESCHI - staff writer at VICE Motherboard in Brooklyn, New York, where he covers hacking, information security, and digital rights. “The 'ISIS Cyberwar' Hype Machine Is Doing More Harm Than Good”, MotherBoard,] Yet, that didn’t stop a new round of breathless hype. On Sunday, The Hill wrote that ISIS was preparing for “cyberwar” and an “all-out cyber crusade.” Looks like ISIS wannabes successfully hacked the media once again. “Toss out a shitty video that claims that you do things that you’re not—doesn’t matter, we’ll still overreact,” Peter W. Singer, an author and well-known expert in cybersecurity, told Motherboard. Instead of responding with a “keep calm and carry on” attitude “we lose our shit.” That being said, it’s worth pointing out that ISIS could do real damage by doing espionage online, monitoring and tracking down dissidents who live in ISIS-controlled territories. That might have already happened. 
Last November someone targeted a Syrian citizen media group known as Raqqa Is Being Slaughtered Silently (RSS), which documents human rights crimes in Raqqa, the self-proclaimed capital of the ISIS caliphate. To date, however, there hasn’t been a case of actual cyberterrorism—an act targeting computers systems that result in physical violence, as the FBI defines it. In fact, squirrels have been way more damaging to US critical infrastructure than cyberterrorists. Singer criticized the article, which he said is good for a “cyber laugh.” But jokes apart, Singer warned that hyping ISIS hacking abilities rewards the group with useful attention that it can turn into recruiting power. Instead of responding with a “keep calm and carry on” attitude, Singer added, “we lose our shit.” This encourages and incentivizes ISIS to keep attacking, or at least claim attacks—something that doesn’t help anyone. Robert M. Lee, an active duty Air Force cyber warfare operations officer, agreed with Singer, and dismissed the hype on Twitter. “Terrorist groups will continue to use the internet to spread their message and perform hacktivist-type acts but nothing of significant damage,” he wrote. “Performing significant damage requires more than just internet connected devices. It requires advanced logistical support and expertise.” “Describing savvy use of social media as cyberwar is akin to describing Miley Cyrus as the Clausewitz of cyberwar.” In other words, being good at social media, as ISIS is, doesn’t mean you’ll be a good hacker. The truth, as we reported before, is that all the cyberattacks attributed to ISIS in the recent past have been unsophisticated attacks carried out by what looks like online fanboys not at all affiliated with the group. As Singer put it, “it’s either sympathizers or people doing it for shits and giggles.” As Singer explained in 2012, “cyberterrorism” is overhyped, just like our obsessive fear of sharks. 
As he put it, we are “15,000 times more likely to be hurt or killed by an accident involving a toilet,” yet Discovery Channel has Shark Week and not Toilet Week.

