HomeWild Blue YonderArticle Display

Wild Blue Yonder Home Page

The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

Wrong Time to Hack: How Deterrence Theory Informs Policy Options in a Time of COVID-19

Wild Blue Yonder / Maxwell AFB, AL --

 

 

NO NETWORK FOUND” are the three words no one wants to see on their smart television or laptop right now. Even before the Coronavirus pandemic, the American way of life grew increasingly connected. From banking to viewing shows; from seeking medical advice to shopping; and from paying taxes to watching the NFL draft, Americans rely upon the Internet. With a fully functional Internet, life amid social distancing goes on. Without it, life gets complicated. In this time of social distancing, strategists consider the unthinkable: what if someone, purposefully or unintentionally, denied Americans access to the Internet? Because the results of such an event are so disruptive, they ask, how can the United States deter such an event?

This article begins by highlighting the risks to the Internet, then presents a summary of deterrence theory to conceptualize a range of options available for senior leaders. A review of the research on the Internet, deterrence theory, national authorities, and limited criminal justice theory suggests that the Department of Defense (DOD), Department of State, Intelligence Community, and the interagency offices for public affairs should support the Federal Bureau of Investigation (FBI) in making high-profile arrests of cyberhackers. By demonstrating a clear threat of punishment, deterrence theory suggests a significant percentage of future hackers will be deterred. By demonstrating capacity and will, the United States can use strategic and criminal justice deterrence theory to protect the American people during this period of increased vulnerability.

The Problem

The stirring idea of a world without the Internet demands explanation. This article refers to the specific global network of users, tiered Internet service providers (ISP), points of presence (PoP), and Internet protocols (IP); and therefore, the article capitalizes the proper noun, Internet. The Internet is inherently vulnerable. All our commerce, social media, banking, and media exist in a virtual community with no central governance of access, usage, or protection. Besides the IP address, and the Domain Name System (DNS), each subordinate network sets its own norms, rules, and standards. The following section shows how cyberattacks in the past have had unintended consequences and the confluence of factors increases the aggregate risk of a complete loss.

Cyberattacks rose 37 percent in March 2020, often composed of “recreational” users, judging by the level of sophistication.1 The web security firm, Barracuda Networks, reported that phishing attempts, when hackers trick users into submitting credit card or personal information, increased by over 600 percent in March.2 This comes as no surprise, given the confluence of unique conditions including a home-bound population reliant on a vulnerable Internet, overburdened local and state governments, and an unprecedented rise in unemployment. Also, many elderly and full-time workers are spending more time on the Internet than ever, and they are the least cyberaware and most vulnerable to these attacks. A cybersecurity awareness company, KnowBe4, reported that 38 percent of users failed to detect realistic phishing scenarios, an increase of 8 percent from 2019.3 This is concerning, however, because the Internet is particularly vulnerable to unintended consequences.

Current pandemic guidelines to “stay at home” exacerbate global dependence upon the Internet. Lucrative targets have always existed in cyberspace. And with spiking unemployment rates, more people have incentives for quick wins.4 Individuals with hacking skills might not have needed to use them previously but now might see limited cost and lucrative gains in doing so. Criminal acts require two things, opportunity and will.5 Less sophisticated hackers can target families, who depend upon the Internet, for blackmail either through threatening exploitation of private information or by preventing access to critical documents until payment.

Malign cyberacts are inherently cruel. Ransomware can hold local governments hostage. In 2018, the SamSam ransomware strain destabilized the city government of Atlanta, Georgia. While the ransom demand was $50,000, the second-order costs Atlanta incurred were more than $3 million.6 In Baltimore, Maryland, a 2018 ransomware attack targeted Baltimore’s 911 and emergency services. Later in 2019, the Robinhood ransomware attack blocked Baltimore city e-mail servers and prevented the city court system from receiving credit card payments. Hackers demanded 13 bitcoins (worth roughly $100,000) for the decryption keys. The Emsisoft Lab estimates that in 2019 alone, ransomware attacks in the United States totaled a potential cost of over $7.5 billion.7

