YHTOMIT: 2 part assignment

8 Forum / Rethinking the Cyber Domain and Deterrence JFQ 77, 2 nd Quarter 2015 Rethinking the Cyber Domain and Deterrence By Dorothy E. Denning A s the Department of Defense (DOD) formulates strategy and doctrine for operating in cyberspace, it is vital to understand the domain and how it relates to the traditional domains of land, sea, air, and space. While cyberspace has dis -tinct technologies and methods, it shares many characteristics with the traditional domains, and some of the conventional wisdom about how cyber - space differs from them does not hold up under examination. These similarities are especially relevant when it comes to strategies for deterrence. Just as any attempt to de- velop a single deterrence strategy for all undesirable activity across the traditional domains would be fraught with difficulty, so too for cyberspace. Yet this is how many authors have approached the topic of deterrence in cyberspace. Instead, by focusing on particular cyber weapons that are amenable to deterrence or drawing Dorothy E. Denning is a Distinguished Professor in the Department of Defense Analysis, Graduate School of Operational and Information Sciences, at the Naval Postgraduat\ e School. The author thanks John Arquilla, Peter J. Denning, and Kalev Sepp for helpful comments on an earlier \ version of this paper. Secretary of Homeland Security Jeh Johnson hosts President Obama at National Cybersecurity and Communications Integration Center (DHS/Barry Bahler) JFQ 77, 2 nd Quarter 2015 Denning 9 from existing deterrence regimes, the issues become more tractable.

But first, two key attributes of cyber - space must be examined, as they show why cyberspace strongly resembles tradi- tional domains. These are the roles played by man vs. nature and the malleability of the domains. Other similarities across the domains are described later in the context of deterrence.

Man and Nature Conventional wisdom holds that cyberspace is made by man, whereas the traditional domains were created by nature. This is reflected in the Depart- ment of Defense Strategy for Operating in Cyberspace: “Although it is a man- made domain, cyberspace is now as relevant a domain for DoD activities as the naturally occurring domains of land, sea, air, and space.” 1 General Michael Hayden, USAF (Ret.), former Director of the National Security Agency and the Central Intelligence Agency (CIA), similarly noted: “the other domains are natural, created by God, and this one is the creation of man.” 2 This distinction of manmade vs. natu- ral permeates the cyber warfare literature.

Martin Libicki, a senior management scientist at the RAND Corporation and one of the leading thinkers about cyber warfare, writes, “Ever yone concedes that cyberspace is man-made. This is what makes it different from its predecessors.” 3 While it is certainly true that cy- berspace would not exist without the computers and networks created by man, all domains of warfare, with the possible exception of land, are fundamen- tally manmade. The maritime domain would not exist without boats, the air domain without planes, and the space domain without rockets and satellites.

Indeed, these domains, along with their respective militar y forces, were created only after the introduction of naval vessels, militar y aircraft, and spacecraft, respectively. Even the domain of land is substantially manmade. Although land forces could in principle fight it out with sticks and stones, and move only on foot or the backs of horses and camels, they instead deploy a plethora of manmade tools, vehicles, and weapons to support operations over terrain that has been substantially altered by man through the construction of roads, bridges, tunnels, buildings, canals, pipelines, and so on.

Indeed, urban warfare takes place in an environment that is predominantly man- made. Nature, and especially geography, still matter, but none of the traditional domains, including land, can be un- derstood, let alone operationalized, in today’s world without accounting for the artifacts of mankind and the changes man has made to the environment.

At the same time, cyberspace has a substantial natural component. It relies heavily on electromagnetic waves, as well as natural elements such as silicon.

Indeed, the electromagnetic spec- trum—that is, the range of all possible wavelengths and their associated frequen- cies, to include radio, infrared, and light waves—is crucial to communications in cyberspace. All communications, re- gardless of whether they are transmitted through the air or over wires or optical fibers, take the form of electromagnetic waves. And even though these waves are generated by manmade devices that con- vert digital information into continuously var ying wave forms, they have the same physical makeup and are constrained by the same laws of physics as the naturally occurring ones in background radiation.

Electromagnetic waves are to cyberspace much as land, water, air, and space are to the traditional domains of warfare.