No cyber impact Jason Healey 2013 Jason, Director of the Cyber Statecraft Initiative at the Atlantic Council, "No, Cyberwarfare Isn't as Dangerous as Nuclear War", 3/20, www.usnews.com/opinion/blogs/worldreport/2013/03/20/cyber-attacks-not-yet-an-existential-threat-to-the-us America does not face an existential cyberthreat today, despite recent warnings. Our cybervulnerabilities are undoubtedly grave and the threats we face are severe but far from comparable to nuclear war. ¶ The most recent alarms come in a Defense Science Board report on how to make military cybersystems more resilient against advanced threats (in short, Russia or China). It warned that the "cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War." Such fears were also expressed by Adm. Mike Mullen, then chairman of the Joint Chiefs of Staff, in 2011. He called cyber "The single biggest existential threat that's out there" because "cyber actually more than theoretically, can attack our infrastructure, our financial systems." ¶ While it is true that cyber attacks might do these things, it is also true they have not only never happened but are far more difficult to accomplish than mainstream thinking believes. The consequences from cyber threats may be similar in some ways to nuclear, as the Science Board concluded, but mostly, they are incredibly dissimilar. ¶ Eighty years ago, the generals of the U.S. Army Air Corps were sure that their bombers would easily topple other countries and cause their populations to panic, claims which did not stand up to reality. A study of the 25-year history of cyber conflict, by the Atlantic Council and Cyber Conflict Studies Association, has shown a similar dynamic where the impact of disruptive cyberattacks has been consistently overestimated.
¶ Rather than theorizing about future cyberwars or extrapolating from today's concerns, the history of cyberconflict that have actually been fought, shows that cyber incidents have so far tended to have effects that are either widespread but fleeting or persistent but narrowly focused. No attacks, so far, have been both widespread and persistent. There have been no authenticated cases of anyone dying from a cyber attack. Any widespread disruptions, even the 2007 disruption against Estonia, have been short-lived causing no significant GDP loss. ¶ Moreover, as with conflict in other domains, cyberattacks can take down many targets but keeping them down over time in the face of determined defenses has so far been out of the range of all but the most dangerous adversaries such as Russia and China. Of course, if the United States is in a conflict with those nations, cyber will be the least important of the existential threats policymakers should be worrying about. Plutonium trumps bytes in a shooting war.¶ This is not all good news. Policymakers have recognized the problems since at least 1998 with little significant progress. Worse, the threats and vulnerabilities are getting steadily more worrying. Still, experts have been warning of a cyber Pearl Harbor for 20 of the 70 years since the actual Pearl Harbor. ¶ The transfer of U.S. trade secrets through Chinese cyber espionage could someday accumulate into an existential threat. But it doesn't seem so just yet, with only handwaving estimates of annual losses of 0.1 to 0.5 percent to the total U.S. GDP of around $15 trillion. That's bad, but it doesn't add up to an existential crisis or "economic cyberwar."
Cyber threats are exaggerated hype – alarmist rhetoric and won’t escalate Thomas Rid, 2012 reader in war studies at King's College London, is author of "Cyber War Will Not Take Place" and co-author of "Cyber-Weapons.", March/April 2012, “Think Again: Cyberwar”, http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page=full "Cyberwar Is Already Upon Us." No way. "Cyberwar is coming!" John Arquilla and David Ronfeldt predicted in a celebrated Rand paper back in 1993. Since then, it seems to have arrived -- at least by the account of the U.S. military establishment, which is busy competing over who should get what share of the fight. Cyberspace is "a domain in which the Air Force flies and fights," Air Force Secretary Michael Wynne claimed in 2006. By 2012, William J. Lynn III, the deputy defense secretary at the time, was writing that cyberwar is "just as critical to military operations as land, sea, air, and space." In January, the Defense Department vowed to equip the U.S. armed forces for "conducting a combined arms campaign across all domains -- land, air, maritime, space, and cyberspace." Meanwhile, growing piles of books and articles explore the threats of cyberwarfare, cyberterrorism, and how to survive them. Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we've seen so far, from Estonia to the Stuxnet virus, simply don't meet these criteria. Take the dubious story of a Soviet pipeline explosion back in 1982, much cited by cyberwar's true believers as the most destructive cyberattack ever. The account goes like this: In June 1982, a Siberian pipeline that the CIA had virtually booby-trapped with a so-called "logic bomb" exploded in a monumental fireball that could be seen from space. The U.S. Air Force estimated the explosion at 3 kilotons, equivalent to a small nuclear device. 
Targeting a Soviet pipeline linking gas fields in Siberia to European markets, the operation sabotaged the pipeline's control systems with software from a Canadian firm that the CIA had doctored with malicious code. No one died, according to Thomas Reed, a U.S. National Security Council aide at the time who revealed the incident in his 2004 book, At the Abyss; the only harm came to the Soviet economy. But did it really happen? After Reed's account came out, Vasily Pchelintsev, a former KGB head of the Tyumen region, where the alleged explosion supposedly took place, denied the story. There are also no media reports from 1982 that confirm such an explosion, though accidents and pipeline explosions in the Soviet Union were regularly reported in the early 1980s. Something likely did happen, but Reed's book is the only public mention of the incident and his account relied on a single document. Even after the CIA declassified a redacted version of Reed's source, a note on the so-called Farewell Dossier that describes the effort to provide the Soviet Union with defective technology, the agency did not confirm that such an explosion occurred. The available evidence on the Siberian pipeline blast is so thin that it shouldn't be counted as a proven case of a successful cyberattack. Most other commonly cited cases of cyberwar are even less remarkable. Take the attacks on Estonia in April 2007, which came in response to the controversial relocation of a Soviet war memorial, the Bronze Soldier. The well-wired country found itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to 85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9, when 58 Estonian websites were attacked at once and the online services of Estonia's largest bank were taken down. "What's the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper websites?" 
asked Estonian Prime Minister Andrus Ansip. Despite his analogies, the attack was no act of war. It was certainly a nuisance and an emotional strike on the country, but the bank's actual network was not even penetrated; it went down for 90 minutes one day and two hours the next. The attack was not violent, it wasn't purposefully aimed at changing Estonia's behavior, and no political entity took credit for it. The same is true for the vast majority of cyberattacks on record. Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it's not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the "wars" on obesity and cancer. Yet those ailments, unlike past examples of cyber "war," actually do kill people. "A Digital Pearl Harbor Is Only a Matter of Time." Keep waiting. U.S. Defense Secretary Leon Panetta delivered a stark warning last summer: "We could face a cyberattack that could be the equivalent of Pearl Harbor." Such alarmist predictions have been ricocheting inside the Beltway for the past two decades, and some scaremongers have even upped the ante by raising the alarm about a cyber 9/11. In his 2010 book, Cyber War, former White House counterterrorism czar Richard Clarke invokes the specter of nationwide power blackouts, planes falling out of the sky, trains derailing, refineries burning, pipelines exploding, poisonous gas clouds wafting, and satellites spinning out of orbit -- events that would make the 2001 attacks pale in comparison. But the empirical record is less hair-raising, even by the standards of the most drastic example available. Gen. Keith Alexander, head of U.S. 
Cyber Command (established in 2010 and now boasting a budget of more than $3 billion), shared his worst fears in an April 2011 speech at the University of Rhode Island: "What I'm concerned about are destructive attacks," Alexander said, "those that are coming." He then invoked a remarkable accident at Russia's Sayano-Shushenskaya hydroelectric plant to highlight the kind of damage a cyberattack might be able to cause. Shortly after midnight on Aug. 17, 2009, a 900-ton turbine was ripped out of its seat by a so-called "water hammer," a sudden surge in water pressure that then caused a transformer explosion. The turbine's unusually high vibrations had worn down the bolts that kept its cover in place, and an offline sensor failed to detect the malfunction. Seventy-five people died in the accident, energy prices in Russia rose, and rebuilding the plant is slated to cost $1.3 billion. Tough luck for the Russians, but here's what the head of Cyber Command didn't say: The ill-fated turbine had been malfunctioning for some time, and the plant's management was notoriously poor. On top of that, the key event that ultimately triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away. Because the energy supply from Bratsk dropped, authorities remotely increased the burden on the Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine, which was two months shy of reaching the end of its 30-year life cycle, sparking the catastrophe. If anything, the Sayano-Shushenskaya incident highlights how difficult a devastating attack would be to mount. The plant's washout was an accident at the end of a complicated and unique chain of events. Anticipating such vulnerabilities in advance is extraordinarily difficult even for insiders; creating comparable coincidences from cyberspace would be a daunting challenge at best for outsiders.
If this is the most drastic incident Cyber Command can conjure up, perhaps it's time for everyone to take a deep breath. "Cyberattacks Are Becoming Easier." Just the opposite. U.S. Director of National Intelligence James R. Clapper warned last year that the volume of malicious software on American networks had more than tripled since 2009 and that more than 60,000 pieces of malware are now discovered every day. The United States, he said, is undergoing "a phenomenon known as 'convergence,' which amplifies the opportunity for disruptive cyberattacks, including against physical infrastructures." ("Digital convergence" is a snazzy term for a simple thing: more and more devices able to talk to each other, and formerly separate industries and activities able to work together.) Just because there's more malware, however, doesn't mean that attacks are becoming easier. In fact, potentially damaging or life-threatening cyberattacks should be more difficult to pull off. Why? Sensitive systems generally have built-in redundancy and safety systems, meaning an attacker's likely objective will not be to shut down a system, since merely forcing the shutdown of one control system, say a power plant, could trigger a backup and cause operators to start looking for the bug. To work as an effective weapon, malware would have to influence an active process -- but not bring it to a screeching halt. If the malicious activity extends over a lengthy period, it has to remain stealthy. That's a more difficult trick than hitting the virtual off-button. Take Stuxnet, the worm that sabotaged Iran's nuclear program in 2010. It didn't just crudely shut down the centrifuges at the Natanz nuclear facility; rather, the worm subtly manipulated the system. 
Stuxnet stealthily infiltrated the plant's networks, then hopped onto the protected control systems, intercepted input values from sensors, recorded these data, and then provided the legitimate controller code with pre-recorded fake input signals, according to researchers who have studied the worm. Its objective was not just to fool operators in a control room, but also to circumvent digital safety and monitoring systems so it could secretly manipulate the actual processes. Building and deploying Stuxnet required extremely detailed intelligence about the systems it was supposed to compromise, and the same will be true for other dangerous cyberweapons. Yes, "convergence," standardization, and sloppy defense of control-systems software could increase the risk of generic attacks, but the same trend has also caused defenses against the most coveted targets to improve steadily and has made reprogramming highly specific installations on legacy systems more complex, not less. Many barriers to a cyber-attack Martin Libicki, October 2014, A Dangerous World? Threat Perceptions and US National Security, ed. Christopher Peeble & John Mueller, Martin Libicki is a senior management scientist at the RAND Corporation, where his research focuses on the effects of information technology on domestic and national security. He is the author of several books, including Conquest in Cyberspace: National Security and Information Warfare and Information Technology Standards: Quest for the Common Byte. He has also written two cyberwar monographs: Cyberwar and Cyberdeterrence and Crisis and Escalation in Cyberspace. Prior to joining RAND, Libicki was a senior fellow at the National Defense University, page # at end of card An attack as large as posited would be unprecedented. No comparable major cyberattack has occurred since the Internet became accessible to the world’s public 20 years ago. 