While the US Cyber Strategy primarily addresses state-sponsored cyberthreats, this article focuses on deterring individual cyberattackers. State-supported cyberattacks have a high capacity for damage, but states are deterred by US cybercapabilities as well as physical strikes. The total cost of a cyberattack is hard to quantify. Former FBI agent John Carlin wrote in the Dawn of the Code War that

Today, it’s truly impossible to capture the cost of cybercrime. It’s not like the early days of the FBI when you could just total up the cost of the nation’s stolen cars or add up the amount of money that walked out the front door with bank robbers like John Dillinger. Instead, there’s both real costs—the actual dollars stolen from the bank accounts, business, individuals—and a more subtle cost—the value of ideas, designs, and intellectual property compromised and stolen by hackers.8

Globalization elevated the capacity of and opportunity for individuals to take actions that previously were reserved to sovereign states. Writing in 2000, columnist Thomas Friedman described “Super-empowered individuals” as being a reality in the new globalized twenty-first century. 9 He described individuals with the power of networked organizations who can take action that only states could in the past. Friedman focused on Osama bin Laden, and, soon after on 11 September 2001, bin Laden and al-Qaeda launched the most destructive attack on US soil.

The existential threat to the Internet lies in the inherent naïveté of amateur cyberhackers. Even when individual cyberattackers intend to launch limited attacks, their actions could have catastrophic effects, either by accident or by their naïveté. The WannaCry virus is a good example of a rogue actor’s attacks with unintended effects. WannaCry is a ransomware device attributed to the Lazarus Group of North Korea. Introduced in May 2017, the ransomware encrypts all the files on a computer’s hard drive, then demands a ransom payment in bitcoin for the decryption code. Cybersecurity professionals believe that the WannaCry virus was intended to infect a select group of computers; however, the virus had unintended global effects, affecting 200,000 computers in 150 countries. Some of the hardest-hit targets were the British National Health Service’s computers, MRI scanners, and blood-storage sites. Global economic losses were estimated at $4 billion. The audacity of these attacks on the global commons could originate from any number of rogue actors and could deny military access to space and cyber capabilities indefinitely.10

The COVID-19 pandemic has led to stock market volatility. In the current environment, a cybereffect, purposeful or not, on the New York Stock Exchange servers could erase the stock market. Therefore, deterring individual hackers is of critical importance.

A Review of Deterrence Theory

Deterrence theory informs the options available to senior leaders. The instruments of national power, diplomacy, information, military, and economics (DIME) are all available to policy makers in response to a state-sponsored cyberattack. Deterrence refers to the “[prevention] of adversary action through the presentation of a credible threat of unacceptable counteraction and belief that the cost of action outweighs the perceived benefits.”11 Indeed, “deterrence is most often associated with threats of punishment, and, indeed, that is the most direct way of manipulating an enemy’s cost-benefit calculations while denial-based deterrence strategies entail discouraging an adversary from taking a prohibited action by convincing enemy leaders that such efforts can be countered sufficiently to deny their benefit.”12

The concept of deterrence pervades the 2018 National Cyber Strategy. The document opens with a statement of US intent “to deter and if necessary punish those who use cybertools for malicious purposes . . . activity that is contrary to responsible behavior in cyberspace is deterred through the imposition of costs through cyber and non-cyber means.”13 The document goes on to say, “We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy.”14 The concept of a deterrence strategy deserves an explanation, as the notion of deterrence often conjures images of retaliation in a nuclear conflict, images with little relevance in the cyberworld.

Much of this connotation derives from the early development of deterrence theory during the Cold War. As military, policy, and scientific experts contemplated the employment of nuclear weapons, at that time a relatively new peril, they recognized the weapons’ ominous destructive potential and unclear ramifications to their employment. As he pondered war and diplomacy in the nuclear era, economist and Nobel laureate Thomas Schelling defined deterrence as, “To prevent from action by fear of consequences.”15 The deterring party announces a penalty for taking a proscribed action, and waits, a sequence Schelling calls “stage-setting.”16 Schelling distinguished deterrence from compellence, which he defined as “initiating an action (or an irrevocable commitment to action) that can cease, or become harmless, only if the opponent responds.”17 Thus, both deterrence and compellence rest on the credibility of the entity making the threat, and the perceived value and potential cost to the threatened party.

