Project 6: Global Approaches to Cybersecurity

Start Here

As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu

International Cybersecurity Legal Issues

International cybersecurity legal issues exist because of the global nature of activities conducted on the internet, the lack of agreed-upon norms for acceptable behaviors on the internet, and the continued evolution of laws on privacy, data access, and data rights.

In many instances, existing laws apply to cybersecurity issues. In other instances, existing laws are insufficient to accommodate evolving technologies that enable both benefit and risk on the internet. Issues of international interest include privacy, data rights and the management of them, and human rights.

An area that is less developed but much debated is the use of cyberspace for conflict, and whether the use of cyber capabilities can constitute the use of force or even an act of war. While the United States has made clear its intention to respond to hostile acts in cyberspace as it would to any other threat to the US (White House, 2011), it has stated its desire to promote international stability and avoid conflict in cyberspace.

The key to achieving the right balance is to build consensus on norms, to build confidence by demonstrating actions consistent with existing national and international laws, and to acknowledge and accept that existing international laws have applicability to cybersecurity and should be used and tested as needed to build confidence and consensus.

International law of cyberwarfare is discussed in the Tallinn Manual on the International Law Applicable to Cyber Warfare (Schmitt, 2013), which sets forth how existing international law can and does apply to cyberwar. Like all international law—and all law in general—adherence to the law of cyberwarfare is subject to agreement among nation-states. Some do not accept that existing law applies to this new form of warfare, or selectively choose those parts they wish to apply.

References

Schmitt, M. N. (Ed.). (2013). The Tallinn manual on the international law applicable to cyber warfare. Cambridge University Press.

The White House. (2011). International strategy for cyberspace. https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

International Law in Cyberspace

Remarks by Harold Hongju Koh

Legal Advisor, US Department of State

USCYBERCOM Interagency Legal Conference

Ft. Meade, MD

September 18, 2012

As prepared for delivery

Thank you, Colonel Brown, for your kind invitation to speak here today at this very important conference on the roles of cyber in national defense. I have been an international lawyer for more than 30 years, a government lawyer practicing international law for more than a decade, and the State Department's legal adviser for nearly three and a half years. While my daily workload covers many of the bread-and-butter issues of international law—diplomatic immunity, the law of the sea, international humanitarian law, treaty interpretation—like many of you, I find more and more of my time is spent grappling with the question of how international law applies in cyberspace.

Everyone here knows that cyberspace presents new opportunities and new challenges for the United States in every foreign policy realm, including national defense. But for international lawyers, it also presents cutting-edge issues of international law, which go to a very fundamental question: How do we apply old laws of war to new cyber circumstances, staying faithful to enduring principles, while accounting for changing times and technologies?

Many, many international lawyers here in the US government and around the world have struggled with this question, so today I'd like to present an overview of how we in the US government have gone about meeting this challenge. At the outset, let me highlight that the entire endeavor of applying established international law to cyberspace is part of a broader international conversation. We are not alone in thinking about these questions; we are actively engaged with the rest of the international community, both bilaterally and multilaterally, on the subject of applying international law in cyberspace.

With your permission, I'd like to offer a series of questions and answers that illuminate where we are right now—in a place where we've made remarkable headway in a relatively short period of time, but are still finding new questions for each and every one we answer. In fact, the US government has been regularly sharing these thoughts with our international partners. Most of the points that follow we have not just agreed upon internally, but made diplomatically, in our submissions to the UN Group of Governmental Experts (GGE) that deals with information technology issues.

I. International Law in Cyberspace: What We Know

So let me start with the most fundamental questions:

Question 1: Do established principles of international law apply to cyberspace?

Answer 1: Yes, international law principles do apply in cyberspace. Everyone here knows how cyberspace opens up a host of novel and extremely difficult legal issues. But on this key question, this answer has been apparent, at least as far as the US government has been concerned. Significantly, this view has not necessarily been universal in the international community. At least one country has questioned whether existing bodies of international law apply to the cutting-edge issues presented by the Internet. Some have also said that existing international law is not up to the task and that we need entirely new treaties to impose a unique set of rules on cyberspace. But the United States has made clear our view that established principles of international law do apply in cyberspace.

Question 2: Is cyberspace a law-free zone, where anything goes?

Answer 2: Emphatically no. Cyberspace is not a law-free zone where anyone can conduct hostile activities without rules or restraint.

Think of it this way. This is not the first time that technology has changed and that international law has been asked to deal with those changes. In particular, because the tools of conflict are constantly evolving, one relevant body of law—international humanitarian law, or the law of armed conflict—affirmatively anticipates technological innovation and contemplates that its existing rules will apply to such innovation. To be sure, new technologies raise new issues and thus new questions. Many of us in this room have struggled with such questions, and we will continue to do so over many years. But to those who say that established law is not up to the task, we must articulate and build consensus around how it applies and reassess from there whether and what additional understandings are needed. Developing common understandings about how these rules apply in the context of cyber activities in armed conflict will promote stability in this area.

That consensus-building work brings me to some questions and answers we have offered to our international partners to explain how both the law of going to war (jus ad bellum) and the laws that apply in conducting war (jus in bello) apply to cyber action:

Question 3: Do cyber activities ever constitute a use of force?

Answer 3: Yes. Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors, including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example, (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control, resulting in airplane crashes. Only a moment's reflection makes you realize that this is common sense: If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force.

Question 4: May a state ever respond to a computer network attack by exercising a right of national self-defense?

Answer 4: Yes. A state's national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, "when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country."

Question 5: Do jus in bello rules apply to computer network attacks?

Answer 5: Yes. In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.

Question 6: Must attacks distinguish between military and nonmilitary objectives?

