Competing in the Cyber Domain

“We have been handicapped however by a popular attachment to the concept of a basic difference between peace and war, by a tendency to view war as a sort of sporting contest outside of all political context.”

– George Kennan, 1948

American cybersecurity policy remains disjointed in implementation between the private, government, and national security spheres. Attacks in and from the cyber domain raise difficult questions about the roles of the military, federal civilian agencies, and private industry in protecting Americans. Leaders charged with implementing cybersecurity policy face the familiar challenge of keeping Americans safe without violating their civil liberties. 

The gaps in our cybersecurity policy exist due to American unwillingness to grasp the importance of competition outside traditional warfare. Current policy is dependent on United States Cyber Command (USCYBERCOM) for deterrence and a defensive posture on federal networks to keep out anyone who cannot be deterred. However, this approach can only work to prevent attributable nation-state attacks and unsophisticated criminal activity. 

Instead of conceptualizing offensive activity in the cyber domain as either war or crime, American policymakers should understand it as what George Kennan dubbed political warfare: peacetime interstate competition that calls for whole-of-government coordination.[1] I argue that the United States can only deter cyberattacks by establishing the capacity and resolve to extend political warfare to the cyber domain. Such an approach requires the military, to deter attributable nation-state attacks; the Department of State, to influence adversary behavior; the Department of Treasury, to reduce the rewards for ransoming and privateering; and the Cybersecurity and Infrastructure Security Agency (CISA), to provide guidance and coordinate national defenses.[2]

In this paper, I highlight the weaknesses of leaving deterrence to the military alone and contrast the American and Russian approaches. I then explore the state of U.S. cybersecurity policy today before proposing policy options to realize a whole-of-government approach to deterring cyberattacks. Such an approach must include three elements. First, the United States must strengthen federal protections for government networks and extend those offered to companies in critical infrastructure sectors. Second, the federal government must establish legal and normative frameworks for the defense of U.S.-based networks. Finally, the federal government must centralize its approach to competing in cyberspace, which can be achieved by strengthening CISA and promoting the Department of State’s leading role in managing relations with adversaries.

I recognize that not every cyberattack is orchestrated by states or other politically-motivated actors; my argument aims to encourage the federal government to recognize that adversaries could use creative and obfuscated means to achieve political goals. The United States must orchestrate a suite of punitive capabilities, military and non-military, to achieve credible deterrence. Alternate policies, including reliance solely on the military or the initiative of private business, cannot suffice to deter motivated nation-state actors from striking America’s broad attack surface.

Competition: Conflict, Espionage, and Crime

The first challenge of security policy is to understand the threats the government faces. As international legal frameworks surrounding cybersecurity remain immature or imperfectly applied, the U.S. government must rely on its own institutions for punishing or deterring cyberattacks committed by foreign actors.[3] Due to the size of the nation’s attack surface, many federal agencies must work together to defend Americans against destructive cyberattacks, cyber espionage operations, and criminal cyber activity.

Policymakers should realize that each of these threats—cyber conflict, espionage, and crime—is more complex than the Department of Defense (DOD) can handle alone. Cyberattacks occur in the context of strategic competition. This competition may involve overt and covert activities, but these phenomena were common elements of American foreign policy for the latter half of the 20th century.[4] The United States did not consider itself “at war” with the Soviet Union (USSR) from the 1940s to the 1990s. Nonetheless, the country marshalled its resources to compete with the USSR, resulting in a successful containment of Russian aggression. This section explores how the United States can compete with adversaries relying on various cyber capabilities without resorting to war.

Cyber Conflict

To deter destructive attacks in the cyber domain, scholars and policymakers must resist the temptation to label tactical or even operational innovations as new kinds of war. Many have already failed; new studies of war bear little resemblance to what Carl von Clausewitz describes in his book On War, which is otherwise “enshrined in Western militaries as a bible.”[5] 

Clausewitz defines war as a phenomenon composed of a “paradoxical trinity” of human emotion, chance, and policy.[6] Emotion drives humans to commit or credibly threaten violence, chance explains the surprising outcomes of human interactions while managing that violence, and policy represents the rational objective of the violent activity. Within the framework of the trinity, the character of any war will depend on the physical and temporal context in which it is fought. Combatants may be state or non-state actors, warriors may use clubs or rifles, and campaigns may be conducted through jungle or desert. These factors will change the way that war is fought, but will not change the nature of war itself.

