

### Cyberspace and the Era of Persistent Confrontation

A collection of essays on cyber warfare and great power competition via cyberspace,  
by the author

JAMES R. VAN DE VELDE, Ph.D., LCDR, USNR

Copyright © 2019 James Van de Velde

ISBN-13: 978-0-578-58751-6

jamesvandevelde@gmail.com

All rights reserved.

Distributed by Smashwords

This ebook is licensed for your personal enjoyment only. This ebook may not be re-sold or given away to other people. If you would like to share this ebook with another person, please purchase an additional copy for each person you share it with. If you're reading this book and did not purchase it, or it was not purchased for your use only, then you should return to Smashwords.com and purchase your own copy. Thank you for respecting the hard work of this author.

Ebook formatting by ebooklaunch.com

**James R. Van de Velde** , Ph.D., is an Associate Professor at the National Intelligence University, where he teaches courses on Cyber Warfare, WMD-Terrorism, and Intelligence Collection and Analysis. He is also Adjunct Professor at the Georgetown Security Studies Program, School of Foreign Service, and Adjunct Faculty in the Global Security Studies Program at Johns Hopkins University. Dr. Van de Velde is a Lead Associate for the consulting firm, Booz Allen Hamilton, where he currently consults to the J5 (Strategy) Division of US Cyber Command. He is a former White House Appointee under President George H.W. Bush Sr., for nuclear weapons arms control; a former Lecturer of Political Science and Residential College Dean at Yale University; State Department Foreign Service Officer; and naval intelligence reserve officer. Dr. Van de Velde is an Associate Member of the International Institute of Strategic Studies and has held fellowships at the Center for International Security and Arms Control at Stanford University and the US-Japan Program at Harvard University. Dr. Van de Velde received his B.A. from Yale University in 1982 and his Ph.D. from the Fletcher School of Law and Diplomacy in 1988.

The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.

TABLE OF CONTENTS

MAKE CYBERSPACE GREAT AGAIN TOO!

WHAT IF WARFARE TODAY OCCURS ONLY IN PEACETIME?

How Our Adversaries 'Fight' In Peacetime

Russia's Hybrid Warfare Strategy

China's Salami Slicing Strategy

The Islamic State's iTerrorism Strategy

How To Fight During Peacetime

Counter Russia

Counter China

Counter Islamic State

WARFARE AND DETERRENCE IN THE ERA OF CYBERSPACE

Is the Cyber Domain Different?

The Fundamentals of Deterrence Do Indeed Apply to Cyberspace

The Danger in Not Inflicting Punishment

Deterring Kinetic Conflict via Cyberspace

CYBERSPACE'S FUTURE IS CLOUDY WITH A CHANCE OF PERSISTENT AUTHORITARIANISM

WHY 'CYBER NORMS' ARE DUMB

' **CRASH THEIR COMMS:' CONTEST AND DEFEAT THE ISLAMIC STATE'S CUTTING-EDGE USE OF SOCIAL MEDIA**

The Islamic State is Online and is OPSEC Savvy

Jihadi Cool

Command and Control Via App

Twitter-storm

A Modern Technology That Serves the Retrograde Islamic State Well

Success at Cyber Jihad 2.0 Suggests Things Are Only Going to Get Worse

What to Do

The Fifth Domain of Warfare Is Here, Whether We Like it or Not

TOP TEN STATEMENTS REGARDING JIHADIST USE OF THE INTERNET DESIGNED SPECIFICALLY TO UPSET MILLENNIALS!

THE MEDIA'S RESPONSIBILITY TO COMBAT TERRORISM VIA CYBERSPACE

HIGH TECH POSEURS

APPLYING CLASSICAL NOTIONS OF STRATEGY TO CYBERSPACE

WHAT COMES AFTER 'PERSISTENT ENGAGEMENT?' '3G:' Gates, Guards, and Guns

# MAKE CYBERSPACE GREAT AGAIN TOO![1]

President Obama's reluctance to punish malicious cyberspace actors gave us the cyber world we most wanted to avoid. Malicious governments now see cyberspace as a largely unconstrained space for political maneuver, disinformation, information operations, and occasional destruction; a few governments actively support cyber criminals who advance state interests (mostly against the United States).

Our most dangerous opponents in cyberspace are states, three of which – Russia, China, and North Korea – also use cybercrime as a tool of state power. Nation-states use cyberspace for espionage, industrial theft, coercion, and crime to advance their aims – most importantly, the dismantling of the liberal-democratic world order to replace it with something more favorable to their own interests.

Our opponents adopt unconventional strategies, leveraging cyberspace to ensure that their actions stay below the level that could trigger military conflict. Our adversaries and competitors have embraced cyber warfare precisely to avoid kinetic hostilities with the United States but still achieve their political objectives.

The United States in particular is engaged in almost continuous contact with adversaries in cyberspace, with often-ambiguous legal implications that frequently hamstring our ability to respond. The media has occasionally called it "virtual warfare," but a better term for the situation may be "persistent cyberspace confrontation," or "warfare during peacetime." Russia, China, North Korea, Iran, and the Islamic State/al Qa`ida use cyberspace to pursue a variety of goals, including operations that emplace cyber weapons on our critical infrastructure (both public and private), steal intellectual property, attack US industry, and enable terrorist acts. More recently, Russia has used such methods to interfere in presidential elections (not just in the United States) — a new threshold of audacity and political danger.

The Obama Administration's hopes that cyberspace would emerge as a peaceful domain where speech was open and free (where the internet would not be regulated or censored by states), and where proprietary and personal information was respected and safe through the acceptance of norms, were unambiguously dashed. Cyberspace is the domain where adversaries come to change the political _status quo_ via information operations, use our infrastructure to steal our information and wealth, and plan and execute terrorism. Adversaries no longer fear competing with us in cyberspace, believing either that we are self-restrained for legal or politically naïve reasons or we are not as capable as they thought we were.

Imagine if the air domain had just emerged and Russian, Chinese, Iranian, and North Korean aircraft flew unmolested above the skies of New York, San Francisco, Washington, DC, and every city and town in the United States, mapping our infrastructure, and stealing modest amounts of US wealth and proprietary information in each pass. Would the US practice good, 'risk-adverse' strategy by complaining but doing nothing – not threatening the aircraft, launching our own aircraft inside adversary airspace, or even simply sanctioning such states for their malicious actions? The conventional wisdom of rank and file US Government bureaucrats on cyberspace thinks it is being risk-adverse by not responding aggressively – by not pushing back on malicious cyberspace behavior. They fear escalation. Yet passivity invites escalation, not acceptance of our idealistic goals for cyberspace. Which risks escalation more: to hit a bully back or to _not_ hit a bully back?

During the past few years, the United States found itself reacting late, insufficient, or more often not-at-all to more nimble, authoritarian states. The United States needs to shape the cyber environment in order to affect the norms and behavior we expect: respect for sovereignty, respect for proprietary information, and the inviolability of critical infrastructure, not to mention protect the future gems of the state: intellectual property, data analytics, AI, algorithms, and cognition.

America's attackers in cyberspace are not interested in conducting a 'cyber 9/11.' The Chinese focus on industrial theft to enrich their state and leap frog ahead militarily and commercially. The Russians use cyberspace to pedal false narratives on social media and with international proxies and 'experts' to influence elections, leverage criminal groups to steal industrial information and western money, and stealthily emplace code on our civilian infrastructure for industrial espionage and to threaten such infrastructure in a time of crisis or war. Iran and North Korea use cyber operations against American companies to punish states and industry they oppose;[2] their goal is usually political coercion and signaling, though occasionally destruction. The Islamic State/al Qa`ida use the internet to post illegal speech that calls for the murder of innocents and for recruitment, weapons information sharing, inspiration, and crude command and control. Cyberspace is the one military domain where clear boundaries and red lines have not been established or defended by the United States.

China's Cybersecurity Law requires multinational companies to make data accessible to the Chinese Government and strengthens the Communist regime's control over web content it considers inappropriate. Internet 'sovereignty' to China is freedom from western influence via the internet. Chinese law requires tech companies operating in China to retain consumer data and provide the state access, while also filtering content deemed illegal. China will soon use such data to monitor all Chinese citizens. The tool the West may have thought would open totalitarian regimes has served such regimes very well in maintaining totalitarian control.

China's cyber law includes now a ban on foreign internet firms unwilling to comply with the country's policies on content removal — most notably Google, Facebook, and Twitter. This has led to domestic firms essentially imitating western business models, such as Google's Chinese counterpart, Baidu, or Renren, the Facebook of China, or Weibo and Twitter, while adhering to government restrictions. Perhaps the most important (and protectionist) policy within Chinese law is the requirement that companies cough up their source code so that the government may ensure that it is 'secure' and 'legal.' The Chinese then steal such source code and provide it to Chinese companies, who integrate it and subsequently push the American firms out of the market. Yet these American firms just cannot help themselves but comply. The US Government ought to admit to these companies that they cannot protect them in China from industrial espionage and that they are most likely to lose their intellectual advantage.[3]

Action in violence-free cyberspace is far easier for authoritarian and totalitarian states to conduct than liberal, consensus-building democracies. In short, the invention once thought as a panacea for advancing free speech and liberal democracy is instead the perfect tool to effect internal political control against dissidents and freedom seekers and asymmetrical warfare against the United States.