Decades later, Lawrence Freedman echoed Schelling’s definition of deterrence, observing that “deterrence is concerned with discouraging others from acting in ways that advantage them but harm you.”18 Freedman took the concept a step further, however, noting that time can provide a useful distinction between deterrence and compellence. For example, if the objective is for no action to be taken, the time horizon can be indefinite, hence deterrence. Conversely, if the desired action is time-bound, then the form of influence tends toward compellence, often in the form of an ultimatum or similar threat of consequences.19

More recently, Joseph Nye further developed deterrence theory, observing that “Deterrence is a psychological process that depends on the perceptions of both the actors and the targets, and the ability to communicate those views clearly.”20 Considering the application of deterrence theory to cyberspace, he proposed, “four major mechanisms to reduce and prevent adverse actions in cyberspace: threat of punishment, denial by defense, entanglement, and normative taboos.”21 This next section will review the four mechanisms in more detail.

Anonymity. The FBI and DOJ can weigh the advantages of anonymity against other considerations when making high-profile arrests.
Army model predicts number of cyberattacks that pierce company networks [Image 2 of 2]
Anonymity. The FBI and DOJ can weigh the advantages of anonymity against other considerations when making high-profile arrests.
Photo By: Jhi Scott
VIRIN: 200409-F-YT915-0001

Photo by Jhi Scott, Army Research Laboratory

Figure 1. Anonymity. The FBI and DOJ can weigh the advantages of anonymity against other considerations when making high-profile arrests.

Threat of Punishment

Threat of punishment is the most basic mechanism of deterrent theory and forms the basis of the recommendation of this article. While strategic deterrence helps to identify what needs to be protected, criminal justice deterrence theory aids in identifying the right method to discourage individual actors. In criminal justice, deterrence is the theory that the threat of punishment will reduce the probability that people will commit offenses in society. It is one of the five objectives of punishment and incarceration, the other four being denunciation, incapacitation, retribution, and rehabilitation.22 In addition, recent research showed more correlation to the certainty of punishment (the likelihood of attribution) than to the severity of punishment (the length of a prison sentence or other punishment).23

The FBI demonstrated its formidable reach and unprecedented access through its penetration of violent extremist organizations (VEO). One example is that of ISIL cyberhacker and propagandist, Junaid Hussain. Through online contact, Hussain amplified the radicalization of a 21-year-old from Cincinnati, Ohio, to kidnap and behead a US soldier based in Ohio. He even sent the soldier’s home address. In May 2015, the FBI successfully used human intelligence and cybertools to arrest the Xavier University dropout when he was on his way to purchase an AK-47.24 The FBI is uniquely equipped to inflict punishment on cyberhackers in the United States. And when targets exist internationally, information-sharing and targeting can be extended to the DOD for targeted strikes. Three months after the arrest in Ohio, US Central Command monitored Junaid Hussain as he left a Raqqa, Syria Internet café, waited until he was sufficiently away from civilians, and killed him with a Hellfire missile from overhead.25

Then in 2016, the FBI, in conjunction with other US government agencies, conducted three actions to deter state-sponsored cyberoffenses. First, on 22 March 2016, the Department of Justice (DOJ) announced charges against members of Bashar al-Assad’s Syrian Electronic Army, who sent a tweet from the Associated Press about a fake 2013 White House bombing. The next day, Chinese national Su Bin pleaded guilty to stealing secret military information by hacking Boeing’s computers. Then, on the following day, the DOJ indicted seven Islamic Revolutionary Guard hackers who gained access to US infrastructure and financial institutions. The acts communicated the threat of punishment and demonstrated reach and capacity.26

Denial by Defense

By lowering the probability of a cyberattack’s success, the government can support strategic deterrence. This is known as denial by defense or dissuasion by denial—when the surety of an action’s ineffectiveness deters an enemy from taking that action.27 By enhancing cybersecurity at the user and Internet protocol levels, the probability that the hacker will benefit is lower. The FBI has made this clear on the front of their 2 April 2020 homepage.28