However, heresies seem to arise when new technology is introduced to the battlefield.[7] Recent works such as Lieutenant Colonel (Ret.) Frank Hoffman’s Contemporary Spectrum of Conflict exemplify the problems introduced by conceptualizing war according to the technology du jour. Hoffman lays out a dizzying array of types of war (irregular, hybrid, limited, major theater) and not-war (gray zone, ambiguous conflict, unconventional) for the national security apparatus to contend with.[8] Over-analysis of operational or tactical art divorces military activities from political objectives. American political and military leaders have frequently lost sight of the strategic context of their wars in exactly this fashion over the last 50 years, with unfortunate consequences in places like Vietnam and Afghanistan.[9]

An excellent piece in the Winter 2020 Naval War College Review dispels confusion over “gray zone conflict and hybrid war” by adopting a Clausewitzian understanding of war and reinforcing the distinction between competition at peace and competition at war. War is one method of achieving political ends, but there are myriad alternative levers of national power that states can use in competition. “In the end, the problem is that analysts writing about the so-called gray zone are confusing war with subversion (in the case of the U.S. relationship with Russia) while forgetting (in the case of Russia’s war against Ukraine) that subversion and its tools are used both in peace and in war.” Attempting to categorize such types of subversion becomes an exercise in naming new tactics: “Hybrid war is at best simply a neologism for tactical innovation.”[10] Tactical innovation is a difficult and important task for militaries to undertake, but generals and policymakers should not fixate on one particular tactic as a driver of military or national strategy. The United States must be prepared for subversive activities in the cyber domain in the course of peaceful competition with adversaries.

Competition in the cyber domain may not be war, but the military still has an important role to play in keeping America safe. General Nakasone’s Defend Forward strategy for USCYBERCOM enables the United States to shift to “proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior.”[11] Disrupting adversary activity is a key pillar of the Cyberspace Solarium Commission’s proposal for a cybersecurity framework and should continue to be part of U.S. policy. But as the rest of this section will explain, the United States cannot rely on the military alone to deter cyberattacks.

Espionage

Acts of cyber espionage are best understood in the context of the competitive strategies employed by our adversaries, as opposed to the isolated incidents they sometimes appear to be. The data collected, stored, and communicated over the public internet and private networks presents endless opportunities for intelligence operations targeted at the people, businesses, and government of the United States. Furthermore, every successful breach enables future operations, attracts federal attention and resources, and reduces American confidence in the ability of the government to keep them safe.

The 2020 SolarWinds breach demonstrates the dangers and costs of cyber espionage operations. In this attack, Russia’s premier civilian foreign intelligence agency (SVR) gained privileged access to so many organizations that it hand-picked only the most important for full exploitation.[12] Even as U.S. government agencies implemented systems to provide perimeter defense (Einstein) and defense in depth (the Continuous Diagnostics and Mitigation Program), SVR infiltrated a long software supply chain to infect victims through the very same security update process that is supposed to keep users secure. The attackers had privileged access to victim networks for at least six months before being detected. Known impacts of this attack include stolen source code and other information from major organizations like Microsoft, which will aid in future attacks. The unknown impacts could spell graver consequences, as the attackers may have used their longstanding and pervasive presence to create backdoors that will allow persistent access.[13]

However, any one breach must be viewed through the lens of strategic competition, as the persistent security threat of espionage operations adds to the costs of extensive remediation that will burden businesses and taxpayers for years to come. Such thinking is not without precedent: Kennan’s theory of containment called for firm resistance to Soviet expansion while “increas[ing] enormously the strains under which Soviet policy must operate” in anticipation of the Marxist-Leninist political system imploding.[14] Though the U.S. government does not suffer the structural weaknesses of the USSR, U.S. adversaries understand the strategic logic of imposing costs in order to undermine America’s ability to fulfill security commitments at home and abroad. U.S. theorists and policymakers must look beyond the tactical level and study the strategic implications of recurring espionage incidents.

Crime

The theft, encryption, or destruction of data by non-state actors also challenges American security. As citizens and corporations further incorporate internet-dependent services into their daily routines, the attack surface presented to criminal organizations only grows. Pilfering corporate information and scientific discoveries has benefitted the Chinese government at the expense of American innovators. The ransom of sensitive data by online criminals has forced American hospitals and schools to pay millions through either extortion or precautionary ransomware insurance premiums. 