Cyberspace is sometimes referred to as the "Wild West" precisely because it has not been tamed by the United States and its allies. The shaping of cyberspace requires a combination of international norms promulgated on paper in international forums but also clear, well-signaled responses to unacceptable activities. The United States needs to introduce the concepts of dominating and 'winning' in cyberspace, first and foremost to protect internationally accepted notions of property and sovereignty.

The cyber world had expected President Trump to release the country from the previous administration's naive restraints. So far, strangely, there has been no change to cyber policy. We need to adopt a broken windows policy toward cyber or we will live forever with a level of crime and malicious activity that will forever sap the West of wealth, technological advantage, and political security. Our adversaries are using the very technology we invited to undermine us, enrich and empower themselves, and strengthen authoritarian rule, yet we do little about it.

The Trump Administration must demand and pre-approve more timely and bold defensive and offensive operations from DoD in order for cyberspace to cease being the domain where US and western interests, wealth, and proprietary information continue to be lost to malicious, adversary cyberspace activity. The country must shift to an operational mindset in the cyber domain, just as we would if US airspace or sea space were continually violated by adversaries to steal US wealth and information. Failing to do so will result in the very environment we fear – one where our adversaries and competitors take what they can via cyberspace, meddle in our politics, and shape new political realities, while we stand by naively expecting international law and norms regarding sovereignty, proprietary information, and wealth to be respected.

A Western response to such cyber activity should include elements of deterrence, capabilities that can de-escalate an international crisis, and the legal recognition that much of what the Islamic State publishes on the web is illegal (not just hate) speech.

We need to test and deploy offensive cyberspace capabilities, at scale, and in ways that make it clear that we can back up words with action, while reinforcing the ability of the US government to exercise power and defend the nation consistently with international law and norms. At present, our approach to the current period of continuous confrontation has been almost exclusively defensive, including the hardening of defenses of US government and DoD networks. The US approach to shaping norms of cyberspace will need to involve elements of offense, as well as the private sector if it is to be successful.

Cyberspace will favor authoritarian states that violate sovereignty, law, and international norms in 'peacetime' as long as the United States does not successfully impose costs for such warfare. The sooner we recognize how our adversaries 'fight' in peacetime, and what is required of us to compete and win in this new 'Phase 0' of warfare, the more successful we will be in defending our sovereignty and preventing conflicts from escalating to actual violence.

The west runs the very real risk of trivializing cyber-attacks, such as the November 2014 North Korean attack against Sony Pictures, the April 2015 denial of service attack against TV5Monde in France, or the December 2015 and 2016 cyber-attack against Ukraine's electrical power. Instead of retaliation, the Obama Administration labeled these events 'vandalism' and abstained from punishing the attackers appropriately to deter future activity.

'Cyber deterrence' may imply that deterrence of malicious cyber activity occurs through the employment of defensive and offensive _cyber_ capabilities. But malicious cyber activity does not have to be deterred necessarily by cyber activity. Malicious cyber activity can be deterred by defense and punishment through the other domains and through a whole of government approach, including sanctions, public attention, diplomacy, and private sector activity.

Until the United States demonstrates the willingness to use cyber or other capabilities to punish unacceptable behavior in cyberspace, threats of punishment alone will continue to ring hollow, and defense alone will be insufficient. It may sound contradictory, but if the United States wants to reduce the number and severity of malicious cyber-attacks against it, it must attack back more often. Without action, no discussion paper or thought piece is going to establish 'cyber deterrence.' What is needed is a 'J' curve of cyberspace activity: operations that, at first, may involve more activity before norms are clearly established and stability recovers and ultimately improves. Current US Government cyberspace leaders are so worried about stability that they eschew most any operation that involves pushing back against our adversaries and state thieves – sadly, the worst thing to do and precisely what our adversaries want us to do.

The cyber problem is not intellectual. The problem is bureaucratic and personnel. People with the wrong mindset, thinking cyberspace is just about defense and security, are in the US Government blocking cyberspace counter-preparation of the environment and requisite cyberspace operations necessary to restore cyberspace equilibrium, the defense of US intellectual property, and strategic stability. The blocking of requisite US cyberspace activity had led to drastic conclusions, as allegedly noted in the _US Nuclear Posture Review_ , which claims that the US might have to use nuclear weapons in response to strategic cyberspace attack by malign actors. This is likely the sad, largely desperate result of having abdicated a mutually assured disruption relationship with our state competitors. The United States sits by impotent and feckless, wondering why things do not get better on their own in cyberspace. Further, the United States wrongly concludes that rights involving proprietary information and what constitutes free vs. illegal speech are not internationally established. Yet such laws and norms are indeed well established but are not respected by our adversaries and nonstate (terrorist) actors who know that we choose not to react to their violations.

The Trump Administration must assume a larger role in defending the nation from malicious cyber actors, because both the President called for a greater role and because it is obvious that malicious state and nonstate cyber activity continues unabated. More response to malicious cyberspace activity is as important to the country as immigration reform, health care reform, and our war against Islamist terrorism. The era of US self-restraint must end.

# WHAT IF WARFARE TODAY OCCURS ONLY IN PEACETIME?[4]

What if warfare – the kind we see in World War II movies – never occurs again? The two great wars of Europe were total, unambiguous, and definitive. There was a beginning (a declaration), a prosecution of conflict, and a clear and declared end, including a postwar occupation and recovery. Histories of such conflict made great books.

Warfare today, however, seems almost always ambiguous, murky, confusing, ongoing and politically complicated – especially for the very legalistic United States. Warfare today is a combination of low intensity (military) conflict and a fight over information via cyberspace [5] – especially over 'narratives' that sway public opinion. And usually this warfare does not involve much violence.[6]

This isn't exactly new, however: warfare has always consisted of these elements. What is new is that our adversaries specifically fight and stay in this early stage of warfare of cyberspace operations,[7] information operations, and very limited or no kinetic conflict, careful never to escalate to state-on-state war. In short, our adversaries and competitors have embraced cyber warfare (more accurately _'warfare via cyberspace,'_ also known as _'cross domain warfare'_ ) precisely because they can avoid kinetic hostilities with the United States but still achieve their political objectives.[8]

Traditionally, the United States sees itself as either at peace or at war. Today, this divide is at best blurred and perhaps forever outdated. Today, we seem always in some sort of confrontation. 'Steady state' operations imply a _status quo_ (a time when little needs to be done), which implies relationships are static or that states are not contesting one another in the military domains. This may be an unhelpful legacy construct from the great wars in Europe and in the Pacific.

It is precisely because the United States enjoys dominance in many military domains that our adversaries compete against US interests _short_ of declared, mass, kinetic warfare, especially in the cyberspace domain. Russia, China, North Korea, Iran, the Islamic State, and al Qa`ida maneuver forces, conduct cyberspace operations, influence media, and pay for information all to shape a new environment and change the _status quo_ without resorting to direct kinetic conflict with the United States. Our adversaries today see the world in a constant state of conflict and competition; the United States prefers to see the world in a state of peace, with 'war' a deviation – something to be quickly forced back to the steady state of peace.

Cyberspace is a unique military domain in that the United States and adversary forces meet (and contest) every day. The United States is engaged in almost continual, daily contact with adversaries in cyberspace. Although since World War II we have had an almost continual succession of limited wars (a sine wave of conflict), cyberspace may have invited an 'era of persistent confrontation.'[9]

North Korea, Iran, Russia, China and the Islamic State/al Qa`ida use cyberspace during 'peacetime' to pursue a variety of national security goals, including operations that violate our sovereignty by emplacing tools (i.e., cyber weapons) on our critical infrastructure, steal intellectual property and resources, attack US industry, conspire to commit terrorism, and produce cyberspace effects on US private and government infrastructure. Adversary strategies combine traditional military forces and information operations to maneuver, influence, and use cyberspace to manipulate and control information. In short, the framework of 'peacetime' _or_ 'wartime' does not describe the world we live in today.

As a result, the United States is often hesitant to act (politically and militarily) from operating during these periods of 'peacetime,' even though our adversaries are not. (Our adversaries are well aware of how and why we find ourselves frozen.) We must recognize that there is a category of conflict which may not be easily recognized as 'war' by most, but which involves the violation of US sovereignty and interests, as well as theft of resources and treasure.

_Joint Publication 3-0_ , United States Joint Chiefs of Staff, 11 August 2011, p. V-6

The cyber domain did not usher in a new, definitive form of warfare, as some originally feared – just the opposite, in fact. Cyber is merely a warfare vector, like the air domain. Warfare did not change with the addition of the airspace domain. Cyberspace does not change warfare, as much as it shifts it 'to the left:' (i.e. more 'Phase 0-1' competition, including cyber-attacks) during peacetime. Adversaries escalate confrontation with the United States within Phase 0, but never past Phase 1. And since cyberspace is pervasive and is in everyone's environment, it is an especially seductive and effective military domain for adversaries — especially authoritarian states.