Answer 6: Yes. The jus in bello principle of distinction applies to computer network attacks undertaken in the context of an armed conflict. The principle of distinction applies to cyber activities that amount to an "attack"—as that term is understood in the law of war—in the context of an armed conflict. As in any form of armed conflict, the principle of distinction requires that the intended effect of the attack must be to harm a legitimate military target. We must distinguish military objectives—that is, objects that make an effective contribution to military action and whose destruction would offer a military advantage—from civilian objects, which under international law are generally protected from attack.

Question 7: Must attacks adhere to the principle of proportionality?

Answer 7: Yes. The jus in bello principle of proportionality applies to computer network attacks undertaken in the context of an armed conflict. The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess: (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyberattack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyberattack on civilian objects that are not military objectives, such as private civilian computers that hold no military significance but may be networked to computers that are military objectives.

Question 8: How should states assess their cyber weapons?

Answer 8: States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. The US government undertakes at least two stages of legal review of the use of weapons in the context of armed conflict—first, an evaluation of new weapons to determine whether their use would be per se prohibited by the law of war; and second, specific operations employing weapons are always reviewed to ensure that each particular operation is also compliant with the law of war.

Question 9: In this analysis, what role does state sovereignty play?

Answer 9: States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict. The physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial state. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a state contemplates conducting activities in cyberspace, the sovereignty of other states needs to be considered.

Question 10: Are states responsible when cyber acts are undertaken through proxies?

Answer 10: Yes. States are legally responsible for activities undertaken through proxy actors, who act on the state's instructions or under its direction or control. The ability to mask one's identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state's instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful.

II. International Law in Cyberspace: Challenges and Uncertainties

These 10 answers should give you a sense of how far we have come in doing what any good international lawyer does: applying established law to new facts, and explaining our positions to other interested lawyers. At the same time, there are obviously many more issues where the questions remain under discussion. Let me identify three particularly difficult questions that I don't intend to answer here today. Instead, my hope is to shed some light on some of the cutting-edge legal issues that we'll all be facing together over the next few years:

Unresolved question 1: How can a use of force regime take into account all of the novel kinds of effects that states can produce through the click of a button?

As I said above, the United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. I have also noted some clear-cut cases where the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: For example, a bomb might break a dam and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result. As you all know, however, there are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by force. At the same time, the difficulty of reaching a definitive legal conclusion or consensus among states on when and under what circumstances a hostile cyber action would constitute an armed attack does not automatically suggest that we need an entirely new legal framework specific to cyberspace. Outside of the cyber context, such ambiguities and differences of view have long existed among states.

To cite just one example of this, the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an armed attack that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the use of force and an armed attack, and view armed attack—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity. My point here is not to rehash old debates but to illustrate that states have long had to sort through complicated jus ad bellum questions. In this respect, the existence of complicated cyber questions relating to jus ad bellum is not in itself a new development; it is just applying old questions to the latest developments in technology.

Unresolved question 2: What do we do about dual-use infrastructure in cyberspace?

As you all know, information and communications infrastructure is often shared between state militaries and private civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bello rules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyberattack on computers that are not military objectives, such as private civilian computers that hold no military significance but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation.

Unresolved question 3: How do we address the problem of attribution in cyberspace?

As I mentioned earlier, cyberspace significantly increases an actor's ability to engage in attacks with plausible deniability, by acting through proxies. I noted that legal tools exist to ensure that states are held accountable for those acts. What I want to highlight here is that many of these challenges—in particular, those concerning attribution—are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones.

These questions about effects, dual use, and attribution are difficult legal and policy questions that existed long before the development of cyber tools and that will continue to be a topic of discussion among our allies and partners as cyber tools develop. Of course, there remain many other difficult and important questions about the application of international law to activities in cyberspace—for example, about the implications of sovereignty and neutrality law, enforcement mechanisms, and the obligations of states concerning hacktivists operating from within their territory. While these are not questions that I can address in this brief speech, they are critically important questions on which international lawyers will focus intensely in the years to come.

And just as cyberspace presents challenging new issues for lawyers, it presents challenging new technical and policy issues. Not all of the issues I've mentioned are susceptible to clear legal answers derived from existing precedents—in many cases, quite the contrary. Answering these tough questions within the framework of existing law, consistent with our values and accounting for the legitimate needs of national security, will require a constant dialogue between lawyers, operators, and policymakers. All that we as lawyers can do is to apply in the cyber context the same rigorous approach to these hard questions that arise in the future, as we apply every day to what might be considered more traditional forms of conflict.

III. The Role of International Law in a Smart Power Approach to Cyberspace

This, in a nutshell, is where we are with regard to cyberconflict: We have begun work to build consensus on a number of answers, but questions continue to arise that must be answered in the months and years ahead. Beyond these questions and answers and unresolved questions, though, lies a much bigger picture, one that we are very focused on at the State Department. Which brings me to my final two questions:

Final question 1: Is international humanitarian law the only body of international law that applies in cyberspace?

Final answer 1: No. As important as international humanitarian law is, it is not the only international law that applies in cyberspace.

Obviously, cyberspace has become pervasive in our lives, not just in the national defense arena, but also through social media, publishing and broadcasting, expressions of human rights, and expansion of international commerce, both through online markets and online commercial techniques. Many other bodies of international and national law address those activities, and how those different bodies of law overlap and interact with the laws of cyber conflict is something we will all have to work out over time.

