By: Gregory Falco, Stanford University
Martin Eling, University of St. Gallen
Danielle Jablanski, Stanford University
Virginia Miller, Stanford University
Lawrence A. Gordon, University of Maryland
Shaun Shuxun Wang, Nanyang Technological University
Joan Schmit, University of Wisconsin-Madison
Corruption of the information ecosystem is not just a multiplier of two long-acknowledged existential threats to the future of humanity—climate change and nuclear weapons. Cyber-enabled information warfare has also become an existential threat in its own right, its increased use posing the realistic possibility of a global information dystopia, in which the pillars of modern democratic self-government—logic, truth, and reality—are shattered, and anti-Enlightenment values undermine civilization around the world.
Offensive cyber operations have become increasingly important elements of U.S. national security policy. From the deployment of Stuxnet to disrupt Iranian centrifuges to the possible use of cyber methods against North Korean ballistic missile launches, the prominence of offensive cyber capabilities as instruments of national power continues to grow. Yet conceptual thinking lags behind the technical development of these new weapons. How might offensive cyber operations be used in coercion or conflict? What strategic considerations should guide their development and use?
Nations around the world recognize cybersecurity as a critical issue for public policy. They are concerned that their adversaries could conduct cyberattacks against their interests—damaging their military forces, their economies, and their political processes. Thus, their cybersecurity efforts have been devoted largely to protecting important information technology systems and networks against such attacks.
Attribution of malicious cyber activities is a deep issue about which confusion and disquiet can be found in abundance. Attribution has many aspects—technical, political, legal, policy, and so on. A number of well-researched and executed papers cover one or more of these aspects, but integration of these aspects is usually left as an exercise for the analyst. This paper distinguishes between attribution of malicious cyber activity to a machine, to a specific human being pressing the keys that initiate that activity, and to a party that is deemed ultimately responsible for that activity.
On Tuesday March 3, 2015, the Subcommittee on Oversight and Investigations held a hearing entitled, “Understanding the Cyber Threat and Implications for the 21st Century Economy.” This was the first in a series of hearings focused on cyberspace, the Internet, and the challenges and opportunities that they present.
As the fallout from the November 2014 cyber attack on Sony Pictures Entertainment continues, with Sony co-chairman Amy Pascal stepping down this month, it’s still not clear how the story will end, either for the Hollywood luminaries or U.S. national security. Herb Lin writes in this Bulletin of the Atomic Scientists piece that we can learn from the incident and start to formulate responses for the future attacks that will inevitably occur.