One example is the ransomware attack on Colonial Pipeline, in which a moderately sophisticated non-state actor crippled the southeastern United States. The attack caused a spike in gas prices and disrupted commodities markets after the attackers targeted the pipeline company’s billing data.[15] As gas shortages mounted and the U.S. government began to intervene, the attacking group issued a statement claiming that their motivations were financial rather than social or geopolitical.[16] Taken at face value, this statement implies that the group only incidentally wreaked havoc across the Southeast (though the statement may have been issued in an attempt to avoid reprisals from the U.S. government). Intentions aside, this incident disrupted the lives of millions of Americans.

The Colonial Pipeline attack demonstrates that international cybercrime is not purely a problem of policing or defending networks, but a national security challenge that forms an important element of competition with state adversaries. Whether criminal groups are primarily motivated by money, ideology, or politics, states can introduce opportunities and constraints that will shape their behavior.[17] One oft-cited example is the tacit protection that the Russian government provides criminal organizations. By turning a blind eye to criminal activity as long as they “don’t work in .ru,” Russia is allowing a robust criminal industry to flourish that will impose tactical and strategic costs on the United States.[18]

The View from Moscow

With a long history of authoritarian, state-centric governance, Russia understands how to use all elements of state power to achieve political objectives. Soviet theory for using non-combat operations to produce competitive advantages was refined throughout the Cold War, particularly in the theory of activities that constitute active measures. This theory includes the use of “propaganda and disinformation, agents of influence, military and paramilitary operations, covert operations, economic levers, and even education” to influence the behavior of state and non-state actors.[19]

Russia continues to employ active measures in its attempts to undermine the U.S.-led international order. Enabled by modern connectivity and information-dependency, Russia directly employs both its civilian intelligence (SVR) and military intelligence (GU, formerly GRU) agencies to compete with the West by the active measures playbook. Russia supplements this state-directed activity by cultivating an ecosystem of criminal groups to target victims outside of Russia, which further complicates attribution and allows Russia to inflict damage on adversaries without incurring much cost. Relying on the theory of active measures, Russia realizes that conflict, espionage, and crime can all be deployed in service of achieving victories in competition against the United States.

The View from Washington

American cybersecurity policy relies on the military alone for deterrence with limited federal guidance as a defensive backstop, which limits our ability to respond to the range of actions available to our adversaries. Military theorists demonstrate this dissonance by fragmenting war into many subcategories when the specter of “cyber” is raised, missing the forest of strategic competition for the trees of tactical innovation. Business leaders and civilian cybersecurity analysts focus on implementing defenses on their own networks, seeing the wider internet as hopelessly large and thoroughly compromised.[20] Both camps could better achieve their goals of safeguarding Americans and American interests by recognizing that a diverse array of cyber threats can be managed under the umbrella of competition.

Though the Cold War is 30 years behind us, we cannot yet close the book on George Kennan; his assessment of political warfare applies to our continuing competition with Russia and China. Kennan describes political warfare as “the logical application of Clausewitz’s doctrine in time of peace. In broadest definition, political warfare is the employment of all the means at a nation’s command, short of war, to achieve its national objectives.” For Kennan, political warfare is not a subdivision of war, but a term that extends to peacetime the logic of using any means available to a state to achieve political goals. He writes, “We have been handicapped however by a popular attachment to the concept of a basic difference between peace and war, by a tendency to view war as a sort of sporting contest outside of all political context, by a national tendency to seek a political cure-all, and by a reluctance to recognize the realities of international relations.”[21] U.S. leaders and policymakers must recognize that political warfare continues today. To compete and win, the United States must employ all the means at the nation’s command in the cyber domain.

Building a Credible Deterrent

Policymakers must centralize the federal government’s approach to competing in cyberspace. Without a coordinated whole-of-government approach, the United States will expend far more resources than necessary responding to tactical defeats brought about by ceding the strategic initiative to its adversaries. To compete in the cyber domain, the United States needs to embrace the whole-of-government approach theoretically outlined by Kennan and recommended by both the Government Accountability Office (GAO) and the Cyberspace Solarium Commission. A whole-of-government approach requires improving federal protections for government networks and critical infrastructure sectors, establishing legal and normative frameworks for defending U.S.-based networks, and promoting the Department of State’s leading role in managing political warfare. 