Take human rights. At the same time that cyber activity can pose a threat, we all understand that cyber communication is increasingly becoming a dominant mode of expression in the twenty-first century. More and more people express their views not by speaking on a soapbox at Speakers' Corner but by blogging, tweeting, commenting, or posting videos and commentaries. The 1948 Universal Declaration of Human Rights (UDHR)—adopted more than 70 years ago—was remarkably forward-looking in anticipating these trends. It says: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers" (emphasis added). In short, all human beings are entitled to certain rights, whether they choose to exercise them in a city square or an Internet chat room. This principle is an important part of our global diplomacy, and is encapsulated in the Internet Freedom agenda about which my boss, Secretary Clinton, has spoken so passionately.

You all know of this administration's efforts not just in the areas of cyberconflict but also in many other cyber areas: cybersecurity, cybercommerce, fighting child pornography and other forms of cybercrime, stopping intellectual property piracy, as well as promoting free expression and human rights. So the cyber conflict issues with which this group grapples do not constitute the whole of our approach to cyberspace; they are an important part—but only a part—of this administration's broader smart power approach to cyberspace.

What I have outlined today are a series of answers to cyberspace questions that the United States is on the record as supporting. I have also suggested a few of the challenging questions that remain before us, and developments over the next decade will surely produce new questions. But you should not think of these questions and answers as just a box to check before deciding whether a particular proposed operation is lawful or not. Rather, these questions and answers are part of a much broader foreign policy agenda, which transpires in a broader framework of respect for international law.

That leads to my final question for this group: Why should US government lawyers care about international law in cyberspace at all?

The answer: Because compliance with international law frees us to do more, and do more legitimately, in cyberspace, in a way that more fully promotes our national interests. Compliance with international law in cyberspace is part and parcel of our broader smart power approach to international law as part of US foreign policy.

It is worth noting two fundamentally different philosophies about international law. One way to think about law, whether domestic or international, is as a straitjacket, a pure constraint. This approach posits that nations have serious, legitimate interests, and legal regimes restrict their ability to carry them out. One consequence of this view is that since law is just something that constrains, it should be resisted whenever possible. Resisting so-called extensions of the law to new areas often seems attractive, because, after all, the old laws weren't built for these new challenges anyway, some say, so we should tackle those challenges without the legal straitjacket, while leaving the old laws behind.

But that is not the United States government's view of the law, domestic or international. We see law not as a straitjacket but, as one great university calls it when it confers its diplomas, a body of "wise restraints that make us free." International law is not purely constraint; it frees us and empowers us to do things we could never do without law's legitimacy. If we succeed in promoting a culture of compliance, we will reap the benefits. And if we earn a reputation for compliance, the actions we do take will earn enhanced legitimacy worldwide for their adherence to the rule of law.

These are not new themes, but I raise them here because they resonate squarely with the strategy we have been pursuing in cyberspace over the past few years. Of course, the United States has impressive cyber capabilities; it should be clear from the bulk of my discussion that adherence to established principles of law does not prevent us from using those capabilities to achieve important ends. But we also know that we will be safer, the more that we can rally other states to the view that these established principles do impose meaningful constraints, and that there is already an existing set of laws that protect our security in cyberspace. And the more widespread the understanding that cyberspace follows established rules—and that we live by them—the stronger we can be in pushing back against those who would seek to introduce brand new rules that may be contrary to our interests.

That is why, in our diplomacy, we do not whisper about these issues. We talk openly and bilaterally with other countries about the application of established international law to cyberspace. We talk about these issues multilaterally, at the UN Group of Governmental Experts and at other fora, in promoting this vision of compliance with international law in cyberspace. We talk about them regionally, as when we recently cosponsored an ASEAN Regional Forum event to focus the international community's attention on the problem of proxy actors engaging in unlawful conduct in cyberspace. Preventing proxy attacks on us is an important interest, and as part of our discussions we have outlined the ways that existing international law addresses this problem.

The diplomacy I have described is not limited to the legal issues this group of lawyers is used to facing in the operational context. These issues are interconnected with countless other cyber issues that we face daily in our foreign policy, such as cybersecurity, cyber commerce, human rights in cyberspace, and public diplomacy through cyber tools. In all of these areas, let me repeat again: compliance with international law in cyberspace is part and parcel of our broader smart power approach to international law as part of US foreign policy. Compliance with international law—and thinking actively together about how best to promote that compliance—can only free us to do more, and to do more legitimately, in the emerging frontiers of cyberspace, in a way that more fully promotes our US national interests.

Thank you very much.

Licenses and Attributions

International Law in Cyberspace by Harold Hongju Koh comprises public domain material from the US Department of State. UMGC has modified this work.

International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms

Testimony

Christopher Painter

Coordinator for Cyber Issues

Statement Before the Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy

Washington, DC

May 25, 2016

Chairman Gardner, Ranking Member Cardin, members of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, it is a pleasure to appear again before your subcommittee to provide an update on key developments in our cyber foreign policy efforts.

Since I testified before your subcommittee one year ago, the Department of State (the Department) has continued to work closely with other federal departments and agencies and has made significant progress in a number of areas.

It is also important to note that last month, as required by the Consolidated Appropriations Act for 2016, the Department submitted to Congress the Department of State International Cyberspace Policy Strategy (the Strategy), which included a report on the Department's work to implement the president's 2011 International Strategy for Cyberspace, as well as a discussion of our efforts to promote norms of responsible state behavior in cyberspace, alternative concepts for norms promoted by certain other countries, threats facing the United States, tools available to the president to deter malicious actors, and resources required to build international norms. I appreciate the opportunity today to provide an update on our progress as well as the challenges we face in a number of areas.