They are a medium for movement, in this case digital objects instead of people and equipment. The waves themselves travel through land, water, air, or space, so in a sense they are a medium within the other media—but then so too are rivers and canals with respect to land. Computer networks, of course, are manmade. But they are like the manmade road and rail networks in the domain of land; both provide infrastructure over which much movement takes place.

Moreover, just as the placement of roads and train tracks is strongly influenced by geography, so too is the placement of cyber infrastructure such as cell towers and cables. There is another, perhaps even more fundamental reason why the man vs.

nature dichotomy breaks down: all of the domains encompass more than just their physical manifestations. They are domains of human practice and, as such, constrained by the actions and decisions of humans. For example, even though the borders separating one countr y from another often follow natural geographic formations such as mountain ranges and bodies of water, they are set by man, as are the boundaries that separate one property owner from another within a countr y. Moreover, the legitimacy of these borders relies on human agree- ments, which in turn are backed by manmade laws, regulations, and means of enforcement. International borders are often at the root of conflict, such as those involving Ukraine, Georgia, Kashmir, and islands in the South China Sea. But even when borders are not in dispute, conflict can emerge over other human agreements, especially those of national governance. The civil war in Syria and re- cent coup in Thailand illustrate this fact. Recognizing the role of humans in all domains of warfare is essential to understanding deterrence. Deterrence is fundamentally about influencing the decisions and actions (or inactions) taken by human beings, not nature. It is highly dependent on human agreements, both nationally and internationally. At the international level, the Charter of the United Nations (UN) together with other international agreements, including the Geneva and Hague con- ventions and customar y international law, form a body of agreements referred to as the Law of Armed Conflict (LOAC), which is concerned with state activity across all domains of warfare, prescribing conditions under which states may and may not use their militar y forces. State activity is also constrained by numerous other agreements that cover such areas as trade, travel, telecommunications, finance, the environment, energy, weap- ons, crime, and embassies. At the national level, domestic laws, regulations, contracts, and other types of agreements, together with various means of enforcement including police and the 10 Forum / Rethinking the Cyber Domain and Deterrence JFQ 77, 2 nd Quarter 2015 criminal justice system, restrict activity within a state’s borders. Within organiza- tions, policies, procedures, and personnel agreements restrict the actions of their employees.

As domains of human practice, all do- mains of warfare are further constrained by the skill and initiative of their human practitioners, and by the resources those practitioners are able to acquire to meet their objectives. Nature, by itself, will not engage a foreign adversar y. Militaries must plan, resource, and execute their operations, whether in cyberspace or a traditional domain of warfare. While some of the skills needed to operate ef- fectively in the cyber domain differ from those in other domains of warfare, other skills such as the ability to communicate effectively, work with others, build trust, and manage projects do not. It is tempting to think that it is easier, cheaper, and faster to act in cyberspace than in traditional domains. After all, it is just a matter of moving, processing, and storing bits—not people and physical objects. But resources and skillsets matter as much in cyberspace as any other do- main. Lacking adequate bandwidth, for example, it may be faster to move digital objects by downloading them to portable media and shipping the media than by sending them over a slow network. And surely one of the reasons why terrorists still prefer bombs to bytes is that it is easier for them to build and deploy explosives than to achieve comparable effects with cyber weapons. Developing a sophisticated cyber warfare capability requires considerable upfront investment. Malleability The manmade vs. nature distinction has led to a conclusion that cyberspace is easier to change than the traditional domains. General Hayden, for example, wrote, “Man can actually change this geography, and anything that happens there actually creates a change in someone’s physical space.” 4 Libicki emphasized the importance of this aspect: “What matters is that cyberspace is highly malleable by its owners, hence its defenders, in ways other media are not.” 5 If true, this would suggest that cyberspace might be more amenable to deterrence by denial, that is, through security defenses, than other domains of warfare. While some things are easy to change in cyberspace, the overall malleability of the domain is severely limited by standards, interoperability requirements, legacy software, regulations, and the resources and inertia needed to make changes. The switch from version 4 to version 6 of the Internet Protocol (IP), for example, has been taking years.