Screenshot of FBI website: FBI Urges Vigilance during COVID-19 Pandemic
FBI Urges Vigilance during COVID-19 Pandemic
Screenshot of FBI website: FBI Urges Vigilance during COVID-19 Pandemic
Photo By: Dr. Ernest Rockwell
VIRIN: 200408-F-YT915-0001

Source: Federal Bureau of Investigation, https://www.fbi.gov/coronavirus

Figure 2. “FBI Urges Vigilance During COVID-19 Pandemic”

FBI press releases continually focus on user preparation and reporting methods to alert authorities. These steps are exactly in line with the deterrence intent of denial by defense.

Entanglement

Entanglement refers to increasing global interconnectedness due to the Internet, particularly in the economic sphere. Entanglement blurs the distinction between lawful military and collateral targets because of the carryover effects of cyberattacks. Entanglement is both a vulnerability and an opportunity for the United States. Because of the interconnectedness of American systems, the strategist can advertise the dual-use nature of these systems, suggesting that the targeting of military systems—or vice versa—will harm collateral systems resulting in escalation wherein the United States responds by means and at a time of its choosing.

Normative Taboos

Normative taboos, while extant in conventional conflict and certainly in the nuclear realm, continually evolve as stakeholders consider the potential and impact of cyberattacks and cyberwarfare. As an example, such taboos may evolve to include multilateral agreements repudiating cyberattacks on healthcare facilities or key infrastructure and imposing reputational costs.29 Nye cogently observed that challenges presented by the diversity of cyberadversaries, and the ambiguities of attribution, can potentially make punishment a less viable alternative. However, the mechanisms of entanglement and normative taboos may hold promise as analysts endeavor to develop effective deterrent strategies.30 Thomas Schelling noted the importance of focal points saliences on establishing norms. Cybersecurity experts Henry Farrell and Charles Glaser recently extrapolated these terms to the cyberspace field.31 While their research focused on interstate actors, this article extrapolates the terms to individual cyberhackers.

The DOJ established norms regarding COVID-19 fraud. In Austin, Texas, the department filed charges against the website owners of “coronavirusmedicalkit.com” who attempted to profit from widespread fear regarding COVID-19. US District Judge Robert Pitman issued a temporary restraining order, which required the registrar of the fraudulent website to immediately block public access to it. These attempts at fraud will continue to plague Internet users.

Without government support, cybersecurity professionals are waging their own response to protect hospitals, specifically, from cyberattacks. Cybersecurity firm Emsisoft and mitigation response company Coveware announced free ransomware assistance to healthcare providers. The Emsisoft blog made the following plea,

Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one intentionally, please provide them with the decryption key at no cost as soon as you possibly can. We’re all in this together, right?32

In deterrence theory, that statement represents the importance of focal points. Schelling noted that focal points have “prominence, uniqueness, simplicity, precedent, or some rationale that makes them qualitatively differentiable from the continuum of possible alternatives.”33 Focal points are created by a broad understanding of their importance. In the context of the pandemic, hospitals are the clear focal point. Salience occurs when all actors have a common understanding of the focal points and what the consequences will be for either party. Schelling, writing in the Cold War context, could imagine one superpower leader calling another on a red phone and describing what he thought was a salient focal point. For example, a nuclear strike would be seen as escalatory and would warrant a nuclear response by the other actor. Deterring millions of individual cyberhackers requires a different method of establishing focal points and saliences. The exact means for this are beyond the scope of this article; however, they involve some measure of community shaming and general public awareness.

Deterrence theory is not without its detractors. Deterrence “requires that there be conflict and common interest between the parties involved.”34 Herein lies the rub. While cyberspace is certainly contested, it is challenging to convince would-be nefarious actors that not acting in malign manners is in their self-interest. Yet, minimizing the benefits of cyberattacks—that is deterring through denial—attributing attacks when they occur, and prosecuting malicious cyberactors illustrates, at a minimum, that a future hacking attempt may be costlier than the payoff intended effects promised. Because of the risk to the American digital way of life, any action is worth consideration if even a portion of the possible hackers are deterred.