Although prior absence is no proof that it will never happen, it may be premature to declare a major attack inevitable. All the trend lines— good and bad— are rising at the same time: (a) the sophistication of attackers and defenders; (b) the salience of cyberattack as a weapon, but also the rising sensitivity to the prospect that such attacks are possible and must be countered; (c) the bandwidth available for organizing a flooding attack, but also to ward it off; and (d) the complexity of operational software (which increases the number of places where vulnerabilities can be found), but also the complexity of security software and systems (which deepens the number of levels an attack must overcome to succeed). (2014-10-14). A Dangerous World? Threat Perception and U.S. National Security (Kindle Locations 2518-2524). Cato Institute. Kindle Edition. No impact to a cyber-attack Brandon Valeriano and Ryan Maness 11/21/12, Lecturer in Social and Political Sciences at the University of Glasgow AND Ph.D. candidate at the University of Illinois at Chicago, "The Fog of Cyberwar," Foreign Affairs, www.foreignaffairs.com/articles/138443/brandon-valeriano-and-ryanmaness/the-fog-of-cyberwar?page=show Some cyberattacks over the past decade have briefly affected state strategic plans, but none has resulted in death or lasting damage. For example, the 2007 cyberattacks on Estonia by Russia shut down networks and government websites and disrupted commerce for a few days, but things swiftly went back to normal. The majority of cyberattacks worldwide have been minor: easily corrected annoyances such as website defacements or basic data theft -- basically the least a state can do when challenged diplomatically. Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. 
Only 20 of 124 active rivals -- defined as the most conflict-prone pairs of states in the system -- engaged in cyberconflict between 2001 and 2011. And there were only 95 total cyberattacks among these 20 rivals. The number of observed attacks pales in comparison to other ongoing threats: a state is 600 times more likely to be the target of a terrorist attack than a cyberattack. We used a severity score ranging from five, which is minimal damage, to one, where death occurs as a direct result from cyberwarfare. Of all 95 cyberattacks in our analysis, the highest score -- that of Stuxnet and Flame -- was only a three. It's just alarmist rhetoric Jerry Brito (senior research fellow at the Mercatus Center and directs the Technology Policy Program at George Mason University) and Tate Watkins (research associate for the Technology Policy Program and the State and Local Policy Project at George Mason University) April 26, 2011 “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber_bomb.pdf Cybersecurity is an important policy issue, but the alarmist rhetoric coming out of Washington that focuses on worst-case scenarios is unhelpful and dangerous. Aspects of current cyber policy discourse parallel the run-up to the Iraq War and pose the same dangers. Pre-war threat inflation and conflation of threats led us into war on shaky evidence. By focusing on doomsday scenarios and conflating cyber threats, government officials threaten to legislate, regulate, or spend in the name of cybersecurity based largely on fear, misplaced rhetoric, conflated threats, and credulous reporting. The public should have access to classified evidence of cyber threats, and further examination of the risks posed by those threats, before sound policies can be proposed, let alone enacted. Furthermore, we cannot ignore parallels between the military-industrial complex and the burgeoning cybersecurity industry. 
As President Eisenhower noted, we must have checks and balances on the close relationships between parties in government, defense, and industry. Relationships between these parties and their potential conflicts of interest must be considered when weighing cybersecurity policy recommendations and proposals. Before enacting policy in response to cyber threats, policymakers should consider a few things. First, they should end the cyber rhetoric. The alarmist rhetoric currently dominating the policy discourse is unhelpful and potentially dangerous. Next, they should declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify before trusting blindly. They must also disentangle the disparate cyber threats so that they can determine who is best suited to address which threats. In cases of cyber crime and cyber espionage, for instance, private network owners may be best suited and may have the best incentive to protect their own valuable data, information, and reputations. After disentangling threats, policymakers can then assess whether a market failure or systemic problem exists when it comes to addressing each threat. Finally, they can estimate the costs and benefits of regulation and its alternatives and determine the most effective and efficient way to address disparate cyber threats. No impact – effects of cyber-attacks are just temporary pinpricks to the system Erik Gartzke is Professor of Government at the University of Essex and Associate Professor of Political Science at the University of California San Diego (“The Foreign Policy Essay: Erik Gartzke on “Fear and War in Cyberspace”” 12/1, http://www.lawfareblog.com/2013/12/foreign-policy-essay-erik-gartzke-onfear-and-war-in-cyberspace/) Should we fear cyberspace? 
The internet is said to be a revolutionary leveler, reducing the hard won military advantages of western powers, even as the dependence of developed nations on computer networks leaves them vulnerable to attack. Incidents like the Stuxnet worm and cyber attacks against U.S. government computers, apparently launched from servers in China, seem to testify to the need for concern. Yet, even if these details are correct—and some are not—there is no reason to believe that the internet constitutes an Achilles heel for the existing world order. To the contrary, cyberwar promises major advantages for status quo powers like the United States. Contrasting a Logic of Possibilities with a Logic of Consequences The ability to harm is ubiquitous. Anyone passing on the street could just punch you in the face. Still, violence is relatively rare in large part because little is typically gained from most potential uses of force. Perpetrators must ask not just “what harm can I inflict?” but “how can I benefit by inflicting harm?” In short, cyberwar requires a logic of consequences. Just as a morbid fear of being sucker punched at random may be misplaced, concern about cyberwar can be exaggerated if there is little to suggest how internet aggression can be of benefit to potential perpetrators. Efficacy separates the widespread potential for harm from actual aggression. Nations, groups and persons threaten force to influence, compelling others to cooperate or deterring aggression. Violence is also exercised to alter the balance of power. If the damage inflicted is temporary, however, then aggression must be followed up with other actions, or an attack serves no purpose. Creating “a window of opportunity” cannot matter unless one intends to exercise the opportunity. Fighting on the Internet In isolation, the internet is an inferior venue for achieving objectives traditionally associated with military violence, particularly coercion. Traditional military capabilities are observable. 
Armies can be seen standing near city gates. Missiles can be observed in firing positions ready to launch. Capability coerces precisely because the effects of a contest can be anticipated. A city does not need to be stormed for inhabitants to imagine the consequences of an attack. Cyber coercion is problematic because capabilities are difficult to communicate without harming military potency. Targets cannot assess credibility unless they are given access to details of a planned cyber attack, but attackers cannot share this information with defenders without undermining their own attack. If instead a defender accedes to unverified threats, then it will invite a multitude of false claims. Harm threatened can compel if it is credible and does not weaken the exercise of force. Harm inflicted can be used to threaten future harm, but only if the act of harming is a good indicator of future effectiveness. This works pretty well with war elephants, infantry brigades or high speed penetrating bombers, where capability is not determined by whether the enemy knows they exist. But again the success of cyber aggression is unusually reliant on conditions of surprise and even an internet attacker that has succeeded before can be tempted to bluff if bluffing will be believed. The bigger issue, however, is that the effects of internet attacks are temporary. Unlike a rocket strike on an oil refinery or demolition of critical elements of the transportation grid, cyber attacks generally achieve “soft kills,” temporary incapacitation that can be reversed relatively quickly at moderate cost. Unless it has a lasting effect on the balance of power, internet aggression serves either as an irritant, or as an adjunct to other, more traditional, forms of coercion or force. Imagine that some unspecified cyber attack disables communication or transportation nodes in a target country. What then? While inconvenienced, the target will eventually get the lights back on and vehicles running. 
The target will then attempt to retaliate. Permanent harm inflicted over the internet can weaken an opponent and serve as a motive for aggression. Yet, harm inflicted over the internet, or at Pearl Harbor for that matter, only benefits the attacker if it can extract concessions from the target, or if the attack can be made to permanently weaken an opponent. Considerable damage was done to the U.S. Pacific Fleet in the Pearl Harbor attack, but it failed to force the United States to the bargaining table, a critical component of Japan’s grand strategy. Though Japan’s leadership knew that total war with the United States would result in their defeat, they hoped for a limited contest. Cyberwar with no follow-on strategy is much more foolish than the Japanese plan in 1941 to the degree that the effects of an attack can be repaired more quickly. Any attack over the internet must either convert short-term advantages into long-term effects, or wager that the enemy will accept defeat in cyberspace lying down. A cyber Pearl Harbor has no purpose unless it is accompanied by a terrestrial attack precisely because the target is capable and is destined to respond to any serious attack with a vigorous reprisal. If the target is unlikely to succumb to traditional forms of aggression, then cyber attack makes very little sense, either. Cyberwar Benefits the Strong While many can imagine a cyber attack on the United States, few find it practical to speculate about physical invasion of U.S. territory. Yet, short of invasion, all that can be achieved by cyber attack are the kinds of pin pricks that anger and mobilize an enemy, rather than leading to concessions or defeat. It is far less difficult to imagine powerful nations invading weaker states. It is thus as an adjunct to existing capabilities that cyberwar is destined to prove most useful. 
Cyberterror threats are exaggerated – too many vested interests for accurate predictions Jerry Brito (senior research fellow at the Mercatus Center and directs the Technology Policy Program at George Mason University) and Tate Watkins (research associate for the Technology Policy Program and the State and Local Policy Project at George Mason University) April 26, 2011 “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber_bomb.pdf An industrial complex reminiscent of the Cold War’s may be emerging in cybersecurity today. Some serious threats may exist, but we have also seen evidence of threat inflation. Alarm raised over potential cyber threats has led to a cyber industry build-up and political competition over cyber pork. 1. Build-up In many cases, those now inflating the scope and probability of cyber threats might well benefit from increased regulation and more government spending on information security. Cybersecurity is a big and booming industry.163 The U.S. 
government is expected to spend $10.5 billion per year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion per year.164 The Department of Defense has also said it is seeking more than $3.2 billion in cybersecurity funding for 2012.16 In recent years, in addition to traditional information security providers like McAfee, Symantec, and Checkpoint, defense contractors and consulting firms have recognized lucrative opportunities in cybersecurity.166 To weather probable cuts on traditional defense spending, and to take advantage of the growing market, these firms have positioned themselves to compete with information security firms for government contracts.167 Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems have all launched cybersecurity business divisions in recent years.168 Other traditional defense contractors, like Northrop Grumman, Raytheon, and ManTech International, have also invested in information security products and services.169 Such investments appear to have positioned defense firms well. In 2009, the top 10 information technology federal contractors included Lockheed Martin, Boeing, Northrop Grumman, General Dynamics, Raytheon, SAIC, L-3 Communications, and Booz Allen Hamilton.170 Traditional IT firms also see more opportunities to profit from cybersecurity business in both the public and private sectors.171 Earlier this year, a software security company executive noted “a very large rise in interest in spending on computer security by the government.”172 And as one IT market analyst put it: “It’s a cyber war and we’re fighting it. In order to fight it, you need to spend more money, and some of the core beneficiaries of that trend will be the security software companies.”173 Some companies from diverse industries have also combined forces in the cybersecurity buildup. 
