FINAL_Report

Michael Bertoli Gregory Holm, J.D.
Joe Brewer Matthew Mascoe
Julie Cropper Robert McDyre, Jr.
Andrew Ericson Kristina Miller
D. Kyle Fowler John J. Walter
Faculty Advisor: Andrew Ross, Ph.D.
May 2015

Intersecting Governance Models: A Norms-Based Cyber Deterrence Strategy
! !
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

! !
Executive!Summary!
The cyber domain presents a multitude of vulnerabilities and opportunities for actors in
cyberspace. Inevitably, states will seek to dominate cyberspace and use it to their advantage. As
states seek opportunities to exploit cyberspace, cyber conflicts will arise. USCYBERCOM and
the U.S. Government must find a way to protect United States interests from cyber attacks of
significant consequence by deterring malicious actors.
The successful deterrence of cyber attacks requires offensive as well as defensive
capabilities. Defensive capabilities are sufficient to deter the vast majority of cyber threats and
limit damage from their attacks; however, defensive capabilities alone will not stop the most
capable adversaries. These high-level threats, characterized by high levels of commitment and
resources, represent the actors most likely to launch cyber attacks of significant consequence.
For these actors, a strategy of deterrence by punishment is necessary. However, the incentive to
conceal cyber capabilities makes credible threats difficult. The threat of cross-domain
punishment is therefore necessary to deter high-level threats. Moreover, norms are necessary to
make cross-domain threats credible. Norms offer a mechanism to establish generally accepted
principles that set a threshold, allowing a state to respond offensively following the violation of
that established threshold.
We propose a “4-Point Norms Plan” in conjunction with a deterrence strategy that will
effectively deter malicious actors in cyberspace and also serve as the foundation for further
cooperation to govern cyberspace. The norms incorporated in our plan are: (1) states shall not
attack another state’s civilian critical infrastructure; (2) states reserve the right to respond to
“grave and imminent” dangers; (3) states shall only respond in a manner that is reasonable and
proportional to the cyber threat; and (4) states must clearly communicate justifications for acting
offensively in response to malicious cyber activities by other states.
There are currently two competing cyberspace governance models. The United States
Department of State champions the “multistakeholder governance model” which seeks to include
all actors in the maintenance of a free, interoperable, and open Internet. Other states have
embraced a “sovereignty-based model,” in which the Internet is viewed as a domain to be
controlled and regulated within each state’s physical and electronic boundaries. These divergent
views indicate that Internet governance is still in its formative stages, but there exists a middle
ground between the two models. The 4-Point Norms Plan seizes upon this middle ground.
The norms included in the 4-Point Norms Plan will appeal to state and non-state
stakeholders alike, and if formalized, will ensure more clarity and establish space for potential
cooperation in the governance of cyberspace. These norms represent generally accepted
behaviors that will facilitate the employment of a successful deterrence strategy and will, over
time, build consensus among all stakeholders, lead to effective cooperation between states, and
serve as the foundation for a more formal approach to the governance of cyberspace.

! !
Acknowledgements!
The authors of this report benefited from the support and guidance of many individuals
and organizations in the research and writing of this project. The authors would first like to
thank U.S. Cyber Command and the Combined Action Group for the direction of the project.
The authors are grateful to Dr. Emily Goldman, Director of the Combined Action Group, and Dr.
Michael Warner, Command Historian, for their generous support, encouragement, and guidance
throughout the duration of this project.
The project itself would not have been possible without the support of the Bush School of
Government and Public Service at Texas A&M University. The authors particularly wish to
thank Ambassador Ryan Crocker, Dean of the Bush School, and Dr. F. Gregory Gause, Head of
the Department of International Affairs. The authors are also indebted to The Scowcroft Institute
for International Affairs, under the guidance of Andrew S. Natsios, for making funds available.
Many individuals at the Bush School contributed to the completion of this project. The authors
benefited from feedback from faculty members including Col. Don Bailey, Dr. Jasen Castillo,
Dr. Joseph Cerami, Ambassador Larry Napper, Dr. Joshua Shifrinson, and Dr. Gabriela Marin
Thornton. Additionally, the authors appreciate the continued support of their peers, the students
of the Bush School.
Last, but not least, the authors wish to thank their faculty advisor, Dr. Andrew L. Ross,
whose patience, policy expertise, and passion for the subject of cyber were a source of continued
support, inspiration, and guidance to the team.
The completion of this project was a great honor for the authors and it would not have
been possible with the contributions of these individuals and groups. The authors received a
great deal of guidance and support from many parties, but any errors or misinterpretations made
in this report are the fault of the authors alone. The authors sincerely hope this report contributes
to the growing field of cyber deterrence research.
Authors:
Michael Bertoli
Joe Brewer
Julie Cropper
Andrew Ericson
D. Kyle Fowler
Gregory Holm, J.D.
Matthew Mascoe
Robert McDyre, Jr.
Kristina Miller
John J. Walter
Faculty Advisor: Andrew L. Ross, Ph.D.

2
! ! !
Contents'
Executive)Summary)..............................................................................................................................)ii)
Acknowledgements).............................................................................................................................)iii)
Introduction).........................................................................................................................................)4)
Part)I:)Deterrence).................................................................................................................................)6)
A.!Deterrence!in!Cyberspace!....................................................................................................................!7!
1.!Traditional!Deterrence!Theory!.........................................................................................................!7!
2.!Deterrence!Concepts!in!the!Context!of!Cyberspace!........................................................................!9!
3.!Difficulties!Associated!with!Cyberspace!Deterrence!......................................................................!12!
B.!Cyber!Threat!Assessment!...................................................................................................................!14!
1.!HighHLevel!Threats!..........................................................................................................................!16!
2.!MidHLevel!Threats!...........................................................................................................................!17!
3.!LowHLevel!Threats!...........................................................................................................................!17!
C.!Deterrence!by!Punishment!................................................................................................................!17!
1.!Capability!Demonstration!...............................................................................................................!18!
2.!CrossHDomain!Response!.................................................................................................................!19!
3.!The!Necessity!of!Effective!Communication!....................................................................................!20!
Part)II:)Norms).....................................................................................................................................)21)
A.!Why!Norms?!Characteristics!of!Successful!Norms!.............................................................................!21!
B.!Norm!Development!............................................................................................................................!22!
C.!Trends!of!Norm!Development!in!Cyberspace!....................................................................................!23!
Part)III:)Dominant)Discourse)on)Internet)Governance).........................................................................)25)
A.!The!Multistakeholder!Governance!Model!.........................................................................................!25!
B.!Allies’!Objectives!in!a!Cyber!Norms!Regime!.......................................................................................!26!
1.!Privacy!and!Online!Rights!...............................................................................................................!27!
2.!Security!...........................................................................................................................................!28!
3.!Cybercrime!.....................................................................................................................................!28!
C.!SovereigntyHbased!Governance!Model!..............................................................................................!29!
D.!The!Role!of!IGOs!and!NGOs!in!a!Cyber!Norms!Regime!......................................................................!30!
E.!Existing!Structures!Applicable!to!Cyberspace!.....................................................................................!33!
1.!International!Law!of!War!................................................................................................................!34!
2.!Treaties!Governing!the!High!Seas!and!Outer!Space!.......................................................................!35!

3
! ! !
3.!Proliferation!Security!Initiative!.......................................................................................................!36!
4.!SALT!&!START!.................................................................................................................................!36!
5.!Espionage!Norms!............................................................................................................................!37!
Part)IV:)Recommendations)for)USCYBERCOM).....................................................................................)39)
Appendix)1:)Subject)Matter)Expert)Interview)List)...............................................................................)43)
Appendix)2:)Crisis)Stability)in)Cyberspace)...........................................................................................)44)
Appendix)3:)Cyberspace)Escalation)Dynamics).....................................................................................)47)
Appendix)IV:)About)the)Authors).........................................................................................................)51)
Bibliography).......................................................................................................................................)53)
!

4
! ! !
Introduction!
!
The cyber domain presents a multitude of vulnerabilities and opportunities for actors in
cyberspace.1
Inevitably, states will seek to dominate cyberspace and use it to their advantage and
as a tool of policy. As states take advantage of opportunities to exploit cyberspace, cyber
conflicts will arise. USCYBERCOM and the U.S. Government must find a way to protect United
States interests from cyber attacks of significant consequence, including “loss of life, significant
damage to property, serious adverse U.S. foreign policy consequences, or serious economic
impact on the United States,”2
by deterring malicious actors.
We suggest a cyberspace
deterrence strategy which integrates a
“4-Point Norms Plan” with offensive
and defensive capabilities. For the
majority of cyber threats faced by the
U.S., a defense-first approach is
sufficient. High-level threats, such as
those posed by Russia or China,
require a punishment-based
deterrence policy. These actors are
unlikely to be deterred by anything
but the threat of retaliation. In order
to make credible threats, cross-
domain response is necessary.
To establish and sustain such a strategy, the United Stated must promote several norms in
the international environment. This 4-Point Norms Plan will guide U.S. policies and enable
collective responses.3
The four norms incorporated in the plan are: (1) states shall not attack
other states’ civilian critical infrastructure; (2) the right to respond to “grave and imminent”
dangers; (3) responses must be reasonable and proportional; and (4) states should clearly
communicate justifications for acting offensively in response to malicious cyber activities.
Currently, there are two competing international models for the governance of
cyberspace: the multistakeholder and sovereignty-based models. The U.S. Department of State
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1
U.S. Department of Defense, The DOD Cyber Strategy (Washington D.C.: Department of Defense, 2015), 1.
http://www.defense.gov/home/features/2015/0415_cyberstrategy/Final_2015_DOD_CYBER_STRATEGY_for
_web.pdf. “We are vulnerable in this wired world. Today our reliance on the confidentiality, availability, and
integrity of data stands in stark contrast to the inadequacy of our cybersecurity. The Internet was not originally
designed with security in mind, but as an open system to allow scientists and researchers to send data to one another
quickly.”
2
U.S. Department of Defense, The DOD Cyber Strategy, 5.
3
Ibid., 10. “As DoD builds its Cyber Mission Force and overall capabilities, DoD assumes that the deterrence of
cyberattacks on U.S. interests will not be achieved through the articulation of cyber policies alone, but through the
totality of U.S. actions, including declaratory policy…” (emphasis added). Ibid.

5
! ! !
proposes the multistakeholder governance model, which seeks a free and open internet. In
contrast, the sovereignty-based model seeks to ensure state control over their respective cyber
territory. These two opposing perspectives on regulation present a serious challenge for
policymakers seeking to establish governance of cyberspace.
The 4-Point Norms Plan seizes upon the intersection between the two governance
models. The significant differences in principles between these two models have the potential to
delay the development of an international consensus on cyberspace. The U.S. should continue to
advocate the multistakeholder model and an open Internet for the long-term. However, in the
short-term, the norms promoted in the 4-Point Norms Plan will appeal to states and non-state
stakeholders alike, and if formalized, will ensure more clarity and establish space for potential
cooperation in the governance of cyberspace. These norms represent generally accepted
behaviors that will facilitate the employment of a successful deterrence strategy and will, over
time, build consensus among all stakeholders, lead to effective cooperation between states, and
serve as the foundation for a more formal approach to the governance of cyberspace.
This report consists of four parts. The first part addresses deterrence in cyberspace, cyber
threats, and difficulties associated with cyber deterrence. Part II examines characteristics of
successful norms, norm development, and trends of norm development in cyberspace. Part III
addresses the dominant discourse on internet governance. Finally, Part IV provides
recommendations for USCYBERCOM.

6
! ! !
Part!I:!Deterrence!
The last five years have seen changes in the United States’ approach to cyber operations.
The 2011 Department of Defense Strategy for Operating in Cyberspace emphasizes defense
without mention or allusion to the need for offensive cyber capabilities. In this strategy, the
balance of capabilities promoted consists of good cyber hygiene at the lowest levels and active
cyber defense at the highest.4
The 2015 Department of Defense Cyber Strategy signals a shift
towards a cross-domain deterrence strategy. The new document names adversaries, highlights
enhanced attribution capabilities, and acknowledges the possibility of offensive cyber operations.
According to the document, “the Defense Department has! developed capabilities for cyber
operations and is integrating those capabilities into the full array of tools that the United States
government uses to defend U.S. national interests, including diplomatic, informational, military,
economic, financial, and law enforcement tools.”5
Unlike the 2011 strategy, the new 2015
strategy signals an increased willingness to engage in offensive cyber operations and engage in
deterrence via punishment.
The 2015 Department of Defense Cyber Defense Strategy clearly identifies Russia,
China, North Korea, and Iran as key cyber threats.6
This is a departure from the 2011
Department of Defense Strategy for Operating in Cyberspace which remains ambiguous as to
which states are considered ‘potential adversaries.’ By acknowledging that Russia, China, North
Korea, and Iran have “invested significantly in cyber as it provides them with a viable, plausibly
deniable capability to target the U.S homeland and damage U.S. interest,” the U.S. shortens the
list of likely suspects when seeking to attribute a cyber attack. 7
The U.S. communicates its ability to attribute cyber attacks through both declaratory
policy and actions. This contributes to a deterrence strategy by making threats of retaliation
credible. The 2015 Department of Defense Cyber Defense Strategy states that, “On matters of
intelligence, attribution, and warning, DoD and the intelligence community have invested
significantly in all source collection, analysis, and dissemination capabilities, all of which reduce
the anonymity of state and non-state actor activity in cyberspace.”8
Also of significance was the
2014 official U.S. attribution of the Sony hacks to North Korea and a U.S. response emphasizing
economic sanctions – a cross-domain response.
Although only acknowledging ‘offensive’ cyber operations by name once, the 2015
strategy makes several mentions of ‘cyber operations.’ For example, “DoD should be able to use
cyber operations to disrupt an adversary’s command and control networks, military-related
critical infrastructure, and weapons capabilities.” By communicating, even implicitly, that it has
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4
Active Cyber Defense refers to “DoD’s synchronized real-time capability to discover, detect, analyze, and mitigate
threats and vulnerabilities.” U.S. Department of Defense, Department of Defense Strategy for Operations in
Cyberspace (Washington D.C.: Department of Defense, 2011), 7.
http://www.defense.gov/news/d20110714cyber.pdf.
5
U.S. Department of Defense, The DOD Cyber Strategy, (Washington D.C.: Department of Defense, 2015), 2.
6
Ibid., 9.
7
Ibid.
8
Ibid., 11-12.

7
! ! !
offensive cyber capabilities, the U.S adds another tool enhancing the credibility of punishment
threats.
The articulation of these trends in U.S declaratory policy communicates to potential
adversaries the intent of the U.S. to respond to cyber attacks of “significant consequence.”9
The
will to carry out this stated threat is demonstrated by costly signals, such as the creation of U.S.
Cyber Command. The rapid development of a U.S. cyber deterrence policy deserves recognition,
though more remains to be done. Although declaring that the U.S. will self-constrain cyber
operations “as required to protect human lives and to prevent the destruction of property,”10
neither the 2011 nor 2015 DoD cyber defense strategies address the role norms play in
deterrence, which is to establish commonly accepted thresholds of behavior. These thresholds
then determine when an adversaries’ behavior is no longer acceptable and may be met with a
response. Therefore, the Norms-Based Cyber Deterrence Strategy proposed in this paper fills a
gap in current U.S. cyber deterrence strategy.
A.)Deterrence)in)Cyberspace)
Deterrence is by no means a new concept. The history of international politics is rife with
instances of states and individuals using threats of violence to compel or deter. In this section, we
explore the core concepts of deterrence theory and apply them to cyberspace.
1.)Traditional)Deterrence)Theory)
Since the advent of nuclear weapons at the end of World War II, the national security
community has been wrestling with the strategic problems presented by nuclear weapons and
possible solutions to the challenges they create.11
Traditional deterrence theory is the product of
this discourse. At its simplest, deterrence is a bargaining process between adversaries. Charles
Glaser defines successful deterrence as the raising of an adversary’s costs and probable costs of
launching an attack above the benefits and probable benefits that could be achieved by that
attack.12
To simplify further, this can be distilled as:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
9
Ibid., 5.
10
Ibid, 6.
11
Thomas C. Schelling, Arms and Influence (New Haven: Yale University Press, 1966). Also see Albert Wohlstetter
“The Delicate Balance of Terror," Foreign Affairs 37, no. 2 (1958): 211-234; Bernard Brodie, Strategy in the Missile
Age (Princeton, NJ: Princeton University Press, 1959); Herman Kahn, On Thermonuclear War (Princeton, NJ:
Princeton University Press, 1960); Glenn Herald Snyder, Deterrence and Defense: Toward a Theory of National
Security, (Princeton, NJ: Princeton University Press, 1961); Robert Jervis, Perception and Misperception in
International Politics (Princeton, NJ: Princeton University Press, 1976); Robert Jervis, The Meaning of the Nuclear
Revolution: Statecraft and the Prospect of Armageddon (Ithaca: Cornell University Press, 1989); and Kenneth
Waltz, Theory of International Politics, (Addison-Wesley Pub. Co., 1979). On deterrence issues pre-nuclear
weapons, see George H. Quester, Deterrence Before Hiroshima (New York: Wiley, 1966); on conventional
deterrence see John J. Mearsheimer, Conventional Deterrence (Ithaca: Cornell University Press, 1983).
12
Charles L. Glaser, "Deterrence of Cyber Attacks and U.S. National Security," 2011 Developing Cyber Security
Synergy (2011): 1. See also Patrick M. Morgan, "Applicability of Traditional Deterrence Concepts and Theory to the
Cyber Realm," In Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing
Options for US Policy 58, no. (2010): 55-56.

8
! ! !
P(C) x C > P(B) x B
Probability of Costs x Costs > Probability of Benefits x Benefits
As stated in the 2015 DoD Cyber Strategy, “deterrence is partially a function of perception. It
works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an
attack on the United States, and by decreasing the likelihood that a potential adversary’s attack
will succeed.”13
Of course, this logic holds little power for policymakers if it cannot be manipulated.
There are two broad mechanisms for changing an adversary’s cost-benefit analysis: punishment
and denial. Deterrence by punishment is a mechanism in which pain or other consequences are
threatened in retaliation to a potential attack. Conversely, deterrence by denial is a proactive
method, requiring capabilities to either deny the adversary success or lead them to determine that
the probability of success is too low to achieve any potential benefits.14
The former method
chiefly affects the left side of the deterrence equation, while the latter affects the right.
Punishment and denial are not mutually exclusive; indeed, it would be foolish to ignore one in
favor of the other.
Both of the aforementioned deterrence strategies have basic requirements. These are
broken down into three categories.15
The first is communication, which is a necessary component
of the bargaining process between adversaries. Without communication, there is no bargaining
process and the other two requirements of deterrence are essentially meaningless. The second
requirement is capability. This requires that the defender actually possesses the capabilities to
retaliate effectively against an adversary in response to an attack, or at least convince the
adversary that retaliation is possible. The final and most difficult requirement of deterrence is
credibility. Credibility is a combination of both the perceived will to carry out a threat and the
ability to carry out such a threat.16
The question, then, is how one can determine whether a threat
is credible?
Darryl Press argues that credibility is determined by a combination of the balance of
power plus interests and not by the past behavior of adversaries.17
While much of this argument
is logical and persuasive, it does not successfully refute the argument that reputation is important
in bargaining, which has been continually demonstrated in international politics throughout
history.18
Credibility is always the most important yet the weakest link in the concept of
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
13
U.S. Department of Defense, The DOD Cyber Strategy, 11.
14
Glaser, "Deterrence of Cyber Attacks and US National Security,” 2 and Martin C. Libicki, Cyberdeterrence and
Cyberwar (Santa Monica: RAND Corporation, 2009), 7.
15
Glaser, "Deterrence of Cyber Attacks and US National Security," 2 and Kenneth Geers, "The Challenge of Cyber
Attack Deterrence," Computer Law & Security Review 26, no. 3 (2010): 299.
16
Glaser, "Deterrence of Cyber Attacks and US National Security," 2.
17
Darryl G. Press, Calculating Credibility: How Leaders Assess Military Threats, (Ithaca and London: Cornell
University Press, 2007), 6.
18
For an argument on the formation and effect of reputations see Jonathan Mercer, Reputation & International
Politics (Ithaca and London: Cornell University Press, 1996).