Recommendation

There are many options for dealing with the threat of cyberattacks. In May 2019, the Israeli Defense Forces (IDF) dispatched its air force to physically bomb the building used by Hamas hackers. Satisfied that a cyberattack came from a specific Hamas intelligence headquarters, Israel launched a manned airstrike on the facility. Using advanced cyberresources, the IDF located and destroyed the building, which was used by an active Hamas hacking group. The attack was the first physical airstrike in response to a cyberattack and informs the role that specialized forces could take in their prosecution of multi-domain operations.35 Unless cyberattacks caused extreme damage and loss of life, this option would likely face opposition from policy makers.

Understanding authorities is a critical task in assessing strategic options. Rosa Brooks, in her book How Everything Became War and the Military Became Everything, noted how US government action tends to gravitate toward the DOD for solutions. In this case, the DOD plays a supporting role, while the FBI is the supported agency. “The FBI is the lead federal agency for investigating cyberattacks by criminals, overseas adversaries, and terrorists.”36 Within the DOD, US Cyber Command (USCYBERCOM), “as the coordination authority for cyber operations, plans coordinates, integrates, synchronizes, and conducts activities to direct the security operations.”37 In this realm, the FBI is the clear leader and can expect support from a variety of departments in the US government.

Based on diverse sources of deterrence theory, the US National Cyber Security Policy, and an understanding of US government authorities and statutes, we make the following recommendations for a whole-of-government response.

First, it is important to accurately attribute cyberattack candidates. USCYBERCOM logs over 30,000 hacking attempts every day. USCYBERCOM, through coordination with the Counterterrorism Center, could support the FBI through accurate attribution of the cyberhacker. When attribution is achieved, agencies should prioritize the candidate for arrest using guidelines, which supports the future desired conditions. Of note, the severity of punishment is not as correlated to deterrence as the probability of attribution. Criminologist Clement Guitton’s research from 2003 to 2010 found a correlation between media reports of cyberattribution and a reduction in cyberattacks in France, the United Kingdom, and Germany.38 Therefore, the FBI does not necessarily need to prioritize the biggest (defined by dollars or ransomware, computers/users affected, or damage inflicted) hackers. The ability to clearly and accurately attribute cybercrime, regardless of the damage caused, is more important than spending time and resources investigating higher-profile cases that cause more damage.

Second, the FBI should oversee high-profile arrests. The actual law enforcement officers on the scene of the arrest are not as important as the arrests occurring. The FBI can reserve the highest deterrent potential candidates for their arrests and use their considerable national influence and credibility to bring attention to them.

Third, arresting cyberattackers should be public. Cold War deterrence could integrate a phone call with a senior state leader to explain international norms. To deter an individual hacker, however, the arrests must be compelling enough to garner high visibility—the best term to describe a level of hyperawareness is the phrase “go viral.” To amplify the viral nature of each arrest, consider the location of the arrest. Vary the locale from urban to rural and from domestic to international. Viewers must understand that the FBI has the operational reach and access to apprehend even low-level hackers globally. Also, agencies must work closely with media before the raid. Whether through embedded reporters or media outlets prestaged at the location, the images of the event must be recorded and broadcast to have a deterrent effect. Follow up matters as well. City and state government leaders need to be on hand to immediately explain the significance of the event to diverse audiences.

Emile Simpson, a former British officer, wrote about how actions communicate a different message to different audiences.39 To the American people, demonstrating attribution capabilities evinces the Internet is secure. To possible cyberhackers, they learn this is the wrong time to hack, as their actions are no longer conducted clandestinely. To allies and partners, the action communicates a set of cybernorms that the United States will enforce to support the global international order. Attribution must be clear, but actions should also deny the perpetrator any hope of fame from cyberattacks.