Because our adversaries know we see ourselves in either peacetime or wartime, they maneuver as aggressively as they can in 'Phase 0.' Cyberspace is the one domain where boundaries have not been established or defended. Decisive action in this phase is far easier for authoritarian states than liberal, consensus-building democracies. Yet the United States needs to shape (i.e., influence) the international environment constantly. 'Shaping' occurs constantly in peacetime. It occurs before, during, and following conflict. Cyberspace is sometimes referred to as the 'Wild West' precisely because it has not been shaped well by the United States and its allies. Norms are created through customary international law and the practices conducted and accepted by states. Such norms became the basis of the Law of the Sea, our conduct in space, and our treatment of combatants. Cyberspace intrusions conducted and left un-responded to will begin to enjoy a level of international acceptance, no matter how many norms are advocated diplomatically. Thus, good cyberspace shaping is a combination of international norms promulgated on paper in international forums but also clear, well-signaled responses in reply to certain unacceptable activities.

Since World War II, the Department of Defense (DoD) has concentrated on preventing wars through strength but less on shaping environments to advance US interests in periods short of all-out war. Likewise, the US military views risk as centered around the possibility of losing a kinetic conflict but fails to recognize how 'loss' can occur in peacetime through a gradual and methodical 'salami slicing' of US interests (i.e., incremental violations of sovereignty; small appropriations of US technology, proprietary information, and wealth; the use of social media to advance conspiracy to commit murder and terrorist planning). Being good at 'high-end' warfare does not ensure success in confrontations short of violence. The United States needs to conceive of concepts of dominating and winning in Phase 0 – i.e., 'winning in peacetime.'

The United States, therefore, ought to be careful not to adhere to an intellectual, almost binary construct that it is either in 'peace' or at 'war' – a construct which may have been devised to help us plan, but instead now works to fence ourselves off from countering adversary activity in Phase 0 of a conflict. In short, traditional warfare drives our intellectual, organizing and planning principles, but the era of persistent confrontation short of violence is the new normal.

Another way to look at the problem is to define Phase 0 actions by our adversaries as indeed violations of sovereignty and small acts of war, justifying comparable (i.e., legal and proportional) responses. In other words, the Phases of War construct ought not influence decionmakers in determining whether or not we are in 'conflict;' instead, adversary actions should justify and cue US counter (defensive) action. Adversary acts of war (however 'small') can, do, and are occuring today in Phase 0 of warfare. Phase 0 is no longer characterized by the absence of conflict; it is no longer a static, steady-state phase of warfare.

Cyber warfare is the delivery of effects[10] via cyberspace and can be as diminutive as collecting intelligence via cyberspace or delivering propaganda to disrupting government websites or stopping a civilian Supervisory Control and Data Acquisition (SCADA) system at a dam or an electrical power plant or air traffic control system, resulting in people being killed. Cyber attack consists of any hostile act using a computer or network system intended to disrupt or destroy an adversary's critical cyber systems, assets, or functions.

How Our Adversaries 'Fight' In Peacetime

Russia's Hybrid Warfare Strategy

Conflict today with Russia is largely a fight over information – who controls it, who can create it and who controls the 'narratives' that sway and shape opinion. Russian warfare today occurs in peacetime. Russia is in confrontation, but not conflict, with the West and maneuvers to avoid fighting NATO forces physically. But that doesn't mean Russia wishes the _status quo_ to continue. Instead, Russia achieves its military objectives through a more savvy, subtle and ambiguous form of warfare: 'hybrid warfare' (directed more at civilians than armed forces), with its weapon being the control of information and intimidation delivered largely via cyberspace. There are three broad elements to its strategy:

_Information Confrontation_ (the old Soviet 'Active Measures') of disinformation and planted information all packaged and delivered via the internet and social media and tailored to a specific, targeted civilian audience. Soviet-like theses of anti-Nazism, anti-Americanism, the threat to Russian civilization, and struggle against Western 'information aggression' are delivered today via video, social networks, internet trolls, 'experts,' and select, political cronies. Russia is the birthplace of a new, secretive, state-sponsored industry designed to spread pro-Russian propaganda, attack government critics, and sow domestic distrust about the internet – 'troll factories.' [11]

This information campaign is follow by clandestine political (but physical) _Destabilizing Operations_ , enabled by cyberspace, targeting an adversary's political state by seizing certain public media and state communications and attacking certain institutions — smearing them as agents of the illegitimate local state — and supplying weapons to separatists, the allegedly suppressed Russian minority of the targeted state (see Estonia 2007, Georgia 2008, and Ukraine 2014). These physical operations are usually executed by Russian SPETSNAZ ('special purpose') elements that act independently or, as in the case of Crimea and Ukraine, act as the nucleus of a separatist movement, which eventually transforms into a separatist conventional force, which provides Russia with cover to deny involvement.

Finally, Russian _Conventional Forces_ posture along the border to intimidate the targeted state's military, supply the separatists, and occasionally intervene directly into the targeted country when needed. Once the targeted country sees what it is facing, it agrees to compromise terms that sacrifices elements of its sovereignty. Russian then pockets the political victory and repeats the process.

The December 2015 cyber-attack against Ukraine's electrical power is a perfect example. Russia's goal is to keep the current pro-West Ukrainian Government off balance and to undermine its credibility. These unattributed cyber stacks on Ukrainian civilian infrastructure (an act of war) make the Government look incompetent, unstable, as well as less attractive to Western investment and support. Russia's goal is to exhaust Ukrainian patience with the pro-West Government and force it toward allegiance to Moscow – all without a declared war.

This unique form of Russian warfare is designed never to reach a large-scale shooting conflict with the targeted state and certainly not with NATO countries. It proceeds (and ends) in phases of conflict designed never to and provoke NATO's collective defense Article V.

A summary of Russia's strategic shift from traditional to hybrid warfare

This unique form of warfare is designed never to reach a full-scale conventional war with the targeted country and certainly not with NATO. Russia's hybrid warfare is designed to begin and end in the early phases of warfare that never reach conflict with US or NATO forces.

By creating a new _status quo_ , Russia successfully breaks international norms, creates indistinct (and new) borders, and lowers international expectations to curb its behavior. By making the conflict politically ambiguous, claiming no direct involvement and keeping hostilities small and protracted, Russia keeps direct outside involvement weak, off-balance and confused. Russia projects strength in ways designed to limit provocations with the West. It fuses psychological with kinetic operations to shape or confuse its adversary and Western perceptions of the conflict to dissuade involvement. This strategy complicates the ability of the international community to mobilize for an appropriate and timely response.

Cyberspace operations are integrated into all aspects of Russian military operations and involve three categories: psychological effects (the targeting of people) – employing diplomats, 'experts,' and academic elites to influence opinions and perceptions; effects via information operations (controlling the message); and technical effects (offensive cyber operations against computer and communications systems). Information is not used to persuade but to confuse, paralyze, and subvert. Russia's power is maintained not by persuasion (the American, liberal-democratic definition of the power of speech) but by making it clear that it can manipulate what it considers truth.[12]

China's Salami Slicing Strategy

The Chinese Government believes in internet freedom — that is, freedom _from_ Western online influence. That means YouTube, Facebook, Fox News, the BBC and Voice of America are as toxic to the Chinese Government as an ISIL beheading video is to Americans. Internet 'security' to China is defense against any online activity that threatens Party rule. (So, when China calls for internet 'security,' we ought not to mislead ourselves.) China views US manufacturing not as a competitor to Chinese industry but a resource from which to steal proprietary and business information (i.e., intellectual property) through cyberspace to advance China's economy to modernize Chinese industry and the military[13] and quell political dissent. The internet is a tool to protect the Party, advance economic growth, exert control over political competitors and Western influence, and aid the Chinese military for future conflict.

The Chinese Government considers Western influence delivered by private Western websites as weapons divined by the West; it doesn't care that the delivery vehicle is a private entity or that competing speech can easily be found or added online. It thinks our acceptance of speech we don't like (even on private websites) is a sign of weakness and leads not to a stronger state but to a decadent, prurient populace. Internet 'sovereignty' to the Government of China is control of information within its borders.

The Chinese conduct three types of state-sponsored cyber activity: national security espionage (like all nations do); economic espionage to aid Chinese industry (such activity is illegal; we do not do this); and internal information operations designed to control and manipulate information to manage what the Chinese people can view and say online (we do not do this).

_National security espionage_ (authorized state acquisition of information via clandestine means) is a state activity conducted and recognized by almost all states. Chinese espionage includes stealing government secrets, information regarding members of adversary intelligence communities, information related to weapon systems, and information related to national security strategy.

_Economic espionage_ consists of the theft of intellectual property and sensitive business information to aid Chinese industry and trade and business negotiations. This illegal activity is what China is especially well-known for and rightly so. Chinese economic espionage is likely greater than the economic espionage conducted by all other states against the United States combined. A 2013 McAfee study noted the annual high-end estimate loss to the United States from cybercrime and espionage at $100 billion (perhaps as much as 1 percent of US national income) and as many as 508,000 US jobs;[14] China accounts for most of this loss. The former Commander of US CYBER COMMAND, General Keith Alexander, described cybercrime as the "greatest transfer of wealth in modern history." Further, smaller returns from industrial R&D likely results in diminished investments in subsequent R&D.[15]

_Information operations_ , like in Russia, are conducted in China continuously against its own people, led by the 'Golden Shield Project' (aka the Great Chinese Firewall) — a massive censorship and surveillance system, operated by the Ministry of Public Security. This Chinese Government cyberspace tool is hyper active: it attacks and blocks certain websites, poisons cache, conducts speech and face recognition, sucks in closed-circuit television, smart cards, credit cards and other surveillance technologies; it indexes content around the world (in anticipation of filtering it when it heads to China), filters incoming content, blocks pro-democracy groups and certain content, such as anything to do with the Dalai Lama, Falun Gong or Taiwan, as well as news stories that embarrass the Government, along with Voice of America and many Western news sites, such as the Chinese edition of the BBC.