As reflected in the Strategy we provided to Congress last month, the Department of State structures its cyberspace diplomacy in close cooperation with our interagency partners – including the Departments of Justice, Commerce, Defense, Homeland Security, and Treasury, and the Intelligence Community – around the following interrelated, dynamic, and cross-cutting policy pillars drawn from the president's International Strategy for Cyberspace: digital economy, international security, promoting cybersecurity due diligence, combating cybercrime, Internet governance, Internet freedom, and international development and capacity building, as well as cross-cutting issues such as countering the use of the Internet for terrorist purposes. In addition, as we noted, the Department is actively mainstreaming cyberspace issues into its foreign diplomatic engagements and building the necessary internal capacity.

I am happy to answer any questions regarding the Strategy, which discusses all of these policy priorities in greater detail, including specific accomplishments from our robust bilateral and multilateral diplomatic engagements and highlights from the roles and contributions of other federal agencies.

In spite of the successes outlined in the Strategy, the U.S. vision for an open, interoperable, secure, and reliable Internet faces a range of policy and technical challenges. Many of these challenges were described in my testimony last year, and they largely remain. I would like to focus my time today delving specifically into our efforts to promote a broad international framework for cyber stability, as well as some of the alternative views regarding the Internet that some governments are promoting. I will also spend some time discussing the technical challenges and threats posed by continuing malicious cyberactivity directed at the United States, as well as our allies, and the tools we have at our disposal to deter these actions.

Diplomatic Efforts to Shape the Policy Environment

Building a Framework for International Stability in Cyberspace

The Department of State, working with our interagency partners, is guided by the vision of the president's International Strategy for Cyberspace, which is to promote a strategic framework of international cyber stability. This framework is designed to achieve and maintain a peaceful cyberspace environment where all states are able to fully realize its benefits, where there are advantages to cooperating against common threats and avoiding conflict, and where there is little incentive for states to engage in disruptive behavior or to attack one another.

This framework has three key elements: (1) global affirmation that international law applies to state behavior in cyberspace; (2) development of an international consensus on and promotion of additional voluntary norms of responsible state behavior in cyberspace that apply during peacetime; and (3) development and implementation of practical confidence building measures (CBMs), which promote stability in cyberspace by reducing the risks of misperception and escalation.

Since 2009, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has served as a productive and groundbreaking expert-level venue for the United States to build support for this framework. The consensus recommendations of the three UN GGE reports in 2010, 2013, and 2015 have set the standard for the international community on international cyberspace norms and CBMs. The UN GGE process will continue to play a central role in our efforts to fully promulgate this framework when it reconvenes in August 2016.

Applicability of international law. The first and most fundamental pillar of our framework for international cyber stability is the applicability of existing international law to state behavior in cyberspace. The 2013 UN GGE report was a landmark achievement that affirmed the applicability of existing international law, including the UN Charter, to state conduct in cyberspace. The 2013 report underscored that states must act in cyberspace under the established international obligations and commitments that have guided their actions for decades – in peacetime and during conflict – and states must meet their international obligations regarding internationally wrongful acts attributable to them. The 2014-2015 UN GGE also made progress on issues related to international law by affirming the applicability of the inherent right to self-defense as recognized in Article 51 of the UN Charter, and noting the law of armed conflict's fundamental principles of humanity, necessity, proportionality, and distinction.

Norms of responsible state behavior. The United States is also building consensus on a set of additional, voluntary norms of responsible state behavior in cyberspace that define key areas of risk that would be of national and/or economic security concern to all states and should be off-limits during times of peace. If observed, these stability measures – which are measures of self-restraint – can contribute substantially to conflict prevention and stability. The United States was the first state to propose a set of specific peacetime cyber norms, including the cybersecurity of critical infrastructure, the protection of computer security incident response teams (CSIRTs), and cooperation between states in responding to appropriate requests in mitigating malicious cyberactivity emanating from their territory. In May 2015, Secretary of State Kerry highlighted these norms in his speech in Seoul, South Korea, on an open and secure Internet. The 2015 UN GGE report's most significant achievement was its recommendation for voluntary norms of state behavior designed for peacetime, which included concepts championed by the United States.

Confidence Building Measures. Together with our work on law and voluntary norms, cyber CBMs have the potential to contribute substantially to international cyber stability. CBMs have been used for decades to build confidence, reduce risk, and increase transparency in other areas of international concern. Examples of cyber CBMs include transparency measures, such as sharing national strategies or doctrine; cooperative measures, such as an initiative to combat a particular cyber incident or threat actor; and stability measures, such as committing to refrain from a certain activity of concern. Cyber CBMs are being developed, and are in the first stages of implementation, in two regional venues – the Organization for Security and Cooperation in Europe (OSCE) and the ASEAN Regional Forum, where agreement was reached in 2015 on a detailed work plan with a proposed set of CBMs for future implementation.

Although many of the elements of the framework I have described above may seem self-evident to an American audience, it is important to recognize that cyber issues are new to many states, and as I describe later in my testimony, there are also many states that hold alternative views on how we should promote cyber stability. Notwithstanding these headwinds, as well as the fact that diplomatic negotiations on other issues can take many years, if not decades, the United States and its allies have made substantial progress in recent years towards advancing our strategic framework of international cyber stability. At this point, I would like to highlight examples from last year that reflect our progress.

U.S.-China Cyber Commitments

The United States strongly opposes the use of cyber technology to steal intellectual property for commercial advantage, and has raised this concern with Chinese interlocutors for several years. In 2014, the United States indicted five members of the Chinese military for hacking, economic espionage, and other offenses directed at six US entities. This led China to suspend the US-China Cyber Working Group. The United States and China, however, reached an agreement during President Xi Jinping's state visit in September 2015 on several key commitments on cyber issues. These commitments are:

both governments agreed to cooperate and provide timely responses to requests for information and assistance regarding malicious cyberactivity emanating from their territories,

neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property for commercial advantage,

both governments will work together to further identify and promote appropriate norms of state behavior in cyberspace and hold a senior experts group on international security issues in cyberspace, and

both governments will establish a ministerial-level joint dialogue mechanism on fighting cybercrime and related issues.