As of May 2014, the bulk of Internet traffic is still carried in version 4 packets, including over 96 percent of the traffic connecting to Google ser vers. 6 There are NASA’s Mid-Infrared Instrument has camera and spectrograph that see light in \ mid-infrared region of electromagnetic spectrum (NASA/Chris Gunn/Rob Gutro) JFQ 77, 2 nd Quarter 2015 Denning 11 many reasons for the slow adoption, but a sur vey of industr y professionals found that the top reasons were transition costs, compatibility issues, and security con- cerns. 7 The security issues are interesting; while version 6 mandates support for en- cr yption and authentication, it effectively breaks security products such as firewalls and intrusion prevention systems that were developed for version 4. There are numerous other examples demonstrating the slow adoption of new Internet protocols and standards, in- cluding ones that would thwart many of the cyber attacks that plague cyberspace today, such as denial-of-ser vice and phish- ing attacks that rely on spoofing an IP address, email account, or organization in cyberspace. 8 In addition, organizations can be slow to adopt improved versions of operating systems and application software, as illustrated by the many in- stallations still running Windows XP and applications built for it, and they can be slow to install security patches for pub- lished vulnerabilities. This lag in adoption is seen in indus- trial control systems that operate critical infrastructure such as power generation and distribution, oil and gas distribution, and water treatment and distribution.

Many of these systems run legacy soft- ware that offers practically no security, but meets performance, reliability, and safety objectives that drove decisions be- fore the threat of cyber attacks became an issue. To make matters worse, these sys- tems are often connected to the Internet, exposing them to cyber threats for which they lack defenses. Operators may be reluctant to update and patch these sys- tems for fear of breaking something and disrupting essential ser vices. Within the Federal Government, the ability to acquire new cyber technologies is hampered by procurement regulations.

Acquisition delays of 5 to 10 years are not uncommon in the militar y. The malleability of cyberspace is also constrained by the time and resources required to install infrastructure such as cables and satellites, as well as by the laws of nature. Fred Cohen, for example, showed three decades ago that it was im- possible to develop a computer program that would detect any computer virus by either its appearance or its behavior. 9 At the same time, traditional do- mains of warfare, especially land, can be reasonably malleable. While building highways and bridges can take consid- erable time, and mountains and forests are immovable, it can be relatively easy to make certain types of changes in some geographic areas—for example, to install sur veillance equipment, plant and detonate explosives, and reposition troops—all of which can significantly im- pact militar y operations. In all domains, militaries have to contend with change and uncertainty brought on by adversar y actions and nature. Cyberspace itself is also increasing the malleability of other domains of warfare. With additive manufacturing, also known as three-dimensional (3D) printing, it becomes possible to transform digital blueprints into physical weapons and other types of devices. Instead of building a device in a manufacturing plant in one countr y and then shipping it to a facility in another, a digital blueprint can be transmitted to a 3D printer at the intended destination. Cyberspace has an advantage over the traditional domains in that if a cyber operation alters digital objects without affecting objects external to cyberspace, its effects can be undone by restoring the original bits. Thus, if a cyber operation shuts down a power generator by tam- pering with bits in its control system, for example, it may be possible to restore power simply by resetting the bits. By contrast, if the generator is shut down with a bomb, it must be physically rebuilt or replaced. Additive manufacturing, however, may someday remove even some of this advantage. Deterrence in Cyberspace The literature on cyber deterrence reveals many challenges to the ver y concept. 10 These include the: •difficulty of attributing cyber attacks to their perpetrators •ease of acquiring cyber weapons and conducting cyber attacks •broad scope of state and nonstate actors who engage in cyber attacks for a multitude of reasons and against both state and nonstate targets •short shelf life of many cyber weapons •difficulty of establishing thresholds and red lines for cyber aggression •difficulty of setting and enforcing international norms regarding cyber behavior •challenges associated with avoiding escalation.