Such an ambitious cyber mission makes the Chinese Government extremely active on the web – the most active cyberspace state in the world, by far. (Chinese presence throughout our public and civilian computer networks for economic espionage includes the risk that such access could someday be used to attack our networks and infrastructure during or preceding conflict.)

The current Chinese President, Xi Jinping, puts the economy first so that it can modernize the Chinese military, ease social discontent (i.e., placate rising expectations by aiding Chinese industry), and increase China's stature internationally – but not to move the state toward liberal democracy. Xi believes Chinese socialist propaganda is good stuff, important food for the Chinese youth – and the internet and social media is its best delivery mechanism.

The Chinese Government uses the internet to conflate nationalism and Party rule and add to China's economic strength to imply the righteousness of the Party's existence (our stolen technology works to suppress democracy in China). It portrays the Great Chinese Firewall as a form of paternal protection from the prurient West.

The current Chinese leadership believes the United States is ahead in cyberspace and in overall military capabilities and views the _status quo_ in cyberspace as intolerable. It conducts a gradual 'salami-slicing' strategy: continual Phase 0 activity of espionage, industrial theft, and preparation for warfare but at a level that does not provoke a major, overt US response.

Further, the Chinese believe that cyber warfare is 'offense-dominate' and believe that as long as their vulnerability via cyberspace is low, they may want to act preemptively in a confrontation (such as in a scenario involving the defense of Taiwan) – especially in cyberspace. Thus, the more passive the United States remains in the face of China's hyper cyberspace activity disorder and salami slicing strategy, the more likely kinetic, violent conflict becomes.

At first, Western leaders thought the internet would be the death tool for authoritarian and totalitarian states. The internet has lost much of its veneer as the instrument of liberty. It may expand communication, but it is also a tool for espionage and industrial theft, a military domain, and a political weapon. China understands this well.

The Islamic State's iTerrorism Strategy

The invention once thought as a panacea for advancing free speech and liberal democracy is also the perfect tool to effect intolerance and totalitarianism for Islamists. The United States invented the very tool that was not just critical but singularly instrumental for the Islamic State to have succeeded. The internet affords its recruitment, organization, operational direction, ideological conformity, and pride. Its slick, online propaganda gives the Islamic State a sense of identity and inclusion. It uses social media to coordinate operations and advance attack planning and has built a sophisticated online strategy involving Facebook, Twitter, YouTube, and WhatsApp. Without the internet, no part of its success would have occurred.

The Islamic State understands and practices online operational security to stay anonymous. It advises online readers how to enhance their online anonymity. Its use of temporary accounts, the periodic changing of accounts, and use of TOR to mask IPs make the State's communications largely dark, hard to track and target, and resilient.

Through decentralization, it has largely secured its communications from the traditional warfare techniques of jamming or interception. It has crowd-sourced its communications. Videos of its message are created and uploaded onto Western media sites and its links are proliferated by Twitter feeds. And it created a new form of operational Command and Control: _'C2 via app'_ – a Twitter app ('the Dawn of Glad Tidings'), through which users gave permission to receive Islamic State messages, images of military success, and video feeds and, in return, afforded users news and updates on Islamic State battles.

In addition to official Islamic State social media accounts, there are hundreds of Islamic State sympathizers with private accounts, who are followed by thousands. Thus, official products are tweeted and then their hashtags re-tweeted by 'private' supporters, creating what is now known as 'Twitter storms.'

Islamic State radicalization is modern – a post-bin Laden phenomenon, made up of young men who were teenagers (or younger) when al Qa`ida attacked the World Trade Center and the Pentagon. Such men are children of the internet and social media; bin Laden and his colleagues were children of the Soviet invasion of Afghanistan. And the motivation for joining the Islamic State has more to do today with online social networking that provides identity and individual excitement than it does with coherent, religious understanding.

The social media strategy the Islamic State employs is specifically directed at youth worldwide. Tech-savvy cyber jihadists have been able to attract frustrated, marginalized, and vulnerable young people through the web to its ranks and convince them of their world vision. Thus, to defeat the Islamic State, we need to somehow supply an alternative identity to Muslim youth or undermine the identity the Islamic State affords its youth – a new prerequisite for successful warfare today.

Thus, it is not only that the Islamic State practices good operational security (which al Qa`ida did not) and uses tools and apps the West created to reach those searching for identity. It is not only that the Islamic State encrypts communications and takes numerous and advanced steps to avoid being detected by Western surveillance. It is not only that Islamic State media posts numerous detailed and comprehensive 'DIY' terrorism instructions online – inspiring violence remotely and anonymously. It is that mentoring – the requisite psychological activity for anyone searching for identity – is now conducted, not individually by a person in a small Koranic study group in the basement of the local Mosque, but by and through secure social media through the internet.

The terrorist world – more than any other – is flat. The Islamic State now reaches into every Western country, thanks to appealing social media. Individuals are killed monthly by lone wolves worldwide. (It is better to call them 'cyber wolves?') The internet allows tens of thousands to stay on message, hear the same sermons, view the same video messages, and marvel at the same beheading videos. The Islamic State has discovered that extremism generates publicity – and that's all that matters. Savagery is official policy since it generates massive, worldwide media buzz.

A new phenomenon has emerged through these high-quality, Islamic State snuff videos: brutality that engenders pride and a sense of psychological inclusion, rather than revulsion. Whereas al Qa`ida used the web to advance its message with online content (web 1.0), the Islamic State uses social media to pass imagery of savagery to project a sense of righteousness, modernity and, somehow, invitation (web 2.0+).

Al Qa`ida's no. 2 man at the time, Dr. Ayman al-Zawahiri, had to write an online letter to al Qa`ida followers in 2005 to apologize for al Qa`ida-in-Iraq leader Abu Musab al-Zarqawi's brutality. (He was beheading people and putting the video online.) Savagery was giving al Qa`ida a bad name. Today, Zarqawi's successors – the butchers of the Islamic State – showcase their beheadings, drownings, live-burnings, and stonings in 1080p video and make sure anyone in the world who wants to watch can see it. They could not be more proud of it. Even the Nazis tried to cover up their acts of torture and mass execution. We have little appreciation for this phenomenon – let alone a psychological counter to it. And we have nothing to counter it online.

Although we may have invented the internet, the Russians, Chinese and especially Islamist terrorists really know how to use it. We are utterly intellectually and strategically flummoxed in our attempt to address and defeat how the internet has allowed the Islamic State to make jihad 'cool.'

The Islamic State has an _'iTerrorism' Strategy_ : wear down the United States with constant threats, terror, imagery, and success so that the West will freeze politically and strategically. The Islamic State believes the West is incapable of sustaining battle for a long time and will implode politically, owing to its own moral collapse, social inequities, opulence, selfishness and priorities to worldly pleasures.

How To Fight During Peacetime

To protect US national interests from further attacks and the erosion of sovereignty during this period of persistent confrontation, the United States Government must first recognize how our adversaries act in peacetime. The President ought to have options and the legal framework to confront adversaries who use the internet to place weapons on US infrastructure, violate US sovereignty, steal industrial and proprietary information, and commit conspiracy to commit murder. A legal, appropriate, proportional US response to such adversary activity should include elements of deterrence, capabilities that can de-escalate an international crisis, and the legal recognition that much of what the Islamic State publishes on the web is illegal speech.

As a country, we must adapt to this changed reality of conflict and competition in cyberspace. We need synchronized interagency measures to bring all the powers and authorities of the US government to bear on malicious cyber actors and prevent rather than simply react to adversary threats. Undoubtedly, the US military plays a key role, including taking actions to signal US capability and resolve in instances short of conflict, just as the DoD does in the other domains. We must forge a consensus on when we can and should respond to attackers and exploiters that also clarifies the proper role of the military in a whole-of-nation approach to improving our security in the cyberspace domain. We need to test and deploy offensive cyberspace capabilities, at scale, and in ways that make it clear we can back up words with actions while building trust in the ability of the US government to exercise power and capability to responsibly defend the nation, consistent with international law and norms.

At present, our approach to the current period of continuous confrontation has been almost exclusively defense, such as the hardening of defenses of US Government and DoD networks. Good cyber deterrence policy is a combination of international norms promulgated on paper, in public, and in practice, but also clear, well-signaled responses in reply to certain unacceptable activities.

Current and ongoing activities by Russia, China, and ISIS demonstrate why the US military needs to reexamine the perhaps outdated Phases of Warfare construct, which depicts warfare as a series of US military responses to adversary escalations. Yet hostile activities today rarely align neatly with definable breakpoints. And, any particular Phase is determined by the activities of the adversary, rather than time. Commanders must recognize that some conditions do not align clearly with any Phase, especially given that the Phases construct was written to track the two great world wars of the previous century – a discernable form of conflict likely never to repeat itself. Commanders ought to be expected today to transition or maneuver quickly to meet any challenge. They need the support and understanding of the American people in order to act. Understanding warfare today is a prerequisite to defeat the new challenges to our sovereignty.