In 2009, a combination of defense, security, and tech companies, including Lockheed, McAfee, Symantec, Cisco, Dell, Hewlett-Packard, Intel, Juniper Networks, and Microsoft, formed a cybersecurity technology alliance to study threats and innovate solutions.174 IT lobbyists, too, have looked forward to cybersecurity budget increases, to the dismay of at least one executive at a small tech firm, who claimed, “Money gets spent on the vendors who spend millions lobbying Congress.”175 There are serious real online threats, and security firms, government agencies, the military, and private companies clearly must invest to protect against such threats. But as with the Cold War bomber and missile gap frenzies, we must be wary of parties with vested interests exaggerating threats, leading to unjustified and superfluous defense spending in the name of national security. Don’t believe their impacts – the cyber-industrial complex ensures wild exaggeration Jerry Brito (senior research fellow at the Mercatus Center and directs the Technology Policy Program at George Mason University) and Tate Watkins (research associate for the Technology Policy Program and the State and Local Policy Project at George Mason University) April 26, 2011 “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber_bomb.pdf The rhetoric of “cyber doom”2 employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. 
This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well. Even new cyberterror threats are exaggerated Tom Espiner (writer for ZDnet) January 2011 “Cyber-war risk is exaggerated, says OECD study” http://www.zdnet.co.uk/news/security/2011/01/17/cyber-war-risk-is-exaggerated-says-oecd-study40091451/ In a cyber-warfare report released on Monday, the OECD said that the risk of a catastrophic attack on critical national systems has been exaggerated. The majority of cyberattacks are low level and cause inconvenience rather than serious or long-term disruption, according to report co-author professor Peter Sommer of the London School of Economics. "There are many scare stories, which, when you test, don't actually pan out," Sommer said. "When you analyse malware, a lot is likely to be short term, or fail." Sophisticated malware such as Stuxnet, which targets industrial control processes, is the exception, not the norm, according to Sommer. Stuxnet used a number of zero-day vulnerabilities to target programmable logic controllers in frequency converter drives used mainly to control motors in uranium-enrichment facilities. Policy makers should be aware that a number of different cyber-events, disasters or physical attacks could come together to create a "perfect storm", says the report. However, a pure cyber-war would be unlikely to occur, with attacks on computer systems more likely to be used in conjunction with other, physical types of attacks. 
No motivation – terrorists perceive other methods as more worthwhile Sandeep Bhardwaj (Research Officer, Institute of Peace and Conflict Studies) August 2008 “Cyberterrorism: Threat Exaggerated?” http://www.ipcs.org/Terrorism_kashmirLevel2.jsp?action=showView&kValue=2675&subCatID=1014&status=article&mod=g In conclusion, while the threat of cyber terrorism in terms of hacking, viruses and cyber attacks remains real, it is less serious than it is perceived to be. For a terrorist, a simple cost-benefit analysis would make clear that an IED, built with much less technical know-how, has a much larger impact than bringing down government networks. However, a much more pertinent and significant threat which is often ignored, is the help terrorists get from internet to make their operations easier, global and hence more effective. The internet is a tool that can be used to increase productivity and this could well refer to how much destruction can be caused in the world. Cyberterror risk is exaggerated– but the really catastrophic attacks are impossible to pull off Peter Singer 2012 Director, 21st Century Defense Initiative, Senior Fellow, Foreign Policy, November 2012, “The Cyber Terror Bogeyman”, Brookings, http://www.brookings.edu/research/articles/2012/11/cyber-terror-singer About 31,300. That is roughly the number of magazine and journal articles written so far that discuss the phenomenon of cyber terrorism. Zero. That is the number of people who have been hurt or killed by cyber terrorism at the time this went to press. In many ways, cyber terrorism is like the Discovery Channel’s “Shark Week,” when we obsess about shark attacks despite the fact that you are roughly 15,000 times more likely to be hurt or killed in an accident involving a toilet. But by looking at how terror groups actually use the Internet, rather than fixating on nightmare scenarios, we can properly prioritize and focus our efforts. Part of the problem is the way we talk about the issue. 
The FBI defines cyber terrorism as a “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.” A key word there is “violence,” yet many discussions sweep all sorts of nonviolent online mischief into the “terror” bin. Various reports lump together everything from Defense Secretary Leon Panetta’s recent statements that a terror group might launch a “digital Pearl Harbor” to Stuxnet-like sabotage (ahem, committed by state forces) to hacktivism, WikiLeaks and credit card fraud. As one congressional staffer put it, the way we use a term like cyber terrorism “has as much clarity as cybersecurity — that is, none at all.” Another part of the problem is that we often mix up our fears with the actual state of affairs. Last year, Deputy Defense Secretary William Lynn, the Pentagon’s lead official for cybersecurity, spoke to the top experts in the field at the RSA Conference in San Francisco. “It is possible for a terrorist group to develop cyber-attack tools on their own or to buy them on the black market,” Lynn warned. “A couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage.” The deputy defense secretary was conflating fear and reality, not just about what stimulant-drinking programmers are actually hired to do, but also what is needed to pull off an attack that causes meaningful violence. The requirements go well beyond finding top cyber experts. Taking down hydroelectric generators, or designing malware like Stuxnet that causes nuclear centrifuges to spin out of sequence doesn’t just require the skills and means to get into a computer system. It’s also knowing what to do once you are in. To cause true damage requires an understanding of the devices themselves and how they run, the engineering and physics behind the target. 
The Stuxnet case, for example, involved not just cyber experts well beyond a few wearing flip-flops, but also experts in areas that ranged from intelligence and surveillance to nuclear physics to the engineering of a specific kind of Siemens-brand industrial equipment. It also required expensive tests, not only of the software, but on working versions of the target hardware as well. As George R. Lucas Jr., a professor at the U.S. Naval Academy, put it, conducting a truly mass-scale action using cyber means “simply outstrips the intellectual, organizational and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises.” Lucas said the threat of cyber terrorism has been vastly overblown. “To be blunt, neither the 14-year-old hacker in your next-door neighbor’s upstairs bedroom, nor the two- or three-person al-Qaida cell holed up in some apartment in Hamburg are going to bring down the Glen Canyon and Hoover dams,” he said. No cyber war A Cyber war will never happen Anna Leach 10/20/11, Author for The Journal of Strategic Studies, “killer cyberattacks won't happen”, http://www.theregister.co.uk/2011/10/20/cyber_war_wont_be_real/ People worried about a cyber-war should calm down and stop worrying because it will never happen, a war studies academic has said. In the paper Cyber War Will Not Take Place Dr Thomas Rid confidently argues that hacking and computer viruses never actually kill people. An act of war must have the potential to be lethal, says Dr Rid, of King's College London, writing in The Journal of Strategic Studies, but hacking and cyber-attacks have much more in common with spying than, say, nuclear bombs. He believes that although a "cyber war" conforms to the traditional definition of a two-sided conflict, a lethal one will never take place. 
"The threat intuitively makes sense," Dr Rid says. "Almost everybody has an iPhone, an email address and a Facebook account. We feel vulnerable to cyber-attack every day. Cyber-war seems the logical next step." But worriers are misguided: Dr Rid states that to constitute cyber-warfare an action must be a "potentially lethal, instrumental and political act of force, conducted through the use of software". Yet, he says, no single cyber attack has ever been classed as such and no single digital onslaught has ever constituted an act of war. He concludes: "Politically motivated cyber-attacks are simply a more sophisticated version of activities that have always occurred within warfare: sabotage, espionage and subversion." Wait for those deadly country-wide digital infrastructure attacks, Dr Rid, just you wait. No impact to cyber war/ won’t escalate Fox 11—Assistant Editor, InnovationNewsDaily (Stuart, 2 July 2011, “Why Cyberwar Is Unlikely,” http://www.securitynewsdaily.com/cyberwar-unlikely-deterrence-cyber-war-0931) In the two decades since cyberwar first became possible, there hasn't been a single event that politicians, generals and security experts agree on as having passed the threshold for strategic cyberwar. In fact, the attacks that have occurred have fallen so far short of a proper cyberwar that many have begun to doubt that cyberwarfare is even possible. The reluctance to engage in strategic cyberwarfare stems mostly from the uncertain results such a conflict would bring, the lack of motivation on the part of the possible combatants and their shared inability to defend against counterattacks. Many of the systems that an aggressive cyberattack would damage are actually as valuable to any potential attacker as they would be to the victim. The five countries capable of large-scale cyberwar (Israel, the U.S., the U.K., Russia and China) have more to lose if a cyberwar were to escalate into a shooting war than they would gain from a successful cyberattack. 
"The half-dozen countries that have cyber capability are deterred from cyberwar because of the fear of the American response. Nobody wants this to spiral out of control," said James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International Studies in Washington, D.C. "The countries that are capable of doing this don't have a reason to," Lewis added. "Chinese officials have said to me, 'Why would we bring down Wall Street when we own so much of it?' They like money almost as much as we do." Big deterrent: retaliation Deterrence plays a major factor in preventing cyberwar. Attacks across the Internet would favor the aggressor so heavily that no country has developed an effective defense. Should one country initiate a cyberattack, the victim could quickly counter-attack, leaving both countries equally degraded, Lewis told InnovationNewsDaily. Even if an attacker were to overcome his fear of retaliation, the low rate of success would naturally give him pause. Any cyberattack would target the types of complex systems that could collapse on their own, such as electrical systems or banking networks. But experience gained in fixing day-to-day problems on those systems would allow the engineers who maintain them to quickly undo damage caused by even the most complex cyberattack, said George Smith, a senior fellow at Globalsecurity.org in Alexandria, Va. "You mean to tell me that the people who work the electrical system 24 hours a day don't respond to problems? What prevents people from turning the lights right back on?" Smith told SecurityNewsDaily. "And attacks on the financial system have always been a non-starter for me. I mean, [in 2008] the financial system attacked the U.S.!" Cyber war infeasible Paul Clark, 2012 MA candidate – Intelligence Studies @ American Military University, senior analyst – Chenega Federal Systems, 4/28/’12 (Paul, “The Risk of Disruption or Destruction of Critical U.S. 
Infrastructure by an Offensive Cyber Attack,” American Military University) The Department of Homeland Security worries that our critical infrastructure and key resources (CIKR) may be exposed, both directly and indirectly, to multiple threats because of CIKR reliance on the global cyber infrastructure, an infrastructure that is under routine cyberattack by a “spectrum of malicious actors” (National Infrastructure Protection Plan 2009). CIKR in the extremely large and complex U.S. economy spans multiple sectors including agricultural, finance and banking, dams and water resources, public health and emergency services, military and defense, transportation and shipping, and energy (National Infrastructure Protection Plan 2009). The disruption and destruction of public and private infrastructure is part of warfare, without this infrastructure conflict cannot be sustained (Geers 2011). Cyber-attacks are desirable because they are considered to be a relatively “low cost and long range” weapon (Lewis 2010), but prior to the creation of Stuxnet, the first cyber-weapon, the ability to disrupt and destroy critical infrastructure through cyber-attack was theoretical. The movement of an offensive cyber-weapon from conceptual to actual has forced the United States to question whether offensive cyber-attacks are a significant threat that are able to disrupt or destroy CIKR to the level that national security is seriously degraded. It is important to understand the risk posed to national security by cyberattacks to ensure that government responses are appropriate to the threat and balance security with privacy and civil liberty concerns. The risk posed to CIKR from cyber-attack can be evaluated by measuring the threat from cyber-attack against the vulnerability of a CIKR target and the consequences of CIKR disruption. As the only known cyber-weapon, Stuxnet has been thoroughly analyzed and used as a model for predicting future cyber-weapons. The U.S. 