Authors who have compared cyber deterrence with nuclear deterrence have generally found that the principles that have made nuclear deterrence effective for over half a centur y fall apart in cyberspace. 11 One reason why the concept of cyber deterrence raises so many challenges is that the term is extremely broad. In no other domain of warfare do we address the topic of deterrence across an entire domain. There is no notion of “land deterrence,” “sea deterrence,” “air deter - rence,” or “space deterrence.” Rather, we direct our attention to particular weapons and activity. Some of these may be tied to specific domains of warfare and even geographic areas, such as deterrence of Somali pirates in the Gulf of Aden, but others are not, such as deterrence of state-level aggression generally. Consider nuclear deterrence. It is about a specific type of weapon, not a domain of warfare. In fact, it crosses all domains of warfare, as nuclear weap- ons can be launched from land-based missiles, fired from submarines, or dropped from bombers against targets in any domain. The success of nuclear deterrence is contingent on the nature of the weapon, which inherently limits its casual development and deployment.

Nuclear deterrence is directed primar - ily at nation-states and, by extension, state-sponsored terrorists. It relies primarily on retaliation or punishment, including nuclear counterstrikes leading to mutually assured destruction. But nuclear deterrence also depends on restricting the states that have nuclear 12 Forum / Rethinking the Cyber Domain and Deterrence JFQ 77, 2 nd Quarter 2015 arsenals and the spread of the knowledge and materials required to develop the weapons, sometimes called “deterrence by denial.” This in turn is supported by the establishment of international norms and agreements that limit the acquisition and use of nuclear technologies, such as the Nuclear Non-Proliferation Treaty of 1968. Both denial and norms can have a deterrent effect by dissuading parties from even attempting to acquire nuclear weapons.

In traditional domains of warfare, there are all sorts of nefarious activity that one would like to deter, including bomb- ings, chemical and biological attacks, genocide, terrorism, armed invasions by foreign militar y forces, theft, briber y, fraud, extortion, embezzlement, insider trading, political corruption, arson, mur - der, espionage, vandalism, kidnapping, sexual assault, child and elder abuse, and animal abuse. Some of this activity falls in the area of national security and militar y operations, but other activity falls in the area of domestic crime and law enforce- ment. Given the enormous scope of the actors and activities involved, it would be difficult to develop an effective deterrence strategy that covered it all. Attempting to do so would inevitably raise many of the same problems that have surfaced in studies of cyber deterrence. For example, like many cyber weapons, many physical weapons, to include knives and guns, are easy to acquire and difficult to control.

Street crimes such as vandalism, arson, and theft can be easy to commit but diffi- cult to prevent and attribute. Cyberspace is becoming as rich a domain of activity as land. It supports a large and ever growing set of operations relating to communication, finance, busi- ness, commerce, education and training, research, entertainment, health care, the environment, energy, government, militar y operations, and more. And, like all domains of warfare, it is used for both civilian and militar y activity. To get our hands around deterrence in cyber - space, we need to move beyond general statements about the domain as a whole to statements about situations where deterrence could play a meaningful role.

One might argue that cyber deterrence is really about a particular type of weapon and not the domain, and in that regard its focus is similar to nuclear deterrence. But the comparison is not fair. Cyber weapons constitute the entire set of methods and tools that can produce effects in cyber - space, ranging from simple weapons that are readily acquired and used by “script kiddies” with no real skill in the domain, to those that require an advanced capa- bility to develop and successfully deploy, such as was the case with Stuxnet. They also range from weapons whose effects are minor to ones that could potentially lead to death. By contrast, nuclear weapons are a highly lethal subset of all explosives, and explosives in turn are just a subset of all the physical weapons that can produce effects in traditional domains. Just as we do not sweep all physical weapons into a single strategy of de- terrence, we should not tr y to sweep all cyber weapons into a single strategy.

Rather, we need to narrow our treatment of deterrence as it relates to cyberspace.

The following suggests two approaches:

one centered on particular cyber weap- ons, the other on existing deterrence regimes. These are not exclusive, but rather orthogonal or complementar y.

Others have advocated tackling the de- terrence issues by taking into account the geopolitical context 12 and applying princi- ples of tailored deterrence, both of which can be used with the ones suggested in this article. 13 Deterrence for Classes of Cyber Weapons The first approach is to focus on rela- tively narrow classes of cyber weapons where deterrence might be feasible.