The era of persistent confrontation, of course, is not limited to the United States and its particular adversaries. This warfare is occurring worldwide – a form of low level, gray but global conflict via cyberspace every day. Thus, the United States must find like-minded allies and friends to wage this conflict in a coordinated, unified fashion to build the international customs and norms the West built in the last century in the other four domains. Further, although our national security policy and confrontation via cyberspace involves the whole of government, cyberspace involves the private sector just as much. Our approach to shape norms of cyberspace, therefore, will need to involve free enterprise and the private sector if we are to be successful.

The United States defends itself in all domains and uses military forces in all domains to defend itself in a manner and combination it chooses. There is nothing different or unique about cyber warfare, or more accurately, _'warfare via cyberspace.'_

The traditional (i.e., non-cyber) domains are relatively stable because of decades of US efforts to shape each domain; this shaping is badly needed in cyberspace. At first, many thought cyber warfare would occur often, separate from traditional warfare, and be enormously influential. That doesn't seem to be happening. It could be that cyber warfare will indeed be important, perhaps even decisive, but more likely it will serve as a complement to a state's military power, part of a larger political and military confrontation with states and non-state actors. That is, cyberspace operations may prove important but will likely be integrated into a state's national and military strategy – not fenced off from any larger strategy, confrontation, or conflict. But more importantly, cyberspace will favor authoritarian states that violate sovereignty, law, and proposed norms all in peacetime as long as the United States does not successfully impose costs for such warfare in peacetime.

The DoD is involved in cyber warfare in order to project power through this domain and because cyber-attack and cyber effects implicate the United States' inherent right of self-defense. Other US Departments, such as Justice, Homeland Security, Commerce, Energy, and the intelligence community at large, all have equities involved and a role – mostly in cyber defense. But cyber defense alone is insufficient to shape any military environment. Because states fight in cyberspace, the US warfighting right must be retained for instances where defense or law enforcement are insufficient or inappropriate to shape the cyber domain.

Whereas World War II began for the United States on December 8, 1941, when the United States declared war on Japan and on December 11, 1941, when it declared war on Germany, the United State may already be involved in warfare against certain adversaries today without such a declaration of war, which might or might not escalate into larger kinetic violence in the future. Adversaries conducted information operations in the past to complement their kinetic and maneuver warfare to seize territory. Today, Information Operations delivered via cyberspace are the means to manipulate new geo-political realities without having to occupy territory physically.

Cyberspace favors the less legalistic and those who like to conduct Information Operations, for cyberspace gives those actors a direct window to the individuals they wish to influence. The United States needs not become expert at propaganda or Russian-style trolling or Chinese industrial theft, but it does need to recognize how our adversaries have shifted warfare 'left' and figure out how to 'win' in the new era of persistent confrontation.

And how do we 'win' in peacetime against such adversaries? Many of the responses we need to consider may make us uncomfortable, given how confrontational they may appear during this period of peacetime:

Counter Russia

The best means to defeat Russian strategy first and foremost is to expose it (have academics discuss it; publish op-eds exposing it; brief allied states on it; identify and expose Russian propagandists). States along Russia's periphery live it already. NATO states need to acknowledge it, talk about it publicly, and confront it directly.

The second-best means is to better defend targeted states' cyber infrastructure from Russian networks, Russian control and infiltration. NATO states can deploy state or private cyber teams to shore up a state's defenses and collect on Russian activities. NATO states can expose Russian propagandists.

The third means is to contest propaganda (Russian trolls, misinformation and information operations) delivered through social media with antiseptic counter messaging. The Russian Government fears social media, which is why it attempts to manipulate it as much as possible. Overt counter-messaging could be conducted to expose the presence of Russian soldiers in Ukraine, the number of Russians killed in Ukraine (and the number of Ukrainians the Russian have killed) and to post inside Russia the Dutch Government's assessment blaming the downing of Malaysian Airlines Flight 17 (MH17) on Russian separatists, very possibly with the direct assistance of Russian military forces. To advance this counter propaganda effort, the United States could set up and fund more free media outside of Russia but that focuses (in Russian) on Russian Government activities.

The fourth means is to multiply internet sources inside Russian-targeted countries to defeat Russian internet blockages of those states (mobile WiMax; local hotspots; phone to phone internet).

A fifth means is to call on the private sector, which owns or controls most of this cyber infrastructure outside of Russia, to adhere to the Terms of Use guidelines that it claims govern the use of its media. Hate speech, libel, speech disparaging of certain groups ought to be immediately purged from its private sector sites. The private sector ought to be challenged to protect what it has created from Russian state manipulation.

The sixth means is to embrace our allies as much as possible to dissuade the initiation of Russian hybrid warfare at the outset.

The seventh means is to stop Russian propaganda institutions masquerading as journalism: require RT and Sputnik Television to register as foreign agents (Russia has already kicked out US NGOs which fund liberal projects; RT and Sputnik Television are propaganda media funded by the Russian Government.)

An eighth and particularly devastating move would be to kick Russia out of the Swift Program (the Society for Worldwide Interbank Financial Telecommunications).

Russia today is at least a cyber-peer to the United States; it is undoubtedly the most sophisticated and difficult challenge for states it wishes to destabilize. Russia recognizes the importance of cyber operations in all conflict today and invests in its continued use. It does not hesitate to use cyberspace in its warfare. Neither should we.

Counter China

Beyond the diplomatic (bilateral) attempts to date to dissuade Chinese economic espionage (bilateral statements pleading not to steal each other industrial secrets; indicting a handful of Chinese military personnel involve in such theft – forever denying them a vacation to Hawaii), the United States could inform US industry quite loudly and publicly that the US Government cannot protect US proprietary information from Chinese hackers and point out that business in or with China may ultimately cost more (much more) than US industry realizes; business in or with China may not be worth it. Many US industries in China today simply don't understand the magnitude of their proprietary loss – until a competitive Chinese company emerges out of nowhere (with its technology) to steal its market.

The President also has the power to consider economic sanctions in reply to Chinese industrial theft, in accordance with existing Executive Orders. He also could take the estimated economic loss to the World Trade Organization (he may not get the damages the American people deserve from the WTO, but at least the appeal would embarrass the Chinese Government). An especially audacious move might be to attempt to deduct the alleged proprietary loss (estimated by a third party) from the US debt owed to China. At the least, the United States could give favored nation status to nations that do not conduct economic espionage.

Like with Russia, the US Government could shame the Chinese with a very public, high visibility PR campaign, highlighting the numerous cases of intellectual and industrial, proprietary theft it has suffered. It could sponsor conferences highlighting the US economic loss to China, advising US industry to move closer to US shores (i.e., Latin America), where its proprietary information may be safer.

A defensive and painless move would be to conduct more offensive counter intelligence operations to poison Chinese collection by putting more fake industrial information online for the Chinese to steal. US industry could be advised to better protect its information too; US defense industries could be directed to mirror its genuine proprietary information with bad proprietary information.

A cyber-specific idea is to create and proliferate cyber tools to defeat the Great Chinese Firewall. Like with Russian leadership, the Chinese fear societal unrest most. Therefore, China's center of gravity in our cyberspace competition is likely defeating China's ability to control information internally.

Other more costly ideas include inflating the US dollar to reduce our debt with China (stop quantitative easing). And like with Russia, the United States and its allies (who are suffering equally from Chinese industrial theft) could kick China out of the Swift (financial telecommunications) Program.

According to the 2017 _Report of the Commission on the Theft of American Intellectual Property_ , the _annual_ cost to the U.S. economy from intellectual property theft exceeds $225 billion and could be as high as $600 billion. In 2015, the Office of the Director of National Intelligence estimated that economic espionage through hacking costs Americans $400 billion per year. Chinese Government is estimated to be responsible for 50 to 80 percent of cross-border intellectual property theft worldwide.[16] And a 2013 Verizon report claimed China is responsible for 90 percent of cyber-enabled economic espionage in the United States.[17]

Many experts, academics, Western governments, and cyber firms have identified this theft. All who have worked in China knows this is true but virtually no one proposes anything to remedy the loss. The US Government seems to have adopted the attitude that it is something Americans just have to swallow year after year.

Americans have enjoyed some success in suing states that have sponsored terrorism. Multi-billion dollar judgments have been awarded to US plaintiffs in now numerous lawsuits against states, such as Iran, which have directed, sponsored, or financed terrorist acts. US industry, therefore, ought to model such lawsuits to recover the intellectual property lost to the Chinese Communist Government via cyberspace-enabled espionage as well as against the financial institutions that launder money accrued from such theft. Congress could incentivize this straightforward remedy by amending the _Economic Espionage Act_ to provide a private cause of action to allow private entities to take legal action against the state of China for such intellectual property loss.

Roughly 20 percent of the value of most U.S. businesses resides in physical assets but 80 percent in information assets. The profit China derives from stolen commercial secrets is so great that it likely accounts for a large portion of China's often touted miraculous economic growth.