9
! ! !
deterrence precisely due to its ambiguity and will likely always be a source of worry for policy
makers.
2.)Deterrence)Concepts)in)the)Context)of)Cyberspace)
This well-established logic gained prominence from nuclear strategy, but it applies
broadly across many domains. However, the inherent differences in those domains can lead to
varying conclusions when deterrent logic is applied. Before discussing the specifics of applying
deterrence theory to cyberspace, it is important to establish some definitions, as provided by the
Department of Defense and Department of Homeland Security:
Cyberspace: (DoD definition) A global domain within the information environment consisting
of the interdependent network of information technology infrastructures and resident data,
including the Internet, telecommunications networks, computer systems, and embedded
processors and controllers.19
Critical Infrastructure: (DHS definition) Critical infrastructure are the assets, systems, and
networks, whether physical or virtual, so vital to the United States that their incapacitation or
destruction would have a debilitating effect on security, national economic security, national
public health or safety, or any combination thereof.20
As previously discussed, the cyber domain is not quite like any other seen in history.
However, the recognition that differences exist between the cyber and nuclear realms does not
preclude drawing comparisons. In fact, cyber deterrence may have more in common with nuclear
and conventional deterrence than is generally thought. Deterrence, be it conventional, nuclear,
legal, cyber or otherwise, follows the same core logic laid out in the equation highlighted above.
As such, actors have the same tools, punishment and denial, available to them in constructing an
appropriate deterrence strategy. The only difference is that there is a spectrum of the
effectiveness of each tool. Depending on the type of deterrence, for example nuclear, cyber,
and/or conventional, the individual capability requirements associated with punishment and
denial will vary.
Punishment in the cyber realm has aspects unique to that type of battlespace. The basic
goal is unchanged: to impose costs unacceptable to an attacker as well as to effectively
communicate that capability to the attacker. The difference is how this goal is pursued.21
Broadly
speaking, there are two ways to accomplish this in cyberspace: retaliation by striking back,
directly causing damage, or some sort of legal or political action to impose costs on the attacker
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
19
Joint Staff, Joint Publication 1-02 2001: Department of Defense Dictionary of Military and Associated Terms
(Washington D.C: Joint Staff, 2001), 58 and Joint Staff, Joint Publication 3-12 2013: Cyberspace Operations
(Washington D.C: Joint Staff, 2013), V.
20
U.S. Department of Homeland Security, “What is Critical Infrastructure?” last modified November 1, 2013,
http://www.dhs.gov/what-critical-infrastructure.
21
Patrick M. Morgan, "Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm."
In Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S
Policy 58 (2010): 61-62.

10
! ! !
through other mechanisms.22
While it may seem that these methods of retaliation are largely
state-focused, the current global war on terror demonstrates that such responses against non-state
actors and individuals are not outside the realm of possibility.23
Retaliation by striking back against an attacker need not remain in the cyber realm.
Assuming the source of the attack can be determined, a retaliatory response is possible through
informational, military, economic, and political means.24
The requirements of such a response
require a robust forensic capability to accurately identify the attacker, cyber capabilities for an
in-domain response, military capabilities for a kinetic response, or the economic and political
means to impose costs in those respective domains.
Retaliation using legal action or political action closely relates to striking back but
imposes costs through indirect means rather than direct action. For the more minor threats of
hacktivism, criminal hacking, and even espionage, this could be accomplished by simply
prosecuting the individuals responsible in the appropriate jurisdiction (which, of course, can be
difficult to determine).25
Another method is the practice of “naming and shaming”. The logic
behind this is similar to that of the Secretary of State’s list of “state sponsors of terrorism.”26
Identifying the perpetrators of cyber attacks exposes the acts to the international public
discourse, which can be manipulated to develop consequences for such actions in the
international community through multilateral institutions. These consequences could include the
imposition of economic sanctions against the attacker, the exclusion from international trade
talks and institutions, or suspension of economic or military aid if applicable. This type of action
can foster international cooperation in not only attribution investigations but also punishing
identified attackers.
Denial also applies in cyberspace. As discussed earlier, the goal of denial is to deny the
adversary success or lead them to determine that the probability of success is too low and
potential costs are too high to achieve any benefits. Limiting access and building system
resiliency accomplishes this in cyberspace. The Department of Defense Cyber Strategy posits
that basic cybersecurity procedures are typically enough to defend against the majority of
intrusions.27
One basic tactic to use in a strategy of denial is simply to limit access. Some of this
burden falls on individual users and the need to practice good cyber hygiene such as not opening
unfamiliar email attachments, controlling physical access to individual computer stations, and
other personnel-based security tactics. However, access-limiting functions can also be built into
networks and computers. The Trusted Internet Connections Initiative, which physically changes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
22
Eric Talbot Jensen, “Cyber Deterrence,” Emory International Law Review 26, no. 2 (2012): 792-793.
23
Eric Sterner, "Retaliatory Deterrence in Cyberspace," Strategic Studies Quarterly 5, no. 1 (2011): 71.
24
Morgan, "Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm," 75 and Jensen,
“Cyber Deterrence,” 793-794.
25
Jensen, “Cyber Deterrence,” 800-801.
26
Brian M. Mazanec and Bradley A. Thayer, Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace
(Basingstoke: Palgrave Macmillan, 2015): 68.
27
U.S. Department of Defense, The DoD Cyber Strategy, 5.

11
! ! !
the network infrastructure of the United States Government, therefore limiting access points
available to outside sources, is an example of such a system.28
The combination of both cyber
hygiene and access-limiting functions prevents unauthorized access and the ability of attackers to
exploit said access.
Another important component to deterrence by denial in cyberspace is system resiliency.
A resilient system or network possesses the ability to recover or regenerate its performance after
an unexpected event or change degrades its performance.29
Key components of resilient systems
go beyond just hardware and software; they also include the operators who use them. All must be
capable of operating under degraded conditions, recovering from degradation quickly,
determining what went wrong, and designing a solution to improve the system and prevent such
a failure in the future.30
System redundancy is an additional key technical component of
resiliency in that it allows the continued capacity of the system to operate if some part of it is
forced offline or manipulated through some sort of attack.31
If a system is sufficiently resilient, it
can continue to operate securely and deny an attacker its goals to either break the system or
manipulate it to their ends. An example of this was the indirect assistance Google provided to
Georgia after the denial of service attacks it suffered in 2007. By moving the sites under attack to
Google infrastructure, the Georgian Government was able to keep its systems operating and thus,
the goals of the attacks were denied.32
Active cyber defense (ACD) is a unique mechanism in that it blurs the line between
punishment and denial. The official Department of Defense definition of ACD is as follows:
“Active cyber defense is DoD’s synchronized, real-time capability to discover, detect, analyze,
and mitigate threats and vulnerabilities…using sensors, software, and intelligence to detect and
stop malicious activity before it can affect DoD networks and systems.”33
Once an attack is
detected, an active defense system presents multiple options for dealing with it. First, it can use
forensics to determine the type and source of the attack. It can also track the attack in real time
and attempt to determine what the specific target is. Second, it could also deliberately lead an
attack towards false or useless information full of errors as part of a deception operation. Third,
the system can simply stop the attack in its tracks. Finally, it can use the attack to remotely gain
access to the attacker’s system and launch a counterattack.34
While possessing the ability to
counterattack, an active cyber defense system allows for a range of denial capabilities in addition
to the capability to impose punishment.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
28
Ibid., 61.
29
Igor Linkov et al., “Resilience Metrics for Cyber Systems,” Environment Systems and Decisions 33, no. 4
(December 2013): 471–76, doi:10.1007/s10669-013-9485-y.
30
Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar!: What Everyone Needs to Know (New York:
Oxford University Press, USA, 2013), 170-172.
31
Jensen “Cyber Deterrence,” 814.
32
K.A. Taipale, "Cyber-deterrence," Law, Policy and Technology: Cyberterrorism, Information, Warfare, Digital
and Internet Immobilization (Hershey, PA: IGI Global, 2010), 36-37.
33
U.S. Department of Defense, Department of Defense Strategy for Operations in Cyberspace, 7.
34
Irving Lachow, Active Cyber Defense: A Framework for Policymakers (Washington D.C: Center for New
American Security, 2013), 5-7.

12
! ! !
The ability to automatically counterattack can be problematic. Executed perfectly, “The
traceback capabilities of active defenses will ensure that these measures target only the source of
the cyber attack. This would greatly reduce collateral damage relative to that which would result
from the use of kinetic weaponry, thus helping to achieve proportionality; distinguish the
attacking system (the military objective) from protected places, property, and civilians; and
minimize the unnecessary suffering that would be the probable result of a kinetic use of force.”35
However, ACD technical limitations make tracking attacks back through intermediate systems
difficult. Even if a defender overcomes these technical limitations, and correctly identifies an
attack source, a system administrator would still be required to ‘map’ the attacking network.
Failure to do so “may well lead to accidental targeting of innocent systems, resulting in
unintended and excessive collateral damage” that could spark a dangerous escalating spiral of
retaliation and counter-retaliation.36
3.)Difficulties)Associated)with)Cyberspace)Deterrence)
According to the conventional wisdom, the cyber realm is offense-dominant. It is an
inherently asymmetric battlespace, where a “dozen determined computer programmers can, if
they find a vulnerability to exploit, threaten the United States’ global logistics networks, steal its
operational plans, blind its intelligence capabilities, or hinder its ability to deliver weapons on
target.”37
Offense is cheap, and the countries that rely on cyber capabilities most (such as the
United States) are the most vulnerable. As Peter Singer writes, “the nations most skilled at
throwing rocks live in the biggest glass houses.”38
If, as these arguments assert, cyberspace is offense-dominant, the implication is that
deterrence is difficult. Two key factors contribute to this offense-dominance assumption:
namely, the advantage of striking early and the difficulty of attribution. A discussion of these
factors follows, as well as reasons why the offense-dominance assumption may not be entirely
accurate.
Early-Strike Advantage. The highly specific nature of offensive cyber capabilities
favors a quick attack before a potential target can patch the hole necessary for successful attack.
According to Martin Libicki and David Gompert, “Because most cyber attacks exploit some
piece of vulnerable computer code, they can reveal the source of weakness, allowing…the
problem [to be] solved. The difficulty of duplicating cyber attacks supports the logic of early use
and prompt exploitation in order to maximize their effect.”39
There is, if not a first-strike
advantage, then an early-strike advantage inherent in cyber warfare. A Naval Postgraduate
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
35
David E. Graham, “Cyber Threat and the Law of War,” Journal of National Security Law and Policy 4, no. 87
(2010): 99.
36
Graham, “Cyber Threats and the Law of War,” 100.
37
William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs 89, no. 5
(September/October 2010): 98-99.
38
Singer and Friedman, Cybersecurity and Cyberwar, 152.
39
David C. Gompert and Martin C. Libicki, “Cyber Warfare and Sino-American Crisis Instability,” Survival: Global
Politics and Strategy 56, no. 4 (August-September 2014): 12.

13
! ! !
School paper employed game theory to examine the decision to “attack or wait” in cyberspace.
The paper assumes that if a player waits to launch a cyber attack, his payoff could be higher
based on the maturity of the munition, but he also risks the chance that his opponent discovers
the exploit, rendering the munition worthless. The authors conclude that success favors rapid
action and any capabilities that could offset the cost of waiting are generally unattainable.40
Stephen Van Evera, discussing offense dominance, argues that a first-strike advantage is
destabilizing and can lead to war. If there is a perceived first-strike advantage, “States grow more
trigger-happy, launching first strikes to exploit the advantage of the initiative, and to deny to an
opponent.”41
The incentive to launch a cyber attack before it becomes worthless also creates a
window of opportunity for the attacker and window of vulnerability for the target. Van Evera
argues that windows of vulnerability are larger in an offense-dominant environment, which
“bolsters arguments for shutting ‘windows of vulnerability’ by war.”42
Thomas Rid, however, does not dispute this characteristic but argues that it actually
makes cyberspace more defense-dominant. Once a weapon is used, Rid argues, it will be
defended against, possibly making it impossible to use again. “And a weapon, even a potent one,
is not much of a weapon if an attack cannot be repeated. Any political threat relies on the
credible threat to attack or to replicate a successful attack. If that were in doubt, the coercive
power of a cyber attack would be drastically reduced.”43
While the incentive to attack early does
exist, an attacker’s decision-making must also factor in that the use of that weapon will likely
neuter its coercive power.
Attribution. The anonymity of the Internet permits an attacker to “cover his tracks,”
making it difficult for the target to identify where the attack came from. “Packets can be bounced
through multiple machines on their way to the target. They can be routed through a bot that only
needs to erase the packet’s originating address and substitute its own to mask the true origin.
Attacks can be implanted beforehand in any machine that has been compromised.”44
Some
analysts argue that attribution is the most difficult problem in cyberspace. One hundred percent
certainty is almost impossible to achieve when determining the origin of an attack.45
An attacker
that is confident in its ability to mask its attack’s origins may feel immune to retaliation. If a state
cannot identify its attacker, it cannot launch a counteroffensive.
However, some analysts argue that attribution is challenging but not impossible. Martin
Libicki of the RAND Corporation argues that there are two components to attribution:
determining who perpetrated an attack and then proving that that entity did it.46
He goes on to
say the United States is able to establish a probability of who did it, but proving it publicly is
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
40
Harrison C. Schramm, David L. Alderson, W. Matthew Carlyle, and Nedialko B. Dimitrov, “A Game Theoretic
Model of Strategic Conflict in Cyberspace,” Military Operations Research 19, no. 1 (2014): 5-17.
41
Stephen Van Evera, “Offense, Defense, and the Causes of War,” International Security 22, no. 4 (Spring 1998): 9.
42
Ibid.
43
Thomas Rid, “Think Again: Cyberwar,” Foreign Policy 192, (2012): 80-84.
44
Martin C. Libicki, Cyberdeterrence and Cyberwar, 44.
45
Robert Chesney, interview by Gregory Holm and Robert McDyre, February 18, 2015.
46
Martin C. Libicki, interview by Andrew Ericson, Kyle Fowler, and Kristina Miller, March 6, 2015.

14
! ! !
more difficult.47
Thomas Rid and Ben Buchanan argue that the states most connected to the
Internet and thought to be the most vulnerable to cyber attack are conversely the ones that have
the resources to investigate and attribute attacks more effectively.48
Furthermore, Rid and
Buchanan echo a sentiment not uncommon among those within the government: attribution has
been happening successfully for a long time.49
Moreover, the argument that attribution is an insurmountable challenge ignores the
existence of outside information. Attribution can be difficult, but when taking the current
political climate and the sophistication of a hypothetical cyber attack into account, the number of
actors that could realistically be responsible is limited. If attribution is not nigh impossible, an
attacker cannot take for granted that they will escape undetected. Against a state with the
capabilities of the United States, “an intruder needs to make only one mistake, and the defender’s
forensic analysis could find the missing forensic clue to uncover an operation.”50
In addition, the
United States has made significant investments in all source intelligence, analysis of said
intelligence, and has increased its information dissemination capabilities, all of which eases the
burden required for attribution.51
While there are certainly challenges associated with attribution,
especially compared to the conventional or nuclear realms where attack origins are much clearer,
the political context and need for an attacker to perfectly cover its tracks makes attribution much
more feasible than some scholars admit.
Cyberspace cannot be easily categorized as simply offense- or defense-dominant. The
target of the cyber attack determines the dominance of cyber weapons. This is largely dependent
upon stakes. The lower the value of the target, the more offense dominates; conversely, defense
dominates when the stakes are higher.52
Due to this spectrum of stakes, categorizing cyber
weapons as offense- or defense-dominant is not particularly a useful exercise.
B.)Cyber)Threat)Assessment)
Given the wide range of actors operating in cyberspace, it is important to determine
which ones pose the largest threat to the United States. Any deterrent strategy used by the U.S.,
regardless of the domain, should primarily focus on the most serious threats first. As a function
of resources and commitment, cyber threats can be assessed and classified. A 2012 report from
Sandia National Laboratory presents a system for such an assessment illustrated in Table 1 below
and Table 2 on the following page. It is possible to sort actors into high-, medium-, and low-level
threat categories using this threat matrix. Since goals and capabilities vary across categories,
different approaches are required by the United States.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
47
Libicki, interview.
48
Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, no. 1-2 (2015): 31.
49
Ibid.
50
Ibid., 32.
51
U.S. Department of Defense, Department of Defense Strategy for Operations in Cyberspace, 11.
52
Jon Lindsay, interview by John J. Walter, Andrew Ericson, and Michael Bertoli, March 17, 2015.

15
! ! !
Threat Level
Threat Profile
Commitment Resources
Intensity Stealth Time
Technical
Personnel
Knowledge
Access
Cyber Kinetic
1 H H Years to decades Hundreds H H H
2 H H Years to decades Tens of tens M H M
3 H H Months to years Tens of tens H M M
4 M H Weeks to months Tens H M M
5 H M Weeks to months Tens M M M
6 M M Weeks to months Ones M M L
7 M M Months to years Tens L L L
8 L L Days to weeks Ones L L L
Table 1: General Threat Matrix for Assessment of Cyber Threats53
Attribute Definitions
Commitment Resources
Term Definition Term Definition
Intensity The diligence or persevering
determination of a threat in
pursuit of its goal.
Technical
Personnel
The number of group members
that a threat is capable of
dedicating to the building and
deployment of technical
capability in pursuit of its goal.
Stealth The ability of the threat to
maintain a necessary level of
secrecy throughout the pursuit of
its goal.
Cyber
Knowledge
The threat's level of theoretical
and practical proficiency relating
to computers, information
networks, or automated systems.
Time The period of time that a threat is
capable of dedicating to
planning, developing, and
deploying methods to reach an
objective.
Kinetic
Knowledge
The threat's level of theoretical
and practical proficiency relating
to physical systems, the motion
of physical bodies, and the forces
associated with that movement.
Access The threat's ability to place a
group member within a restricted
system--whether through cyber
or kinetic means--in pursuit of
the threat's goal.
Table 2: Attribute Descriptions for Table 1 General Threat Matrix 54
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
53
Jason Neal Frye et al., Cyber Threat Metrics (Albuquerque: Sandia National Laboratories, 2012), 13-16.
54
Ibid.