electrical grid, a key component in the CIKR energy sector, is a target that has been analyzed for vulnerabilities and the consequences of disruption predicted – the electrical grid has been used in multiple attack scenarios including a classified scenario provided to the U.S. Congress in 2012 (Rohde 2012). Stuxnet will serve as the weapon and the U.S. electrical grid will serve as the target in this risk analysis that concludes that there is a low risk of disruption or destruction of critical infrastructure from an offensive cyber-weapon because of the complexity of the attack path, the limited capability of non-state adversaries to develop cyber-weapons, and the existence of multiple methods of mitigating the cyber-attacks. To evaluate the threat posed by a Stuxnet-like cyber-weapon, the complexity of the weapon, the available attack vectors for the weapon, and the resilience of the weapon must be understood. The complexity – how difficult and expensive it was to create the weapon – identifies the relative cost and availability of the weapon; inexpensive and simple to build will be more prevalent than expensive and difficult to build. Attack vectors are the available methods of attack; the larger the number, the more severe the threat. For example, attack vectors for a cyberweapon may be email attachments, peer-to-peer applications, websites, and infected USB devices or compact discs. Finally, the resilience of the weapon determines its availability and affects its usefulness. A useful weapon is one that is resistant to disruption (resilient) and is therefore available and reliable. These concepts are seen in the AK-47 assault rifle – a simple, inexpensive, reliable and effective weapon – and carry over to information technology structures (Weitz 2012). 
The evaluation of Stuxnet identified malware that is “unusually complex and large” and required code written in multiple languages (Chen 2010) in order to complete a variety of specific functions contained in a “vast array” of components – it is one of the most complex threats ever analyzed by Symantec (Falliere, Murchu and Chien 2011). To be successful, Stuxnet required a high level of technical knowledge across multiple disciplines, a laboratory with the target equipment configured for testing, and a foreign intelligence capability to collect information on the target network and attack vectors (Kerr, Rollins and Theohary 2010). The malware also needed careful monitoring and maintenance because it could be easily disrupted; as a result Stuxnet was developed with a high degree of configurability and was upgraded multiple times in less than one year (Falliere, Murchu and Chien 2011). Once introduced into the network, the cyber-weapon then had to utilize four known vulnerabilities and four unknown vulnerabilities, known as zero-day exploits, in order to install itself and propagate across the target network (Falliere, Murchu and Chien 2011). Zero-day exploits are incredibly difficult to find and fewer than twelve out of the 12,000,000 pieces of malware discovered each year utilize zero-day exploits and this rarity makes them valuable, zero-days can fetch $50,000 to $500,000 each on the black market (Zetter 2011). The use of four rare exploits in a single piece of malware is “unprecedented” (Chen 2010). Along with the use of four unpublished exploits, Stuxnet also used the “first ever” programmable logic controller rootkit, a Windows rootkit, antivirus evasion techniques, intricate process injection routines, and other complex interfaces (Falliere, Murchu and Chien 2011) all wrapped up in “layers of encryption like Russian nesting dolls” (Zetter 2011) – including custom encryption algorithms (Karnouskos 2011). 
As the malware spread across the now-infected network it had to utilize additional vulnerabilities in proprietary Siemens industrial control software (ICS) and hardware used to control the equipment it was designed to sabotage. Some of these ICS vulnerabilities were published but some were unknown and required such a high degree of inside knowledge that there was speculation that a Siemens employee had been involved in the malware design (Kerr, Rollins and Theohary 2010). The unprecedented technical complexity of the Stuxnet cyber-weapon, along with the extensive technical and financial resources and foreign intelligence capabilities required for its development and deployment, indicates that the malware was likely developed by a nation-state (Kerr, Rollins and Theohary 2010). Stuxnet had very limited attack vectors. When a computer system is connected to the public Internet a host of attack vectors are available to the cyber-attacker (Institute for Security Technology Studies 2002). Web browser and browser plug-in vulnerabilities, cross-site scripting attacks, compromised email attachments, peer-to-peer applications, operating system and other application vulnerabilities are all vectors for the introduction of malware into an Internet-connected computer system. Networks that are not connected to the public internet are “air gapped,” a technical colloquialism to identify a physical separation between networks. Physical separation from the public Internet is a common safeguard for sensitive networks including classified U.S. government networks. If the target network is air gapped, infection can only occur through physical means – an infected disk or USB device that must be physically introduced into a possibly access controlled environment and connected to the air gapped network. 
The first step of the Stuxnet cyber-attack was to initially infect the target networks, a difficult task given the probable disconnected and well secured nature of the Iranian nuclear facilities. Stuxnet was introduced via a USB device to the target network, a method that suggests that the attackers were familiar with the configuration of the network and knew it was not connected to the public Internet (Chen 2010). This assessment is supported by two rare features in Stuxnet – having all necessary functionality for industrial sabotage fully embedded in the malware executable along with the ability to self-propagate and upgrade through a peer-to-peer method (Falliere, Murchu and Chien 2011). Developing an understanding of the target network configuration was a significant and daunting task based on Symantec’s assessment that Stuxnet repeatedly targeted a total of five different organizations over nearly one year (Falliere, Murchu and Chien 2011) with physical introduction via USB drive being the only available attack vector. The final factor in assessing the threat of a cyber-weapon is the resilience of the weapon. There are two primary factors that make Stuxnet non-resilient: the complexity of the weapon and the complexity of the target. Stuxnet was highly customized for sabotaging specific industrial systems (Karnouskos 2011) and needed a large number of very complex components and routines in order to increase its chance of success (Falliere, Murchu and Chien 2011). The malware required eight vulnerabilities in the Windows operating system to succeed and therefore would have failed if those vulnerabilities had been properly patched; four of the eight vulnerabilities were known to Microsoft and subject to elimination (Falliere, Murchu and Chien 2011). 
Stuxnet also required that two drivers be installed and required two stolen security certificates for installation (Falliere, Murchu and Chien 2011); driver installation would have failed if the stolen certificates had been revoked and marked as invalid. Finally, the configuration of systems is ever-changing as components are upgraded or replaced. There is no guarantee that the network that was mapped for vulnerabilities had not changed in the months, or years, it took to craft Stuxnet and successfully infect the target network. Had specific components of the target hardware changed – the targeted Siemens software or programmable logic controller – the attack would have failed. Threats are less of a threat when identified; this is why zero-day exploits are so valuable. Stuxnet went to great lengths to hide its existence from the target and utilized multiple rootkits, data manipulation routines, and virus avoidance techniques to stay undetected. The malware’s actions occurred only in memory to avoid leaving traces on disk, it masked its activities by running under legal programs, employed layers of encryption and code obfuscation, and uninstalled itself after a set period of time, all efforts to avoid detection because its authors knew that detection meant failure. As a result of the complexity of the malware, the changeable nature of the target network, and the chance of discovery, Stuxnet is not a resilient system. It is a fragile weapon that required an investment of time and money to constantly monitor, reconfigure, test and deploy over the course of a year. There is concern, with Stuxnet developed and available publicly, that the world is on the brink of a storm of highly sophisticated Stuxnet-derived cyber-weapons which can be used by hackers, organized criminals and terrorists (Chen 2010). 
As former counterterrorism advisor Richard Clarke describes it, there is concern that the technical brilliance of the United States “has created millions of potential monsters all over the world” (Rosenbaum 2012). Hyperbole aside, technical knowledge spreads. The techniques behind cyber-attacks are “constantly evolving and making use of lessons learned over time” (Institute for Security Technology Studies 2002) and the publication of the Stuxnet code may make it easier to copy the weapon (Kerr, Rollins and Theohary 2010). However, this is something of a zero-sum game because knowledge works both ways and cyber-security techniques are also evolving, and “understanding attack techniques more clearly is the first step toward increasing security” (Institute for Security Technology Studies 2002). Vulnerabilities are discovered and patched, intrusion detection and malware signatures are expanded and updated, and monitoring and analysis processes and methodologies are expanded and honed. Once the element of surprise is lost, weapons and tactics are less useful, this is the core of the argument that “uniquely surprising” stratagems like Stuxnet are single-use, like Pearl Harbor and the Trojan Horse, the “very success [of these attacks] precludes their repetition” (Mueller 2012). This paradigm has already been seen in the “son of Stuxnet” malware – named Duqu by its discoverers – that is based on the same modular code platform that created Stuxnet (Ragan 2011). With the techniques used by Stuxnet now known, other variants such as Duqu are being discovered and countered by security researchers (Laboratory of Cryptography and System Security 2011). It is obvious that the effort required to create, deploy, and maintain Stuxnet and its variants is massive and it is not clear that the rewards are worth the risk and effort. 
Given the location of initial infection and the number of infected systems in Iran (Falliere, Murchu and Chien 2011) it is believed that Iranian nuclear facilities were the target of the Stuxnet weapon. A significant amount of money and effort was invested in creating Stuxnet but yet the expected result – assuming that this was an attack that expected to damage production – was minimal at best. Iran claimed that Stuxnet caused only minor damage, probably at the Natanz enrichment facility, the Russian contractor Atomstroyeksport reported that no damage had occurred at the Bushehr facility, and an unidentified “senior diplomat” suggested that Iran was forced to shut down its centrifuge facility “for a few days” (Kerr, Rollins and Theohary 2010). Even the most optimistic estimates believe that Iran’s nuclear enrichment program was only delayed by months, or perhaps years (Rosenbaum 2012). The actual damage done by Stuxnet is not clear (Kerr, Rollins and Theohary 2010) and the primary damage appears to be to a higher number than average replacement of centrifuges at the Iran enrichment facility (Zetter 2011). Different targets may produce different results. The Iranian nuclear facility was a difficult target with limited attack vectors because of its isolation from the public Internet and restricted access to its facilities. What is the probability of a successful attack against the U.S. electrical grid and what are the potential consequences should this critical infrastructure be disrupted or destroyed? An attack against the electrical grid is a reasonable threat scenario since power systems are “a high priority target for military and insurgents” and there has been a trend towards utilizing commercial software and integrating utilities into the public Internet that has “increased vulnerability across the board” (Lewis 2010). 
Yet the increased vulnerabilities are mitigated by an increased detection and deterrent capability that has been “honed over many years of practical application” now that power systems are using standard, rather than proprietary and specialized, applications and components (Leita and Dacier 2012). The security of the electrical grid is also enhanced by increased awareness after a smart-grid hacking demonstration in 2009 and the identification of the Stuxnet malware in 2010; as a result the public and private sector are working together in an “unprecedented effort” to establish robust security guidelines and cyber security measures (Gohn and Wheelock 2010).