Protecting Federal Networks

Current policy for defending federal civilian agencies’ networks is defensive and reactive, being overly reliant on static network defenses and incident reporting. President Biden’s Executive Order (EO) on cybersecurity, issued May 2021, exemplifies how far the government has to go before it achieves strong cybersecurity.[22] The EO is primarily focused on incident information reporting, regulatory compliance, and supply chain dependencies, and it represents an ambitious effort with much to applaud. However, its effective realization will be a Herculean task. One particular challenge is the Software Bill of Materials (SBOM) reporting requirement for selling software to the government. Although visibility on every component of software and its vulnerabilities would be invaluable, attaining and maintaining this visibility will require large resource investments by every link in the supply chain and will be difficult to standardize for ingest by automated systems.[23] Implementing SBOM and similar reporting requirements will take time, and in that time federal networks will remain vulnerable. 

Even when federal requirements are set, they are frequently not met. Although the National Institute of Standards and Technology (NIST) has issued strong standards for cybersecurity, adoption has been slow across the government. In December 2020, GAO released a report asserting that none of the 23 federal agencies reviewed had fully implemented recommended supply chain risk management practices.[24] This leaves government systems at risk of infiltration via attacks like the SolarWinds breach. 

The federal government’s current defensive focus can stop unsophisticated attacks and may eventually catch persistent intelligence operations, but the lack of maturity and coordination between government agencies leaves the government vulnerable to sophisticated actors. The Department of Homeland Security (DHS) and its subsidiary CISA are given the leading role in defending federal networks and are each partially responsible for solving this problem. DHS needs to complete the initiative to transform and strengthen CISA, which began in 2018 and was supposed to be completed by 2020.[25]

While CISA is gaining strength, the agency requires a rapid expansion of its budget and authorities to mount a coherent response to competition in the cyber domain. The Cyberspace Solarium Commission offers recommendations that begin to address this problem, with the goal of making CISA “the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.”[26] These recommendations include strengthening the director, expanding the budget, creating multiple bodies for collaboration with other federal agencies, and codifying responsibilities to defend the nation and manage incident response processes. With one agency leading the tactical and operational defense of America’s networks from incursion, other agencies (such as the Department of State) will be free to manage the broader strategic competition with our adversaries.

Unless CISA is fully resourced and can centralize the defense of federal networks, ongoing policy efforts risk splintering authorities and creating vulnerabilities across the government and critical industries. For example, the Department of State entrenched interagency gaps with its January 2021 decision to establish the Bureau of Cyberspace Security and Emerging Technologies (CSET). The Department of State did not adequately coordinate with other federal agencies and generally caught the rest of the government by surprise, according to the GAO.[27] Similar conflicts and divisions of authority will continue to appear until CISA can take the lead.

Protecting the Private Sector

The government is failing in its commitment to defend American people and businesses, creating a gap in our security that Americans pay for in ransoms to criminal groups and downtime in critical systems. The United States has identified 16 sectors as critical infrastructure, which means they are “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security.”[28] The government has fallen behind in its ability to keep these sectors safe. Of the 80 recommendations for defending these sectors made by GAO since 2010, fewer than half have been implemented.[29] Both GAO and the Cyberspace Solarium Commission highlight the need for more centralization in the federal agencies and regulations overseeing these industries, as the landscape is becoming fragmented and confused.[30]

Without protection from the government, U.S. businesses are turning to the private cybersecurity industry for incident response and remediation. For example, Colonial Pipeline reached out to Mandiant before it contacted CISA after the ransomware attack in May 2021.[31] The private sector also outshone the government in the SolarWinds breach, which was discovered only after FireEye detected the exfiltration of its penetration testing tools by a malicious actor.[32] Even where the government does offer help, existing regulatory policy does not incentivize businesses to take it. The Transportation Security Administration (TSA) maintains authority for keeping pipelines secure from attack. However, the security reviews offered by TSA are voluntary, and TSA had limited resources to encourage participation. Colonial delayed conducting a security review three times in the year before the cyberattack shut down the pipeline.[33] The inefficiencies created by the gap between government promises of security and delivery on those promises incur strategic costs that our adversaries can exploit.