16
! ! !
1.)HighWLevel)Threats)
The high-level threats comprise threat levels 1-3 on the matrix. These actors possess a
high level of commitment and moderate-to-high levels of resources. Examples of the highest
threat level (1) would be Russia and China. These countries have a history of successfully
completing complex cyber attacks. Possibly the most nefarious group in China, People’s
Liberation Army (PLA) Unit 61398, targeted 141 companies in 20 major industries over a period
of at least 7 years, and stole a large volume of intellectual property.55
Russia, on the other hand,
has orchestrated well-publicized attacks on the governments of Georgia and Estonia.
Actors classified into threat levels 2 and 3 share the same high level of commitment as
those at threat level 1, yet lack the resources to launch truly devastating attacks. Prominent
examples of these types of actors are North Korea and Iran. These countries have also
successfully launched complex cyber attacks (targeting Sony Entertainment Pictures America
and Saudi Aramco, respectively), but probably would not find that same success in targeting
United States Government infrastructure. These countries lack the ability to launch a devastating
attack on the United States, but likely aspire to achieve the degree of technical ability to do so.
China, Russia, North Korea, and Iran all possess cyber ambitions driven by political and
military aspirations. These regimes often consider cyberspace a mechanism for regime security,56
as well as a means to possibly counter the warfighting advantage of conventionally superior
adversaries.57
Notable in the descriptions of this high-level threat group is the lack of any non-
state actors. Indeed, no non-state actors have the capabilities of this group at present. Those that
do likely are not driven by the same international political concerns that motivate these states.
These regimes cannot ensure survival or lessen a conventional warfighting advantage by
engaging in attacks that are merely a nuisance for the United States. A denial-only strategy is
unlikely sufficient to deter these actors, as they can devote the necessary resources to developing
an effective cyber munition. Therefore, a strategy of deterrence by punishment is necessary when
attempting to limit these actors in cyberspace. The high-level nature of their targets requires
USCYBERCOM to develop a strong deterrent strategy, which can only be achieved through
punishment.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
55
Mandiant, APT 1: Exposing One of China’s Cyber Espionage Units, February 2013,
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
56
See, Nikolas K. Gvosdev, “The Bear Goes Digital: Russia and its Cyber Capabilities,” in Cyberspace and
National Security: Threats, Opportunities, and Power in a Virtual World, ed. Derek S. Reveron. (Washington, D.C.:
Georgetown University Press, 2012), 173-189; Amy Chang, Warring State: China’s Cybersecurity Strategy (Center
for a New American Security, December 2014), 7-12, http://www.cnas.org/sites/default/files/publications-
pdf/CNAS_WarringState_Chang_report_010615.pdf.; Gabi Siboni and Sami Kronenfeld, “Iran and Cyberspace
Warfare,” Military and Strategic Affairs 4, no. 3 (December 2012): 77–100.
57
Nir Kshetri, “Cyberwarfare in the Korean Peninsula: Asymmetries and Strategic Responses,” East Asia 31, no. 3
(September 2014): 183–201, doi:10.1007/s12140-014-9215-1 and Chang, Warring State.

17
! ! !
)
2.)MidWLevel)Threats)
The mid-level threats are comprised of threat levels 4-6, reflecting moderate levels of
both commitment and resources. These actors are lower-threat states or well organized non-state
actors. These types of non-state actors include transnational criminal organizations, terrorist
groups, and political/activist groups who have some skill in cyberspace. Examples of these actors
are Venezuela, Anonymous and the Islamic State of Iraq and the Levant (ISIL).
The actors in threat levels 4-6 seek to accomplish more limited goals in cyberspace,
compared with the high-level threat group. State actors in this classification, by definition, do not
have the same level of resources or commitment as a Russia or China. Criminal organizations in
cyberspace are primarily concerned with generating profits and accomplishing financial goals.58
Evidence shows that terrorists primarily use cyberspace not as an avenue for attack, but rather for
recruitment, communication, fundraising, and propaganda.59
Because these actors have more limited aims, they are less likely to embark on a mission
to harm the national security of the United States through cyberspace. If they did embark on such
a mission, they likely do not have the resources to accomplish that goal. However, these actors
are capable of causing economic damage. Therefore, to lessen the impact of these actors,
defensive measures are recommended. Measures such as intelligence, law enforcement,
improved private sector security, resiliency, and individual cyber hygiene should suffice in
limiting the damage done by these attacks, so a focused deterrent strategy from USCYBERCOM
is not necessary for these mid-level threats.
3.)LowWLevel)Threats))
Threat levels 7-8 are characterized by small groups of actors with even fewer resources
and personnel than the other groups. These are non-state actors with poor organization, poor
cyber capabilities, or both. The threat posed by these actors is a nuisance at worst; therefore,
personal cyber hygiene, improved private sector security, and overall resilience in networks
should be adequate to limit the damage done at this threat level. No USCYBERCOM deterrent is
necessary.
C.)Deterrence)by)Punishment)
Assessing cyberspace threats leads to two conclusions for the United States. First, for the
vast majority of threats, a defense-first strategy should be adequate. Such a posture may deter
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
58
Roderic Broadhurst, et al. “Organizations and Cyber Crime: An Analysis of the Nature of Groups Engaged in
Cyber Crime,” International Journal of Cyber Criminology 8, no. 1 (January 2014): 1–20.
59
Singer and Friedman, Cybersecurity and Cyberwar, 99.

18
! ! !
some actors from attacking, but, as Martin Libicki argues, if deterrence fails and the attack is
denied by defenses, the deterrence failure is irrelevant to the attacked state.60
The essence of
defense is limitation of damage. If fewer attacks are launched because of a deterrent effect, so
much the better.
Second, the threats that require deterrence are unlikely to be deterred by denial only.
These actors have such a high degree of commitment to orchestrating cyber attacks and resources
to find exploits that only perfect defenses could keep them out. Cyber defenses will likely never
be completely perfect; therefore, deterrence by punishment is required for these actors.
This conclusion raises the question of how best to deter via punishment. Any threat of
punishment must take into account escalation risks. Perhaps the least escalatory retaliation is one
that is strictly in-kind, i.e., a cyber attack merits a strictly cyber retaliation. However, as
previously noted, it can be difficult to demonstrate cyber offensive capabilities, which may
diminish the deterrent ability of such a policy. The next section addresses these difficulties.
1.)Capability)Demonstration)
Through public disclosures and revelations, a range of offensive cyberspace capabilities
has become evident. These capabilities exist on a spectrum between two extremes: at one end are
less sophisticated, common, rather inexpensive munitions such as botnets; at the other end are
high-sophisticated, rare, and expensive capabilities like Snake.61
Less sophisticated attacks can
be considered part of the cost of doing business in cyberspace,62
and their ubiquity and relatively
low impact renders investing significant effort into communicating or attributing these attacks a
poor value. These types of attacks are ill suited for use as a retaliatory measure. The actors that
necessitate a strategy of deterrence would unlikely be deterred by low-impact attacks such as
these.
Highly sophisticated weapons, on the other hand, if they can reach the target system, are
much more damaging. These capabilities are resource-intensive and, therefore, not common;
their mechanism to exploit a target’s defenses relies on an exploit not being repaired, and only a
few of these highly-sophisticated weapons will be operating at any given time against any given
target, for fear of detection. After pinpointing one of these capabilities, repairing the exploit
prevents future exploitation of the same mechanism. While these types of capabilities are most
useful for deterrence, because they can cause the most damage and therefore raise costs
considerably, their specialized nature makes communication difficult.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
60
Libicki, interview.
61
Snake, or Ouroboros, is malware that provides control of a system to a remote user; its design suggests that its
designers have “an arsenal of infiltration tools”, and that it contains “all the hallmarks of a high-sophisticated cyber
operation.” “BAE Systems Applied Intelligence Unveils Extent of Venomous Nature of ‘Snake’ Operation”, BAE
Systems, http://www.baesystems.com/article/BAES_165734/bae-systems-applied-intelligence-unveils-extent-of-
venomous-nature-of-‘snake’-operation/.
62
Sites like http://www.digitalattackmap.com show real-time cyberspace attacks, with some degree of attribution.

19
! ! !
Capabilities cannot serve as a deterrent if those capabilities are not revealed. However,
offensive cyber capabilities cannot be revealed in full detail for risk of them no longer being
useful. Therefore, when brandishing offensive capabilities, a balance must be struck between
giving enough information to convince the adversary of a capability but not enough to allow that
adversary to block it. Incomplete information is a necessity for a state attempting to deter by
punishment strictly in the cyber realm. However, incomplete information can also breed crisis
instability and escalation.
2.)CrossWDomain)Response)
A better option for American policymakers wishing to avoid inadvertent escalation is to
leave open the possibility of cross-domain response for certain egregious cyber offenses. This
concept is not novel in American foreign policy; as President Barack Obama stated in response
to the alleged North Korean hacking of Sony Pictures, “We [the United States] will respond
proportionally, and we’ll respond in a place and time and manner that we chose” (emphasis
added).63
Indeed, American retaliation for that particular attack took the form of economic
sanctions.
Maintaining the option of retaliation in the political, economic, and military realms leaves
much less chance for miscalculation from the adversary. While an actor may not be fully aware
of the United States’ offensive cyber capabilities (likely intentionally so), probably would have a
much firmer grasp of U.S. political influence, economic power, and conventional military
superiority. Communication of specific capabilities is not necessary when an understanding of
these types of power already exists in the minds of American adversaries.
Responding outside of the cyber domain could be perceived as escalatory, as some actors
may view the response as disproportional. However, responses can be proportional without being
in-kind. A more appropriate, and accurate, way to view proportionality is to focus on in-kind
effects of retaliation. For instance, a cyber attack that destroys part of the U.S power grid could
be met with a retaliatory air strike against the attacking state’s power grid. Although in this
hypothetical scenario the U.S. response is in a different domain than the attack, it meets the
criteria for proportionality because its effects are in-kind.
However, despite efforts to maintain proportionality and therefore limit escalation risks,
proportionality is still in the eye of the beholder. What may seem proportional to the United
States may seem escalatory to an adversary. Cross-domain response and the potential escalation
it carries may signal to an adversary that the United States is prepared to respond, despite the
costs of doing so. This enhances the deterrent ability of cross-domain threats. While efforts
should be made to keep effects of retaliation proportional, the chance of escalation does not
necessarily weaken the deterrent strategy and may in fact strengthen it. Consistent statements by
United States officials such as President Obama’s response to the alleged Sony hack by North
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
63
Barack Obama, “Remarks by the President in the Year-End Press Conference,” The White House December 19,
2014.

20
! ! !
Korea help reinforce the credibility of cross-domain response by demonstrating to potential
adversaries that such threats of punishment are credible.64
Consistency in statements and retaliatory responses benefit cyber deterrence in two key
ways. First, consistently showing the United States will act in a time, place, and manner of its
own choosing in a potentially highly escalatory environment signals to potential adversaries that
such a response will be forthcoming regardless of escalation risk and shifts the burden of a last
clear chance to avoid potential escalation to the adversary.65
Second, it reinforces the norm that
cyber aggression that crosses the threshold set by the United States’ statements and responses
will not be tolerated. Over time, this expectation will have a greater effect on the behavior of all
states and will move toward becoming generally accepted behavior.
3.)The)Necessity)of)Effective)Communication)
A recurring theme in this
discussion of deterrence by punishment
is the need for communication of
capabilities. Like the doomsday
machine in Stanley Kubrick’s Dr.
Strangelove, a deterrent mechanism
that the adversary is unaware of is
useless. If USCYBERCOM wants to
deter the actors most capable of causing
the country harm, it must clearly
communicate that certain offenses will
not be tolerated and that those offenses
will be met with a response in the
domain of the United States’ choosing.
While it is possible to do this via
consistent declaratory statements, establishing these thresholds and the right to retaliate may be
facilitated by the application of existing norms. The establishment of norms regarding the use of
cyber attacks would provide a framework that can assist in the gradual move toward officially
codified understandings of behavior, setting the basis of a very effective deterrence by
punishment strategy.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
64
Forrest E. Morgan, First-Strike Stability in Space: A Preliminary Assessment (Santa Monica, CA:
RAND Corporation, 2010), 43.
65
Ibid., 43.

21
! ! !
Part!II:!Norms!
A.)Why)Norms?)Characteristics)of)Successful)Norms)
!
The promulgation of norms is vital to a successful cyber deterrence model and successful
governance of cyberspace. Social scientists define norms as “shared expectations of proper
behavior.”66
Norms are vital to building expectations and behaviors that foster generally
accepted principles. Scholars argue that norms lead to multiple positive outcomes for three of
reasons. First, successful norms enacted at the state level encourage other states to adopt the
same norms.67
Additionally, non-compliance with established norms can lead to pressure from
non-governmental organizations, private companies, and other states.68
Finally, successful norm-
implementation permits the application of diplomatic pressure through sanctions or other
measures to influence offending state behavior.69
Three conditions must be met for the implementation of a successful norm.70
The norms
must be “clear, useful, and do-able.”71
Clear norms are structured around established principles.
Norm utility requires that those affected be able to see “clear connections between norm-
following and desired outcomes.”72
Norm implementation in the cyber domain will likely
involve effectively demonstrating that “complying with the proposed norm would actually
produce desired results.”73
Finally, norms must be do-able; that is, it must be easy to for states to
comply. Attaining results in this final prong of norm implementation is often the most difficult
because norm implementation can be expensive, politically risky, or require non-existent
technological infrastructure such as a power grid or extensive access to the Internet.74
This final
prong is particularly difficult too when regarding cyberspace in particular, as norms that may be
desirable for Western, liberal democracies, may be wholly undesirable to non-western and less
democratic states.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
66
Martha Finnemore. “Cultivating International Cyber Norms,” in America's Cyber Future: Security and Prosperity
in the Information Age, 100. 89th ed. Vol. 1, ed. Kristin M. Lord et al. (Washington, D.C: Center for a New
American Security, 2011), 90. See also Merriam-Webster. http://www.merriam-webster.com/dictionary/norms. The
dictionary defines norms as “standards of proper or acceptable behavior.” Ibid.
67
Mark Philips, Jennifer Cole and Jennifer Towers. “Cyber Norms of Behaviour,” 1-9.
https://www.rusi.org/downloads/assets/Cyber_norms_of_behaviour_report_-_Executive_Summary.pdf. 2.
68
Ibid.
69
Ibid.
70
Finnemore, “Cultivating International Cyber Norms,” 91.
71
Ibid.
72
Ibid.
73
Ibid., 92.
74
Ibid., 93.

22
! ! !
)
B.)Norm)Development)
Norms develop in three stages. First, norm promulgation usually involves developing or
“grafting” norms on existing frameworks. A range of suggestions exists for this process in the
cyber realm. Some cyber analysts suggest that existing international law or treaties will provide a
solid foundation for norm grafting, while others point towards norms governing the safety and
use of nuclear weapons and missile technologies. The United States Department of State (State
Department) in its 2014 Report on a Framework for International Cyber Stability, argues that the
State Department should consider proposing models analogous to existing weapons control
agreements such as the Proliferation Security Initiative (PSI).75
Second, following norm promulgation, norm dissemination is required to gain followers
and extend the norm’s influence.76
A challenge to norm dissemination is achieving sufficient
penetration across both the public and private sectors. Due to the interconnectedness of
cyberspace, any adopted norms regime must target a wide array of actors including the private
sector, society, local governments, and the U.S. government as a whole (including federal and
military institutions).77
The third stage of norm cultivation is the institutionalization and socialization of the
norm.78
The institutionalization phase requires that norm adherents develop methods to certify
compliance with the norm. Clearly, this process is made much easier if the norms are codified in
law. However, the creation of international norms is not an easy process. States have different
perspectives on how to use cyberspace as a tool of foreign policy.79
Additionally, states disagree
on the scope and breadth of the term “cybersecurity.” For some states, cybersecurity means
protecting networks from intrusions and for others it is only protecting information.80
There are
two alternatives in overcoming these challenges: a commonly accepted set of norms, or a formal
agreement or treaty.81
For the institutionalization of a norm, it must be socialized as generally
accepted behavior. Alexander Wendt of The Ohio State University argues that institutionalized
norms “are often codified in formal rules and norms, but these have motivational force only in
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
75
International Security Advisory Board, Report on a Framework for International Cyber Stability (Washington,
D.C: U.S. Department of State, 2014), 1-22, http://www.state.gov/documents/organization/229235.pdf and
“Proliferation Security Initiative.” U.S. Department of State. http://www.state.gov/t/isn/c10390.htm.
76
Finnemore, “Cultivating International Cyber Norms,” 91. In a chapter of this work, Finnemore articulates the
primary difficulty with this stage, “the actors least in need of the norm are the first to adopt; actors who most need to
adopt are often the recalcitrants.” Ibid., 96.
77
Ibid.
78
Ibid.
79
Phillips, Cole and Towers, “Cyber Norms of Behaviour,” 1.
80
Charles J. Dunlap Jr, "Perspectives for Cyber Strategists on Law for Cyberwar" Strategic Studies Quarterly 5,
no.1 (2011): 82.
81
Phillips, Cole, and Towers, “Cyber Norms of Behaviour,” 1.

23
! ! !
virtue of actors' socialization to and participation in collective knowledge.”82
Wendt goes on to
argue that collective knowledge extends beyond those individuals and institutions that currently
adhere to or embody the norm.83
This phase is perhaps the most vital to the success of norms as it
represents the process whereby societies move from thinking in individualistic terms to thinking
collectively. Thus, this institutionalization and socialization phase ensures the survivability of the
norm and makes it a more likely candidate for serving as the foundation for a formalized
agreement. The norms incorporated in the 4-Point Norms Plan outlined in Part IV afford
USCYBERCOM the latitude it needs while also working to establish an accepted international
framework for the governance of cyberspace.
C.)Trends)of)Norm)Development)in)Cyberspace)
In the past, efforts to formalize norms of acceptable behavior in cyberspace achieved
mixed results. While in 2013, nations, including China, agreed as part of a UN Group of
Government Experts report that international law should govern behavior in cyberspace
(including promoting peace, stability, and freedom). China also maintained its right to
sovereignty over its cyberspace when it noted, “it is impossible for all countries to do everything
in the same style… [and] it is unfair for one country to criticize others according to its own
policies.”84
Efforts such as these have thus resulted in grand declarations, which have the
potential of contributing to the stability of cyberspace. However, when states begin to add
caveats about how they may choose to adhere to such agreements, those agreements risk
becoming ineffectual.
Even if official efforts to lay out the “rules of the road” for cyberspace have sometimes
been uneven, general norms of what states considered acceptable behavior are emerging. No
state has ever reported that civilians have died because of a cyberattack.85
While a number of
states have the ability to cause death and real damage to civilian infrastructure via cyberattacks,
deaths and highly destructive attacks would likely elevate a situation to cyberwar. The fact that
states seem to be operating with restraint is indication of a norm at work. The United States itself
concedes this point in its new DoD Cyber Strategy.
Indeed, the highest profile examples of a state possibly approaching the threshold of this
norm are the cases of cyberattacks against Estonia in 2007 and Georgia in 2008, widely believed
to have been carried out by Russia.86
While these attacks did not directly lead to death, they were
hugely disruptive to the functioning of Estonian and Georgian societies and they were viewed as
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
82
Alexander Wendt, "Anarchy Is What States Make of It: The Social Construction of Power Politics." International
Organization 46, no 2 (391-425): 399.
83
Ibid.
84
Chang, “Warring State,” 29.
85
Sydney J. Freedburgh, Jr., “’Cyberwar’ is Overhyped: It Ain’t War Til Someone Dies,” Breaking Defense,
September 10, 2013, accessed April 27, 2014, http://breakingdefense.com/2013/09/cyberwar-is-over-hyped-it-aint-
war-til-someone-dies/.
86
IHS Jane’s Intelligence Review, “West accuses Russia of cyber-warfare,” IHS Jane’s 360, December 28, 2014,
accessed March 4, 2015, http://www.janes.com/article/47299/west-accuses-russia-of-cyber-warfare.

24
! ! !
a shot across the bow in cyberspace. These two instances were no doubt some of the influential
factors in many of the security developments in cyberspace thereafter: the creation of NATO
Cooperative Cyber Defense Center of Excellence in Estonia in 2008, the creation of U.S. Cyber
Command in 2009, and the articulation by NATO in 2014 that cyberattacks against NATO
members could trigger Article V.87
Implicit in these developments is that states will take steps to
defend themselves from attacks similar to those launched against Estonia and Georgia. The right
to self-defense is alive and well in cyberspace.
Another component of acceptable behavior in cyberspace is that states tend to respond to
attacks against themselves in a relatively proportional fashion. According to reporting in the New
York Times, the U.S. appears to believe that Iran was the actor behind the 2012 attack against
Saudi Aramco, which destroyed 30,000 computers, as well as distributed denial of service
attacks against JPMorgan and Bank of America in response to apparent Western actions in Iran’s
sphere.88
For high-profile attacks, such as the one launched by North Korea against Sony,
communication also played a role in demonstrating a “proportional response.”89
States benefit by
laying out the rationale for any actions in the international realm, including cyberspace.
While there is still no formal agreement between states regarding appropriate behavior,
these shared understandings of acceptable behavior are emerging and encourage states to act
with restraint, transparency, and reasonableness. The more clear a state’s motivations for actions
in cyberspace, the lower the likelihood of miscalculations and inadvertent escalation—a result
that benefits of every state connected via the worldwide web.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
87
NATO Cooperative Cyber Defense Centre of Excellence, “About Us: History,” https://ccdcoe.org/history.html;
U.S. Strategic Command, “U.S. Cyber Command,” http://www.stratcom.mil/factsheets/2/Cyber_Command/; David
E. Sanger, “NATO Set to Ratify Pledge on Joint Defense in Case of Major Cyberattack,” New York Times, August
31, 2014, accessed April 27, 2015, http://www.nytimes.com/2014/09/01/world/europe/nato-set-to-ratify-pledge-on-
joint-defense-in-case-of-major-cyberattack.html?_r=1.
88
David E. Sanger, “Document Reveals Growth of Cyberwarfare Between the U.S. and Iran,” New York Times,
February 22, 2015, accessed March 4, 2015, http://www.nytimes.com/2015/02/23/us/document-reveals-growth-of-
cyberwarfare-between-the-us-and-iran.html.
89
A phrase President Obama used when signing an executive order for sanctions against North Korea in response to
the attack as reported by David E. Sanger and Michael S. Schmidt, “More Sanctions on North Korea After Sony
Case,” New York Times, January 2, 2015, accessed April 27, 2015, http://www.nytimes.com/2015/01/03/us/in-
response-to-sony-attack-us-levies-sanctions-on-10-north-koreans.html?ref=topics.