For example, consider nuclear electro- magnetic pulse weapons, sometimes referred to as nuclear EMPs or simply NEMPs. These are nuclear weapons that would be detonated at high alti- tudes above Earth with the objective of damaging electronic devices rather than killing persons or blowing up buildings.

Because so much critical infrastruc- ture depends on computers and other electronic devices, the effects of a well-placed NEMP attack could be dev- astating not only to cyberspace but also to all domains of activity and society as a whole. Testifying before Congress, former CIA Director James Woolsey noted that a nuclear warhead, launched with a medium-range missile from the Gulf of Mexico and detonating at an altitude of 400 kilometers, would gen- erate an EMP field on the ground with a radius of 2,200 kilometers, “covering all of the contiguous 48 United States, causing a nationwide blackout and collapse of the critical infrastructures ever ywhere.” 14 Because NEMPs are nuclear weapons, they automatically fall under the umbrella of nuclear deterrence. In addition, unlike nuclear weapons that detonate directly against their targets, their effects can be denied, as electronics can be hardened against the damaging radiation emitted by these weapons. While such hardening may not be practical for all electronic devices, it might be worth applying to critical infrastructures vital to society. Numerous cyber weapons lend themselves to deterrence by denial, including any weapon that can be thwarted with the adoption of existing security technologies and practices. As noted earlier, many denial-of-ser vice and phishing attacks can be stopped with anti-spoofing technologies that already exist. Deterrence strategy could focus on stimulating greater adoption of these technologies and on developing additional ones. In addition, many cyber weapons exploit vulnerabilities in existing systems for which there are patches or fixes. Deterrence strategy could promote more rapid and widespread adoption of these fixes. Strong defenses can convince would-be perpetrators that a cyber attack will likely fail and, therefore, is not worth implementing. Some classes of cyber weapons might be suitable for deterrence by punishment.

Even though many cyber attacks are difficult to attribute and therefore punish, others are not. Cyber activists operating under the banner of Anonymous, for example, used a cyber weapon called the Low Orbit Ion Cannon to conduct deni- al-of-ser vice attacks against targeted Web sites. This tool did not, however, give its JFQ 77, 2 nd Quarter 2015 Denning 13 users anonymity, and 19 people who used it during “Operation Payback” in 2011 against PayPal, Mastercard, and Visa were identified and arrested, including 14 in the United States. 15 Still other types of cyber weapons might be suitable for deterrence by norms and agreements. NEMPs, as nuclear weapons, fall in this categor y. If a cyber weapon is ever developed that could cause massive deaths, it might be similarly categorized. Deterrence Through Established Regimes A second approach to deterrence in cyberspace is through the application of deterrence regimes established for other kinds of activity. As already noted, we can do this with NEMPs, drawing on existing strategies and mechanisms for nuclear deterrence. But we can also do it more broadly and apply established strategy for deterring state-level aggres- sion and crime by nonstate actors.

LOAC is particularly relevant to de- terring state-level aggression. Although it predates cyberspace, government officials, scholars in the area of international law, and cyber experts generally agree that it applies to cyberspace. A UN group of government experts affirmed this:

“International law, and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible” cyberspace. 16 The Tallinn Manual, sponsored by the North Atlantic Treaty Organization, offers rules for applying LOAC to cy- berspace, 17 and DOD has stated that its actions in cyberspace will be governed by LOAC and all other applicable domestic and international legal frameworks. 18 LOAC supports deterrence by both norms and punishment by establishing principles for the use of force by states and for responses by the international community to state acts of aggression.

In addition to LOAC, other interna- tional agreements might ser ve to deter certain activity. One such agreement is the World Trade Organization (WTO) Agreement on Trade-Related Aspects of Intellectual Property Rights, which requires participating nations to protect trade secrets. Both the United States and China are members of WTO, and in response to the indictments of five members of China’s People’s Liberation Army for stealing trade secrets, Senator Charles Schumer called on the U.S.

representative to the WTO to file suit at the WTO against China for state-backed cyber espionage. 19 Well-tempered statecraft can deter aggressive state behavior in all domains of warfare. Also, to the extent that the affairs of states are intertwined, especially Shelby Cobra—approximately 1,400-pound vehicle containing 500 pounds \ of printed parts made of 20 percent carbon fiber—produced by Big Area Additive Manufacturing Machine, which manufactures strong, lightweight c\ omposite parts in sizes greater than 1 cubic meter (DOE) 14 Forum / Rethinking the Cyber Domain and Deterrence JFQ 77, 2 nd Quarter 2015 economically, there is some deterrence by interdependency or entanglement; if one state harms another, it will also harm itself.