Given the multimodal nature of political warfare, the federal government must play the leading role in defending the nation even as private security companies develop the latest offensive and defensive cyber tools. Scholars such as Joshua Rovner rightly identify the core advantages of the private sector in certain areas of defending American internet infrastructure and helping to remediate breaches.[34] However, the private sector is limited in two important ways. First, it lacks the ability to pose behavior-changing costs or incentives to America’s adversaries, an ability which relies on diplomatic, military, or financial inducement.[35] Second, private markets and corporations dedicated to cybersecurity lack the scale to evenly protect the entire country against sophisticated threat actors. The state of the fledgling ransomware insurance industry is particularly concerning, as insurance companies currently have the resources to pay ransoms but are only beginning to incentivize businesses to adopt better cybersecurity practices. As a result, criminal organizations have intentionally targeted businesses with ransomware insurance because they are guaranteed to be paid.[36] Both the private- and public-sector initiatives to protect U.S. businesses would benefit from a centralized federal system for responding to cyber threats.

As the federal government offers opportunities for collaboration and information sharing to the private sector, it must provide incentives for doing so. These could include direct financial incentives, tax breaks, and remediation assistance in return for compliance with federal recommendations for responding to ransomware attacks. The government must do more to understand and disincentivize behaviors that perpetuate cyber-crimes and drive up the rate of attacks. One option is to expand breach disclosure requirements to include informing the government of the amount of ransom paid to attackers.[37] The Department of Treasury could further disincentivize ransom payment by expanding the list of organizations and individuals designated by the Office of Foreign Assets Control, unfortunately triggering penalties for victim organizations that pay ransoms but removing profit incentives from known ransomware groups.[38] Greater awareness of the frequency, targets, and severity of attacks could help the government protect targeted sectors and guide victims through recovery processes. 

Managing Political Warfare

The most difficult gap to close is that between the private sector’s need for a free and open internet and the government’s responsibility to protect the nation. Modern legal challenges and intense public criticism are shrinking the legal ground on which the U.S. government collects the signals intelligence needed to defend American networks. Debates rage over the extent to which the Fourth Amendment covers personal data, and foreign adversaries take advantage of vulnerabilities exposed by the limitations we place on government agencies.[39] The internet was not designed for privacy, and the government continues to seek a remedy without eroding the efficiency of internet services or impinging upon American civil liberties.

USCYBERCOM and the National Security Agency (NSA) disrupt foreign adversaries intent on attacking the United States through the Defend Forward strategy, which aims to stop cyberattacks preemptively on foreign servers.[40] Defend Forward has been widely praised by security experts, and the strategy has been cited in disrupting major cyber campaigns planned by U.S. adversaries.[41] Apart from its operational success, Defend Forward is designed to avoid reliance on intelligence collection that would infringe upon American civil liberties. 

The success of Defend Forward is laudable, but it is insufficient to wholly deter cyberattacks. Russia has already demonstrated its ability to take advantage of geographic restrictions imposed on NSA and USCYBERCOM: in the SolarWinds attack, SVR established command-and-control nodes on cloud servers located within the United States. By operating on American soil, they were able to avoid detection while delivering malware payloads partially because the NSA is forbidden to use monitoring tools on American communications.[42] Russia also bypasses the deterrent effect of Defend Forward by fostering an ecosystem of criminal groups willing to attack the United States, as discussed earlier. Although military solutions can succeed, they are not sufficient for deterring state actors who can obfuscate responsibility for their attacks. 

NSA may soon be further limited by a recent Supreme Court decision precluding the U.S. government from purchasing location data harvested from personal cell phones.[43] This challenged the “third-party doctrine” established by the Court in the 1970s, which allows the U.S. government to purchase data that may include signals from U.S. persons if it is commercially available.[44]

If the third-party doctrine is dismantled, the government must maintain methods of scrutinizing traffic connecting to U.S.-based cloud infrastructure from foreign clients. A January 2021 Executive Order and Department of Commerce final rule demonstrate the first steps of what such a policy may entail. EO 13984 mandates that cloud infrastructure service providers maintain records of foreign customers and users, while the rule allows the Department of Commerce to deny transactions involving specific hardware or software from named adversaries (including Russia).[45] Without legal means of collecting signals intelligence on foreign connection to U.S. networks, the government may have to consider burdensome regulation on cloud providers to prevent adversaries from launching attacks.