Two weeks ago today – on May 11 – the United States hosted the first meeting in Washington of the senior experts group on international security issues in cyberspace, which provided a forum to further engage with China on its views and seek common ground regarding norms of state behavior in cyberspace and other topics. The Department of State led the US delegation that included participation from the Department of Defense and other US government agencies. The senior experts group helps us advance the growing international consensus on international law and voluntary cyber norms of state behavior. We also have encouraged China to join us in pushing for other states to affirm these principles in international forums like the Group of Twenty (G20), and will continue to do so.

To implement other commitments reached during President Xi's visit, the United States and China held the first ministerial-level dialogue on cybercrime and other related issues in Washington on December 1, 2015. Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-chaired the first US-China High-Level Joint Dialogue on Cybercrime and Related Issues to foster mutual understanding and enhance cooperation on law enforcement and network protection issues. The second dialogue is scheduled to occur next month in Beijing, China.

Moreover, regarding the commitment that neither government will conduct or knowingly support cyber-enabled theft for commercial gain, Deputy Secretary of State Blinken testified last month before the full Committee on Foreign Relations that the United States is "watching very closely to ensure this commitment is followed by action."

The outcomes of last year's Xi-Obama summit focus on concrete actions and arrangements that will allow us to hold Beijing accountable to the commitments they have made. These commitments do not resolve all our challenges with China on cyber issues. However, they do represent a step forward in our efforts to address one of the sharpest areas of disagreement in the US-China bilateral relationship.

Group of Twenty (G20) Antalya Summit

In November 2015, the leaders of the G20 met in Antalya, Turkey, to discuss and make progress on a wide range of critical issues facing the global economy. At the conclusion of the Antalya Summit, the strong final communique issued by the G20 leaders affirmed the US-championed vision of international cyber stability and its pillars.

Among other things, the G20 leaders affirmed in their statement that "no country should conduct or support the ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors." They also highlighted the "key role played by the United Nations in developing norms" and the work of the UN GGE and its 2015 report. Addressing our overall framework, the G20 leaders stated that they "affirm that international law, and in particular the UN Charter, is applicable to state conduct in the use of ICTs and commit ourselves to the view that all states should abide by norms of responsible state behavior in the use of ICTs…"

The G20 leaders' communique represents a remarkable endorsement of our approach to promoting stability in cyberspace. Still, there is still more to do. The United States will continue to work within the G20 and in other bilateral and multilateral engagements to promote and expand these policy pronouncements regarding responsible state behavior in cyberspace.

Organization for Security and Cooperation in Europe

As a result of the leadership by the United States and like-minded countries, the 57 member states of the OSCE, which includes not only Western allies but also Russia and other former Soviet states, reached consensus in March 2016 on an expanded set of CBMs. This expanded set, which includes five new CBMs, builds upon the 11 CBMs announced by the OSCE in 2013 that member states are already working to implement.

The initial 11 CBMs were primarily focused on building transparency and putting in place mechanisms for de-escalating conflict. For example, there were CBMs calling upon participating states to identify points of contact that foreign governments could reach out to in the event of a cyber incident emanating from the state's territory and put in place consultation and mediation mechanisms. The additional five CBMs focused more on cooperative measures focusing on issues like cybersecurity of critical infrastructure and developing public-private partnerships. Secure and resilient critical infrastructure, including in the communications sector, requires the integration of cyber, physical, and human elements. Since most critical infrastructure is privately owned, public-private partnerships are essential for strengthening critical infrastructure. Given the distributed nature of critical infrastructure, these efforts also require international collaboration. Work will continue this year to strengthen implementation of the previous CBMs and to begin implementing the new ones as well. This will build on the cooperation we have underway with many international partners in this and other similar fora. We also hope that this further success within the OSCE context can serve to strengthen CBMs as a model that other regional security organizations can adopt.

In addition to our work with governmental organizations, the Department of State engages extensively with a range of stakeholders outside of government, who play critical roles in helping to preserve and promote the same vision of cyberspace held by the United States. Nongovernment stakeholders are often part of our delegations to key meetings, for which there is intensive consultation, and we often engage with our stakeholders before and after key events to hear their views and to inform them of our activities. We also engage extensively with the stakeholder community ahead of and immediately following major cyber conferences, such as the Global Conference on Cyberspace, most recently in The Hague, the Netherlands, and previously in Seoul, South Korea.

Policy Challenge: Alternative Views of the Internet

One challenge to the implementation of our cyberspace strategy is a competing and alternative view of the Internet. The United States and much of the broader international community support the open flow and movement of data on the Internet that drives economic growth, protects human rights, and promotes innovation. The United States believes in a multistakeholder approach whereby governments, private sector, civil society, and the technical and academic communities cooperate to address both technical and policy threats through inclusive, transparent, consensus-driven processes.

China's approach to cyberspace in the international context is propelled by its desire to maintain internal stability, maintain sovereignty over its domestic cyberspace, and combat what it argues is an emerging cyber arms race and "militarization" of cyberspace. China has been willing to consider cyber confidence building measures, and has affirmed that international law applies in cyberspace, but has not been willing to affirm more specifically the applicability of the law of armed conflict or other laws of war, because it believes it would only serve to legitimize state use of cyber tools as weapons of war.