25
! ! !
Part!III:!Dominant!Discourse!on!Internet!Governance!!
A.)The)Multistakeholder)Governance)Model)
While some states view cyberspace as a landscape regulated by individual states (a
sovereignty-based approach), others see cyberspace as a loosely controlled, interconnected
network of public and private infrastructure and interests (a multistakeholder approach). These
approaches are not entirely mutually exclusive and they can co-exist (albeit uneasily) with one
another; however, the creation of a successful cyber norms regime is critical to the U.S.
maintaining its current position in global politics. The challenge states now face is the adoption
of cyber norms and governance regimes that will prevent destructive attacks, reduce uncertainty
in cyberspace, prevent the proliferation and misuse of cyber weapons, and preserve the integrity
of cyberspace’s openness and accessibility.90
There are few explicit rules that govern cyberspace and attempts to corral activity in
cyberspace foreseeably leads to debates between stakeholders about the best form of
governance.91
Thus, in order for the U.S. to deter destructive attacks from state actors and
minimize risks of miscalculations in cyberspace, the creation of a cyber norms and governance
regime is necessary to stabilize the domain for the future. The long-term goal of an international
regime is a formal agreement to solidify and enforce norms. Therefore, in the immediate future,
the U.S. should clarify the norms required for flexibility, security, and deterrence in cyberspace.
We propose a simple 4-Point Norms Plan that will contribute to effective deterrence in
cyberspace. Additionally, this plan considers existing international norms, particularly the U.S.
State Department’s multistakeholder governance model, which may assist or influence the
creation of a widely accepted norms regime. In addition, we examine the role of
USCYBERCOM in establishing, expanding, and sustaining such norms.
Diplomatic efforts serve as the foundation for promoting and sustaining norms. The
White House elected to focus on diplomacy in its International Strategy for Cyberspace stating:
“The United States will work to create incentives for, and build consensus
around, an international environment in which states - recognizing the intrinsic
value of an open, interoperable, secure, and reliable cyberspace - work together
and act as responsible stakeholders.”92
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
90
International Security Advisory Board, Report on a Framework for International Cyber Stability, 8.
91
Shane Harris, @WAR: The Rise of the Military-Internet Complex (New York: Houghton Mifflin Harcourt, 2014),
52. Harris remarks that in a 2010 cyberwar game, U.S. military leaders’ confusion over cyber procedures led to a
lack of alternatives to war. This reflects a tendency of military responses in the cyber domain to include offensive
reactions, even when not well suited to the threat.
92
National Security Council; United States. Executive Office of the President, International Strategy for
Cyberspace: Prosperity, Security, and Openness in a Networked World (Washington D.C.: Executive Office of the

26
! ! !
The strategy that underlies this diplomatic objective is to strengthen partnerships to create
responsible behaviors. The goal of this multistakeholder model is to include states, international
and non-governmental organizations, and private entities in the discussion to maximize
participation and involvement of all actors who use and shape the Internet. An additional aspect
of the International Strategy for Cyberspace is the role of “Defense,” noted as “dissuading and
deterring.” The strategy lists the Defense Objective as:
The United States will, along with other nations, encourage responsible behavior
and oppose those who would seek to disrupt networks and systems, dissuading
and deterring malicious actors, and reserving the right to defend these vital
national assets as necessary and appropriate.93
Thus, even though diplomatic efforts are the primary vehicle for promoting norms in
cyberspace, defense agencies do have a role in creating a governance model in dissuading and
deterring malicious actors. The actions (and restraints on actions) of defense agencies,
USCYBERCOM in particular, play a role in the formation of norms and have a strong influence
on the potential success of this model.
In addition to the multistakeholder governance model, the White House’s International
Strategy for Cyberspace creates a wish-list of what it would like included in a norms regime. The
objective is “to promote an open, interoperable, secure, and reliable information and
communications infrastructure that supports international trade and commerce, strengthens
informational security, and fosters free expression and innovation.”94
Per the strategy, the United
States seeks to accomplish these goals through the development of norms. Three underlying
principles are emphasized: “promoting order and peace, advanc[ing] basic human dignity, and
promot[ing] freedom in economic competition.” 95
These essential goals must be present in any
cyber governance regime or treaty.
B.)Allies’)Objectives)in)a)Cyber)Norms)Regime)
As the Internet evolved, different states promoted different norms based on their own
internal interests and the level of openness and neutrality the regimes dictated for its users.
Currently, “states are establishing the bounds of their sovereign control in the virtual world in the
name of security and economic sustainability.”96
Due to shared political, economic, and national
security values, the U.S. has had greater success in finding common ground in building norms of
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
President of the United States, National Security Council, 2011), 11,
https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
93
National Security Council, International Strategy for Cyberspace, 12.
94
Ibid., 8.
95
Ibid., 10-11
96
Chris Demchak and Peter Dombrowski, “Rise of a Cybered Westphalian Age,” Strategic Studies Quarterly 5,
no.1 (Spring 2011): 32.

27
! ! !
responsible cyber behavior with already established allies and other liberal democracies who
share a minimal set of expectations for cyber related behaviors.97
While U.S. allies may not agree
with all U.S. actions in cyberspace, many of them seek, in their own ways, to support the
openness and “bottom-up” nature of private innovation that has driven the Internet’s
multistakeholder governance model. Ultimately, domestic policies and international declarations
demonstrate that U.S. allies are generally concerned with issues related to privacy and online
rights, security, and combating cybercrime.
1.)Privacy)and)Online)Rights)
The largest rift in cyber norms and governance between the U.S. and its allies was a
result of the revelations by former government contractor Edward Snowden that alleged the U.S.
used its advanced cyber capabilities to spy not only on enemies and terrorists, but allies as well.
This, to many allies, was a breach of trust by the U.S. and harmed its reputation abroad,
especially in light of its public advocacy for an open and secure Internet. Some allies responded
by advocating freedoms for Internet users. For example, following an example set by the
Netherlands and Chile, Brazil passed the Marco Civil, an Internet bill of rights, which elevated
privacy and human rights of Brazilian citizens above data collection. Germany, especially stung
by revelations that Chancellor Angela Merkel’s cell phone was tapped,98
has also led the charge
in advocating for online privacy, and sponsored, with Brazil, the UN General Assembly
Resolution on the Right to Privacy in the Digital Age, adopted in 2013.99
Even in light of these privacy concerns, however, support for the cyber multistakeholder
governance model over a sovereignty-based governance model has remained relatively stable.
For example, when Brazil hosted NETmundial, an international multistakeholder conference on
the future of Internet governance, one of the conference’s principles stated upon its conclusion
was that “internet governance should be built on democratic multistakeholder processes,
ensuring the meaningful and accountable participation of all stakeholders, including
governments, the private sector, civil society, the technical community, the academic community
and users.”100
Additionally, Germany also chooses to work through international institutions to
strengthen cooperation and reject the sovereignty-based governance model.101
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
97
Roger Hurwitz, “An Augmented Summary of The Harvard, MIT and U. of Toronto Cyber Norms Workshop”
(paper presented at Cambridge, MA, October 19-21, 2011), 7.
98
Phillip Oltermann, “Germany Opens Inquiry into Claims NSA Tapped Angela Merkel’s Phone,” The Guardian,
June 4, 2014, http://www.theguardian.com/world/2014/jun/04/germany-inquiry-nsa-tapping-angela-merkel-phone.
99
Christian Schaller and Johannes Thimm, “Internet Governance and the ITU: Maintaining the Multistakeholder
Approach,” Council on Foreign Relations, October 22, 2014, http://www.cfr.org/internet-policy/internet-
governance-itu-maintaining-multistakeholder-approach/p33654.
100
John Savage and Bruce McConnell, “Exploring Multi-Stakeholder Internet Governance” (paper presented at the
annual North American International Cyber Security Summit, Detroit, Michigan, November 17, 2004),
http://www2.ewi.info/sites/default/files/Exploring%20MultiStakeholder%20Internet%20Governance_McConnell%2
0and%20Savage%20BG%20Paper.pdf.
101
Schaller and Thimm, “Internet Governance and the ITU.”

28
! ! !
2.)Security)
The most notable development in an allied response to a cyber incident occurred in the
fall of 2014 when NATO members created the Enhanced Cyber Defense Policy that stipulated
that if a member state were attacked by a cyber weapon, Article V could be invoked for
collective defense. This policy focuses on prevention, detection, resilience, recovery, and
defense.102
In former years conventional attacks by land, air, or maritime would have been the
most likely forms of attacks; however, the Alliance has been forced to adapt to new technologies
and the emerging dangers of the cyber threat. Defense against this threat requires adjustments to
existing policies.
Some countries are forming closer relationships due to shared security concerns. For
example, the trade agreement entered into by Japan and Israel in 2014, includes provisions for
cybersecurity cooperation. This agreement “stipulates the dispersion of funds to Israeli and
Japanese companies and research centers to conduct a wide range of research including on
information and cybersecurity.”103
3.)Cybercrime)
Developed countries such as those in Europe, Asia, and South America face a multitude
of cyber threats including online scams, cybercrime, and digital surveillance. Cybercrime is an
issue around which it is relatively easy to build consensus. It is an arena in which countries such
as Japan and Brazil have set up cyber security systems that mimic U.S. security agencies. Japan’s
strategy to counter cybercrimes includes a version of the National Cyber-Forensics and Training
Alliance similar to the FBI; Brazil created the Brazilian Army’s Center for Cyber Defense
(CDCiber). CDCiber will promote recommendations by the Brazilian National Defense Strategy,
which is comprised of cyber, space, and nuclear defense. 104
In sum, allies have a role to play in building upon the 4-Point Norms Plan. Allies already
abide by norms including not attacking critical infrastructure, and reasonable and proportional
response to cyber attacks. In addition, states’ national security strategies that include those norms
as policy reflect allied support of the multistakeholder governance model.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
102
“Wales Summit Declaration,” North Atlantic Treaty Organization, accessed April 9, 2015
http://www.nato.int/cps/en/natohq/official_texts_112964.htm
103
Franz-Stefan Gady, “Japan and Israel to Work Together in Cyberspace,” The Diplomat, January 15, 2015,
accessed April 9, 2015, http://thediplomat.com/2015/01/japan-and-israel-to-work-together-in-cyberspace/.
104
Modulo, Solutions for GRC. “Cyber Defense & Critical Infrastructure,” accessed April 9, 2015,
http://modulo.com/modulo/wp-content/uploads/2013/09/cyberd-efense-and-critical-infrastructure-apac.pdf.

29
! ! !
)
C.)SovereigntyWbased)Governance)Model)
In January 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan
issued an “update” to their “international code of conduct for information security” at the United
Nations that placed a higher premium on state sovereignty over the Internet than an earlier
iteration.105
The phrase “All States must play the same role in, and carry equal responsibility for,
international governance of the Internet” was included, in addition to references to the
sovereignty-based (rather than “multistakeholder”) model to governance. Some scholars argue
that this new language points to an increasingly persistent effort by these governments to move
towards an Internet that is more state-centric, less dominated by U.S. and Western values, and
one managed by ruling elites rather than stakeholders from governments, NGOs, IGOs, and the
private sector. Additionally, it could lead to more compartmentalized and government–censored
internets, wherein regimes have the ability and right to police rhetoric viewed as inflammatory or
threatening to those in power.106
This concept of the Internet is promulgated through overt policies and covert cyber
attacks linked to states such as China, Russia, Iran, and North Korea. These states that propose
alternative governance models and norms than those proposed by the U.S. government have a
few key points in common. These states have a tendency to:
•! View internal dissent and challenges to the current regimes as a national
security threat, on par with an attack that might originate from a hostile
foreign nation;
•! Seek to actively curb, undermine, or reverse U.S. dominance, both
geopolitically and technologically, through asymmetric tactics, such as
intellectual property theft, diplomatic inertia, or disruptive attacks;
•! Demand sovereignty over the Internet, as it exists within their geographic and
population borders.
The sovereignty-based governance model seeks to curtail U.S. cyber dominance by
designating more power to individual states to manage the oversight, technology, and discourse
of the Internet within their borders, thereby increasing their own capacity. These beliefs run
counter to the US multistakeholder governance model, which, at its core, seeks to maintain U.S.
and Western de facto control of the Internet through its dominance of the private sector
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
105
United Nations General Assembly, “Developments in the Field of Information and Telecommunications in the
Context of International Security,” January 13, 2015, accessed April 9, 2015,
https://ccdcoe.org/sites/default/files/documents/UN-150113-CodeOfConduct.pdf.
106
Adam Segal, “Will China and Russia’s Updates Code of Conduct Get More Traction in a Post-Snowden Era?”
Net Politics (blog), Council on Foreign Relations, January 28, 2015, accessed April 12, 2015,
http://blogs.cfr.org/cyber/2015/01/28/will-china-and-russias-updated-code-of-conduct-get-more-traction-in-a-post-
snowden-era/.

30
! ! !
technology and innovation upon which the Internet runs, as well as the Internet’s “culture”—
conceived of as the free flow of information between corporations, governments, and peoples—
itself.
The free, open, and multistakeholder governance model advocated by the U.S. could be
viewed as an existential threat to the ruling elites in countries like China, Russia, and Iran. The
model threatens these opposition states’ power and impedes their future capabilities to quash
dissent and neutralize U.S. technological dominance. Yet, there are signs that there may be room
for these states, the U.S., and allies to agree upon mutually accepted norms. Examples of such
norms are a prohibition on attacks against civilian critical infrastructure and the necessity of
cooperation against cybercrimes. These areas trouble every state to a certain degree. However, it
is unlikely that the U.S. will be able to alter the primary, survival-based drivers of its
adversaries’ policies while the current authoritarian regimes of China, Russia, Iran, and North
Korea remain in power.
D.)The)Role)of)IGOs)and)NGOs)in)a)Cyber)Norms)Regime)
Non-governmental (NGOs) and intergovernmental organizations (IGOs) play an
important role in the current discussion regarding cyber norms and the adaptation or rejection of
the multistakeholder governance model. The United Nations, for example, organizes an annual
Internet Governance Forum (IGF)107
which serves as a forum for dialogue on public policy
issues related to the Internet.108
The IGF regularly produces reports on various issues of public
policy pertaining to the Internet, often presented by panels of experts. These reports have
covered issues such as developing countries participation in Internet governance, privacy, and
cybercrime. The most recent IGF forum convened in Istanbul, and covered topics such as Net
Neutrality and transition of stewardship of the Internet Assigned Numbers Authority (IANA).109
The IGF has succeeded in its main goal: to foster a legitimate venue for Internet-related public
policy issues when there was none. However, it has been hampered by a fluid, undefined
membership, which, in turn, has been charged with addressing Internet governance issues in an
ad-hoc, isolated basis.110
Arguably, this dynamic makes U.S. efforts to create cyber norms by
pushing for solutions that align with its national security concerns unfeasible. However, the IGF
can still serve as a forum wherein the U.S. can identify the concerns and intentions of other states
regarding norm creation and Internet governance.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
107
United Nations, “Tunis Agenda for the Information Society”, World Summit on the Information Society,
November 18, 2005, paras 29-82, http://www.itu.int/wsis/docs2/tunis/off/6rev1.html.
108
United Nations General Assembly, Resolution 60/252, “World Summit on the Information Society,” March 27,
2006, http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/60/252.
109
UN Internet Governance Forum, “Connecting Continents for Enhanced Multistakeholder Governance,”
September 2-5, 2014, http://www.intgovforum.org/cms/documents/igf-meeting/igf-2014-istanbul/308-igf-2014-
chairs-summary-final/file.
110
Jerry Malcolm, “Appraising the Success of the Internet Governance Forum,” Multistakeholder Governance and
the Internet Governance Forum, September 8, 2008.
http://www.intgovforum.org/Substantive_3rd_IGF/Jeremy%20Malcolm%20submission.pdf

31
! ! !
Additionally, the Internet Corporation for Assigned Names and Numbers (ICANN) is a
private nonprofit established in 1998. ICANN manages the global Domain Name System (DNS),
a worldwide network of databases mapping domain names to IP addresses, allowing users to
send and receive information to other devices. It remains under the authority of the Department
of Commerce. It is primarily responsible for the functioning and maintenance of the DNS root
zone, a point from which the DNS system is organized into subdomains and one of the few
centralized points of control over the Internet.
At the 2012 World Conference on International Telecommunications, Russia, China,
Saudi Arabia, and Sudan endorsed a proposal that gave member states much of the traditional
duties of ICANN.111
In early 2014, the Obama Administration announced plans to relinquish its
stewardship over ICANN to the global multistakeholder Internet community when its contract
with ICANN expires in September 2015, a transition the Administration claims has been planned
since ICANN’s formation in 1998.112
However, the Department of Commerce has stipulated that
it would not transition stewardship to any government or an IGO.113
Any future steward must
have consensus from the multistakeholder community, ensure the security and stability of the
DNS Root zone, meet the needs and expectation of customers and partners of the IANA, and
maintain the openness of the Internet. Additionally, any transition must be consistent with a 2013
Congressional resolution affirming United States support for a multistakeholder model of
Internet governance.114
There is speculation as to how this may affect U.S. operations in
cyberspace, and its impact on U.S. standing as a formidable power in the cyber domain. Despite
the suspicions of foreign powers, ICANN has never been an asset ensuring achievement of any
U.S. national security objectives. Since the U.S. has always taken a hands-off stance regarding
ICANN, its transition does not have any impact on the U.S.’s ability to operate in the cyber
domain.
Finally, the International Telecommunication Union (ITU) was originally founded in
1906 as the International Telegraph Union. However, it changed its name to the International
Telecommunications Union to reflect its shift in responsibility in governing both wireless and
wired communication. In 1947, The United Nations agreed to accept the ITU as an agency
charged with regulating international telephonic, telegraphy, and radio communications. With
the advent of the Internet, some countries, such as Russia, China, India, Iran, and Saudi Arabia
advocated for the ITU to have its powers expanded to include regulation of the Internet.115
It is
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
111
“World Conference on International Telecommunications (WCIT-12,)” International Telecommunication Union,
http://www.itu.int/en/wcit-12/Pages/default.aspx.
112
The Economist, “Doing the ICANN-can,” March 22, 2014,
http://www.economist.com/news/international/21599385-america-promises-release-its-grip-internets-phone-
bookand-opens-up-debate.
113
Jonathan Masters, “What Is Internet Governance?” Council of Foreign Relations, April 23, 2014,
http://www.cfr.org/internet-policy/internet-governance/p32843.
114
National Telecommunications and Information Administration, “NTIA Announces Intent to Transition Key
Internet Domain Name Functions,” United States Department of Commerce, March 14, 2014,
http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions.
115
Saran Samir, “The ITU and Unbundling Internet Governance”, Council of Foreign Relations, October 22, 2014.
http://www.cfr.org/internet-policy/itu-unbundling-internet-governance/p33656.