Their authors conflate threats

Paul Clark, MA candidate – Intelligence Studies @ American Military University, senior analyst – Chenega Federal Systems, 2012 (Paul, “The Risk of Disruption or Destruction of Critical U.S. Infrastructure by an Offensive Cyber Attack,” American Military University)

This increased focus on cyber-security has led to concern that the perceived risk is greater than the actual risk, a situation that has resulted in an imbalance between security and privacy and civil liberties (American Civil Liberties Union 2012). In 1993 a Rand Corporation paper predicted that “cyberwar is coming” and twenty years later the prediction is the same and critics argue that cyber-war is “more hype than hazard” (Rid 2012). A review of high profile cyberattacks shows that, with the exception of Stuxnet and the limited Israeli disruption of Syrian air defense networks, most cyberattacks are categorized as information theft, network compromise, or website defacement (Lewis 2012). Even the high profile threat of an “Electronic Pearl Harbor” (Bronk 2009), despite being repeated by senior government officials like U.S. Defense Secretary Leon Panetta (Rid 2012), has been found to be only a slight possibility (Wilson 2005). There is no doubt that cyber-security is important. 
Businesses recognize this importance and spent more than $80 billion on computer network security in 2011 (Johnson 2012) and the federal government is expected to be spending $10.5 billion per year by 2015 (Brito and Watkins 2012). This response is appropriate when data shows that the vast majority of cyber-attacks are focused on espionage and the theft of intellectual property. It is not clear why senior government officials and corporate executives focus on high-impact low-probability events and engage in “alarmist rhetoric” (Brito and Watkins 2011) that skews the public perception of risk and creates an atmosphere of fear. The danger of an inappropriate response in reaction to an inflated threat and prevalence of misinformation is exemplified by the politicized intelligence that led to the invasion of Iraq in 2003 (Brito and Watkins 2011). Understanding how information on the risk posed by cyber-attacks is poorly communicated and the public reaction to an increased perception of risk – fear – is important in identifying when the perceived risk is greater than the actual risk; when risk is more hype than threat. Critics of current cyber-security policy believe that threats are being conflated; this results in a threat appearing larger than it is (Brito and Watkins 2012). In essence, a wide variety of cyber-activity – political and social activity, criminal activity for profit, espionage, and offensive cyber-attack – are treated as presenting the same level of threat. There is a wide divide between easily mounted and easily defended denial of service attacks on public websites and high-potential cyber-weapons capable of severely disrupting or destroying critical infrastructure (Rid and McBurney 2012). 
The rise of automated tools that allow for low-level cyber-attacks to be easily mounted has caused a significant increase in the number of cyber-attacks, a statistic often cited as proof of increased risk, but qualified cyber-security organizations have discarded the number of cyberattacks as a metric and consider it to be meaningless (Wilson 2005). Without as a method of assessing the scope and effects of cyber-attacks differentiating between generic malicious software and highly specialized and targeted offensive cyberattacks, the risk of cyber-attacks on critical infrastructure systems like the electrical grid cannot be properly assessed.

The threshold for this impact is incredibly high – no chance of serious cyber war

Dr. James A. Lewis, senior fellow at CSIS where he writes on technology, national security and the international economy, October 2009 “The “Korean” Cyber Attacks and Their Implications for Cyber Conflict” http://csis.org/files/publication/091023_Korean_Cyber_Attacks_and_Their_Implications_for_Cyber_Conflict.pdf

Only a few nations – Russia, China, Israel, France, the United States, and the United Kingdom, and perhaps a small number of the most sophisticated cyber criminals – have the advanced capabilities needed to launch a cyber attack that could do serious and long-term damage equivalent to sabotage or bombing and thus rise to the level of an act of war. A sophisticated attack against infrastructure requires planning, reconnaissance, resources and skills that are currently available only to these advanced cyber attackers. As part of their larger military planning, these nations have likely planned to launch such attacks in the event of a crisis.8 Such attacks are not yet within the scope of capabilities possessed by most non-state hackers. Serious cyber attack independent of some larger conflict is unlikely. 
To transpose cyber to the physical world, there are remarkably few instances of a nation engaging in covert sabotage attacks against another nation (particularly larger powers) unless they were seeking to provoke or if conflict was imminent. The political threshold for serious cyber attack (as opposed to espionage) by a nation-state is very high, likely as high as the threshold for conventional military action. At a minimum, this suggests that a serious cyber attack is a precursor, a warning, that some more serious conflict is about to begin. Absent such larger conflict, however, a nation-state is no more likely to launch a serious cyber attack than they are to shoot a random missile at an opponent.9 The risk is too great and the benefits of a cyber attack by itself too small for political leaders to authorize the use of this capability in anything short of a situation where they had already decided on military action. Cyber weapons are not decisive; cyber attack by itself will not win a conflict, particularly against a large and powerful opponent. It is striking that to date, no cyber "attack" that rises above the level of espionage or crime has been launched outside of a military conflict.

It’s literally impossible for terrorists to hack into and fire U.S. nuclear weapons because they have no connection to any outside networks

Newman, Slate Reporter, 4-28-14 (Lily Hay, “Why U.S. Nuclear Missile Silos Rely on Decades-Old Technology,” accessed 3-14-15, http://www.slate.com/blogs/future_tense/2014/04/28/huge_floppy_disks_and_other_old_tech_is_common_at_air_force_nuclear_missile.html)

You'd probably expect to encounter all sorts of crazy technology in a U.S. Air Force nuclear silo. One you might not expect: floppy disks. Leslie Stahl of CBS's 60 Minutes reported from a Wyoming nuclear control center for a segment that aired on Sunday, and the Cold War-era tech she found is pretty amazing. But it also makes sense. 
The government built facilities for the Minuteman missiles in the 1960s and 1970s, and though the missiles have been upgraded numerous times to make them safer and more reliable, the bases themselves haven't changed much. And there isn't a lot of incentive to upgrade them. ICBM forces commander Maj. Gen. Jack Weinstein told Stahl that the bases have extremely tight IT and cyber security, because they're not Internet-connected and they use such old hardware and software. While on the base, missileers showed Stahl the 8-inch floppy disks they use as part of launch commands for the missiles. Later, in an interview with Weinstein, Stahl described the disk she was shown as "gigantic," and said she had never seen one that big. Weinstein explained, "Those older systems provide us some, I will say, huge safety, when it comes to some cyber issues that we currently have in the world."