This has led to a set of external policies that reinforces traditional Chinese foreign policy priorities of noninterference in internal affairs, national sovereignty over cyberspace, and "no first use" of weapons. China views its expansive online censorship regime – including technologies such as the Great Firewall – as a necessary defense against destabilizing domestic and foreign influences, and it has promoted this conception internationally. China also urges creation of new "cyber governance" instruments, which would, inter alia, create new binding rules designed to limit the development, deployment, and use of "information weapons"; promote speech and content controls; seek to replace the framework of the Council of Europe Convention on Cybercrime (Budapest Convention); elevate the role of governments vis-à-vis other stakeholders; and likely give the United Nations authority for determining attribution and responding to malicious cyberactivity. While the United States and its partners seek to focus our cyber policy efforts on combatting threats to networks, cyber infrastructure, and other physical threats from cyber tools, China also emphasizes the threats posed by online content. In addition, some of these policies stand in sharp contrast to the U.S. view that all stakeholders should be able to contribute to the making of public policy regarding the Internet.

Russia's approach to cyberspace in the international context has focused on the maintenance of internal stability, as well as sovereignty over its "information space." While Russia co-authored the Code of Conduct, with China and other Shanghai Cooperation Organization members, Russia's ultimate goal is also a new international cyber convention, which they pair with criticism of the Budapest Convention.

Russia has nonetheless found common ground with the United States on our approach of promoting the applicability of international law to state conduct in cyberspace as well as voluntary, nonbinding norms of state behavior in peacetime. Russia has also committed to the first ever set of bilateral cyber confidence building measures with the United States, as well as the first ever set of cyber CBMs within a multilateral institution, at the OSCE in 2013 and 2016 that I previously discussed.

We counter these alternative concepts of cyberspace policy through a range of diplomatic tools that include not only engagement in multilateral venues, but also direct bilateral engagement and awareness-raising with a variety of state and non-state actors. I now would like to discuss some of the technical challenges and threats the United States faces and some of the tools we have to respond to and prevent cyber incidents.

Responding to and Preventing Cyber Incidents

Continuing Cyberthreats

Cyberthreats to US national and economic security are increasing in frequency, scale, sophistication, and severity. In 2015, high-profile cyber incidents included the breach of health insurance company Anthem, Inc.'s IT system, resulting in the theft of account information for millions of customers; an unauthorized breach of the Office of Personnel Management's systems, resulting in the theft of approximately 22 million personnel files; and hackers launching an unprecedented attack on the Ukraine power grid that cut power to hundreds of thousands of customers.

Overall, the unclassified information and communications technology networks that support US government, military, commercial, and social activities remain vulnerable to espionage and disruption. As the Department noted in the Strategy we submitted last month, however, the likelihood of a catastrophic attack against the United States from any particular actor is remote at this time. The Intelligence Community instead foresees an ongoing series of low-to-moderate level cyber operations from a variety of sources, which will impose cumulative costs on US economic competitiveness and national security, pose risks to federal and private sector infrastructure in the United States, infringe upon the rights of US intellectual property holders, and violate the privacy of US citizens.

In February, Director of National Intelligence James Clapper testified before Congress on the 2016 Worldwide Threat Assessment of the US Intelligence Community, and stated, "Many actors remain undeterred from conducting reconnaissance, espionage, and even attacks in cyberspace because of the relatively low costs of entry, the perceived payoff, and the lack of significant consequences." He highlighted the malicious cyber activities of the leading state actors, non-state actors such as Da'esh, and criminals who are developing and using sophisticated cyber tools, including ransomware for extortion and malware to target government networks.

The Intelligence Community continues to witness an increase in the scale and scope of reporting on malicious cyberactivity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by U.S. victims. The motivation to conduct cyberattacks and cyberespionage will probably remain strong because of the gains for the perpetrators.

Tools Available to Counter Cyberthreats

The United States works to counter technical challenges through a whole-of-government approach that brings to bear its full range of instruments of national power and corresponding policy tools – diplomatic, law enforcement, economic, military, and intelligence – as appropriate and consistent with applicable law.

The United States believes that deterrence in cyberspace is best accomplished through a combination of "deterrence by denial" – reducing the incentive of potential adversaries to use cyber capabilities against the United States by persuading them that the United States can deny their objectives – and "deterrence through cost imposition" – threatening or carrying out actions to inflict penalties and costs against adversaries that conduct malicious cyberactivity against the United States. It is important to note that there is no one-size-fits-all approach to deterring or responding to cyberthreats. Rather, the individual characteristics of a particular threat determine the tools that would most appropriately be used.

The president has at his disposal a number of tools to carry out deterrence by denial. These include a range of policies, regulations, and voluntary standards aimed at increasing the security and resiliency of U.S. government and private sector computer systems. They also include incident response capabilities and certain law enforcement authorities.

With respect to cost imposition, the president is able to draw on a range of response options from across the United States government.

Diplomatic tools provide a way to communicate to adversaries when their actions are unacceptable and to build support and greater cooperation among, or seek assistance from, allies and like-minded countries to address shared threats. Diplomatic démarches to both friendly and potentially hostile states have become a regular component of the United States' response to major international cyberincidents. In the longer term, US efforts to promote principles of responsible state behavior in cyberspace, including peacetime norms, are intended to build increasing consensus among like-minded states that can form a basis for cooperative responses to irresponsible state actions.

Law enforcement tools can be used to investigate crimes and prosecute malicious cyber actors both within the United States and abroad. International cooperation is critical to cybercrime investigations, which is why the United States has promoted international harmonization of substantive and procedural cybercrime laws through the Budapest Convention, created an informal channel for data preservation and information sharing through the G7 24/7 network, and promoted donor partnerships to assist developing nations.