32
! ! !
important to recognize that, as it has in the past, the U.S. can most effectively gain allies to
strengthen the multistakeholder model “by accepting limits on the exercise of its own hegemonic
power.”116
Some countries want to use ITU as a registry for IP addresses, while others would
desire for it to act as a legal venue through which countries could operate surveillance programs
within their respective borders.117
Western countries, most notably the U.S., have been vocal against the prospect of ITU
regulation of the Internet. These countries believe the prosperity and success of the Internet is
linked to its open, free, deregulated and privatized nature. In 2013, the U.S. Congress, in
response to the ITU proposal, unanimously passed a motion to oppose any move by the United
Nations - and by extension the ITU - to gain regulatory powers over the Internet. Congress
maintained that in the interest of the freedom of expression, access to information, trade and
commerce, and human rights, the United States should continue to advance a multistakeholder
governance model, which affirms all of these principles. 118
It is increasingly necessary for U.S.
leaders to embrace “institutional binding” to mutually constrain itself and secondary states to
reassure America’s partners it will not abandon or dominate them.119
The U.S. relinquishment of
a dominant role in ICANN in 2015 is evidence of this effort towards constraint.
IGOs and NGOs seek consensus among advocates of both the multistakeholder and
sovereignty-based governance models. These organizations:
•! Recognize that legitimacy regarding Internet governance cannot stem from a
single country;
•! Facilitate the dialogue of relevant issues regarding Internet governance;
•! Serve as a forum for countries voicing concerns and proposing governance
models for cyberspace;
•! Reinforce generally accepted international norms.
IGOs and NGOs have a role to play in the articulation of the norms found in the 4-Point Norms
Plan. These organizations serve as fora in which states and stakeholders can debate and adopt
norms.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
116
G. John Ikenberry, After Victory: Institutions, Strategic Restraint, and the Rebuilding of Order after Major Wars
(New Jersey: Princeton University Press, 2001), 199.
117
Monika Ermert, “ITU Plenipotentiary Conference: Internet Governance Diplomacy on Display,” Intellectual
Property Watch, May 11, 2014, http://www.ip-watch.org/2014/11/05/itu-plenipotentiary-conference-internet-
governance-diplomacy-on-display/.
118
To affirm the policy of the United States regarding Internet governance, H.R. 1580, 113th
Cong. (2013).
https://www.congress.gov/bill/113th-congress/house-bill/1580.
119
Ibid., 199.

33
! ! !
)
E.)Existing)Structures)Applicable)to)Cyberspace)
Given USCYBERCOM’s specified role in the national security infrastructure, the
opportunity to work within the same spaces as IGOs and NGOs would most likely be negligible.
Cyber Command can observe and identify the concerns and intentions of other states regarding
their commitment to work cooperatively in fostering cyber norms that come about as a byproduct
of working in spaces with NGOs and IGOs, and structure its response accordingly. However, the
international effort to shape rules and norms will likely be led by diplomats and policymakers.
Governance regimes serve as the eventual objective for any norms addressing the
regulation of cyberspace. Robert Keohane defines governance as “the making and
implementation of rules, and the exercise of power, within a given domain of activity.”120
As
previously noted, the State Department endorses a “multi-stakeholder vision of Internet
governance” that involves contributions from a variety of interested parties.121
Specifically, the
U.S.-led multistakeholder model advocates for shared participation and responsibility in
designing Internet governance procedures.122
On the other hand, China and Russia promote a
sovereignty-based model to Internet governance.123
This approach involves extensive domestic
regulation aimed at quieting civil unrest and neutralizing perceived threats.124
On the
international level, it is likely that neither model will be cleanly adopted, but rather a normative
framework will emerge eventually leading to the ratification of a cyber treaty or codification in
international law.125
Governance frameworks that arguably offer a good starting point for the
development of cyber governance models include the international law of war, treaties of the
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
120
Robert O. Keohane, “Global Governance and Democratic Accountability.” January 1, 2002, 3,
http://www.lse.ac.uk/PublicEvents/pdf/20020701t1531t001.pdf.
121
Kristen Eichensehr, “The Cyber-Law of Nations,” The Georgetown Law Review 103, no. 2 (2015): 317-80. 330.
The author puts forth the division of cyber regulations into two groups, the first being the model put forth by the
U.S. and other Western nations, and the second being the model put forth by China and Russia. See also The White
House, “Charter of the Subcommittee on Global Internet Governance Committee on Technology National Science
and Technology Council,” April 6, 2012,
http://www.whitehouse.gov/sites/default/files/microsites/ostp/gig_charter_signed.pdf.
122
The White House, “Charter of the Subcommittee on Global Internet Governance Committee on Technology
National Science and Technology Council,” 1.
123
Eichensehr, 330.
124
Ibid.
125
Ibid., 380. “[I]n the absence of existing customary law or a limited number of motivated states, an omnibus cyber
treaty will be more difficult to achieve in general, and impossible in light of the current gulf between the
sovereignty-focused conception of cyber espoused by Russia and China, and the multistakeholder view espoused by
the United States and its allies.” The author continues by arguing that “norm developments provides a workable path
forward” and could eventually lower hostilities between countries. Ibid.

34
! ! !
high seas and outer space.126
In addition to the State Department’s suggestion for using the
Proliferation Security Initiative (PSI) as a grafting source, Richard Clarke argues for a norms
regime modeled after the Strategic Arms Limitations Treaty (“SALT”) and the Strategic Arms
Reduction Treaty (“START”).127
The section below examines these suggestions.
1.)International)Law)of)War)
The International Law of War may be the most obvious, yet least understood, regime to
apply to the cyber domain. The basic tenets of the international law of war are Jus in Bello (Law
of Armed Conflict) and Jus ad Bellum (Law on the Use of Force).128
Currently, there are two
methods for applying the Law of War to cyberspace: it can either be ignored or evaluated as
crucial to the norm building process.
In thinking about the confluence of international law and war-like operations in the cyber
domain, one must consider whether “cyberwar” is actually “war” thus invoking the Law of
Armed Conflict. Many legal scholars argue the conventional laws of war do apply to
cyberspace.129
For example, in 2013 a UN Group of Governmental Experts agreed that the Law
of Armed Conflict and the UN Charter apply in cyberspace. In addition, a NATO-led group
published the Tallinn Manual, which evaluates how the Law of Armed Conflict applies to
cyberspace. The Tallinn Manual was a response to the evolving interests and capabilities of
NATO countries. While the Tallinn Manual is not binding and does not reflect the official views
of NATO, it represents a positive step towards using the Law of Armed Conflict to create a
norms regime for cyberspace.130
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
126
Ibid., 335-40. See also U.S Department of Defense, “Department of Defense Strategy for Operating in
Cyberspace,” 5, http://www.defense.gov/news/d20110714cyber.pdf. The main difference between cyberspace and
other domains is that cyberspace is man-made. Ibid.
127
International Security Advisory Board, “Report on a Framework for International Cyber Stability,” 1-22. See also
Richard A. Clarke and Robert K. Knake. “The Agenda,” In Cyber War: The Next Threat to National Security and
What to Do About It (New York: Ecco, 2010).
128
Mark W. Janis and John E. Noyes, Cases and Commentary on International Law. “Chapter 9: International Law
and the Use of Force.”(West Group Publishing, 2006), 565-688. The trajectory of the International Law of War
shows how norms can become international law as the International Law of War itself evolved from a dialogue
regarding the prevention of war. Ibid., 608. The idea to condemn “recourse to war for the solution of international
controversies” and to renounce war “as an instrument of national policy” began with the Kellogg-Briand Pact after
World War I and despite the failure of the League of Nations, the notion of a collective set of norms against war
remained after World War II. After the devastation of World War II, the norms against the use of force remained
and the UN Charter was created, with one of the goals to prevent another world war.
129
Dunlap Jr., “Perspectives for Cyber Strategists on Law for Cyberwar," 81-82. Dunlap argues that the basic tenets
of the International Law of Armed Conflict are enough to address the main issues in cyberspace. Because there is an
inherent fog of war, there will always be legal uncertainty in battle, but he paraphrases a comment by Former
Secretary of Defense Donald Rumsfeld that you go to war with the LOAC you have and not the LOAC you always
want.
130
Michael N. Schmitt, ed. Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge:
Cambridge University Press, 2013).

35
! ! !
Finally, the extent to which norms already influence or govern war in cyberspace should
be considered. Some analysts argue that offensive cyber operations like Russia’s DDoS attack on
Estonia constitutes a cyberwar, or that the Stuxnet virus, because it caused physical damage to
machinery, were acts of cyberwar.131
Others believe that the United States made strategic
decisions to avoid the use of offensive cyber capabilities in Iraq, Libya, and other recent
conflicts.132
This reveals that nations might be reluctant to call an attack an act of cyberwar
because such labeling will set a precedent for what constitutes a cyberwar in the future. Thus,
until a cyber operation is internationally labeled as an act of cyber warfare or international
consensus reaches a definition of what constitutes cyber warfare, speculation about how to apply
the Law of War to the cyber domain will continue. In the meantime, the U.S. must continue
searching for a normative framework that will build upon the 4-Point Norms Plan discussed
above and promote the multistakeholder governance model.
2.)Treaties)Governing)the)High)Seas)and)Outer)Space)
Treaties governing existing domains provide examples of how pre-existing norms can be
applied to cyberspace. Examples of these treaties include those governing the seas, air, and outer
space. The UN Convention on the Law of the Sea (UNCLOS) offers poignant guidance for
grafting cyber norms. Those states that have ratified this treaty agree that “[n]o State may validly
purport to subject any part of the high seas to its sovereignty” and that the “high seas shall be
reserved for peaceful purposes.”133
Most notable is that UNCLOS signatories agree that the
“high seas are open to all States, whether coastal or land-locked.”134
An analysis of the language
of UNCLOS points to two key norms. First, UNCLOS accepts that no state owns or may regulate
the high seas. This provision holds promise for cyberspace as countries like the United States
make almost identical arguments about cyberspace. Second, UNCLOS signatories agree that the
high seas “shall only be reserved for peaceful purposes.” The potential for armed conflict on the
high seas does not negate this provision. This provision simply codifies the assertion that the seas
shall be reserved for peaceful purposes. This norm is directly applicable to cyberspace even
though it is foreseeable that cyber conflict of some form will happen in the future.
A second set of rules and norms governs outer space. The Treaty on Principles Governing
the Activities of States in the Exploration and Use of Outer Space (“Treaty on the Use of Outer
Space”) puts forth similar requirements to those of UNCLOS in that outer space is not subject to
claims of sovereignty.135
The Treaty on the Use of Outer Space declares that “[o]uter space… is
not subject to national appropriation by claim of sovereignty, by means of use or occupation, or
by any other means.”136
Clearly, the Treaty on the Use of Outer Space restricts any and all claims
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
131
Richard A. Clarke and Robert K. Knake, Cyber War.
132
Joseph S. Nye, "The Regime Complex for Managing Global Cyber Activities," Global Commission on Internet
Governance Paper Series, (2014):1.
133
Eichensehr, "The Cyber-Law of Nations," 317-80. 330. See also UNCLOS, Articles. 89, 88,
http://www.un.org/depts/los/convention_agreements/texts/unclos/part7.htm.
134
UNCLOS, Articles. 87, http://www.un.org/depts/los/convention_agreements/texts/unclos/part7.htm.
135
Ibid.
136
Ibid.

36
! ! !
to sovereignty in outer space. Moreover, this Treaty requires that outer space be used for
“peaceful purposes.” Specifically, it states that “[t]he establishment of military bases,
installations and fortifications, the testing of any type of weapons and the conduct of military
maneuvers (sic.) on celestial bodies shall be forbidden.”137
The plain text of this Treaty mandates
that outer space cannot be subjected to claims of sovereignty nor can it be used for purposes that
are not peaceful.
3.)Proliferation)Security)Initiative)
The State Department, during the administration of President George W. Bush, argued
for the adoption of the PSI.138
This initiative was a response to the seizure of a North Korean
vessel carrying weapons of mass destruction (WMD).139
Specifically, the objective of PSI
adoptees is to “create a web of counter-proliferation partnerships through which proliferators will
have difficulty carrying out their trade in WMD and missile-related technology.”140
A hallmark
of the PSI is that states agree to modify existing domestic legal regimes to allow for the
interdiction and destruction of WMD. Moreover, the PSI allows participants to board and search
vessels suspected of carrying WMD in territorial waters.141
The purpose of the PSI is two-fold.
First, it encourages signatories to modify their own legal regimes to criminalize the possession
and proliferation of WMD within their own legal regimes. Second, the PSI permits expanded
cooperation, through vessel-boarding agreements and information sharing, among participants.
Applied to the cyber realm, the elements of expanding legal authorities and increased
information sharing will serve as vital grafting concepts gleaned from the PSI.
4.)SALT)&)START)
The Strategic Arms Limitations Talks (SALT) versions I and II were held between the U.S. and
Soviet Union during the Cold War.142
The purpose of SALT was to limit the number of nuclear
weapons and delivery systems held by the two countries.143
Both sides reached an agreement
regarding the specific number of nuclear weapons and delivery systems.144
President Ronald
Reagan, upon assuming office agreed to accept the negotiated terms of his predecessors while
also working to negotiate the Strategic Arms Reduction Treaty (START) with his counterpart in
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
137
United Nations, “Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer
Space, including the Moon and Other Celestial Bodies,” Article IV, 4,
http://www.unoosa.org/pdf/publications/STSPACE11E.pdf.
138
Bureau of Nonproliferation, “The Proliferation Security Initiative,” U.S. Department of State, May 26, 2005,
http://2001-2009.state.gov/t/isn/rls/other/46858.htm.
139
Ibid.
140
John Bolton, Testimony to the House International Relations Committee, March 30, 2004,
https://www.fas.org/sgp/crs/nuke/RL34327.pdf.
141
Ibid.
142
Office of the Historian, “Strategic Arms Limitations Talks/Treaty (SALT) I and II,” Milestones: 1969–1976, U.S.
Department of State, last modified October 31, 2013, https://history.state.gov/milestones/1969-1976/salt.
143
Ibid.
144
Ibid.

37
! ! !
the U.S.S.R.145
The terms of START elapsed in late 2009 at which time the “New START”
agreement was reached between Presidents Barack Obama and Dmitry Medvedev. The terms of
the New START provision 18 “on-site inspections” to be performed by visiting delegations from
either the U.S. or Russia.146
These inspections vary in scope but are designed to increase the
transparency and verification provisions of the New START agreement.147
A primary objective
of these regimes is to promote transparency through mutual cooperation. This normative
behavior is also applicable to cyberspace. Provided states are willing to share information
regarding their cyber capabilities, uncertainty can be reduced in a similar manner. However, as
previously discussed, states have an incentive to conceal their cyber capabilities.
5.)Espionage)Norms)
Finally, in addition to the Law of War and international agreements, norms consensus can be
built around espionage norms. Interestingly, domestic laws punish espionage in almost every
state but espionage does not violate international law.148
There are however, normative
frameworks that govern espionage activities in the physical domain. Historically, state-state
espionage activities led to the creation of rules, limits, and in some situations punishments for
violators.149
Espionage in cyberspace is much different from its traditional counterpart; a cyber
spy can collect information from anywhere. Therefore, while there is a foundational framework
for creating norms for cyber warfare, no such foundation exists for cyber espionage, and the
relative safety and acceptance of espionage may allow cyber espionage to become the accepted
norm.
Assuming cyber espionage requires that one consider what espionage targets are
acceptable. For example, China and Russia have an increasing interest in economic secrets and
have been conducting operations against the U.S. economy. This was evidenced by the
discussion between President Obama and Chinese President Xi Jinping in 2013 about the theft of
intellectual property.150
This discussion implies that it is possible to create a wedge between
national security espionage and commercial espionage. In May 2014, the U.S. Department of
Justice took a bold stance towards this goal by indicting five Chinese hackers connected to the
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
145
Ibid.
146
“New START,” U.S. Department of State, http://www.state.gov/t/avc/newstart/index.htm.
147
Ibid. According to the State Department, “Type One inspections focus on sites with deployed and non-deployed
strategic systems; Type Two inspections focus on sites with only non-deployed strategic systems. Permitted
inspection activities include confirming the number of reentry vehicles on deployed ICBMs and deployed SLBMs,
confirming numbers related to non-deployed launcher limits, counting nuclear weapons onboard or attached to
deployed heavy bombers, confirming weapon system conversions or eliminations, and confirming facility
eliminations. Each side is allowed to conduct ten Type One inspections and eight Type Two inspections annually.”
Ibid.
148
Ian Wallace, “The Military Role in National Cyber Security Governance.” Opinion. Brookings Institution,
December 16, 2013. Electronic theft of intellectual property is widely viewed as a significant challenge to
cybersecurity. Many scholars also consider intellectual property theft to be one of the greatest challenges to national
security. Ibid.
149
Nye, "The Regime Complex for Managing Global Cyber Activities," 10.
150
Ibid.

38
! ! !
People’s Liberation Army accusing them of economic espionage.151
This calculated action
suggests the U.S. is drawing a boundary for accepted cyber espionage.152
It is unlikely a tit-for-
tat response will alleviate the problem of espionage in the cyber domain, even though such
maneuvers were effective in establishing espionage norms during the Cold War. The most
effective process to reach a solution will be bilateral and multilateral discussions regarding cyber
espionage.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
151
United States Department of Justice, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against
U.S. Corporations and a Labor Organization for Commercial Advantage,” Department of Justice, May 19, 2014.
152
Ellen Nakashima, “Indictment of PLA Hackers is Part of a Broad U.S. Strategy to Curb Chinese Cyberspying.”
The Washington Post, May 22, 2014.

39
! ! !
Part!IV:!Recommendations!for!USCYBERCOM!
•! Cyber deterrence requires a combination of offensive and defensive capabilities and
norms.
Given the difficulties presented by the cyber domain to deterrence, successfully deterring
attacks will require a strategy that employs both punishment and denial. Such a strategy requires
both offensive and defensive capabilities; however, capabilities are not enough to block all the
threats facing the United States, nor is a focus on capabilities alone a cost effective solution to
the complex problem of cyber deterrence. Additionally, there is an ever-present credibility
problem in deterrence. To address these weaknesses and ease the material and financial burden
they place on the United States, the development and application of norms to the cyber realm is
necessary. Therefore, the best way forward in addressing the cyber deterrence problem is a
combination of defensive capabilities, offensive capabilities, and norms to fill the capabilities
gaps.
•! Defensive capabilities are sufficient to address the vast majority of threats in
cyberspace.
The United States faces a variety of cyber threats, but very few can cause significant
damage. Defensive capabilities should be adequate to address the vast majority of those threats.
The actors who pose these lower-level threats tend to be the hacktivists, criminal organizations,
terrorist organizations, and other non-state actors. While these actors possess capabilities, they
generally cannot launch the type of attacks that are the most destructive to the United States. As
these actors’ targets tend to be less complex, it is easier to build redundancies, resiliency, and
improve physical security through simple user cyber hygiene. While low-level actors are difficult
to deter, building and maintaining robust cyber defenses should be adequate to deter some
attacks, block others and limit damage on any attacks that manage to make it through.
•! However, strictly defensive capabilities will not stop the most capable of actors.
While defense is adequate to handle the lower level threats, defensive capabilities alone
will not stop the upper echelon of actors. This minority of actors presently consists solely of
highly capable states, though non-state actors could eventually reach this threat level. These
actors are the most capable and the most determined. If they desire to attack, they possess the
capability to find holes and get through defenses. These actors also target high-importance
targets, such as critical infrastructure. At this level of capability, defense is no longer enough and
offensive capabilities are necessary in order to deter these actors through the threat of
punishment.