Instead of embracing Western institutions and the rule of law, the Chinese Communist Government cynically uses them when in their interests and flouts them when they can. The Chinese Communist Government knows well how difficult it is for states that adhere to democratic principles to react to such brazen law breaking and thus knows the US Government may never get around to blocking or punishing Chinese intellectual property theft, let alone recover the economic loss from the last decade of such unchecked Chinese economic espionage. In short, the current situation favors and encourages the law-breaking, totalitarian state of China.

Economic espionage consists of the theft or private, industrial (proprietary) information and sensitive business information to aid Chinese industry and trade and business negotiations. This illegal activity is what China is especially well-known for and rightly so. Chinese-government economic espionage is likely greater than the economic espionage conducted by all other states against the United States combined. A 2013 MacAfee study estimated the annual loss for the United States from cybercrime and espionage amounted to as much as 1 percent of US national income and as many as 508,000 US jobs; China accounts for most of this loss. The US-China Economic and Security Review Commission concluded that Chinese espionage comprises the single greatest threat to US technology.

Further, China's Cybersecurity Law, implemented in 2017, now requires personal information held by "critical information infrastructure" to be stored on servers in China and data deemed important be given a "security assessment" before it can be transferred abroad ( _meaning such information won't be allowed to be transferred_ ). Any US business that wants to do business in China must agree to Chinese cybersecurity laws that require its data to be housed in China ( _which means US intellectual property will be lost once it rests inside China_ ). Such requirements, beyond the obvious targeting of US intellectual property, form a formidable (if not Orwellian) barrier to fair trade and international digital commerce: any data stored in China is Chinese data (' _what's mine is mine; what's yours is also mine_ ').

As former Director of the National Security Agency and the CIA, Michael Hayden, recently said, ' _the US Cyber Calvary ain't coming to save any US business._ ' The private sector ought to realize that its best remedy may be the Court system to seek damages and ultimately deter future Chinese industrial theft. Further, the US Government ought to encourage US industry to set up intellectual honeypots (pockets of false intellectual property), which the Chinese could hack into and steal in order to effect a level of deterrence and doubt into the Chinese intellectual property espionage effort. Nothing legally prevents them from creating such false information now and US industry would be foolish if it is not already doing this.

Chinese cyberspace enabled economic theft has not only damaged US companies but has also helped China save on research and development expenses, while catching up on critical industries. The cumulative effect has been to erode the United States' long-term position as a world leader in science and technology.

Counter Islamic State

The Islamic State will be defeated only when it becomes de-legitimized within the Muslim communities in which it is bred. That requires competing voices and opinions to reach existing and vulnerable Muslim audiences.

Cyberspace operations must shut down Islamic State communications completely. The Islamic State's center of gravity is likely cyberspace – its principle means to recruit, train, inspire, and transmit finances and weapons technology. No counter Islamic State strategy can ignore the cyberspace domain. No counter Islamic State strategy will succeed if the State remains online to reemerge again someday.

Counter Islamic State strategies include offensive information operations to sow discord, confusion, and rivalry among terrorists and their sponsors. Our Information Operations must recast the image of Islamic State leaders. They must find ways to redirect the alienation among Muslim youth that is fueling recruitment.

Cyberspace operations must turn Muslim public opinion against extremists. They must support Muslim religious leaders and movements that compete with the extremist movement in terms of mass appeal and popularity among the youth. They must support sustained and direct involvement of moderate Muslims and clerics in countering the Salafists interpretation, which is paramount in attacking the root causes of extremism. In short, our war with the Islamic State may involve the cyber domain more than any other.

All forms of confrontation and warfare today involve the fifth domain of war – cyberspace – whether we like it or not. And the future of warfare may involve even more peacetime maneuver and information manipulation and less violence than we see today. The sooner we recognize how our adversaries 'fight' in peacetime today, and what is required of us to compete and win in this new Phase 0, the more successful we will be in defending our sovereignty and preventing conflicts from escalating to violence.

# WARFARE AND DETERRENCE IN THE ERA OF CYBERSPACE[18]

Although cyberspace may have been declared the fifth domain of warfare by the DoD, many wonder if the concepts of warfare and deterrence apply to this domain. Is the domain somehow different from the others? Can states achieve new political outcomes by the clever use of cyberspace alone? Can deterrence effected through cyberspace alone halt warfare?

At first, some analysts, such as Richard Clarke in his 2011 book on cyberspace, _Cyber War_ , posited that cyberspace would be definitive – that end states (the final stage of a military operation) could be achieved through the clever manipulation of computer systems alone. Later, that view was contrasted by analysts such as Thomas Rid in his 2012 piece in _Foreign Policy,_ entitled "Think Again: Cyberwar," in which he argued that cyberspace might have little ability to achieve new end states at all, and might merely pose nuisances for states in their quest to change the _status quo_.

I will argue that cyberspace as a domain of warfare is neither a definitive nor insignificant domain – it neither will win wars alone or be utterly useless during conflict. Similarly, deterrence is best pursued when states use all domains to deliver elements of defense and punishment, i.e., _'cross domain deterrence.'_ Thus, cyberspace ought not to be viewed as a decisive, separate, unique, or meaningless domain, but instead as one domain working in tandem with the others through which power is exercised to pursue an end state. Cyberspace's role in warfare has yet to be properly integrated into US war planning, largely due to this earlier debate over whether it will prove decisive or inconsequential. It is neither. Further and correspondingly, deterrence will best be pursued through all military domains. Cyberspace will not be able to deliver cyber effects and threats that, alone, will shape adversary behavior. But if delivered in tandem with other domains, their effects will be meaningful. In other words, 'cyber deterrence,' like 'air deterrence' or 'sea deterrence' is real, but, applied alone, may connote exaggerated notions of its likely effectiveness.

Although cyberspace is now considered the 'fifth' domain of warfare by the DoD (the others being land, sea, air, and space), cyberspace operations ought not to be viewed as separate, stand-alone military options apart from the other domains. Many analysts often view and analyze cyberspace as a military domain in which states fight and remain in exclusive of the other domain. But in fact, the United States defends itself in all domains and uses military forces in all domains to defend itself, in a manner and combination it chooses. There is (or should be) nothing different about cyber warfare,[19] or more accurately, _'warfare via cyberspace.'_ Warfare involves all the domains; the addition of the cyber domain does not change how warfare is conducted – all domains can be or should be involved all the time.

Scholars originally treated the introduction of cyberspace as if it were different from the other domains. At first, many thought cyber warfare would occur often, separate from traditional (i.e., kinetic) warfare, and be enormously impactful. That does not seem to be happening. It could be that cyber warfare will indeed be impactful, but more likely serve as a complement to the other domains in a conflict, part of a larger political and military confrontation with states and non-state actors. That is, cyberspace operations may prove important but will likely be integrated into a state's military strategy, like all other military domains – not fenced off from any larger strategy, confrontation, or conflict.

Is the Cyber Domain Different?

'Cyberspace operations' are the employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Commanders conduct cyberspace operations[20] to retain freedom of maneuver in cyberspace, accomplish a joint force commander's objectives, deny freedom of action to adversaries, and enable other operational activities.[21] Cyberspace operations involve the delivery of effects[22] (any change to a condition, behavior, or degree of freedom) via cyberspace and can be as diminutive as collecting intelligence or delivering propaganda to as harmful as disrupting government websites or stopping a civilian Supervisory Control and Data Acquisition (SCADA) system (computer-based systems that monitor and control an industrial plant or equipment) at a dam, an electrical power plant, or an air traffic control system.[23]

A 'strategic attack' is an act which renders a decisive effect or a catastrophic effect on the outcome of a conflict, renders catastrophic effects on civilian infrastrucuture or population, or which has a significant impact on US power or prestige. A strategic attack is an offensive action conducted by command authorities aimed at generating effects that most directly achieve national security objectives by affecting an adversary's leadership, conflict-sustaining resources, and/or strategy.[24] A 'cyberspace attack' (or 'cyber attack') consists of any hostile act using a computer or network system intended to disrupt, manipulate, or destroy an adversary's critical cyber systems, assets, or functions to achieve a decisive effect on the overall conflict. (Decisive effects, however, do not necessarily translate into decisive outcomes: North Korea conducted a decisive cyber-attack[25] on the infrastructure at SONY pictures in November 2014 but did not change the overall political _status quo_ between the United States and North Korea.) Cyberspace attacks are actions that create various direct denial effects in cyberspace (i.e., degradation, disruption, or destruction) that manifests in the physical domains.[26]

The nation is under constant cyber exploitation[27] (intelligence collection) by state and non-state (i.e., terrorists/criminal groups) actors. Russia, China, North Korea, Iran, and the Islamic State/al Qa`ida use cyberspace during 'peacetime' to pursue a variety of national security goals, including operations that violate US sovereignty by employing cyber capabilities against US critical infrastructure, stealing intellectual property, attacking US industry, conspiring to commit terrorism, and producing cyberspace effects on US private and government infrastructure. Adversary strategies combine traditional military forces and information operations to maneuver, influence, and manipulate information.