Fourth, consider anonymity. Maintaining the anonymity of the cyberhacker is important for communication reasons and also to enhance the deterrent effect. Arrests must also communicate: “You will not be famous or a martyr.” The role of cyberhacker in popular media is edgy, and if the media makes hackers famous, the phenomenon of copycat attacks could arise. The media’s recent norms regarding school shootings are instructive in this area.40 Anonymity also satisfies a feature of Schelling’s deterrence theory: the importance of uncertainty. Schelling wrote that “a threat that leaves something to chance” could amplify deterrence by upending the cyberhackers’ preconceived notions of governmental capacity and will.41 Without knowing the identity of the apprehended hacker, the greater hacker community is left to wonder which one of them was apprehended and to worry if they could be next. The FBI and DOJ can weigh the advantages of anonymity against other considerations when making high-profile arrests.

Fifth, demonstrate operational reach. The National Cyber Strategy explicitly warrants this action. “Deterring cybercrime requires a credible threat that perpetrators will be identified, apprehended, and brought to justice.”42 Within the United States, local police SWAT teams could provide access to the FBI. The cyber strategy continues, “however, some foreign nations choose not to cooperate with extradition requests, impose unreasonable limitations, or actively interfere with those efforts.”43 In these cases, United States Special Operations Command could work with the Department of State to set conditions in a certain country to enable FBI operational reach and access.

The FBI has experience in high-profile arrests that have far-reaching consequences. In March 2020, the FBI apprehended Kirill Victorovich Firsov, an alleged Russian hacker and platform site administrator in San Diego. His platform allowed criminals to purchase illicit cyber storefronts and sell personally identifiable information (PII) and financial and corporate data and was linked to Russian servers.44

Demonstrating resolve is notoriously difficult given how the intended audience perceives the message.45 Yet, in a mixed-motive game—as is commonly found in the situation between a cyberdeterrer and a would-be hacker—demonstrating the ability to track and prosecute cybercriminality, illustrates the deterrer’s commitment quite clearly, especially when combined with efforts to advertise capability and openly call out criminals.46 Guitton’s empirical study showed that media reporting correlates directly with the perception of attribution, which led to reduced cyberattacks.47 Guitton also identified three populations, and each had varying levels of reduced crime, given the increase in media reporting of arrests of cyberattackers. Furthermore, he found that safeguards make it harder for cyberattackers and creates a higher threshold for attacks, making only the savviest cyberhackers capable of achieving their aims. These safeguards are known in deterrence theory as deterrence by denial, as cyberactors are deterred from attacking because they can reasonably expect that their attacks will fail.48 In the cost-benefit calculus, the perceived likelihood of achieving the hacker’s aims decreases while the cost of being caught remains constant.

It is worth noting a feature of cybercrime theory that defies generalized crime research. A deterrent posture hinges upon an assumption of rational human behavior and decision making. However, criminologist Valerie Wright noted, “half of all state prisoners were under the influence of drugs or alcohol at the time of their offense. Therefore, it is unlikely that such persons are deterred by either the certainty or severity of punishment because of their temporarily impaired capacity to consider the pros and cons of their actions.”49 In cyberattacks, if the level of expertise required is high, it might be difficult to execute while under the influence. Therefore, the cyberhacker’s awareness and perception of cost and benefit remain intact, aligning with Guitton’s conclusion at the end of his study. This leaves only the most sophisticated cyberattackers to conduct the attack. Guitton’s research found that sophisticated cyberattackers are among the population that is most affected by attribution in the media.50 Therefore, combining increased security protections with increased attribution has the potential for reducing cyberattacks.

Conclusion

Deterrence theory terms and principals can inform the US approach to preventing cyberattacks. Appropriately, much of national cyber strategy sets conditions to defend against state-sponsored cyberattacks. Meanwhile, the Internet that Americans depend upon is vulnerable to attacks from individual hackers. Any action which reduces the probability of one of those attacks leading to catastrophe is worthy of national effort.