40
! ! !
•! Cross-domain responses are required in cyberspace.
Throughout the history of warfare, there has existed a constant back-and-forth between
offensive and defensive capabilities. Whenever an offensive capability is revealed, defensive
capability to counter that threat is eventually developed, though at varying speeds. In this
regard, cyber weapons are like weapons in other domains. However, the time required to
build defenses against a specific cyber weapon is much shorter. Because these munitions are
so specific, an adversary only has to block a vulnerability or patch an exploit to render the
munition worthless.
Therefore, offensive cyber capabilities are difficult to reveal in the conventional sense.
The true capabilities of offensive cyber weapons are unlikely to be fully revealed otherwise
defenses will quickly be developed reducing any advantage such an offense weapon may
possess. Cyber-only punishment requires extrapolation and assumption by the opponent. When
you rely on the opponent to make judgments about your capabilities, miscalculation can occur,
then escalation. Escalation is difficult to manage when attempting to deter these states through
strictly cyber means.
This highlights a limitation that is prevalent in the cyber discourse: the tendency to view
cyber deterrence through a cyber-only lens. In order to deter the most serious attacks facing the
United States, cross-domain responses are necessary. It must be communicated to potential
adversaries that they will be punished for attacks against critical-infrastructure targets through
whatever means the U.S. deems necessary, whether economic, political, and/or military in
nature. These are capabilities which really do not need demonstration as the world is well aware
of the economic, political, and military capabilities the United States possesses. The only
question remaining is how to make such threats credible.
•! Norms are necessary to make cross-domain threats credible.
In order to make a cross-domain punishment threat credible, norms are necessary. Norms
establish generally accepted thresholds and the right to respond when those thresholds are
crossed. The right to respond need not specify a particular domain for that response but it should
be proportional. There will always be questions surrounding the idea of what is proportional but
the existence of international norms helps mitigate this problem through international buy-in.
The natural response to this recommendation is to ask what norms are necessary for such
a strategy and how norms are created. Norm creation is a difficult process, requiring generations
to be established. Therefore, to establish norms in the short term, they must be based upon
existing expectations of behavior. States like China and Russia are unlikely to embrace the
multistakeholder governance model championed by the United States or the maintenance of a
free and open Internet. These ideas are seen as national security threats to those regimes and are
simply not obtainable. Despite this, they may be more open to the idea of norms like the idea that
attacks on critical infrastructure will not be tolerated, which arguably already exists.

41
! ! !
Admiral Michael Rogers, the Commander of USCYBERCOM and the Director of the
National Security Agency, recently argued that, “when you look at the application of cyber as an
offensive tool, it must fit within a broader legal framework -- the law of armed conflict,
international law, the norms we have come to take for granted… in the application of kinetic
force.”153
It can be argued that the Law of Armed Conflict and the Law of War are assumed to
apply to cyberspace and that in many ways, those principles already govern actions in
cyberspace. Given that the law of armed conflict and international law are assumed to apply to
cyberspace, the best opportunity for a cyber deterrence strategy for the U.S. lies in the promotion
of a simple and concise normative framework that relies on the explicit recognition of four pre-
existing norms that, if violated, allow the U.S. (through USCYBERCOM) to respond to threats,
attacks, or all out cyberwar. This 4-Point Norms Plan permits offensive actions if states engage
in activities that violate these norms. The four norms included in the plan are:
1.! States shall not attack another state’s civilian critical infrastructure. The
Department of Defense 2015 Cybersecurity Strategy assumes that during a
conflict, adversaries will seek to attack critical infrastructure.154
Analysts have
argued that critical infrastructure should be viewed as “common resources” thus
justifying its defense through offensive measures.155
The Executive Branch’s
International Strategy for Cyberspace echoes these claims: “[d]igital
infrastructure is increasingly the backbone of prosperous economies… Critical
life-sustaining infrastructures that deliver electricity and water, control air traffic,
and support our financial system all depend on networked information
systems.”156
The interconnectedness of these infrastructures justifies U.S. action
to prevent interference by malicious actors.
2.! States possess the right to respond to “grave and imminent” dangers. Article
34 of The International Law Commission’s Draft Articles on State Responsibility
stipulates that such a response must be “immediate and incapable of being
countered by other means.”157
These actions, taken out of “necessity” do not
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
153
Cheryl Pellerin, “Rogers Discusses Cyber Operations, ISIL, Deterrence,” United States Department of Defense.
March 2, 2015, accessed April 11, 2015,
http://www.defense.gov/news/newsarticle.aspx?id=128278http://www.defense.gov/news/newsarticle.aspx?id=12827
8. See also, Henry Farrell, “Why It’s so Hard to Create Norms in Cyberspace,” Washington Post, April 6, 2015,
accessed April 11, 2015, http://www.washingtonpost.com/blogs/monkey-cage/wp/2015/04/06/why-its-so-hard-to-
create-norms-in-cyberspace/?wpisrc=nl_cage&wpmm=1.
154
U.S Department of Defense, “The DoD Cyber Strategy,” 2.
155
Jamal Henry, “Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure through
International Norms and Agreements,” Digital Repository at the University of Maryland (2010), 25,
http://cissmdev.devcloud.acquiasites.com/sites/default/files/papers/reducing_the_threat_of_statetostate_cyber_attack
_against_critical_infrastructure__120910.pdf.
156
National Security Council, International Strategy for Cyberspace, 9.
157
See Article 34, United Nations. International Law Commission, The International Law Commission’s Draft
Articles on State Responsibility (Leiden: Martinus Nijhoff Publishers, 1991), 369.

42
! ! !
violate international legal regimes and serve as a foundational pillar of
international norms.158
3.! States shall only respond in a manner that is reasonable and proportional to
the cyber threat. This norm, although not explicit, is generally accepted as a
principle of acting in self-defense.159
4.! States must clearly communicate justifications for acting offensively in
response to malicious cyber activities by other states. This communication
must convey that the failure to cease a certain behavior will be met with a
response from the United States potentially in a cross-domain fashion to be
determined by the specific circumstances surrounding such an attack.
•! The U.S. should continue to advocate for the multistakeholder governance model.
This 4-Point Norms Plan represents the intersection between the multistakeholder
governance model and the sovereignty-based governance model. The multistakeholder
governance model, proposed by the U.S. Department of State, advocates keeping cyberspace free
and open and enabling both the private and public sector to have active input regarding
governance. The sovereignty-based model is more state-centric and would allow individual states
to govern their own corner of cyberspace and regulate it as they see fit. This latter model has the
potential to facilitate censorship of government opposition groups. These significant differences
in principles between these two approaches have the potential to delay the establishment of
international consensus for cyberspace. The U.S. should continue to advocate for the
multistakeholder model and an open Internet for the long-term. However, in the short-term, we
have chosen norms that benefit states on both sides of the debate and that have a greater chance
of reaching consensus. Thus, these norms are reasonable for states and stakeholders and will
ensure more clarity and stability for the United States. Moreover, provided this plan is adopted,
the U.S. will possess an effective deterrent strategy for operating in cyberspace.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
158
Ibid.
159
Article 57(4). “Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the
Protection of Victims of International Armed Conflicts (Protocol I), June 8, 1977,” International Committee of the
Red Cross, accessed May 1, 2015, https://www.icrc.org/ihl/WebART/470-750073?OpenDocument.
In the conduct of military operations at sea or in the air, each Party to the conflict shall, in conformity with its rights
and duties under the rules of international law applicable in armed conflict, take all reasonable precautions to avoid
losses of civilian lives and damage to civilian objects. Ibid. See also, Michael N. Schmitt, “Precision Attack and
International Humanitarian Law,” International Review of the Red Cross 87, no. 859 (2005): 445-66. 461; Article 51
UN Charter, http://www.un.org/en/documents/charter/chapter7.shtml; Anthony Arend, “International Law and the
Preemptive Use of Military Force,” The Washington Quarterly, (Spring 2003): 96; Scott J. Shackelford, Managing
Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge: Cambridge
University Press, 2014), 294 and Catherine Lotrionte, “State Sovereignty and Self-Defense in Cyberspace: A
Normative Framework for Balancing Legal Rights,” Emory International Law Review 26, no. 2 (2012): 892.

43
! ! !
Appendix!1:!Subject!Matter!Expert!Interview!List!
The authors of this report would like to thank the below experts for their time and for sharing
their invaluable insight into issues surrounding cyber deterrence, norms, and governance.
Dmitri Alperovitch, Co-Founder, CrowdStrike, Inc.
Neil Chanowski, Deputy Foreign Policy Advisor, USCYBERCOM
Robert Chesney, J.D., University of Texas – Austin
Danny W. Davis, Ph.D., Texas A&M University, The Bush School of Government and Public
Service
Chris C. Demchack, Ph.D., U.S. Naval War College
Roger Hurwitz, Ph.D., Massachusetts Institute of Technology
Andrew F. Krepinevich, Ph.D., President, Center for Strategic and Budgetary Assessments
Martin Libicki, Ph.D., RAND Corporation
Herbert Lin, Ph.D., Stanford University, Center for International Security and Cooperation
John H. Lindsay, Ph.D., University of California – San Diego, Institute on Global Conflict and
Cooperation
Michelle Markoff, Deputy Coordinator for Cyber Issues, Office of the Coordinator for Cyber
Issues, U.S. Department of State
Michael Schmitt, J.D., U.S. Naval War College
Gregory B. White, Ph.D., University of Texas – San Antonio, Director for Center for
Infrastructure Assurance and Security (CIAS)

44
! ! !
Appendix!2:!Crisis!Stability!in!Cyberspace!
One of the prominent concepts in the realm of nuclear deterrence is that of crisis stability.
The term refers to the degree to which one state has an incentive to launch a first strike, thereby
ensuring a better outcome in an imminent conflict. A situation in which neither side would
benefit from striking first is considered crisis-stable; likewise, one in which a considerable first-
strike advantage exists is considered crisis-instable.
A crisis, however, is much simpler to conceptualize in the nuclear realm. Tensions rise,
units are mobilized, and bombers are fueled and loaded. The political and military elements of a
crisis are quite evident, and the result can look something like the Cuban Missile Crisis.
However, key differences exist in the cyber realm. The political aspect still exists between state
adversaries, but no mobilization signals preparation for a cyber attack. Indeed, secrecy is
paramount in the cyber realm. Given that cyber capabilities are often concealed, what constitutes
a crisis in cyberspace?
Martin Libicki takes a fairly limited view of cyber crisis. He describes it as “an event or
events that force a state to take action in a relatively short period or face the fraught
consequences of inaction.”160
While the events he envisions are broader than his definition may
seem, including things such as a key power in cyberspace (such as a country like China or
Russia, which has significant cyber capability and wields considerable clout) withdrawing from
United Nations negotiations on establishment of rules for the cyber road,161
his conceptualization
requires a trigger. This trigger is a concrete indicator, similar to mobilizations in the nuclear
realm. However, one could reasonably question whether or not this concept truly captures the
full spectrum of potential crises in cyberspace.
The previously mentioned early-strike advantage creates a form of crisis instability that is
not present in the first definition. Even without a distinct trigger, an actor may sense a need to
launch a cyber attack before the cyber munition can be defended against. While this early-strike
advantage is present in all situations, it may have a greater effect in times of crisis. When conflict
seems likely, an actor’s calculus on whether or not to launch an attack may shift.
This is not to say, however, that Libicki’s “trigger” definition is inadequate. Indeed, it
captures crises that may arise solely because of an action that was intended with relatively
benign designs. Libicki and Gompert describe a scenario in which cyber espionage is mistaken
as an attempt to degrade a network in preparation for a kinetic attack.162
In this case, no cyber
attack is waged (regular espionage is generally tolerated, and that norm currently extends to the
cyber realm163
), yet the possibility for misperception and resultant escalation could easily be
considered a crisis. Of course, a detected incursion may actually be an attempt to prepare the
battlespace, in which case mistaking the intent of the incursion may have far more disastrous
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
160
Martin Libicki, Crisis and Escalation in Cyberspace (Santa Monica: RAND Corporation, 2012), 1.
161
Libicki, Crisis and Escalation in Cyberspace, 5.
162
Gompert and Libicki, “Cyber Warfare and Sino-American Crisis Instability,” 13.
163

45
! ! !
consequences. The presence of a trigger event creates a difficult crisis of decision-making in
which mistakes can yield serious costs.
Perhaps the most concise definition of crisis stability comes from examination through
the lens of game theory. Glenn Kent and David Thaler, also of RAND, wrote in 1989 about first-
strike stability in the nuclear realm, but the concepts used apply to cyber war as well.164
Kent and
Thaler make the assumption that if an actor (in their case, either the United States or the Soviet
Union) attacks first, the other will surely retaliate with whatever capabilities remain. Therefore,
each has a cost associated with attacking first or second. If the ratio of the costs of going second
to going first is close to one, the system is stable because neither has incentive to attack first.165
This first-or-second dichotomy can also be represented as an attack-or-wait dichotomy; an actor
cannot unilaterally decide to act second, but has to wait and see if its adversary attacks first. Kent
and Thaler differentiate between first-strike instability and crisis instability, the latter of which
may arise from factors such as “psychological stress, ambiguous or incorrect information,
erroneous assessments of enemy intent, miscalculation, and misperception” while the former is
solely a function of force postures.166
All of these conceptualizations raise important issues that should be considered when
discussing cyber conflict. However, a unified concept of cyber crisis that includes the strongest
elements of each would be helpful in assessing crisis stability in cyberspace. Consider the
following: A cyber crisis occurs between two states when political tensions rise to the degree that
kinetic conflict seems likely but not imminent. In this conceptualization, there is no need for a
distinct trigger event, though such an event is not precluded. The attack-or-wait choice is also
present for both actors. The requisite political tensions in this concept also account for the
different types of actors with cyber capabilities. A Chinese incursion in the United States’ critical
infrastructure could very well be considered a crisis, while an incursion from Uruguay might not.
The next question, now that a definition of cyber crisis has been established, is whether
the domain is crisis-stable or crisis-instable. If cyberspace is offense-dominant, as many seem to
assume it is, it is likely crisis-instable as well. The difficulty of attribution means an attacker may
feel he can likely escape undetected, and the early-strike advantage emphasizes attacking over
waiting. When the perceived costs of attacking first (unlikely detection) are lower than the costs
of attacking second (possible obsolescence of the cyber weapon), cyber attacks may start flying
very quickly in a crisis.
However, as previously discussed, these assumptions are open to challenge. Attribution is
not impossible, meaning no actor can be absolutely sure that they will not be detected.
Furthermore, one crucial difference between the nuclear and cyber domains is particularly salient
here: the possibility of disarming an opponent by striking first does not exist in cyberspace.
Martin Libicki argues that only four inputs are necessary to carry out cyber warfare: clever
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
164
Glenn A. Kent and David E. Thaler, First Strike Stability: A Methodology for Evaluating Strategic Forces (Santa
Monica: RAND Corporation, 1989).
165
This game is most concisely described in a paper from the Naval Postgraduate School, which explicitly considers
the concept in cyber. Schramm et al., A Game Theoretic Model of Strategic Conflict in Cyberspace.
166
Kent and Thaler, First Strike Stability, 2.

46
! ! !
hackers, intelligence on the target's operations and vulnerabilities, a computing device, and
network connections.167
A cyber attack could only take the latter two offline, and then only
temporarily. Even if an offensively purposed computer were attacked, in the worst case, it would
need to be rebooted, restored to factory settings, or replaced. “If a first strike cannot disarm its
intended target, there is no advantage to going first: when the cyberdust clears, the attacker is no
better off than before, even relative to its foe. Indeed, it may be worse off a week later.”168
For these reasons, plus the political tensions inherent in a crisis as defined here,
cyberspace is largely crisis-stable. If a state were to desire to launch a cyber first strike, there
would likely be no chance of disarmament and no guarantee of evading detection. If it decided to
launch the first strike, despite the chance of being detected, it could risk a retaliatory cyber attack
or cross-domain response, potentially escalating the conflict.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
167
Martin C. Libicki, “The Nature of Strategic Instability in Cyberspace,” Brown Journal of World Affairs 18, no. 1
(2011): 73.
168
Libicki, “The Nature of Strategic Instability in Cyberspace,” 73.

47
! ! !
Appendix!3:!Cyberspace!Escalation!Dynamics!
Escalation, as a series of interactions between actors, has multiple causes and different
dimensions. The causes of escalation range along a spectrum of intentionality, from accidental to
deliberate. Between these two extremes lie inadvertent and catalytic escalation. These four
mechanisms at any given point may operate individually or simultaneously and in either a
horizontal or vertical fashion to produce escalation dynamics. While all of these mechanisms can
produce escalation risks, the policies required to mitigate them vary.
Accidental escalation can occur in two ways. First, it may be a pure accident and a
“consequence of events that were not intended in the first place.”169
Second, it can “occur when
some operational action has direct effects that are unintended by those who ordered them.”170
In
kinetic operations, bombs may land off target and frontline units may accidentally cross
geographic or political boundaries, leading to escalation. In cyber space the risk of accidental
escalation is most likely due to the latter. Individual cyber operators may act on their own
accord, perhaps misinterpreting directions from their superiors, and start an escalatory conflict.
Inadvertent escalation “occurs when a combatant’s intentional actions are unintentionally
escalatory, usually because they cross a threshold of intensity or scope in the conflict or
confrontation that matters to the adversary but appears insignificant or is invisible to the party
taking the action.”171
In kinetic operations, a state may trigger inadvertent escalation by striking
new targets for purely operational purposes that the target state views as an expansion of the
conflict. Operations outside of, but near, an adversary’s home territory may require suppression
of air defense networks, resulting in strikes on that adversary’s territory. In cyber space, the risks
of inadvertent escalation stem from unpredicted effects of cyber operations. Attempts to disrupt a
single computer, or network, may spread beyond the initial target, as did the Stuxnet worm.
Although it was never intended to leave the Natanz enrichment facility’s air-gapped network, an
error in the Stuxnet code caused it to self-replicate and spread to the internet once an infected
computer was taken from the facility.172
Vincent Manzo poses insightful hypothetical questions
about what the consequences of this could have been if the destruction was serious enough:
“Would Iran have retaliated via terrorist attacks or conventional weapons? Would widespread
damage to Iranian civilian infrastructure have weakened international support for sanctions?
How would other countries have reacted if Stuxnet damaged their infrastructure, especially once
they discovered who created the worm?”173
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
169
Forrest E. Morgan et al., Dangerous Thresholds: Managing Escalation in the 21st
Century (Rand Corporation,
2008), 26.
170
Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly 6, no.
3 (2012): 53.
171
Morgan et al., Dangerous Thresholds, 23.
172
For more on Stuxnet, see David E. Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of
American Power (New York: Crown, 2012).
173
Vincent Manzo, “Stuxnet and the Dangers of Cyberwar,” The National Interest, January 29, 2013.