Cyberspace competition[28] is occurring every day. The effects cyber weapons have and can have on infrastructure is quite real. Cyber weapons can make weapon systems fail and critical infrastructure, such as air traffic control, rail lines, traffic lights, electrical power grids, hydro-electric dams, purification systems, mass media networks, communications networks, and financial systems "go dark," or become disrupted. These weapons, however, are rarely used by states. The two notable exceptions were STUXNET in 2010 – a targeted attack against Iranian computer controls of the country's uranium enrichment centrifuges – and the attack on Ukrainian electrical grids in 2015. (Both acts could have been viewed as acts of war by the states affected.) Cyber capabilities to conduct espionage, steal proprietary information, or transmit terrorism information, however, are exercised frequently.

Cyber effects alone – apart from warfare in the other military domains – can kill thousands as secondary effects, should cyber weapons be directed to disrupt civilian infrastructure (such as electrical grids, hospitals, or gas lines) and be persistent, not allowing the attacked to reconstitute its civilian networks. But such attacks would not change the political _status quo_ between states. (Should Russia attack US electrical grids, causing thousands of Americans to die in traffic accidents and hospital failures, the tragedy would be enormous but not likely lead to US military failure or the loss of any political alliance or territory to Russia.) Further, such attacks out-of-the-blue and divorced from a serious political confrontation are as unlikely as an adversary using just one domain in a period of peace to attack the United States. In short, a nation-state is just not likely to use cyberspace alone to attack the civilian infrastructure of a competitor in peacetime. Although such 'strategic cyber-attack' is conceivable, it is unlikely in the extreme – as unlikely as a US foe using only the air domain to send one airplane into the United States to destroy one element of US civilian infrastructure.

Extremely targeted, independent cyber-attacks on private sector infrastructure (divorced from any kinetic violence) have occurred, however. The most notable was the North Korean attack on Sony Pictures on November 24, 2014. Personally identifiable information of Sony Pictures Entertainment (SPE) employees and their dependents, email messages among employees, information about executive salaries at the company, copies of unreleased Sony films, and other information were obtained and released by a hacker group under the moniker 'Guardians of Peace' or 'GOP.' SPE claimed names, addresses, social security numbers, driver's license numbers, passport numbers, bank account information, credit card information, and other employment-related information was stolen. The hackers involved claim to have taken over 100 terabytes of data from Sony. The attack caused millions of dollars of damage to Sony computer systems.[29]

North Korea's cyberspace attack on Sony was an attack as well an act of 'compellence' – an effort to compel Sony not to release its movie, _The Interview_ , which placed North Korea's leader, Kim Jun-un, in a perceivably bad light. A state threatening individuals within a US private company does not fall neatly into US definitions of crime or warfare; cyberspace may now allow for such micro-targeting of individuals worldwide for extremely narrow state goals. The attack may have been successfully performed by North Korea but likely had little to no overall effect on the United States-North Korean relationship. Sony Pictures may have been successfully intimidated to a small degree, but the United States Government as a whole likely was not.

Cyber effects can, however, affect a nation's confidence in its weapon systems or its communications, or its ability to supply troops or feed civilians. They may create moments of doubt and pause or popular disquiet when directed at the government for failing to maintain such systems. A disruption of computer systems in the United States would likely cause a significant disruption to daily life. A lack of confidence in US computer systems – such as with one's bank account or regional air traffic control system – would indeed affect confidence but would not, alone, decisively change state relationships.

The Fundamentals of Deterrence Do Indeed Apply to Cyberspace

Deterrence[30] is based on the elements of _denial_ (denying an adversary's attempt to attack our interests) and _punishment_ (inflicting unacceptable costs to the attacker in reply for having conducted the attack). At present, most US cyber deterrence efforts have been defensive. And, so far, the United States has yet to reply to a cyber-intrusion with punishment via a cyber operation. Although a state could pursue deterrence via defense alone, without both elements – denial and punishment – deterrence will be weak or fail. To date, cyberspace operations worldwide have been dominated by the offense by malicious actors and the absence of retaliatory punishment by the United States.

Deterrence via denial alone is hard and, without an enormously increased commitment, likely impossible. The cyber victim is always in the hopeless position of trying to discern what adversary accesses exist to one's networks and stop such malicious intrusions. Adversary capabilities are written specifically to enter these networks surreptitiously and conduct malicious operations in secret. But deterrence via punishment is hard, too. Many cyber response operations cause little pain to the attacker. And a deep commitment to international law makes it difficult for the United States to contemplate and conduct cyber operations that might violate state or third-party sovereignty or inflict enough pain that subsequent attacks are successfully deterred.

Successful deterrence requires the demonstration of both defensive and offensive capabilities (e.g., exercises, technology demonstrations, and so forth) in order to signal and warn adversaries. Successful deterrence is not achieved by a robust, threatening public statement alone. Deterrence was effective in the nuclear age, for example, not by the publication of declaratory policy, but by the fielding of thousands of protected, redundant, and openly tested nuclear weapons, all supported by a robust Command and Control apparatus, exercised frequently at the highest levels of the US Government. US resolve was proven through its clear capabilities to retaliate against potential attackers.

The goal for cybersecurity, therefore, should not be to appear non-threatening _,_ but to appear extremely capable in cyberspace (like in the nuclear world) in order to deter malicious and destructive cyberspace actions through the credible threat of retaliation. Additionally, this goal must include demonstrating that capability when necessary. Were the United States to suffer a renewed high crime rate, for instance, it could not expect to improve such a climate without policing malicious behavior. The same applies in cyberspace. The United States cannot expect to improve the current climate where many malicious actors use cyberspace to utilize weapons against US critical infrastructure, steal intellectual property, or advance terrorism planning and recruitment without an established and prepared form of retaliatory punishment.

Furthermore, the United States cannot develop norms in cyberspace unless it has developed and exercised capabilities for the domain. A state cannot develop norms at sea, for instance, unless it has ships at sea and the will and the means to enforce norms. The United States cannot achieve the outcome it desires without conditioning the behavior it expects. There are many ways to set the parameters for a contested space, such as attributing shame for and, if necessary, punishing activities that go beyond accepted norms. Norms are created through common state practice; over time, some norms are codified into customary international law – practices mutually conducted and accepted by states. Such norms became the basis of the Law of the Sea, conduct in space, and treatment of warships at sea. Thus, good cyber security (deterrence) policy is a combination of both international norms established on paper within international forums and clearly executed and well-signaled responses to unacceptable activity.

In the cyberspace domain, however, the United States cannot demonstrate its cyber capabilities to the world at an airshow or weapons fair or in retaliation to an attack without revealing (and therefore forever losing) such capabilities. In the nuclear age, tests and fielded weapons made nuclear deterrence real and credible. In the cyber age, a state cannot reveal its cyber code and accesses into adversary networks without losing both to the adversary. Thus, the United States has generally refrained from establishing clearly marked red lines in the cyber world, opting instead to lead by example by not stealing proprietary information or attacking critical infrastructure of another state.

Thus, the United States runs the very real risk of trivializing cyber-attacks, such as during the instance of the November 2014 North Korean attack against Sony, the denial of service attack against TV5Monde in France in April 2015, or the December 2015 cyber-attack against Ukraine's electrical power. Instead of retaliation, the United States labeled these events as 'vandalism' and abstained from punishing the attackers. In response to such attacks, the United States often dithers on both a cyber and whole-of-government reply, thereby sending the message that such activities will not be met by any sort of robust, punitive US response – cyber or otherwise.

Heavy reliance on the internet for many aspects of contemporary life may render the United States especially vulnerable to cyber-attack, but it does not change the characteristics of deterrence. Denial and punishment remain at the core of deterrence. Cyberspace is but one delivery mode (only one domain) for capabilities to inflict punishment on an adversary, though punishment need not necessarily come through the cyber domain in response to a cyber-domain attack. Almost always warfare involves most or all military domains; the introduction of the cyber domain will not change this fact. Deterrence is effected through defense and the threat of punishment via all domains; cyberspace does not change this reality either. There likely will be no 'cyber deterrence' strategy that claims cyberspace alone can deter all wars, control theater conflict, dissuade states and non-state actors away from espionage or intellectual property theft, or deter terrorist use of the internet.

The Danger in Not Inflicting Punishment

There is, however, a perverse danger to not acting in response to malicious cyber activity. Although it may be hard to deter states and non-state actors from many forms of malicious cyberspace activity, it is imperative that the United States respond to such activity.

Adversary states likely assume today that the United States has at least the cyber capability and intent that _they_ have (if not superior capabilities). In fact, most states likely assume the United States is the world leader in cyberspace capabilities, whether it is or not. Therefore, and somewhat perversely, assuming that our adversaries likely _think_ the United States is already in their networks, or at least could be during a crisis, our adversaries might become emboldened to escalate a crisis if the United States were to _not_ use cyberspace capabilities to control a crisis. Since we are more capable, they assume, inactivity would be evidence of a lack of capability. (Why wouldn't the United States hit back following a cyber-attack or severe malicious cyber activity?)

Similarly, assuming that adversaries _think_ that the United States is already in their networks, in a crisis, adversaries might assume that the United States is going to attack their networks and, therefore, believe they ought to preempt such an attack in cyberspace. Therefore, by not having such a cyber-attack capability ready or a policy in place to retaliate against unacceptable cyber activity, the United States may only place itself at greater risk of escalation. As a crude analogy, if the US voluntarily were to eschew use of airpower in confrontations with adversaries, where it was assumed US airpower was highly capable, the United States might suggest over time that its airpower was not as strong as thought. The US may not be advancing good cyberspace behavior, therefore, by not responding to cyber-attacks via cyberspace from time to time.

