2 Chapter 2: A Conceptual Overview: Fundamental Characteristics of Cybersecurity 2 Chapter 2: A Conceptual Overview: Fundamental Characteristics of Cybersecurity
Purpose: This chapter is designed to provide an introduction and conceptual overview to fundamental characteristics of Cybersecurity. It begins by providing an overview of a series of case studies that demonstrate different forms of attack and response, and select national security concerns that arise from the cyber domain. The chapter also introduces several analytical frameworks through which case studies can be analyzed (economic, diplomatic etc.) and provides on overview of the concept of Cyber Power. Concepts Covered: Select Case Studies (Estonia, Ghostnet, Olympic Games, Flame, Economic Theft, Hactivism); Characteristics of the Cyber Problem (The Threat and Skeptics, Cyber-Asymmetries, Difficulties Inherent to Cyber Domain (Attribution, Deterrence, Metrics, Ability to Predict/Control Effects); Blurring of Distinctions (Public/Private, Domestic/International, Attack/Exploitation); Cyber Power (International Relations in Cyberspace, Jurisdiction and Territoriality)
2.1 2.1 Select Case Studies 2.1 2.1 Select Case Studies
2.1.1 3.1.1 Estonia 2.1.1 3.1.1 Estonia
2.1.1.1. Estonia Case Study - Berkman Cybersecurity Wiki
2.1.1.2. Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, Guardian, May 16, 2007
2.1.2 Ghostnet 2.1.2 Ghostnet
2.1.2.1. Ghostnet Case Study - Berkman Cybersecurity Wiki
2.1.2.2. John Markoff, Vast Spy System Loots Computers in 103 Countries, NY Times, Mar 28, 2009
2.1.3 Olympic Games 2.1.3 Olympic Games
2.1.3.1. Olympic Games Case Study - Berkman Cybersecurity Wiki
2.1.3.2. David E. Sanger, Obama Ordered Sped Up Wave of Cyberattacks Against Iran, NY Times, Jun 1, 2012
2.1.4 Flame 2.1.4 Flame
2.1.4.1. Flame Case Study - Berkman Cybersecurity Wiki
2.1.4.2. Ellen Nakashima et al., U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say, Washington Post, Jun 19, 2012
2.1.5 Economic Theft 2.1.5 Economic Theft
2.1.5.1. Economic Theft Case Studies - Berkman Cybersecurity Wiki
2.1.5.2. Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October, 2011
2.1.6 Hacktivism 2.1.6 Hacktivism
2.1.6.1. Hacktivism Case Studies - Berkman Cybersecurity Wiki
2.1.6.2. Part I: Saki Knafo, Anonymous And The War Over The Internet, Huffington Post, Jan 2012.
2.1.6.3. Part II: Saki Knafo, Anonymous And The War Over The Internet, Huffington Post, Jan 2012
2.2 2.2 Characteristics of the Cyber Problem 2.2 2.2 Characteristics of the Cyber Problem
2.2.1 2.2.1 The Threat and Skeptics 2.2.1 2.2.1 The Threat and Skeptics
2.2.1.1. Richard Clarke and Robert Knake, Cyber War: The next Threat to National Security and What to Do About It, 2010
2.2.1.2. Jack Goldsmith, The New Vulnerability, The New Republic, Jun 7, 2010
2.2.1.3. Joel Brenner, America the Vulnerable: Inside the New Matrix of Digital Espionage, Crime, and Warfare, 2011
2.2.1.4. Thomas Rid, Think Again: Cyberwar, Foreign Policy, March/April 2012
2.2.1.5. Dinei Florencio and Cormac Herley, The Cybercrime Wave that Wasn’t, New York Times, Apr 14, 2012
2.2.1.6. Peter Maass and Megha Rajagopalan, Does Cybercrime Really Cost $1Trillion?, Mother Jones, Aug 2, 2012
2.2.1.7. Julie J.C.H. Ryan and Theresa I. Jefferson, The Use, Misuse, and Abuse of Statistics in Information Security Research, Management National Conference, ASEM 2003.
2.2.2 2.2.2 Cyber-Asymmetries 2.2.2 2.2.2 Cyber-Asymmetries
2.2.2.1. Jack Goldsmith, The New Vulnerability, The New Republic, Jun 7, 2010
2.2.2.2 2.2.2.a Failure of Market Incentives (cost-burden asymmetry) 2.2.2.2 2.2.2.a Failure of Market Incentives (cost-burden asymmetry)
2.2.2.2.1. Seymour E. Goodman and Herbert S. Lin, Toward a Safer and More Secure Cyberspace, Ch. 6.4: The Economics of Cybersecurity, National Research Council, 2007, pp. 142-165
2.2.2.2.2. Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options, Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, 2010
2.2.3 2.2.3 Difficulties Inherent to Cyber Domain 2.2.3 2.2.3 Difficulties Inherent to Cyber Domain
2.2.3.1 2.2.3.a Attribution 2.2.3.1 2.2.3.a Attribution
2.2.3.1.1. David Clark and Susan Landau, Untangling Attribution, Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, 2010.
2.2.3.2 2.2.3.b Deterrence 2.2.3.2 2.2.3.b Deterrence
2.2.3.2.1. Martin C. Libicki, Cyberdeterrence and Cyberwar: Ch. 3: Why Cyberdeterrence is Different , RAND, 2009
2.2.3.2.2. Kugler, Richard L., Cyberpower and National Security, Ch. 13: Deterrence of Cyber Attacks, eds. Kramer, Starr, and Wentz, 2009
2.2.3.3 2.2.3.c Metrics 2.2.3.3 2.2.3.c Metrics
In the absence of good cybersecurity metrics, it is largely impossible to quantify cost-benefit trade-offs in implementing security features. Even worse, it is very difficult if not impossible to determine if System A is more secure than System B.