Given these challenges, the United States must rely on agencies beyond the DOD to wage political warfare. As Kennan advocated in 1948, the Department of State should play a leading role in implementing a whole-of-government strategy for competing with our adversaries.[46] The growing influence of the National Security Council (NSC) and a diminished role in the past administration have weakened the Department of State, but it remains our best tool for managing relations with allies and adversaries alike.[47] A 2018 RAND report recommended a series of improvements to the Department of State that would allow the department to again take the lead in coordinating interagency activity in competition with our adversaries. Specifically, the Department of State needs to be better funded, to have better lines of communication with the DOD to improve planning and coordination, to organize interagency planning around region-specific initiatives, and to ensure diplomats have training or experience with other agencies.[48]

Conclusion

History suggests tempting analogies to police or military activities for stopping criminals and deterring hostile states, but these models only roughly apply in the context of the internet. Relying on the military and defensive systems alone to defend federal networks allows adversaries to pick their way through or around American defenses. Businesses in critical infrastructure sectors are offered little protection from the sophisticated state actors targeting them. America’s adversaries can rely on technologies and proxy organizations that frustrate attribution efforts, simultaneously sidestepping the deterrent effect of our military capabilities and raising the costs of investigating and remediating breaches. 

By remembering George Kennan’s lessons about political warfare at the dawn of the Cold War, we can successfully compete against modern adversaries. Although current thinking and policy tend to categorize malicious cyber activity as either crime or war, a more successful policy regime would group different cyber activities as only tactical or operational innovations within a broader strategy. Locked in competition with near-peer competitors, American leaders must devise a strategy that incorporates cyber deterrence into the broader suite of tools at the government’s disposal. 

Tim Hofmockel is a Research Engineer at Palo Alto Networks, where he leads a team of engineers and technical analysts working to map and defend online attack surfaces. He is simultaneously pursuing his master’s degree in Security Studies at the Georgetown University Walsh School of Foreign Service, concentrating in U.S. national security policy. Tim was a fellow in the 2020-2021 Security and Strategy Seminar Russia track, which allowed him to engage with practitioners and scholars dedicated to understanding Russian military and political thought.

_________________

Image: Petya cyberattack screenshot, from unknown. Retrieved from: https://commons.wikimedia.org/wiki/File:2017_Petya_cyberattack_screenshot.png, used under Wikimedia Commons.

[1] George F. Kennan, “The Inauguration of Organized Political Warfare” [Redacted Version], 30 April 1948, History and Public Policy Program Digital Archive, Obtained and Contributed by A. Ross Johnson.

[2] Jonathan Welburn and Quentin Hodgson, “How the United States Can Deter Ransomware Attacks,” RAND Corporation, 9 August 2021, https://www.rand.org/blog/2021/08/how-the-united-states-can-deter-ransomware-attacks.html.

[3] Michael Fischerkeller, “Current International Law Is Not an Adequate Regime for Cyberspace,” Lawfare, 22 April 2021, https://www.lawfareblog.com/current-international-law-not-adequate-regime-cyberspace.

[4] Kennan, “The Inauguration of Organized Political Warfare.” 

[5] Sean McFate, The New Rules of War: Victory in the Age of Durable Disorder (Harper Collins Publishers, 2019).

[6] Carl von Clausewitz, On War, trans. Peter Paret and Michael Howard, 1976.

[7] Michael Lippert, “Precision-Guided Diminishing Returns: Why Airpower Alone Can’t Win America’s Small Wars,” Small Wars Journal, accessed 14 November 2021, https://smallwarsjournal.com/jrnl/art/precision-guided-diminishing-returns-why-airpower-alone-can%E2%80%99t-win-america%E2%80%99s-small-wars.

[8] Frank G. Hoffman, “The Contemporary Spectrum of Conflict: Protracted, Gray Zone, Ambiguous, and Hybrid Modes of War,” 2016, 12.

[9] Robert Cassidy and Jacqueline Tame, “The Wages of War without Strategy, Part I: Clausewitz, Vietnam, and the Roots of Strategic Confusion,” War on the Rocks, 5 January 2017, https://warontherocks.com/2017/01/the-wages-of-war-without-strategy-part-i-clausewitz-vietnam-and-the-roots-of-strategic-confusion/.

[10] Donald Stoker and Craig Whiteside, “Blurred Lines: Gray-Zone Conflict and Hybrid War—Two Failures of American Strategic Thinking,” Naval War College Review 73, No. 1, Article 4 (Winter 2020), 13, 19.