48
! ! !
Catalytic escalation “occurs when some third party succeeds in provoking two parties to
engage in conflict.”174
Escalation of this nature could conceivably, though improbably, happen if
a third party was to conduct a WMD attack on one state with material from a second state. If the
victim state were to attribute the attack to the uninvolved state, resulting in a conflict, then
catalytic escalation would have been successfully triggered by the third party. In the cyber realm,
a non-state actor or third party state, through proxy servers and botnets, can mask the origin of a
cyber attack and implicate another state.
Deliberate escalation “occurs when the actions of a state cross an escalatory threshold in
a conflict or confrontation more or less intentionally.”175
This is because states may perceive the
benefits from escalation outweigh the costs. They may also believe that they can exercise
‘Escalation Dominance’ over their adversary.176
Operational benefits may include escalating to a
level where the state has an asymmetric advantage and escalating geographically to overstretch
the adversary. Deliberate escalation may also be used to signal commitment. As Thomas
Schelling explains, “Breaking the rules is more dramatic, and communicates more about one’s
intent, precisely because it can be seen as a refusal to abide by rules.”177
Horizontal escalation refers to “expanding the geographic scope of a conflict.”178
A
historical example would be U.S. operations into Cambodia during the Vietnam War. While this
was seen by the U.S. as undertaking operations in a territory already used by the adversary, it
was perceived at home and abroad as highly escalatory. In cyberspace, horizontal escalation is
both more likely and less consequential. It is more likely because “It is difficult to know who is
not a combatant in cyberspace at any point in time” and it is less consequential because “the
entry of others may not matter nearly as much as it does in conventional conflict, in which
numbers matter.”179
This point is highlighted in the case of the suspected Iranian cyber attack on
Saudi Aramco and RasGas in retaliation for the alleged U.S. and Israeli Stuxnet attack on the
Natanz enrichment facility.180
Vertical escalation refers to “an increase in the intensity of armed conflict or
confrontation.”181
In kinetic warfare this could be the introduction of a more destructive weapon
or delivery system, or expanding target sets to include locations more critical to the adversary. In
cyberspace this could be an escalation from “taking down a single military or commercial
system… [to] isolating a nation’s leaders from their forces…or shocking the economy.”182
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
174
Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” 53.
175
176
On escalation dominance, see Herman Kahn, On Escalation: Metaphors and Scenarios (New York: Praeger:
1965).
177
Thomas Shelling, Arms and Influence (New Haven: Yale University Press, 1966), 150-151.
178
Morgan et al., Dangerous Thresholds, 18
179
180
Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” The New York Times, October 23,
2012, http://nyti.ms/1A1ljkf accessed, April 4, 2015.
181
182
Lawrence J. Cavaiola, David C. Gompert, and Martin C. Libicki, “Cyber House Rules: On War, Retaliation and
Escalation,” Survival 57, no.1 (2015): 83.

49
! ! !
Some policymakers may be tempted by the objective of escalation dominance. Since
today we are “[in] an era in which the United States has achieved unprecedented military
preeminence, it is seductively easy to regard escalation as a problem of the past and to focus on
escalation as a potential coercive lever but not a dangerous possibility requiring attentive
management.”183
However, once escalation dynamics take hold, the original political motives for
a conflict may become subsumed by misinformation, anger, and fear. What was once a limited
conflict, over limited objectives, may become an end unto itself. The ability to potentially
dominate escalation does not reduce the value of escalation management. For this reason, it is
important to determine the conditions under which escalation can be managed.
Proportionality of response is key to creation of conditions under which escalation can be
managed. While there are legal, normative, and ethical reasons for responding to an attack ‘in-
kind,’ it also has a dampening effect on escalation dynamics. As Schelling explains
proportionality, “To relate the reaction to the original action, to impose a pattern of events,
probably helps to set limits and bounds. It shows a willingness to accept limits and bounds. It
avoids abruptness and novelty of a kind that might startle and excessively confuse an opponent.
It maintains a sense of communication, of diplomatic contact, of a desire to be understood rather
than misunderstood.184
This however, doesn’t mean that adversaries will have the same
perspective on what entails proportionality. Perceptions of proportionality occur in the minds of
state leaders; as such, cultural, historical, and organizational influences must be considered for
each potential state adversary. It can not be assumed that the way one state perceives
proportionality is the same as all others.
Threshold creation and norm development is a complex field and largely poorly
understood. It is, however, possible to recognize certain general norms and thresholds emerging
in cyber space. This includes not causing casualties and not attacking civilian critical
infrastructure. Thomas Rid notes that a cyber attack that takes a life is yet to occur.185
These are
norms that have emerged in peacetime and may not hold in a time of war between major powers,
where one or both sides may perceive incentives for crossing these thresholds. It is particularly
important to uphold these norms even in the absence of significant conflict or crisis. This is
because the stakes in any existing cyber conflict don’t merit escalation beyond these thresholds
and they preserve a red line that the U.S may later wish to cross in a conflict to signal resolve,
and enhance deterrence.
Accidental escalation prevention today can prevent dangerous escalation dynamics
tomorrow. Creating an effective cyber command and control system would help mitigate the
risks of individuals or lower level units conducting attacks without authorization. An effective
cyber command and control system would not only “not have the freedom to escalate, but [lower
level units] would also require additional authority to conduct attacks that could cause collateral
damage and thus lead to either vertical or horizontal escalation.”186
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
183
184
Schelling, Arms and Influence, 149.
185
Rid, “Think Again: Cyberwar.”
186
Cavaiola, Gompert, and Libicki, “Cyber House Rules On War, Retaliation and Escalation.” 92.

50
! ! !
Cyberspace is particularly prone to inadvertent escalation, due to the complex and
interconnected nature of networks and the services they host. A cyber attack with a specific
objective, and with ‘tit-for-tat’ intentions, may create unanticipated effects that the adversary
perceives as escalatory. Caution before undertaking offensive cyber operations, and detailed
knowledge of adversary networks and linkages are necessary to mitigate the risks of U.S.-caused
inadvertent escalation. It must also be remembered that inadvertent escalation caused by
adversaries “Cannot be deterred, because it is not the result of decision-makers choosing to
escalate but, rather, failing to realize there is a choice to be made… To reduce the risk of
inadvertent escalation, the adversary does not need to be frightened but, instead enlightened.”187
Successful catalytic escalation requires attribution of cyber attacks to be both difficult
and easy. A third-party state seeking to instigate a conflict between the U.S. and another state,
must feel assured that attribution is so difficult that it, the third-party state, won’t be linked to the
cyber attack and face retaliation from the victim of its attack. However, at the same time it must
feel able to create false evidence of an attack that the victim of its attack will attribute to another
state. Demonstrating that the U.S. is able to attribute major cyber attacks to their perpetrator will
deter states from attempting catalytic and other types of cyber attacks, because it reduces the
perceived benefits of the attack.
In articulating a strategy to manage deliberate escalation, it is important to remember the
incentives states have to escalate. Managing the risk of a U.S. adversary deliberately escalating
falls into the realm of deterrence. It requires the U.S. to sufficiently manipulate an adversary’s
cost-benefit analysis so the adversary calculates the costs of an attack will outweigh the benefits.
If the goal of escalation management is to prevent tensions from erupting into war, there
is a narrow window where managing cyber escalation is both needed and possible. This is in a
crisis, where political tensions have created an international environment where previously minor
incidents can spark escalation and war. Before this period, during peacetime, escalation
management is possible, but not required. Cyber conflict occurs at low levels, but peacetime
norms of not causing casualties attacking civilian critical infrastructure are in effect. After a
crisis period, wartime, escalation management is needed but not likely. The observed norms of
peacetime are ignored and cyber attacks and escalation dynamics become meshed with
conventional warfare and are difficult or impossible to manage.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
187
Ibid.

51
! ! !
Appendix!IV:!About!the!Authors!
Michael Bertoli graduated from Texas A&M University with degrees in Biochemistry and
Genetics, and conducted his undergraduate research in viral genomics. He then ran the
geochemistry laboratory aboard R/V JOIDES Resolution for almost five years. His studies at the
Bush School centered on deterrence, intelligence, and military and policy affairs. He also studies
Persian.
Joe Brewer graduated from Dallas Baptist University in 2006 with a degree in Philosophy and
Biblical Studies. In July 2007, he joined the United States Army and served as an intelligence
analyst and non-commissioned officer until September 2012. He served in leadership positions
for over 20 months in South Korea and Iraq and he is currently serving in the Texas Army
National Guard while completing his Master of International Affairs at the Bush School.
Julie A. Cropper earned a dual Bachelor of Arts in Middle Eastern Studies and Government
from the University of Texas in 2009. She has extensive Arabic language training, including in
Syrian and Egyptian dialects. In 2014, she was awarded a Critical Language Scholarship from
the U.S. Department of State to further study Arabic in Morocco. Prior to graduate school, Julie
served for five years as an active duty U.S. soldier in the Army Band and has participated in
charity work to help rebuild Haiti after its 2010 earthquake. Julie is a 2015 Presidential
Management Fellows Program finalist.
Andrew Ericson is from Dallas, Texas and earned a Bachelor of Arts in History from Texas
A&M University in 2012. At the Bush School, Andrew studied nuclear deterrence and military
policy. He was awarded a full-tuition scholarship through the Robertson Foundation and he was
a graduate research assistant to international relations theorist Dr. Christopher Layne. Andrew
has previous internship experience at Los Alamos National Laboratory, where he studied the
nuclear doctrine of the Russian Federation.
Gregory Holm will earn a Master of International Affairs from the Bush School of Government
and Public Service at Texas A&M University in 2015. Prior to attending the Bush School,
Gregory worked as an attorney in Iowa, where he specialized in criminal, family, and tax
law. Gregory attended the Hamline University School of Law in St. Paul, Minnesota and passed
the Iowa Bar Exam after graduating in 2012. Gregory attended the University of Iowa and
earned his Bachelor’s Degree in International Studies and French in 2009.
Kyle Fowler is from the Tampa, Florida area. He completed his undergraduate studies at Florida
State University, earning degrees in chemical science and international affairs. While there, he
participated in a study abroad trip to Istanbul, Turkey. He was awarded a Robertson Fellowship,
a competitive full-tuition scholarship, and he worked as a graduate research assistant to Dr.
Charles Hermann, who served on the National Security Council under Dr. Henry Kissinger. At
the Bush School, Kyle focused his studies on nuclear security. He has internship experience with
the Government Accountability Office and has worked for the Florida Department of Law

52
! ! !
Enforcement. He will begin a fellowship at the National Nuclear Security Administration in
2015.
Matthew Mascoe has focused his studies at the Bush School on issues surrounding intelligence
and diplomacy, with a particular interest in transnational security issues. He earned a Bachelor of
Arts from Florida State University in 2012, majoring in International Affairs with a minor in
Economics. He has accepted an offer for a position at the U.S. Department of State in the Bureau
of Diplomatic Security.
Robert McDyre will graduate with a Master’s Degree in International Affairs at the Bush
School of Government and Public Service at Texas A&M University in 2015. He graduated cum
laude from the University of Pittsburgh with a Bachelor of Science in Psychology and a minor in
Administration of Justice in 2012. While at the University of Pittsburgh, he captained the
University’s ice hockey team. Prior to beginning his Master’s Degree at the Bush School, he
was employed as an Investigator for the Montgomery County Detective Bureau in Montgomery
County, Pennsylvania.
Kristina Miller earned a Bachelor of Arts in English Literature and History from the University
of Virginia in 2005. She has almost a decade of experience in communications in New York,
where she worked primarily as a book publicist at Random House and Hyperion Books. She has
worked closely with authors such as Salman Rushdie, Maya Angelou, and David Brooks, as well
as on a book by the Rolling Stones, for their 50th
anniversary. Kristina grew up partly abroad and
has lived in Italy, Germany, Turkey, and Finland. Her graduate studies focused on diplomacy,
intelligence, and critical infrastructure protection.
John J. Walter graduated summa cum laude from Cleveland State University in December 2012
with a Bachelor of Arts in International Relations and a minor in Middle Eastern Studies. He
was selected as a College of Liberal Arts and Social Sciences Scholar and was a finalist for
selection as college valedictorian. John has studied Arabic at the University of Jordan and the
Middlebury Summer Arabic Language School. He has nine years of experience in the legal
field, having worked as a contract paralegal for the Department of Health and Human Services.
At the Bush School and as a graduate research assistant to Dr. Jasen J. Castillo, John focused his
research on nuclear deterrence, nuclear technology, international security studies, and military
affairs. In June 2015, he will begin interning at the Pentagon in the Office of the Deputy
Assistant Secretary of Defense for Nuclear Matters.

53
! ! !
Bibliography!
"APT 1: Exposing One of China’s Cyber Espionage Units." Mandiant. January 1, 2013. Accessed April 23, 2015.
http://intelreport.mandiant.com/.
Arend, Anthony C. "International Law and the Preemptive Use of Military Force." 26, no. 2 (2003).
"Article 51 UN Charter." Charter of the United Nations. Accessed April 23, 2015.
http://www.un.org/en/documents/charter/chapter7.shtml.
Article 57(4). “Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of
Victims of International Armed Conflicts (Protocol I), June 8, 1977,” International Committee of the Red
Cross, accessed May 1, 2015, https://www.icrc.org/ihl/WebART/470-750073?OpenDocument.
"BAE Systems Applied Intelligence Unveils Extent of Venomous Nature of ‘Snake’ Operation." Article. Accessed
April 23, 2015. http://www.baesystems.com/article/BAES_165734/bae-systems-applied-intelligence-
unveils-extent-of-venomous-nature-of-‘snake’-operation/.
Bennett, Cory. “China Suspends Rollout of Controversial Cyber Rules,” The Hill, March 30, 2015, accessed April 2,
2015 via http://thehill.com/policy/cybersecurity/237380-china-suspends-portion-of-controversial-cyber-
rules.
Bolton, John. Testimony to the House International Relations Committee, March 30, 2004,
Broadhurst, Roderic. "Organizations and Cyber Crime: An Analysis of the Nature of Groups Engaged in Cyber
Crime." International Journal of Cyber Criminology 8:1 (2014): 1-20.
Brodie, Bernard. Strategy in the Missile Age. Princeton, NJ: Princeton University Press, 1959.
Bureau of Nonproliferation, “The Proliferation Security Initiative,” U.S. Department of State, May 26, 2005,
http://2001-2009.state.gov/t/isn/rls/other/46858.htm.
Cavaiola, Lawrence J., David C. Gompert, and Martin C. Libicki. "Cyber House Rules: On War, Retaliation and
Escalation." Survival 57:1 (2015): 83-92.
Chang, Amy. Warring State: China’s Cybersecurity Strategy. Washington, DC: Center for a New American
Security, December, 2014: 1-44.
Chesney, Robert. Interview by Gregory Holm and Robert McDyre, February 18, 2015.
“China’s ‘New Normal’ of Sharpened Control,” China Digital Times, February 2, 2015, accessed February 3, 2015
via http://chinadigitaltimes.net/2015/02/chinas-new-normal-sharpened-control.
Clarke, Richard A., and Robert K. Knake. Cyber War: The Next Threat to National Security and What to Do About
It. New York: Ecco, 2012.
"Connecting Continents for Enhanced Multistakeholder Governance." Internet Governance Forum. September 1,
2014. Accessed April 22, 2015. http://www.intgovforum.org/cms/documents/igf-meeting/igf-2014-
istanbul/308-igf-2014-chairs-summary-final/file.

54
! ! !
Demchak, Chris, and Peter Dombrowski. "Rise of a Cybered Westphalian Age." Strategic Studies Quarterly, (2011):
32-61.
Department of Justice Office of Public Affairs. "Justice News: U.S. Charges Five Chinese Military Hackers for
Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage." U.S.
Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor
Organization for Commercial Advantage. May 19, 2014. Accessed April 23, 2015.
http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-
corporations-and-labor.
"Digital Attack Map." Digital Attack Map. Accessed April 23, 2015. http://www.digitalattackmap.com.
"Doing the ICANN-can." The Economist. March 22, 2014. Accessed April 23, 2015.
http://www.economist.com/news/international/21599385-america-promises-release-its-grip-internets-
phone-bookand-opens-up-debate.
Dunlap Jr., Charles J. "Perspectives for Cyber Strategists on Law for Cyberwar"" Strategic Studies Quarterly
(2011): 81-99.
The Economist. “Doing the ICANN-can,” March 22, 2014,
http://www.economist.com/news/international/21599385-america-promises-release-its-grip-internets-
phone-bookand-opens-up-debate.
Eichensehr, Kristen. "The Cyber-Law of Nations." The Georgetown Law Review 103 (2015): 317-80.
Ermert, Monika. "ITU Plenipotentiary Conference: Internet Governance Diplomacy On Display." Intellectual
Property Watch. November 5, 2014. Accessed April 23, 2015. http://www.ip-watch.org/2014/11/05/itu-
plenipotentiary-conference-internet-governance-diplomacy-on-display/.
Farrell, Henry. "Why It’s so Hard to Create Norms in Cyberspace." Washington Post, April 6, 2015. Accessed April
22, 2015. http://www.washingtonpost.com/blogs/monkey-cage/wp/2015/04/06/why-its-so-hard-to-create-
norms-in-cyberspace/?wpisrc=nl_cage&wpmm=1.
Finnemore, Martha. "Cultivating International Cyber Norms." In America's Cyber Future: Security and Prosperity
in the Information Age, edited by Kristin M. Lord and Travis Sharp, 87-102. Washington, D.C.: Center for
New American Security, 2011.
Freedburgh, Jr., Sydney J. “’Cyberwar’ is Overhyped: It Ain’t War Til Someone Dies,” Breaking Defense,
September 10, 2013, accessed April 27, 2014, http://breakingdefense.com/2013/09/cyberwar-is-over-
hyped-it-aint-war-til-someone-dies/.
Frye, Jason Neal. Cyber Threat Metrics. Albuquerque: Sandia National Laboratories, 2012. 1-39.
Gady, Franz-Stefan. “Japan and Israel to Work Together in Cyberspace,” The Diplomat, January 15, 2015, accessed
April 9, 2015, http://thediplomat.com/2015/01/japan-and-israel-to-work-together-in-cyberspace/.
Gao, Helen. “China Sharpens Its Censorship Blade,” New York Times, February 2, 2015, accessed February 2, 2015
via http://www.nytimes.com/2015/02/03/opinion/china-sharpens-its-censorship-blade.html.
Geers, Kenneth. "The Challenge Of Cyber Attack Deterrence." Computer Law & Security Review 26, no. 3 (2010):
298-303.
Glaser, Charles. Deterrence of Cyber Attacks and US National Security:2011 Developing Cyber Security Synergy.
Washington DC: Cyber Security Policy and Research Institute, 2011.

55
! ! !
Glaser, Charles L. Rational Theory of International Politics the Logic of Competition and Cooperation. Princeton:
Princeton University Press, 2010. 2.
Goldsmith, Jack L., and Tim Wu. Who Controls the Internet?: Illusions of a Borderless World. New York: Oxford
University Press, 2008.
Gompert, David C., and Martin C. Libicki. "Cyber Warfare and Sino-American Crisis Instability." Survival: Global
Politics and Strategy, no. 56:4 (2014): 7-22.
Graham, David E. “Cyber Threat and the Law of War,” Journal of National Security Law and Policy 4, no. 87
(2010): 87-102.
Grigsby, Alex. "Will China and Russia’s Updated Code of Conduct Get More Traction in a Post-Snowden Era?"
Council on Foreign Relations. January 28, 2015. Accessed April 22, 2015.
http://blogs.cfr.org/cyber/2015/01/28/will-china-and-russias-updated-code-of-conduct-get-more-traction-in-
a-post-snowden-era/.
Gvosdev, Nikolas. "The Bear Goes Digital: Russia and Its Cyber Capabilities." In Cyberspace and National Security
Threats, Opportunities, and Power in a Virtual World, 173-189. Washington, DC: Georgetown Univ Press,
2012.
Harris, Shane. @WAR: The Rise of the Military-Internet Complex. New York, New York: Houghton Mifflin
Harcourt., 2014.
Henry, Jamal. "Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure through
International Norms and Agreements." Reducing the Threat of State-to-State Cyber Attack against Critical
Infrastructure through International Norms and Agreements. December 1, 2010. Accessed April 23, 2015.
http://www.cissm.umd.edu/publications/reducing-threat-state-state-cyber-attack-against-critical-
infrastructure-through-0.
Hurwitz, Roger. “An Augmented Summary of The Harvard, MIT and U. of Toronto Cyber Norms Workshop.”
Paper presented at Cambridge, MA, October 19-21 (2011) 1-23.
IHS Jane’s Intelligence Review, “West accuses Russia of cyber-warfare,” IHS Jane’s 360, December 28, 2014,
accessed March 4, 2015, http://www.janes.com/article/47299/west-accuses-russia-of-cyber-warfare.
Ikenberry, G. John. After Victory: Institutions, Strategic Restraint, and the Rebuilding of Order after Major Wars.
Princeton, New Jersey: Princeton University Press, 2001.
International Security Advisory Board. Report on a Framework for International Cyber Stability (2014). Accessed
April 23, 2015 via U.S. State Department website at
http://www.state.gov/documents/organization/229235.pdf.
Janis, Mark W., and John E. Noyes. "Chapter 9: International Law and the Use of Force." In Cases and Commentary
on International Law, 565-688. 3rd ed. St. Paul, MN: West Group Publishing, 2006.
Jensen, Eric Talbot. "Cyber Deterrence." Emory International Law Review 26 (2012): 792-814.
Jervis, Robert. The Meaning of the Nuclear Revolution: Statecraft and the Prospect of Armageddon. Ithaca: Cornell
Jervis, Robert. Perception and Misperception in International Politics. Princeton, N.J.: Princeton University Press,
1976.