When the United States demonstrates the ability to apprehend cyberhackers and bring them to justice, it changes the risk calculus of possible hackers. The combination of cyberawareness for users and cyberdefense deny attackers easy wins; however, such would-be perpetrators must also be deterred by demonstrations of high-profile arrests. This is the difference between dissuasion by denial in the former and active deterrence in the latter. This article highlighted the immense value that the FBI provides to the United States and provided ideas and concepts for policy makers to best support the FBI’s efforts. What is needed now is a series of high-profile indictments of individual hackers that demonstrate the same resolve and reach as the FBI’s tremendously successful actions against VEOs and state-sponsored hacking. Those actions, when supported by appropriate US government agencies, can effectively deter individual cyberhackers.

Lt Col Scott Pence, US Army

Colonel Pence served in Iraq and Afghanistan and is completing the Advanced Strategic Leadership Studies Program (senior service college) at the School for Advanced Military Studies (SAMS) at Fort Leavenworth, Kansas. A graduate of Ranger School, SAMS, and the Cavalry Leaders Course, he previously commanded 5-73 Cavalry Squadron at the 82nd Airborne Division.

Lt Col Ryan Sanford, US Air Force

Colonel Sanford is completing the Advanced Strategic Leadership Studies Program at the School for Advanced Military Studies (SAMS) at Fort Leavenworth, Kansas. He is a graduate of the US Air Force’s School of Advanced Air and Space Studies and Test Pilot School. He flew operationally and in combat in the F-15E and recently commanded a flight test squadron.

Col Nick Simontis, US Army

Colonel Simontis served four tours in Iraq and is a faculty member in the Advanced Strategic Leadership Studies Program (senior service college) at the School for Advanced Military Studies (SAMS) at Fort Leavenworth, Kansas. An Army strategist, he is a graduate of the Advanced Strategic Leadership Studies Program and Advanced Strategic Leadership Studies Program at SAMS.


 

Notes

1 Phil Muncaster, “Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites,” Infosecurity Magazine, April 1, 2020, https://www.infosecurity-magazine.com.

2 Phil Muncaster, “#COVID19 Fears Drive Phishing Emails Up 667% in Under a Month,” Infosecurity Magazine, March 26, 2020, https://www.infosecurity-magazine.com.

3 Phil Muncaster, “Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites.”

4 Heather Long, “Record Numbers Applied for Unemployment Benefits in March, an Unprecedented Spike Due to the Coronavirus Outbreak,” Washington Post, April 2, 2020, https://www.washingtonpost.com/.

5 Pamela Wilcox and Francis T. Cullen, “Situational Opportunity Theories of Crime,” Annual Review of Criminology 1, no. 1 (2018): 123–48, https://doi.org/.

6 Alec T. Dean, “The Growth of Ransomware and Its Impact on City Governments” (PhD thesis, Utica College, 2019), 1.

7 Emsisoft Lab, “The State of Ransomware in the US: Report and Statistics 2019”, Emsisoft Blog, December 12, 2019, https://blog.emsisoft.com/.

8 John P. Carlin, Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat (New York: PublicAffairs, 2018), 35.

9 Thomas L. Friedman, The Lexus and the Olive Tree: Understanding Globalization (New York: Farrar, Straus and Giroux, 2000).

10 John Wetzel, “What Is WannaCry? Analyzing the Global Ransomware Attack,” Recorded Future, May 15, 2017, https://www.recordedfuture.com/.

11 US Department of Defense, Joint Staff, Joint Publication (JP) 3-0, Joint Operations (Washington, DC: Government Printing Office, 2018).

12 Forrest E. Morgan et al., Dangerous Thresholds: Managing Escalation in the 21st Century (Santa Monica, CA: The RAND Corporation, 2008), xiii.

13 The White House, National Cyber Strategy of the United States of America (September 2018), accessed March 31, 2010, 3, https://www.whitehouse.gov/.