Economic tools, such as financial sanctions, may be used as a part of the broader U.S. strategy to change, constrain, and stigmatize the behavior of malicious actors in cyberspace. Since January 2015, the president has provided guidance to the Secretary of the Treasury to impose sanctions to counter North Korea's malicious cyber-enabled activities. Executive Order 13687 was issued, in part, in response to the provocative and destructive attack on Sony Pictures Entertainment, while Executive Order 13722 targets, among others, significant activities by North Korea to undermine cybersecurity, in line with the recently-signed North Korea Sanctions and Policy Enhancement Act of 2016. Aside from these North Korea-specific authorities, in April 2015, the president issued Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, which authorizes the imposition of sanctions against persons whose malicious cyber-enabled activities could pose a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Military capabilities provide an important set of options for deterring and responding to malicious cyberactivity. The Department of Defense continues to build its cyber capabilities and strengthen its cyber defense and deterrence posture. As part of this effort, the Department of Defense is building its Cyber Mission Force, which is already employing its capabilities to defend Department of Defense networks, defend the nation against cyberattacks of significant consequence, and generate integrated cyberspace effects in support of operational plans and contingency operations. In addition, Secretary of Defense Ashton Carter announced earlier this year that US forces are using cybertools to disrupt Da'esh's command and control systems and to negatively impact its networks.

Intelligence capabilities are also an important tool at the President's disposal in detecting, responding to, and deterring malicious activities in cyberspace, particularly given the unique challenges associated with attributing and understanding the motivation behind such malicious activities.

Even with this broad range of tools, deterring cyberthreats remains a challenge. Given the unique characteristics of cyberspace, the United States continues to work to develop additional and appropriate consequences that it can impose on malicious cyber actors.

Capacity Building

In addition to the tools that I have just outlined, the ability of the United States to respond to foreign cyberthreats and fight transnational cybercrime is greatly enhanced by the capabilities and strength of our international partners in this area. Therefore, the Department of State is working with departments and agencies, allies and multilateral partners to build the capacity of foreign governments, particularly in developing countries, to secure their own networks as well as investigate and prosecute cybercriminals within their borders. The Department also actively promotes donor cooperation, including bilateral and multilateral participation in joint cyber capacity building initiatives.

In 2015, for example, the United States joined the Netherlands in founding the Global Forum on Cyber Expertise, a global platform for countries, international organizations, and the private sector to exchange best practices and expertise on cyber capacity building. The United States partnered with Japan, Australia, Canada, the African Union Commission, and Symantec on four cybersecurity and cybercrime capacity building initiatives. The Department also provided assistance to the Council of Europe, the Organization of American States, and the United Nations Global Program on Cybercrime to enable delivery of capacity building assistance to developing nations. Many traditional bilateral law enforcement training programs increasingly include cyber elements, such as training investigators and prosecutors in the handling of electronic evidence. Much of our foreign law enforcement training on combating intellectual property crime focuses on digital theft.

In another example of capacity building, the Department of State, through its Bureau of International Narcotics and Law Enforcement Affairs, manages five International Law Enforcement Academies (ILEAs) worldwide, and one additional Regional Training Center. These six facilities provide law enforcement training and instruction to law enforcement officials from approximately 85 countries each year. The ILEA program includes a wide variety of cyber investigation training courses, from basic to advanced levels, taught by subject matter experts from the US Secret Service and other agencies and policy-level discussions with senior criminal justice officials. This serves as a force multiplier to enhance the capabilities of the international law enforcement community to collaborate in the effort to fight cybercrime.

The Department of State is committed to continuing its capacity building initiatives as another effective way to counter international cyberthreats and promote international cyber stability.

Looking Ahead

Cybersecurity will continue to be a challenge for the United States when we take into consideration the rapidly expanding environment of global cyberthreats, the increasing reliance on information technology and number of "smart devices," the reality that many developing nations are still in the early stages of their cyber maturity, and the ongoing and increasingly sophisticated use of information technology by terrorists and other criminals. Thus, the Department of State anticipates a continued increase and expansion of our cyber-focused diplomatic and capacity building efforts for the foreseeable future.

The Department will continue to spearhead the effort to promote international consensus that existing international law applies to state actions in cyberspace and build support for certain peacetime norms through assisting states in developing technical capabilities and relevant laws and policies, to ensure they are able to properly meet their commitments on norms of international cyber behavior.

The Department of State remains appreciative of this Subcommittee's continued support. Thank you for the opportunity to testify today. I am happy to answer your questions.

Licenses and Attributions

International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms by Christopher Painter comprises public domain material from the U.S. Department of State. UMGC has modified this work.

Global Cybersecurity Threats

Cybersecurity threats can originate from any geographic region, can affect any geographic region, can achieve relative anonymity on the global infrastructure known as the internet, and can have varying degrees of sophistication and motivation.

Geographically, cybersecurity threats and associated threat actors are more prevalent in some regions than others. Threats with Middle Eastern origins include rogue and/or state-sponsored actors who leverage capabilities, either indigenously produced or stolen, against global targets.

The motivation of these threat actors is varied, from theft of intellectual property for their own national purposes, to using threats to send political or social messages, to theft for the purposes of financial gain, to even terrorism. Cybersecurity threats from Russia are generally characterized as sophisticated and stealthy, while threats from other European nations vary as determined by their national policies, political pressures, and impacts to their populations.