[11] Angus King and Michael Gallagher, “Cyberspace Solarium Commission Final Report” (US Cyberspace Solarium Commission, March 2020), https://www.solarium.gov/report, 24.

[12] “Threat Brief: SolarStorm and SUNBURST Customer Coverage,” Unit42 (blog), 15 December 2020, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/; “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor,” FireEye, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.

[13] Thomas P. Bossert, “Opinion | I Was the Homeland Security Adviser to Trump. We’re Being Hacked,” New York Times, 17 December 2020, sec. Opinion, https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html.

[14] George F. Kennan, “The Sources of Soviet Conduct,” Foreign Affairs, July 1947, https://www.foreignaffairs.com/articles/russian-federation/1947-07-01/sources-soviet-conduct.

[15] Natasha Bertrand, Evan Perez, Zachary Cohen, Geneva Sands and Josh Campbell, “Colonial Pipeline Did Pay Ransom to Hackers, Sources Now Say,” CNN, https://www.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html.

[16] Joseph Menn and Raphael Satter, “Pipeline Hackers Say Their Aim Is Cash, Not Chaos,” Reuters, 10 May 2021, https://www.reuters.com/business/energy/statement-suspected-us-pipeline-hackers-say-they-dont-want-cause-problems-2021-05-10/.

[17] Lillian Ablon, “Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data,” § The Committee on Financial Services Subcommittee on Terrorism and Illicit Finance (2018), https://www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT490/RAND_CT490.pdf.

[18] Andrew E. Kramer, Michael Schwirtz, and Anton Troianovski, “Secret Chats Show How Cybergang Became a Ransomware Powerhouse,” New York Times, 29 May 2021, sec. World, https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html.

[19] Ross Babbage, Thomas Mahnken, and Gillian Evans, “Winning Without Fighting” (Center for Strategic and Budgetary Assessments, 2019), 13.

[20] Michael Sulmeyer, “What the Rise of Russian Hackers Means for Your Business,” Harvard Business Review, 12 May 2017, https://hbr.org/2017/05/what-the-rise-of-russian-hackers-means-for-your-business.

[21] Kennan, “The Inauguration of Organized Political Warfare,” 1. 

[22] “Improving the Nation’s Cybersecurity,” Executive Order No. 14028 (2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[23] Tom Temin, “What’s an ‘SBOM’ and What Does It Have to Do with Federal Cybersecurity?,” Federal News Network, 30 June 2021, https://federalnewsnetwork.com/cybersecurity/2021/06/whats-an-sbom-and-what-does-it-have-to-do-with-federal-cybersecurity/; Marjorie Dickman, “Cybersecurity Executive Order Is a Game Changer but Not a Panacea,” Text, The Hill, 14 May 2021, https://thehill.com/opinion/cybersecurity/553513-cybersecurity-executive-order-is-a-game-changer-but-not-a-panacea.

[24] Government Accountability Office, “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks,” Report to Congressional Requesters (December 2020), https://www.gao.gov/assets/gao-21-171.pdf.

[25] Government Accountability Office, “Federal Government Needs to Urgently Pursue Critical Actions.”

[26] King and Gallagher, “Cyberspace Solarium Commission Final Report,” 3.

[27] Government Accountability Office, “Federal Government Needs to Urgently Pursue Critical Actions.”

[28] “Critical Infrastructure Sectors | CISA,” Cybersecurity & Infrastructure Agency, 21 October 2020, https://www.cisa.gov/critical-infrastructure-sectors.

[29] Government Accountability Office, “Federal Government Needs to Urgently Pursue Critical Actions.” 

[30] King and Gallagher, “Cyberspace Solarium Commission Final Report.”

[31] Justin Doubleday, “CISA under Pressure to Put More Teeth in Cyber Requirements Following Colonial Pipeline Attack,” Federal News Network, 17 June 2021, https://federalnewsnetwork.com/cybersecurity/2021/06/cisa-under-pressure-to-put-more-teeth-in-cyber-requirements-following-colonial-pipeline-attack/.

[32] William Turton and Kartikay Mehrotra, “FireEye Discovered SolarWinds Breach While Probing Own Hack,” Bloomberg, 14 December 2020, https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack.