Crimes committed by nonstate actors have been deterred traditionally through norms via religious and moral teachings as well as crime statutes; by punishment via law enforcement and the criminal justice system; and by denial via fences, locks, alarms, guards, and other mecha- nisms that control entr y into protected spaces. In addition, sur veillance devices such as security cameras can help catch criminals such as shoplifters, muggers, and vandals who would other wise not be identified and caught, thereby strengthening deterrence by punishment.

Community policing, especially in “hot spots,” and neighborhood watch groups can also deter street crime. Cyber crimes can be deterred by the same types of mechanisms. In the United States, the Computer Fraud and Abuse Act of 1986, together with its amendments and other laws that apply to cyberspace, set norms for acceptable behavior in cyberspace. Many of these norms appear in the domestic crime laws of other countries as well. In addi- tion, they are included in the Council of Europe (COE) Convention on Cybercrime. As of March 2014, 42 coun- tries had ratified the Convention and 11 more had signed it, showing strong inter - national consensus regarding much cyber activity. 20 While these laws obviously have not deterred those persons who commit cyber crimes, they likely deter those who view themselves as law-abiding citizens. At least one study has shown that deterrence by punishment applies to cyber crime. Researchers at the National University of Singapore found a 36 per - cent reduction in cyber attacks relating to 49 reports of government enforcement actions in eight countries. 21 However, more studies are needed to validate (or refute) these results and to determine factors that can make a difference. While it would be overly optimistic to assume that the persons behind all cyber attacks could be caught and punished, improved methods of cyber forensics and attribu- tion, coupled with greater international cooperation such as that facilitated by the COE Convention on Cybercrime, could lead to greater deterrence by punishment.

Deterrence by denial is practiced ever y day in cyberspace via cyber security mechanisms and practices, including the regular installation of security patches, the use of strong methods for authentication, and the application of firewalls, black and white lists, intrusion prevention systems, antivirus tools, encr yption, and so forth.

We can aim for even more effective cyber security in the future by placing greater emphasis on security during the design, development, installation, and operation of new cyber technologies, but it is not likely to ever be completely foolproof, for Research engineers use 3-D printer in their work at FDA (FDA/Michael J.\ Ermarth) JFQ 77, 2 nd Quarter 2015 Denning 15 much the same reason that crime overall will never be fully eliminated. Still, denial offers the best means of deterrence, whether in cyberspace or not, in those situations where it can be applied and is cost effective. Much of the literature on deterrence in cyberspace recognizes this.

Conclusions Cyber technologies are inherently different from those that define the traditional domains of warfare. After all, they are used to move, process, and store digital objects across computer networks—not people and physical objects across land, sea, air, and space.

But technology aside, cyberspace shares many of the same characteristics as other domains of warfare. All have both manmade and natural elements, and the malleability of all is subject to consid- erable constraint. Importantly, all are domains of human practice, character- ized by a wide range of activity by both state and nonstate actors, some of which is hard to attribute, and by a variety of weapons ranging in availability, cost, and effects produced. Because cyberspace is such a rich do- main, studies of “cyber deterrence” raise as many problems as would be raised by a comparable study of “land deterrence.” This does not mean that deterrence in cyberspace is impossible, only that a more focused approach is needed, as has been followed in traditional domains of warfare. One possible approach is to con- sider classes of cyber weapons that lend themselves to deterrence. Another is to consider existing deterrence regimes, in- cluding international regimes governing nation-states and domestic regimes gov- erning nonstate criminal behavior. These approaches can be combined with others that are tailored to particular actors or geopolitical contexts. Together, they may offer a tractable approach to deterrence in cyberspace. JFQ Notes 1 Department of Defense Strategy for Operat- ing in Cyberspace (Washington, DC: Depart- ment of Defense, July 2011), 5, available at

pdf>. 2 Michael V. Hayden, “The Future of Things ‘Cyber,’” Strategic Studies Quarterly (Spring 2011), 4, available at .