A2 Cyber-attack collapses economy

At most $1 billion in economic damage

Martin Libicki, October 2014, A Dangerous World? Threat Perceptions and US National Security, ed. Christopher Peeble & John Mueller, Martin Libicki is a senior management scientist at the RAND Corporation, where his research focuses on the effects of information technology on domestic and national security. He is the author of several books, including Conquest in Cyberspace: National Security and Information Warfare and Information Technology Standards: Quest for the Common Byte. He has also written two cyberwar monographs: Cyberwar and Cyberdeterrence and Crisis and Escalation in Cyberspace. Prior to joining RAND, Libicki was a senior fellow at the National Defense University, page # at end of card

The immediate and direct damage from a major cyberattack can range from zero to tens of billions of dollars (e.g., from a broad outage of electric power). 
Direct casualties would likely be few, and indirect casualties may have to be inferred from guessing what would have happened if, say, emergency 911 service had not been taken down. In this essay’s scenario, total damage would likely be less than $1 billion. Indirect effects may be larger if a cyberattack causes a great loss of confidence—in the banking system, for example, which could trigger a recession. But it is a stretch to argue that even a cyberattack that stopped the banking system completely (much less the sort that merely prevented 24–7 access to a bank’s website) would damage customers’ confidence that their bank accounts would maintain their integrity. NASDAQ’s three-hour shutdown on August 22, 2013, for example, did not spark a wave of selling. It would require data corruption (e.g., depositors’ accounts being zeroed out) rather than temporary disruption, before an attack would likely cause depositors to question whether their deposits are safe.

A2 Grid attacks

No long-term shut-down of the power grid

Martin Libicki, October 2014, A Dangerous World? Threat Perceptions and US National Security, ed. Christopher Peeble & John Mueller, Martin Libicki is a senior management scientist at the RAND Corporation, where his research focuses on the effects of information technology on domestic and national security. He is the author of several books, including Conquest in Cyberspace: National Security and Information Warfare and Information Technology Standards: Quest for the Common Byte. He has also written two cyberwar monographs: Cyberwar and Cyberdeterrence and Crisis and Escalation in Cyberspace. 
Prior to joining RAND, Libicki was a senior fellow at the National Defense University, page # at end of card

Compared with terrorism involving conventional explosives, the ratio of death and destruction from cyberattacks is likely to be several orders of magnitude lower; in that respect, 9/11 was an outlier among terrorist attacks, with the March 11, 2004, Madrid attacks or the July 7, 2005, London attacks being more typical. It is by no means clear what the worst plausible disaster emanating from cyberspace might be (it is far clearer that it would not come from Iran, whose skills at cyberwarfare likely pale in comparison with China’s, much less Russia’s). Doomsayers argue that a coordinated attack on the national power grid that resulted in the loss of electric power for years would lead to widespread death from disease (absent refrigeration of medications) and starvation (the preelectrified farm sector was far less productive than today’s). But even if their characterization of the importance of electricity were not exaggerated (it is), killing electric power for that long requires that equipment with lengthy repair times (e.g., transformers, few of which are made here) be broken. (2014-10-14). A Dangerous World? Threat Perception and U.S. National Security (Kindle Locations 2599-2604). Cato Institute. Kindle Edition.

Grid resilience means no impact and no attempt

Kaplan 07 (Eben–Associated Editor at the Council of Foreign Relations, “America’s Vulnerable Energy Grid,” 4-27-2007, http://www.cfr.org/publication/13153/americas_vulnerable_energy_grid.html)

Attacks on infrastructure are an almost daily fact of life in Iraq. Experts caution the war in that country will produce a whole generation of terrorists who have honed their skills sabotaging infrastructure. In his recent book, The Edge of Disaster, CFR security expert Stephen E. 
Flynn cautions, “The terrorist skills acquired are being catalogued and shared in Internet chat rooms.” But when it comes to Iraq’s electrical grid, RAND economist Keith W. Crane says terrorists are not the main cause of disruptions: “Most of the destruction of the control equipment was looting,” he says. Either way, Clark W. Gellings, vice president of the Electric Power Research Institute, an industry research organization, thinks the U.S. grid is an unlikely target. “It’s not terribly sensational,” he explains, “The system could overcome an attack in hours, or at worst, days.” That said, attacks on electricity infrastructure could become common in future warfare: The U.S. military has designed an entire class of weapons designed to disable power grids.

Terrorism DA Updates

Surveillance solves terrorism

Intelligence is the best way we have to prevent new terrorist attacks

Jason Howerton Jun. 10, 2013 7:00pm Here Is the Pro-NSA Surveillance Argument http://www.theblaze.com/stories/2013/06/10/here-is-the-pro-nsa-surveillance-argument/

In his weekly column for the Washington Post, Marc A. Thiessen calls out critics who believe the NSA’s surveillance is overreaching and reminiscent of George Orwell’s “1984.” “If the critics don’t think the NSA should be collecting this information, perhaps they would like to explain just how they would have us stop new terrorist attacks,” he writes. Thiessen goes on to point out the various ways that President Barack Obama has stifled the federal government’s ability to gather intelligence. By his estimation, without the ability to monitor the “enemy’s phone calls and Internet communications,” there would be no effective way to protect the country. “Terrorists don’t have armies or navies we can track with satellites. There are only three ways we can get information to prevent terrorist attacks: The first is interrogation — getting the terrorists to tell us their plans. But thanks to Barack Obama, we don’t do that anymore. 
The second is penetration, either by infiltrating agents into al-Qaeda or by recruiting operatives from within the enemy’s ranks. This is incredibly hard — and it got much harder, thanks to the leak exposing a double agent, recruited in London by British intelligence, who had penetrated al-Qaeda in the Arabian Peninsula and helped us break up a new underwear bomb plot in Yemen — forcing the extraction of the agent. That leaves signals intelligence — monitoring the enemy’s phone calls and Internet communications — as our principal source of intelligence to stop terrorist plots. Now the same critics who demanded Obama end CIA interrogations are outraged that he is using signals intelligence to track the terrorists. Well, without interrogations or signals intelligence, how exactly is he supposed to protect the country?

Status quo internet surveillance prevents terrorism

Williams Janbek, Ph.D, and Valerie Williams 2014 Williams and Valerie, Spring/Summer Ed. The Brown Journal of World Affairs, 20.2, “The Role of the Internet in post-9/11 Terrorism and Counterterrorism,”