Asian Cybersecurity Threats

Among foreign threats, the Chinese are among the most capable and active. China has used fairly sophisticated tools and techniques to attack a wide range of targets. In 2010, Chinese actors attacked Adobe Systems, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical (Bengali et al., 2013) using an advanced persistent threat (APT) that appeared to be based in Beijing. The massive theft of tens of millions of records from the Office of Personnel Management (OPM) in 2014 is attributed to the Chinese, as is the 2015 theft of millions of records from Anthem. The Anthem theft represented the most significant theft of healthcare records to date. Chinese attacks against US interests became so prolific and bold that the US took the unprecedented step of publicly accusing China of attacking US government systems.

The Guardians of Peace—an alleged North Korean hacker group—has been identified as the perpetrator of the 2014 attack on Sony networks, which wiped out servers and stole terabytes of data. The 2013 attack on South Korean banks is also attributed to North Korean actors.

References

Bengali, S., Dilanian, K., & Zavis, A. (2013). Chinese cyber attack disclosures. The Los Angeles Times. Retrieved from http://timelines.latimes.com/la-fg-china-cyber-disclosures-timeline/

African Cybersecurity Threats

While Africa has lagged in developing and implementing cybersecurity measures, cybersecurity threats from Africa are on the rise, largely due to rampant criminal activities that can be enhanced with illicit access to networks and data. African networks are easier targets because they are less protected. Threat actors from Africa are taking advantage of this relative ease of access to successfully gain access to networks and data. The prime motives are criminal, and largely for the purposes of financial gain. There is little evidence that African-inspired cyber threat actors pose significant threats outside of African borders.

Middle-Eastern Cybersecurity Threats

One of the most devastating Middle-Eastern cybersecurity attacks occurred in 2012, when the Cutting Sword of Justice group launched a virus attack against the Saudi Arabian oil company Aramco, disabling 30,000 desktop computers. At the time, this was one of the most destructive attacks ever against a company. Threats from the Middle East continue to manifest, with threat actors developing and delivering payloads, launching phishing schemes to gain unauthorized access, and stealing terabytes of data.

Today, cyberattacks within and from the Middle East are a mix of hacktivism—attacks focused on promoting political agendas—and state-sponsored attacks. Economics significantly influences the motivations of Middle-Eastern cybersecurity attacks, with the global issues of gas and oil resources helping to stimulate malicious acts. Iranian threat actors are prominent, according to a report by a California security firm, Cylance: "Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States" (Cylance, 2015).

Iranian threat actors continue to develop sophisticated capability. This was evidenced in Operation Cleaver, a massive series of malware attacks launched in 2014, reported to be linked to Tehran and demonstrating Iran's growing cyberattack capabilities. Iran is also suspected of "...flat lining the in-house networks" of the Las Vegas Sands casino corporation "in retaliation for public comments made by its CEO, who said the U.S. should threaten a nuclear attack on Tehran to keep its nuclear program in check" (Risen, 2015).

References

Cylance. (2015). Operation cleaver. Retrieved from https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

Risen, T. (2015, December 15). Iran's growing cybersecurity threat. Retrieved from http://www.usnews.com/news/articles/2014/12/15/irans-growing-cybersecurity-threat

Russian Cybersecurity Threats

Russia has emerged as the top global cybersecurity threat and is considered home to some of the most sophisticated threats operating in cyberspace. Among the more prominent Russian-backed cyberattacks was the May 2007 attack on Estonia, largely attributed to Russian hacktivism. This attack was in response to a conflict between Russia and Estonia, which resulted in Estonia deciding to remove a historic Russian monument. With its relatively cheap labor pool and wealth of well-trained computer specialists, Russia has demonstrated its capacity and willingness to conduct cyberattacks.

Russia is structurally posturing to attack command and control systems and conduct cyber-related propaganda operations, and Russian actors have developed the capability to target industrial control systems (ICS). They employ this access to attack electric power grids, air-traffic control, and oil and gas distribution. According to Director of National Intelligence James Clapper, "Russian actors have successfully compromised the product supply chains of three ICS vendors so that customers download exploitative malware directly from vendors' websites along with routine software updates" (Statement for the Record of James R. Clapper, 2015).

The significant increases in the scope and scale of Russian cybersecurity threats have impacted global economies and cyber defense efforts around the world. In particular, they have created opportunities for cyber defenders. Kevin Mandia, CEO of FireEye, said in response to an increase in company earnings in November 2016, "I think Russia's operating at its fullest scale and scope right now, and for the first time in maybe 15 years, in my opinion, we're responding to more state actor intrusions from Russia than China" (Balakrishnan, 2016).

While Russia's inherent cybersecurity threats are cause for concern, it is also important to be wary of the expansion of Russian threats to other nations or threat actors. "Particularly concerning for the former Soviet republics, the United States, and others who find themselves in disagreement with Russia are the growing sophistication of the attacks; the possible expansion of attackers' recruits to Russian expats; and the possibility of Russian cyber warriors selling their skills, labor, and expertise to other states (such as Iran) or organizations (such as Hamas or Hezbollah, which enjoy sympathy and support in Russia)" (Flook, 2009).

References

Balakrishnan, A. (2016, November). Fireeye pops 12% as requests to fight Russian cyberthreats, email hacks boosts business. CNBC. Retrieved from http://www.cnbc.com/2016/11/04/fireeye-pops-15-as-requests-to-fight-russian-cyberthreats-email-hacks-boost-business.html

Flook, K. (2009, May). Russia and the cyber threat. Retrieved from http://www.criticalthreats.org/russia/russia-and-cyber-threat

Statement for the Record of James R. Clapper. (2015, February). Worldwide threat assessment. Retrieved from http://www.widener.edu/about/campus_resources/wolfgram_library/documents/apa_govt_guide.pdf