3 Martin C. Libicki, “Cyberspace Is Not a Warfighting Domain,” I/S: A Journal of Law and Policy for the Information Society 8, no. 2 (2012), 324, available at .

4 Hayden, 4.5 Libicki, 324.6 IPv6 Statistics, accessed May 14, 2014, at

html#tab=ipv6-adoption>.

7 Aman Yadav et al., “IPv6 Protocol Adop- tion in the U.S.: Why Is It So Slow?” Capstone paper, University of Colorado, May 4, 2012, available at .

8 Examples of protocols and standards that would significantly improve cyber security include the Network Ingress Filtering standard, which would put an end to many large-scale de- nial-of-ser vice attacks that rely on Internet Pro- tocol address spoofing; the Domain Name Sys- tem Security Extensions, which protect against cyber attacks such as domain spoofing and hijacking; the Secure Border Gateway Protocol (BGP), which addresses serious security issues with BGP that can lead to network blackouts and make traffic more vulnerable to adversar y eavesdropping; and Domain-Based Message Authentication, Reporting and Conformance for authenticating email, which would combat many email security issues such as phishing and spam that rely on spoofing the sender.

9 Fred Cohen, “Computer Viruses: Theor y and Experiments,” University of Southern Cal- ifornia, August 31, 1984, available at .

10 See, for example, Martin C. Libicki, Cy- berdeterrence and Cyber war (Santa Monica, CA:

RAND, 2009); Martin C. Libicki, “Deterrence in Cyberspace,” High Frontier 5, no. 3 (May 2009), 15–20; “Letter Report for the Com- mittee on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S.

Policy,” Washington, DC, National Research Council, March 25, 2010; Jonathan Solomon, “Cyberdeterrence Between Nation-States:

Plausible Strategy or a Pipe Dream?” Strate- gic Studies Quarterly 5, no. 1 (Spring 2011); and Emilio Iasiello, “Is Cyber Deterrence an Illusor y Course of Action?” Journal of Strategic Security 7, no. 1 (2013), 54–67.

11 See, for example, David Elliott, “De- terring Strategic Cyberattack,” IEEE Security & Privacy (September/October 2011), 36–39.

12 Will Goodman, “Cyber Deterrence:

Tougher in Theor y Than in Practice,” Strategic Studies Quarterly (Fall 2010), 102–135.

13 Richard L. Kugler, “Deterrence of Cyber Attacks,” in Cyberpower and National Security, ed. Franklin D. Kramer, Stuart H. Starr, and Larr y K. Wentz (Washington, DC: NDU Press, 2009), 309–340. 14 James R. Woolsey, “Testimony Before the House Committee on Energy and Commerce,” Washington, DC, May 21, 2013, available at

PsBE9is7.dpbs>.

15 Frazier McGinn, “Anonymous Arrested for DDoS Against PayPal,” Examiner.com, July 19, 2011, available at .

16 Report of the Group of Governmental Experts on Developments in the Field of Informa- tion and Telecommunications in the Context of International Security, Report A/68/69 (New York: United Nations General Assembly, June 24, 2013).

17 Michael Schmitt, ed., The Tallinn Manu- al on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013).

18 Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934 (Washington, DC: De- partment of Defense, November 2011).

19 Press release from the office of Senator Charles E. Schumer, United States Senator for New York, May 22, 2014.

20 Council of Europe, “Convention on Cybercrime,” available at

coe.int/Treaty/Commun/QueVoulezVous.

asp?NT=185&CM=8&DF=&CL=ENG>.

21 I.P.L Png and Chen-yu Wang, “The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Countr y Evidence,” Workshop on the Economics of Information Security, March 2007, available at . R epro duce d w ith p erm is sio n o f th e c o pyrig ht o w ner. F urth er r e pro ductio n p ro hib ite d w ith out p erm is sio n.