The way in which terrorists utilize the Internet has continuously evolved since 9/11. U.S. intelligence, law enforcement, and security agencies have responded by significantly expanding their counterterrorism workforce, conducting undercover operations, and increasing surveillance of communications and online activity. Collaboration between these agencies has been vital to the nation's counterterrorism efforts; information gathered by the National Security Agency (NSA)'s surveillance technology is shared with the FBI for use in investigations.20 Though these strategies have arguably stopped potential attacks on U.S. soil, media outlets have questioned the ethics behind undercover operations and advanced surveillance technologies.¶ Due to varying motivations, levels of expertise, and tactics of extremist groups and individuals, the FBI acknowledges terrorism as a complex threat. 
As a response, the agency has increased its number of agents by 40 percent and now allocates approximately half of its resources to counterterrorism and the remaining half to all other criminal activity.21 Between 2001 and 2011, the agency has almost tripled its intelligence analyst workforce.22 It has also increased the number of Joint Terrorism Task Force (JTTF) partnerships from 35 to over 100.23 JTTF partnerships exist between law enforcement agencies across the country that share essential information with each other. These partnerships contribute resources, enhance operational capability, and significantly expand the FBI's intelligence base. According to the FBI, "JTTFs have been instrumental in breaking up cells...[and] they've foiled attacks on the Fort Dix Army base in New Jersey, on the JFK International Airport in New York, and on various military and civilian targets in Los Angeles."24¶ In addition to expanding its labor force, the FBI has adapted its investigative approach to more proactive, intelligence-led strategies to combat terrorist attacks. These strategies are specifically tailored to the targeted suspect, requiring agents to utilize unique skill sets and language abilities for undercover operations. The FBI implements a variety of undercover tactics on the Internet, at times creating terrorist-network recruiting websites convincing enough to attract potential terrorists. When 18-year-old would-be terrorist Abdella Ahmad Tounisi was searching the Internet for Jabhat al-Nusra, an al-Qaeda branch in Syria, he found one of these sites. 
Created and maintained by the FBI, the page featured pictures and videos of armed fighters in masks and fatigues intended to depict terrorist training.25 A section of the site, titled "A Call for Jihad in Syria," urged visitors to "come and join your lion brothers of Jabhat Al-Nusra who are fighting under the true banner of Islam, come and join your brothers, the heroes of Jabhat Al-Nusra."26 When Tounisi contacted the website's recruiter, who in reality was an FBI agent, they exchanged email messages in which the teen divulged his detailed plan to engage in jihad in Syria. As a result of this communication, the agency was able to arrest Tounisi in 2013 at Chicago's O'Hare International Airport before his flight across seas. Tounisi was ultimately charged with attempting to provide material support to a foreign terrorist organization and lying to federal authorities.¶ The FBI utilizes specially trained undercover agents to befriend and earn the trust of domestic terror suspects similar to Tounisi. This strategy allows agents to monitor terrorism plots in their beginning stages and intercept forum posts and emails from individual suspects before they catch the attention of authentic extremist organizations. For example, after posting violent messages on an online extremist forum, teenaged Texas resident Hosam Maher Husein Smadi was befriended by an Arabic-speaking FBI agent posing as a member of an al-Qaeda sleeper cell.27 Within months, Smadi and three undercover agents devised a plot to bomb a 60-story corporate building in Dallas, Texas. On the last day of the sting operation in 2009, Smadi attempted to detonate the fake bomb provided by the FBI and was immediately arrested.¶ Once an agent befriends a targeted suspect, plans are developed and if necessary, resources are provided at the target's request. 
Throughout this process, FBI agents attempt to dissuade the suspect, offering him or her a chance to abandon the plan.28 If the individual is adamant in completing the mission-at times seen in attempts to purchase weapons, to leave the country, or to detonate an FBI-provided bomb-he or she is arrested and tried for the crime. This scenario is not uncommon; there have been several cases of homegrown violent extremism fueled by extremist websites, even in individuals as young as 14.29 In cases like these, the FBI asserts that if an individual is susceptible to an undercover agent, he or she would be just as susceptible to an extremist group.30 Although sting operations have been used by law enforcement for decades, this process of befriending and working with potential terrorists online has sparked an ethical debate. Furthermore, some have questioned whether sting operations are the best use of counterterrorism resources. Some consider these operations to be entrapment since the FBI partially devises the plan and provides money, fake bombs, and even vehicles to suspects. In a recent New York Times article, author David Shipler questioned the legitimacy of cultivating potential terrorists instead of finding real ones.31 Shipler dismisses some terror suspects as "incompetent wannabes looking for a cause that the informer or undercover agent skillfully helps them find."32¶ Cases like that of Hosam Smadi exemplify these arguments; Smadi's defense team described him as a troubled youth who suffered from depression and schizophrenia. 33 According to the defense, Smadi was motivated by the undercover agents' praise and companionship.34 Despite their efforts to portray him as a misguided victim of entrapment, Smadi was charged in 2010 with one count of attempting to use a weapon of mass destruction and one count of bombing a public place. He was sentenced to 24 years in prison and deportation upon release. 
According to investigative journalist Trevor Aaronson, no terrorism defendant since 9/11 has won an acquittal using entrapment as a defense.35 Collaborating with prosecutors, undercover operatives determine strategies to prove the suspect's predisposition to committing the crime. Working together, prosecutors and FBI employees document proof to use in court later.36 Though its ethical standards are in question by the public, the FBI's strategies have been successful under legal standards.¶ Undercover operations represent just one investigative technique for identifying terrorists and their networks. FBI operatives also investigate activities of known terrorist organizations, interview locals, and monitor foreign press for intelligence. These traditional, preventative policing techniques are employed in collaboration with online data to compile evidence necessary to prosecute terrorists.37 Although controversy surrounds the agency's sting operations, the FBI reports that it has removed more than 20 of al-Qaeda's top 30 leaders due to the FBI's improvements since 9/11.38 These changes hinder al-Qaeda's efforts in fundraising, recruiting, training, and planning attacks outside their local region. The FBI also says that every major al-Qaeda affiliate has lost its key leader.39 Although these leaders can be replaced, al-Qaeda is forced to use less experienced leaders, degrading their overall efficiency. The FBI credits their achievements to their expansion in intelligence and access to digital records, due in part to post-9/11 legislation.¶ Post-9/11 legislation, including the PATRIOT Act and the FISA (Foreign Intelligence Surveillance Act of 1978) Amendments Act, enables the NSA to gain access to individuals' online activity, employ advanced surveillance technology, and increase the use of National Security Letters. 
National Security Letters, commonly used in counterterrorism investigations, enable agents to collect noncontent consumer information including Internet records, telephone records, and credit reports from third party service providers. Additionally, section 215 of the PATRIOT Act permits the FBI to seize anything tangible from a person for investigations against international terrorism.40 Intelligence officials admit that "the National Security Agency is searching the contents of vast amounts of Americans' email and text communications into and out of the country" for mentions of foreign terrorist suspects under surveillance.41 Relevant data collected by this surveillance is shared with the FBI and their JTTFs to aid investigations.42

NSA surveillance programs disrupt cyber attacks.

Jim Michaels, USA TODAY 1:21 a.m. EDT June 13, 2013 NSA chief: Surveillance programs protect Americans http://www.usatoday.com/story/news/politics/2013/06/12/alexander-nsa-cybersnowden/2415217/

WASHINGTON — Gen. Keith Alexander, director of the National Security Agency, defended his agency and surveillance programs, saying they help protect Americans. "I think what we're doing to protect American citizens here is the right thing," Alexander told members of the Senate Appropriations Committee. "We aren't trying to hide it." Alexander said he favors providing more transparency so the public can learn more about the programs. "This is not us doing something under the covers," Alexander said. Alexander also said NSA programs have led to the disruption of "dozens" of terrorist plots. Alexander said he was pushing for declassifying as much as possible about the programs to improve transparency, but he said those disclosures had to be weighed against potential damage to national security.

Surveillance doesn’t prevent terrorism (general)

Surveillance does not prevent terrorism – claims to the contrary have been completely discredited with evidence. 
CINDY COHN AND NADIA KAYYALI JUNE 2, 2014 The Top 5 Claims That Defenders of the NSA Have to Stop Making to Remain Credible https://www.eff.org/deeplinks/2014/06/top-5-claims-defendersnsa-have-stop-making-remain-credible

The NSA has Stopped 54 Terrorist Attacks with Mass Spying

The discredited claim: NSA defenders have thrown out many claims about how NSA surveillance has protected us from terrorists, including repeatedly declaring that it has thwarted 54 plots. Rep. Mike Rogers says it often. Only weeks after the first Snowden leak, US President Barack Obama claimed: “We know of at least 50 threats that have been averted” because of the NSA’s spy powers. Former NSA Director Gen. Keith Alexander also repeatedly claimed that those programs thwarted 54 different attacks. Others, including former Vice President Dick Cheney have claimed that had the bulk spying programs in place, the government could have stopped the 9/11 bombings, specifically noting that the government needed the program to locate Khalid al Mihdhar, a hijacker who was living in San Diego.

Why it’s not credible: These claims have been thoroughly debunked. First, the claim that the information stopped 54 terrorist plots fell completely apart. In dramatic Congressional testimony, Sen. Leahy forced a formal retraction from NSA Director Alexander in October, 2013: "Would you agree that the 54 cases that keep getting cited by the administration were not all plots, and of the 54, only 13 had some nexus to the U.S.?" Leahy said at the hearing. "Would you agree with that, yes or no?" "Yes," Alexander replied, without elaborating. But that didn’t stop the apologists. We keep hearing the “54 plots” line to this day. As for 9/11, sadly, the same is true. The government did not need additional mass collection capabilities, like the mass phone records programs, to find al Mihdhar in San Diego. As ProPublica noted, quoting Bob Graham, the former chair of the Senate Intelligence Committee: U.S. 
intelligence agencies knew the identity of the hijacker in question, Saudi national Khalid al Mihdhar, long before 9/11 and had the ability to find him, but they failed to do so. "There were plenty of opportunities without having to rely on this metadata system for the FBI and intelligence agencies to have located Mihdhar," says former Senator Bob Graham, the Florida Democrat who extensively investigated 9/11 as chairman of the Senate’s intelligence committee. Moreover, Peter Bergen and a team at the New America Foundation dug into the government’s claims about plots in America, including studying over 225 individuals recruited by al Qaeda and similar groups in the United States and charged with terrorism, and concluded: Our review of the government’s claims about the role that NSA "bulk" surveillance of phone and email communications records has had in keeping the United States safe from terrorism shows that these claims are overblown and even misleading... When backed into a corner, the government’s apologists cite the capture of Zazi, the so-called New York subway bomber. However, in that case, the Associated Press reported that the government could have easily stopped the plot without the NSA program, under authorities that comply with the Constitution. Sens. Ron Wyden and Mark Udall have been saying this for a long time. Both of the President’s hand-picked advisors on mass surveillance concur about the telephone records collection. 
The President’s Review Board issued a report in which it stated “the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks,” The Privacy and Civil Liberties Oversight Board (PCLOB) also issued a report in which it stated, “we have not identified a single instance involving a threat to the United States in which [bulk collection under Section 215 of the Patriot Act] made a concrete difference in the outcome of a counterterrorism investigation.” And in an amicus brief in EFF’s case First Unitarian Church of Los Angeles v. the NSA case, Sens. Ron Wyden, Mark Udall, and Martin Heinrich stated that, while the administration has claimed that bulk collection is necessary to prevent terrorism, they “have reviewed the bulk-collection program extensively, and none of the claims appears to hold up to scrutiny.” Even former top NSA official John Inglis admitted that the phone records program has not stopped any terrorist attacks aimed at the US and at most, helped catch one guy who shipped about $8,000 to a Somalian group that the US has designated as a terrorist group but that has never even remotely been involved in any attacks aimed at the US.