56
! ! !
Johnson, Jeannie L. and Matthew T. Berrett, “Cultural Topography: A New Research Tool for Intelligence
Analysis,” Studies in Intelligence 55 (2011): 1-22.
Joint Staff. Joint Publication 1-02 2001: Department of Defense Dictionary of Military and Associated Terms
(2001).
Joint Staff. Cyberspace Operations 3-12 (R) (2013).
Joint Staff. Department of Defense Dictionary of Military and Associated Terms 1-02 (2015).
Kahn, Herman. On Escalation: Metaphors and Scenarios. New York: Praeger, 1965.
Kahn, Herman. On Thermonuclear War. Princeton, N.J.: Princeton University Press, 1960.
Keohane, Robert O. "Global Governance and Democratic Accountability." Spring, 2002. Accessed April 22, 2015.
http://www.lse.ac.uk/publicEvents/pdf/20020701t1531t001.pdf..
Kent, Glenn A., and David E. Thaler. First Strike Stability: A Methodology for Evaluating Strategic Forces. Santa
Monica: RAND Corporation, 1989. 2.
Kshetri, Nir. "Cyberwarfare in the Korean Peninsula: Asymmetries and Strategic Responses." East Asia 31:3 (2014):
183–201.
Lachow, Irving. Active Cyber Defense: A Framework for Policymakers. Washington, DC: Center for a New
American Security, 2013. 1-13.
Libicki, Martin C. Interview by Andrew Ericson, Kyle Fowler, and Kristina Miller, March 6, 2015.
Libicki, Martin C. Crisis and Escalation in Cyberspace. Santa Monica, CA: RAND Corporation, 2012. 1-87.
Libicki, Martin C. Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND Corporation, 2009. 7-52.
Libicki, Martin C. "The Nature of Strategic Instability in Cyberspace." Brown Journal of World Affairs 18:1 (2011):
73.
Lieberthal, Kenneth and Peter W. Singer, “Cybersecurity and US-China Relations,” Brookings Institution (2012),
http://www.brookings.edu/~/media/Research/Files/Papers/2012/2/23%20cybersecurity%20china%20us%
20singer%20lieberthal/0223_cybersecurity_china_us_lieberthal_singer_pdf_english.PDF
Lin, Herbert. "Escalation Dynamics and Conflict Termination in Cyberspace." Strategic Studies Quarterly 6:3
(2012): 53.
Lindsay, Jon. Interview by John J. Walter, Andrew Ericson, and Michael Bertoli, March 17, 2015.
Linkov, Igor, Daniel A. Eisenberg, Kenton Plourde, Thomas P. Seager, Julia Allen, and Alex Kott. "Resilience
Metrics for Cyber Systems." Environment Systems and Decisions, 2013, 471-76.
Lotrionte, Catherine. "“State Sovereignty and Self-Defense in Cyberspace: A Normative Framework for Balancing
Legal Rights." Emory International Law Review 26 (2012): 892.
Lynn III, William J. "Defending a New Domain: The Pentagon’s Cyberstrategy." Foreign Affairs 89:5 (2010).

57
! ! !
Malcolm, Jerry. “Appraising the Success of the Internet Governance Forum.” Multistakeholder Governance and the
Internet Governance Forum. September 12, 2008. Accessed April 22, 2015.
http://www.intgovforum.org/Substantive_3rd_IGF/Jeremy%20Malcolm%20submission.pdf
Manzo, Vincent. "Stuxnet and the Dangers of Cyberwar." The National Interest, 2013.
Masters, Jonathon. "What Is Internet Governance?" Council on Foreign Relations. April 22, 2014. Accessed April
23, 2015. http://www.cfr.org/internet-policy/internet-governance/p32843.
Mazanec, Brian M., and Bradley A. Thayer. Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace.
Basingstoke: Palgrave Macmillan, 2015.
McConnell, Bruce and Savage, John. “Exploring Multi-Stakeholder Internet Governance.” Paper presented at the
annual North American International Cyber Security Summit, Detroit, Michigan, November 17, 2004.
Mearsheimer, John J. Conventional Deterrence. Ithaca: Cornell University Press, 1983.
Mercer, Jonathon. Reputation & International Politics. Ithaca and London: Cornell University Press, 1996.
Modulo, Solutions for GRC. “Cyber Defense & Critical Infrastructure,” accessed April 9, 2015,
http://modulo.com/modulo/wp-content/uploads/2013/09/cyberd-efense-and-critical-infrastructure-apac.pdf.
Morgan, Forrest E. Dangerous Thresholds Managing Escalation in the 21st Century. Santa Monica, CA: RAND
Project Air Force, 2008. 18-42.
Morgan, Patrick M. "Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm." In
Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for
US 58 (2010): 55-75.
Nakashima, Ellen. "Indictment of PLA Hackers Is Part of a Broad U.S. Strategy to Curb Chinese Cyberspying." The
Washington Post, May 22, 2014, Accessed April 23, 2015.
http://www.washingtonpost.com/world/national-security/indictment-of-pla-hackers-is-part-of-broad-us-
strategy-to-curb-chinese-cyberspying/2014/05/22/a66cf26a-e1b4-11e3-9743-bb9b59cde7b9_story.html.
National Security Council, International Strategy for Cyberspace: Prosperity, Security, and Openness in a
Networked World (Washington D.C.: Executive Office of the President of the United States, National
Security Council, 2011), 11,
National Telecommunications and Information Administration, “NTIA Announces Intent to Transition Key Internet
Domain Name Functions,” United States Department of Commerce, March 14, 2014,
http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-
functions.
NATO Cooperative Cyber Defense Centre of Excellence, “About Us: History,” https://ccdcoe.org/history.html.
"New START." U.S. Department of State Diplomacy in Action. April 15, 2015. Accessed April 23, 2015.
http://www.state.gov/t/avc/newstart/index.htm.
"NTIA Announces Intent to Transition Key Internet Domain Name Functions." March 14, 2014. Accessed April 23,
2015. http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-
name-functions.

58
! ! !
Nye, Joseph S. "Introduction." In The Regime Complex for Managing Global Cyber Activities Global Commission
on Internet Governance Paper Series, 1-10. Waterloo, Ontario: Chatham House, 2014.
Obama, Barack. “Remarks by the President in the Year-End Press Conference,” The White House, December 19,
2014, accessed via https://www.whitehouse.gov/the-press-office/2014/12/19/remarks-president-year-end-
press-conference.
Office of the Historian, “Strategic Arms Limitations Talks/Treaty (SALT) I and II,” Milestones: 1969–1976, U.S.
Department of State, last modified October 31, 2013, https://history.state.gov/milestones/1969-1976/salt.
Oltermann, Phillip. "Germany Opens Inquiry into Claims NSA Tapped Angela Merkel's Phone." The Guardian.
June 4, 2014. Accessed April 23, 2015. http://www.theguardian.com/world/2014/jun/04/germany-inquiry-
nsa-tapping-angela-merkel-phone.
Pellerin, Cheryl. "Rogers Discusses Cyber Operations, ISIL, Deterrence." U.S. Department of Defense. March 2,
2015. Accessed April 23, 2015. http://www.defense.gov/news/newsarticle.aspx?id=128278.
Perlroth, Nicole. "In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back." The New York Times. October 23,
2012. Accessed April 23, 2015. http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-
oil-firm-disquiets-us.html?smid=pl-share&_r=0.
Phillips, Mark, Jennifer Cole, and Jennifer Towers. "Cyber Norms of Behaviour: Executive Summary of the RUSI
Analysis." Royal United Services Institute. January 1, 2015. Accessed April 23, 2015.
https://www.rusi.org/downloads/assets/Cyber_norms_of_behaviour_report_-_Executive_Summary.pdf. 2.
Pitikin, Mary Beth. "In Proliferation Security Initiative (PSI) 'Testimony to the House International Relations
Committee' by John Bolton." Congressional Research Service. June 15, 2012. Accessed April 23, 2015.
Prakash, Rahul and Darshana M. Baruah, “The UN and Cyberspace Governance,” Observer Research Foundation
(2014): 4. Accessed via
http://orfonline.org/cms/export/orfonline/modules/issuebrief/attachments/issuebrief68_1394871027354.pdf.
Press, Daryl Grayson. Calculating Credibility: How Leaders Assess Military Threats. Ithaca, N.Y.: Cornell
"Proliferation Security Initiative." U.S. Department of State. Accessed April 23, 2015.
http://www.state.gov/t/isn/c10390.htm.
Quester, George H. Deterrence before Hiroshima; the Airpower Background of Modern Strategy. New York: Wiley,
1966.
Rid, Thomas, and Ben Buchanan. "Attributing Cyber Attacks." Journal of Strategic Studies 38:1-2 (2015): 4-37.
Rid, Thomas. “Think Again: Cyberwar.” Foreign Policy 192 (2012): 80-84.
Samir, Saran. "The ITU and Unbundling Internet Governance." Council on Foreign Relations. October 22, 2014.
Accessed April 23, 2015. http://www.cfr.org/internet-policy/itu-unbundling-internet-governance/p33656.
Sanger, David E. Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York:
Crown, 2012.

59
! ! !
Sanger, David E. “Document Reveals Growth of Cyberwarfare Between the U.S. and Iran,” New York Times,
February 22, 2015, accessed March 4, 2015, http://www.nytimes.com/2015/02/23/us/document-reveals-
growth-of-cyberwarfare-between-the-us-and-iran.html.
Sanger, David E. and Michael S. Schmidt, “More Sanctions on North Korea After Sony Case,” New York Times,
January 2, 2015, accessed April 27, 2015, http://www.nytimes.com/2015/01/03/us/in-response-to-sony-
attack-us-levies-sanctions-on-10-north-koreans.html?ref=topics.
Sanger, David E. “NATO Set to Ratify Pledge on Joint Defense in Case of Major Cyberattack,” New York Times,
August 31, 2014, accessed April 27, 2015, http://www.nytimes.com/2014/09/01/world/europe/nato-set-to-
ratify-pledge-on-joint-defense-in-case-of-major-cyberattack.html?_r=1.
Savage, John and Bruce McConnell, “Exploring Multi-Stakeholder Internet Governance” (paper presented at the
annual North American International Cyber Security Summit, Detroit, Michigan, November 17, 2004),
http://www2.ewi.info/sites/default/files/Exploring%20MultiStakeholder%20Internet%20Governance_McC
onnell%20and%20Savage%20BG%20Paper.pdf.
Schaller, Christian, and Johannes Thimm. "Internet Governance and the ITU: Maintaining the Multistakeholder
Approach." Council on Foreign Relations. October 22, 2014. Accessed April 23, 2015.
http://www.cfr.org/internet-policy/internet-governance-itu-maintaining-multistakeholder-approach/p33654.
Schelling, Thomas C. Arms and Influence. New Haven: Yale University Press, 1966.
Schmitt, Michael N. “Precision Attack and International Humanitarian Law,” International Review of the Red Cross
87, no. 859 (2005): 445-66.
Schmitt, Michael N. Tallinn Manual on the International Law Applicable to Cyber Warfare: Prepared by the
International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of
Excellence. Cambridge University Press, 2013.
Schramm, Harrison C., David L. Alderson, W. Matthew Carlisle, and Nedialko B. Dimitrov. "A Game Theoretic
Model of Strategic Conflict in Cyberspace." Military Operations Research 19:1 (2014): 5-17.
Segal, Adam. “Cyberspace: The New Strategic Realm in US-China Relations,” Strategic Analysis (2014).
Segal, Adam. “What to Do About China’s New Cybersecurity Regulations,” Council on Foreign Relations,
February 2, 2015, accessed February 2, 2015 via http://blogs.cfr.org/cyber/2015/02/02/what-to-do-about-
chinas-new-cybersecurity-regulations.
Segal, Adam. “Will China and Russia’s Updates Code of Conduct Get More Traction in a Post-Snowden Era?” Net
Politics (blog), Council on Foreign Relations, January 28, 2015, accessed April 12, 2015,
http://blogs.cfr.org/cyber/2015/01/28/will-china-and-russias-updated-code-of-conduct-get-more-traction-in-
a-post-snowden-era/.
Shackelford, Scott J. "Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber
Peace." 2003.
Shafa, Eric K. “Iran’s Emergence as a Cyber Power” Strategic Studies Institute, August 20, 2014, accessed March 4,
2015 via http://www.strategicstudiesinstitute.army.mil/index.cfm/articles/Irans-emergence-as-cyber-
power/2014/08/20.
Shears, Matthew. "Center for Democracy & Technology | Keeping the Internet Open, Innovative and Free."
Snowden and The Politics of Internet Governance. February 21, 2014. Accessed April 23, 2015.
https://cdt.org/blog/snowden-and-the-politics-of-internet-governance/.

60
! ! !
Siboni, Gabi, and Sami Kronefeld. "Iran and Cyberspace Warfare." Military and Strategic Affairs 4:3 (2012): 77-
100.
Singer, P. W., and Allan Friedman. Cybersecurity and Cyberwar: What Everyone Needs to Know. New York, NY:
Oxford University Press, 2013.
Snyder, Glenn H. Deterrence and Defense: Toward a Theory of National Security. Princeton, N.J.: Princeton
Sterner, Eric. "Retaliatory Deterrence in Cyberspace." Strategic Studies 5, no. 1 (2011): 71.
"Strategic Arms Limitations Talks/Treaty (SALT) I and II - 1969–1976 - Milestones - Office of the Historian."
Office of the Historian. U.S. Department of State. October 31, 2013. Accessed April 23, 2015.
https://history.state.gov/milestones/1969-1976/salt.
“The Supreme Council of Cyberspace: Centralizing Internet Governance in Iran,” Iran Media Program, University
of Pennsylvania, accessed via http://iranmediaresearch.org/en/blog/227/13/04/08/1323.
Taipale, K.A. “Cyber-deterrence," Law, Policy and Technology: Cyberterrorism, Information, Warfare, Digital and
Internet Immobilization. Hershey, PA: IGI Global, 2010. 36-37.
United Nations. "Charter, United Nations, Chapter VII: Action with Respect to Threats to the Peace, Breaches of the
Peace and Acts of Aggression: Articles 39-51." UN News Center. Accessed April 23, 2015.
http://www.un.org/en/documents/charter/chapter7.shtml.
United Nations General Assembly. “Developments in the Field of Information and Telecommunications in the
Context of International Security,” January 13, 2015, accessed April 9, 2015,
https://ccdcoe.org/sites/default/files/documents/UN-150113-CodeOfConduct.pdf.
United Nations General Assembly. Resolution 60/252, “World Summit on the Information Society,” March 27,
2006, http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/60/252.
UN Internet Governance Forum, “Connecting Continents for Enhanced Multistakeholder Governance,” September
2-5, 2014, http://www.intgovforum.org/cms/documents/igf-meeting/igf-2014-istanbul/308-igf-2014-chairs-
summary-final/file.
United Nations. The International Law Commission’s Draft Articles on State Responsibility (2001): Article 34.
United Nations. "Preamble to the United Nations Convention on the Law of the Sea." UN News Center Part VII:
High Seas Articles 86-120. Accessed April 23, 2015.
http://www.un.org/depts/los/convention_agreements/texts/unclos/part7.htm.
United Nations. “Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space,
including the Moon and Other Celestial Bodies,” Article IV, 4,
http://www.unoosa.org/pdf/publications/STSPACE11E.pdf
United Nations, “Tunis Agenda for the Information Society”, World Summit on the Information Society, November
18, 2005, http://www.itu.int/wsis/docs2/tunis/off/6rev1.html.
United Nations. "United Nations. Letter Dated 9 January 2015 from the Permanent Representatives of China,
Kazakhstan,Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the UN Addressed to the
Secretary General." Accessed April 23, 2015. https://ccdcoe.org/sites/default/files/documents/UN-150113-
CodeOfConduct.pdf.

61
! ! !
United Nations. "United Nations Official Document." UN News Center. April 27, 2006. Accessed April 23, 2015.
http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/60/252.
United Nations. "United Nations Treaties and Principles on Outer Space: Text of Treaties and Principles Governing
the Activities of States in the Exploration and Use of Outer Space, Adopted by the United Nations General
Assembly." January 1, 2002. Accessed April 23, 2015.
http://www.unoosa.org/pdf/publications/STSPACE11E.pdf.
United States Department of Justice, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against
U.S. Corporations and a Labor Organization for Commercial Advantage,” Department of Justice, May 19,
2014.
U.S. Department of Defense. Defense.gov News Article: DOD Releases First Strategy for Operating in Cyberspace.
July 14, 2011. Accessed April 23, 2015. http://www.defense.gov/news/newsarticle.aspx?id=64686.
U.S. Department of Defense, Department of Defense Strategy for Operations in Cyberspace (Washington D.C.:
Department of Defense, 2011).
U.S. Department of Defense, The DoD Cyber Strategy, (Washington D.C.: Department of Defense, 2015).
U.S. Department of Homeland Security, “What is Critical Infrastructure?” last modified November 1, 2013,
http://www.dhs.gov/what-critical-infrastructure.
U.S. Department of State. “Proliferation Security Initiative.” http://www.state.gov/t/isn/c10390.htm.
U.S. Strategic Command, “U.S. Cyber Command,” http://www.stratcom.mil/factsheets/2/Cyber_Command/
Van Evera, Stephen. “Offense, Defense, and the Causes of War,” International Security 22, no. 4 (Spring 1998): 5-
43.
Walden, Greg. "H.R.1580 - To Affirm the Policy of the United States regarding Internet Governance.113th
Congress (2013-2014)." H.R.1580. May 15, 2013. Accessed April 23, 2015.
https://www.congress.gov/bill/113th-congress/house-bill/1580.
"Wales Summit Declaration Issued by the Heads of State and Government Participating in the Meeting of the North
Atlantic Council in Wales." NATO. Accessed April 23, 2015.
http://www.nato.int/cps/en/natohq/official_texts_112964.htm.
Wallace, Ian. "The Military Role in National Cybersecurity Governance." The Brookings Institution. December 16,
2013. Accessed April 23, 2015.
http://www.brookings.edu/research/opinions/2013/12/16-military-role-national-cybersecurity-governance-wallace.
Waltz, Kenneth N. Theory of International Politics. Reading Mass.: Addison-Wesley Pub. Co., 1979.
Wendt, Alexander "Anarchy Is What States Make of It: The Social Construction of Power Politics." International
Organization 46, no 2 (1992): 391-425.
The White House. "Charter of the Subcommittee on Global Internet Governance Committee on Technology
National Science and Technology Council." The White House. April 6, 2012. Accessed April 23, 2015.
https://www.whitehouse.gov/sites/default/files/microsites/ostp/gig_charter_signed.pdf.

62
! ! !
The White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World
(Washington D.C.: Executive Office of the President of the United States, National Security Council,
2011),
The White House. "Remarks by the President in Year-End Press Conference." The White House. December 19,
2014. Accessed April 23, 2015. https://www.whitehouse.gov/the-press-office/2014/12/19/remarks-
president-year-end-press-conference.
Wohlstetter, Albert. "The Delicate Balance Of Terror." Survival, no. 37 (1959): 211-234.
"World Conference on International Telecommunications (WCIT-12)." International Telecommunication Union.
Accessed April 22, 2015. http://www.itu.int/en/wcit-12/Pages/default.aspx.

FINAL_Report

More Related Content

What's hot (19)

Viewers also liked (20)

Similar to FINAL_Report (20)

FINAL_Report