[33] Ellen Nakashima, Lori Aratani, and Douglas Macmillan, “Colonial Hack Exposed Government’s Light-Touch Oversight of Pipeline Cybersecurity,” Washington Post, 30 May 2021, https://www.washingtonpost.com/business/2021/05/30/colonial-pipeline-tsa-regulation/.

[34] Joshua Rovner, “Should the Military Protect the Election?,” War on the Rocks, 26 October 2020, https://warontherocks.com/2020/10/should-the-military-protect-the-election/.

[35] Ariel Levite, Scott Kannry, and Wyatt Hoffman, “Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance,” Carnegie Endowment for International Peace, n.d., https://carnegieendowment.org/2018/11/07/addressing-private-sector-cybersecurity-predicament-indispensable-role-of-insurance-pub-77622.

[36] Rachel Lerman and Gerrit De Vynck, “Ransomware Claims Are Roiling an Entire Segment of the Insurance Industry,” Washington Post, 17 June 2021, https://www.washingtonpost.com/technology/2021/06/17/ransomware-axa-insurance-attacks/.

[37] John Davis, Megan Stifel, Michael Phillips, Kemba Walden, Jen Ellis, Chris Painter, Michael Daniel, Philip Reiner, “Combatting Ransomware” (Institute for Security and Technology: Ransomware Task Force, April 2021), https://securityandtechnology.org/ransomwaretaskforce/report/.

[38] “In the Wake of Colonial Pipeline Cyber Incident, President Issues Executive Order on Improving the Nation’s Cybersecurity – What Will It Do?,” JD Supra, 21 May 2021, https://www.jdsupra.com/legalnews/in-the-wake-of-colonial-pipeline-cyber-8353369/.

[39] John Yoo, “Technology and the Fourth Amendment | AEI,” American Enterprise Institute – AEI (blog), 19 May 2021, https://www.aei.org/articles/technology-and-the-fourth-amendment/; David E. Sanger, Nicole Perlroth, and Julian E. Barnes, “As Understanding of Russian Hacking Grows, So Does Alarm,” New York Times, 2 January 2021, sec. U.S., https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html.

[40] Nina Kollars and Jacquelyn Schneider, “Defending Forward: The 2018 Cyber Strategy Is Here,” War on the Rocks, 20 September 2018, https://warontherocks.com/2018/09/defending-forward-the-2018-cyber-strategy-is-here/.

[41] King and Gallagher, “Cyberspace Solarium Commission Final Report”; Patrick J. Murphy and Erica Borghard, “To Defend Forward, US Cyber Strategy Demands a Cohesive Vision,” Fall 2020, 15.

[42] Sanger, Perlroth, and Barnes, “As Understanding of Russian Hacking Grows, So Does Alarm.”

[43] Murphy and Borghard, “To Defend Forward, US Cyber Strategy Demands a Cohesive Vision,” 15. 

[44] Robert Koch, “Privacy for Sale? The Third-Party Doctrine in the Digital Age,” American Bar, 12 March 2021, https://www.americanbar.org/groups/litigation/committees/appellate-practice/articles/2021/spring2021-privacy-for-sale-the-third-party-doctrine-in-the-digital-age/.

[45] “Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities,” EO 13984 (2021), https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-taking-additional-steps-address-national-emergency-respect-significant-malicious-cyber-enabled-activities/; “A National Security Parting Gift to the New Administration: Additional Burdens for IT Supply Chains and Infrastructure as a Service,” JD Supra, n.d., https://www.jdsupra.com/legalnews/a-national-security-parting-gift-to-the-2266296/.

[46] Kennan, “The Inauguration of Organized Political Warfare.”

[47] Michael Goldfien, “How the NSC Hijacked U.S. Foreign Policy,” Text, The National Interest (The Center for the National Interest, 30 March 2016), https://nationalinterest.org/feature/how-the-nsc-hijacked-us-foreign-policy-15625; Kelly Magsamen, “Trump’s NSC, State Department, and Pentagon Need to Play Together,” Foreign Policy, 21 February 2017, https://foreignpolicy.com/2017/02/21/trumps-nsc-state-department-and-pentagon-need-to-play-together/.

[48] Linda Robinson, Todd C. Helmus, Raphael S. Cohen, Alireza Nader, Andrew Radin, Madeline Magnuson, Katya Migacheva, “Modern Political Warfare” (RAND, 2018), https://www.rand.org/pubs/research_reports/RR1772.html.