14 The White House, National Cyber Strategy of the United States of America (September 2018), 8.

15 Thomas C. Schelling, Arms and Influence (New Haven, CT: Yale University Press, 2008), 71.

16 Schelling, Arms and Influence,71–72.

17 Schelling, Arms and Influence, 72.

18 Lawrence Freedman, Deterrence (Cambridge, UK: Polity Press, 2004), 109.

19 Freedman, Deterrence, 111.

20 Joseph Nye Jr., “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (Winter 2016/17), 53.

21 Nye, “Deterrence and Dissuasion in Cyberspace,” 54–55.

22 Valerie Wright, Deterrence in Criminal Justice: Evaluating Certainty vs. Severity of Punishment (Sentencing Project, 2010).

23 Wright, Deterrence in Criminal Justice, 1.

24 US Department of Justice Office of Public Affairs, “Ohio Man Sentenced to 20 Years in Prison for Plot to Attack U.S. Government Officers,” November 23, 2016, https://www.justice.gov/.

25 Carlin, Dawn of the Code War, 29.

26 Carlin, Dawn of the Code War, 62–63.

27 Paul K. Davis, “Toward Theory for Dissuasion (or Deterrence) by Denial: Using Simple Cognitive Models of the Adversary to Inform Strategy,” Working Paper (Santa Monica: RAND, January 2014).

28 Federal Bureau of Investigation, “Public Service Announcement: Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments” (Washington, DC: Federal Bureau of Investigation, April 1, 2020), https://www.ic3.gov/.

29 Nye, “Deterrence and Dissuasion in Cyberspace,” 60.

30 Nye, “Deterrence and Dissuasion in Cyberspace,” 68.

31 Henry Farrell and Charles L. Glaser, “The Role of Effects, Saliencies and Norms in US Cyberwar Doctrine,” Journal of Cybersecurity 3, no. 1 (2017): 7–17.

32 “Free Ransomware Help for Healthcare Providers during the Coronavirus Outbreak,” Emsisoft | Security Blog, March 18, 2020, https://blog.emsisoft.com/.

33 Thomas C. Schelling, The Strategy of Conflict (Cambridge: Harvard University Press, 1980), 70.

34 Schelling, Strategy of Conflict, 11.

35 Lily Hay Newman, “What Israel’s Strike on Hamas Hackers Means for Cyberwar,” Wired, May 6, 2019, https://www.wired.com/.

36 “Cyber Crime,” Folder, Federal Bureau of Investigation, accessed March 28, 2020, https://www.fbi.gov/.

37 US Department of Defense, Joint Staff, Joint Publication (JP) 3-12, Cyberspace Operations (Washington, DC: Government Printing Office, 2018), 16.

38 Clement Guitton, “Criminals and Cyber Attacks: The Missing Link Between Attribution and Deterrence,” International Journal of Cyber Criminology 6, no. 2 (2012): 1030–43.

39 Emile Simpson, War from the Ground Up: Twenty-First Century Combat as Politics (Oxford: Oxford University Press, 2013).

40 Jaclyn Schildkraut, “A Call to the Media to Change Reporting Practices for the Coverage of Mass Shootings,” Washington University Journal of Law and Policy 60 (2019): 273–305.

41 Thomas C. Schelling, The Strategy of Conflict (Cambridge: Harvard University Press, 1980), 187.

42 The White House, “National Cyber Strategy of the United States of America” (Washington, DC, September 2018), 11.

43 The White House, “National Cyber Strategy of the United States of America,” 11.

44 “FBI Takes Down a Russian-Based Hacker Platform; Arrests Suspected Russian Site Administrator,” March 24, 2020, https://www.justice.gov/.

45 Schelling, Strategy of Conflict, 86.

46 Schelling, Strategy of Conflict, 161.

47 Guitton, “Criminals and Cyber Attacks.”

48 Paul K. Davis, “Toward Theory for Dissuasion (or Deterrence) by Denial: Using Simple Cognitive Models of the Adversary to Inform Strategy,” Working Paper (Santa Monica: RAND, January 2014).

49 Wright, Deterrence in Criminal Justice, 2.

50 Guitton, “Criminals and Cyber Attacks.”


 

USAF Comments Policy
If you wish to comment, use the text box below. AF reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The AF and the AF alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the AF, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying AF endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

AF does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. AF may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. AF does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the AF or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.

Wild Blue Yonder Home


Visit Other Air University Journals