Commanders today assume that suspicious outages in cyberspace may be part of a conflict or confrontation with a capable state or non-state actor, given that cyberspace is a warfighting domain through which attacks can and occasionally do occur. Such a fact could work in the US favor: if adversary Commanders assumed that the slightest, direct confrontation with the United States might lead to complicated and subtle cyber failures in their networks and critical infrastructure, just as the advent of nuclear weapons made even small, direct conflict between the United States and the former Soviet Union far more dangerous since theoretically escalation could lead to nuclear war, states may conclude that they must avoid any and all confrontation with the United States, lest they risk complicated cyberspace attack in response.

Deterrence is a function of establishing redlines, denying benefits, and imposing costs. Each military domain contributes differently to warfare; operating in each domain carries costs and benefits. All such domains work best when they work together. The United States must provide international leadership for the development of functional peacetime norms in cyberspace. If the United States does not contribute to shaping the domain, it will inevitably be forced to react to norms set by others, favorable or not. Whereas most nations tend to respect the traditional rules of peacetime behavior in the land, sea, air, and space domains, many adversaries exploit cyberspace today and ignore traditional rules of conduct, warfare, and sovereignty. If nations cannot agree diplomatically on general concepts and rules of behavior in the cyberspace domain, the United States cannot realistically expect malicious actors to respect the norms it voluntarily imposes on itself in cyberspace. Malicious actors will have to be made to see the benefits of adhering to a stable international relationship within the cyber domain.

At the moment, according to the former Director of National Intelligence, James Clapper, adversaries are putting cyberspace weapons and capabilities on US networks and threatening its critical infrastructure and key resources.[31] If the United States were not to do the same, adversaries would enjoy a perverse advantage. In a sense, the United States may be behind some adversaries in a new era of ' _Mutual Disruption_ ' (where states can threaten mutual strategic cyber-attack on each other). If the United States does not move to a relationship that is indeed mutually threatening, it may very well create the very instability it seeks to avoid. It would be akin to thinking that in order to deter nuclear war with the former Soviet Union, the United States should have never built nuclear weapons.

Deterring Kinetic Conflict via Cyberspace

'Cyber deterrence' may seem to imply that deterrence of malicious cyber activity only occurs through the employment of defensive and offensive _cyber_ capabilities. But malicious cyber activity does not have to be deterred necessarily by cyber activity. Malicious cyber activity can be deterred by defense and punishment through the other domains and through a whole of government approach, including sanctions, public attention, diplomacy and private sector activity.

Likewise, malicious (kinetic) activity by adversaries outside of the cyber domain (in any of the other four domains) may be deterred – at least in part – by US cyberspace operations. The United States, therefore, ought to consider use of cyberspace capabilities, as well as kinetic capabilities or other instruments of power, to deter malicious cyberspace activity by its adversaries. In other words, the United States ought to use both kinetic and cyberspace capabilities to deter traditional kinetic conflicts. This is what is meant by the phrase, ' _cross domain deterrence_.'

Malicious cyber actors are currently shaping cyber norms. If the United States aims to develop credible deterrence, it must act, and preferably act in all domains. There is much that can and must be done, consistent with international law, to deter cyber or traditional conflict through the cyber domain. Cyberspace is merely one of five warfighting domains through which the traditional elements of military power can be applied.

# CYBERSPACE'S FUTURE IS CLOUDY WITH A CHANCE OF PERSISTENT AUTHORITARIANISM[32]

The world's malicious cyber actors — Russia, China, Iran, and North Korea – have despoiled cyber's original, idealistic vision and instead use cyberspace to advance competitive interests to undermine Western laws and norms and pursue a clandestine means (cyber theft) to catch up with the West in technology, political influence, and wealth. Further, they are perfecting cyberspace as a tool for political control internally. In short, the cyber world so far has given us many good things but also many bad and never delivered the profound political change many predicted; overall, to date, one could argue it's been a disappointment.

Cyberspace operations today are hard to discern and even harder to attribute and forensics and attribution are likely only to get especially hard for these malevolent states that do not adhere to international law, Western notions of liberal democracy, or accepted norms of behavior. It is entirely possible that the United States and its allies will not be able to discern or deter numerous — if not most — adversary cyberspace operations in the future as malicious cyber activity becomes more surreptitious, numerous, automated, and normalized. In short, cyberspace is Paradise Lost, and its future is gloomy with a chance of frequent, un-attributable assault.

Although it sounds contradictory, states 'fight' today in 'peacetime' via cyberspace below the legal threshold of armed conflict. They conduct 'warfare in peacetime.' US Government legal departments failed to keep up with this clever, adversary, asymmetric strategy to permit a requisite reply.

States have discerned how to compete via the manipulation of narratives, facts, information operations, and occasional cyberspace attack that injure or kill no one and usually do not elicit a strong counter attack (assuming they are even discerned). Yet through these cyberspace operations, political realities change, borders change, and technology and wealth is stolen. In response to these challenges (in Ukraine; across the Taiwan Strait; against the US defense industrial base; from cyber criminals who enjoy state protection) the United States often finds itself legally confused, jelly-legged, and politically fractured.

Russia and China are not 'great power' competitors – they are autocracies – authoritarian and totalitarian states that use Western institutions when in their interests and violate them when they are not. This is not 19th century Britain, Spain, and France competing for continental dominance or colonial empires. The United States is not in an era of great power competition; it is in an era of the rise of global authoritarian and totalitarian states, which are purposefully undermining the rule of Western law and norms of international behavior to create new political realities and false images of themselves. They smear the United States in a perceived zero-sum competition for global influence. These states now believe their own talking points that the United States is some sort of global colonial power. Like with all authoritarian states, their rulers are more and more deluded by their own megalomania and information operations (which is why authoritarianism is so dangerous).

Cyberspace norms are being created by default as the United States and Western democracies fail to push back violations of their sovereignty and defend against the theft of Western wealth and proprietary information or deny the use of the internet by terrorist groups. Adversaries no longer fear competing with the United States in cyberspace, believing that we are either self-restrained for legal or political reasons or we are not as capable as they thought we were. Consequently, there is no risk or serious repercussions for malicious activity. Adversaries hide behind anonymity.

Some analysts claim that there are no 'defined rules of engagement in cyberspace yet.' But that's not quite right. There are already many rules, including the Law of Armed Conflict, proprietary law, trade law, concepts of sovereignty ... but they are often not respected by the malicious cyber actors. And there are no repercussions for their violations, though many are unambiguously illegal: proprietary information theft, cyberspace attack on civilian infrastructure in peacetime, safe haven for ransomware attackers, or overt support to criminal groups. Therefore, these malicious cyber actors will continue to press forward unless and until they are punished (it's not that their malicious activities are ambiguous or undefined). But if they are not punished, you can expect no change in cyberspace or in the behavior of the malevolent states.

Both China and Russia enjoy an 'asymmetry of interest.' Both believe they care more about their foreign policy, national security, and cyberspace interests than do the United States and Americans generally. This asymmetry – which they foster — allows more maneuver and malicious activity. If warfare is a test of will, our adversaries currently enjoy more of it (at least they believe they do).

Currently, cyberspace promises an asymmetry of the offense over the defense. Further, there is no balance of power (or balance of terror) in cyberspace – small state and non-state actors can and do wield strategic power against much larger states. Worse, adversaries and the United States play by different rules: adversaries by pressing boundaries; the United States by expecting respect for international law. There is currently little fear of US counter-engagement in cyberspace that would make the malicious actor regret its initial malicious cyberspace operations.

The US policy of restraint — a naïve attempt to demonstrate to adversaries that all states should refrain from militarizing cyberspace — is in contradiction with the expectation that malicious cyberspace actors should somehow be deterred from malicious activity. You cannot deter adversaries in a domain in which you do not act or defend sufficiently, or in which you do not punish transgressors with unacceptable costs. Cyberspace has been militarized by our adversaries precisely because of US passivity.

The United States considers itself a _status quo_ power globally. This is also a problem. Competitors have maneuvered the United States to appear as a stale, defensive power and often a cyber menace, claiming it violates other states' sovereignty and the privacy of Americans via cyberspace. By definition, _status quo_ powers decline (and are expected to decline). Being defensive in cyberspace means constantly apologizing or self-limiting. Russia and China have largely succeeded in integrating into the minds of many that the United States is often malicious, 'colonialist,' or not particularly better than its alleged competitors (i.e., them). Many Americans today no doubt believe the United States is no better than Russia or China in cyberspace.

China is also now 'out-cycling' the United States, thanks primarily to its cyberspace operations. The Chinese may soon perform acquisition faster than the United States can develop and field new defense technology. This means China may soon be able to steal (or at least learn of) US technological plans and developments (via cyberspace) and develop counter measures to US defenses faster than the US can conceive of and field 'Third Offset' technology – technology that aims to generate and sustain strategic advantage by acquiring technologically more-advanced weapons to defeat adversary advancements. This may be especially true in cyberspace where acquisition favors the fast — not necessarily the most advanced — technology.

It will soon be impossible for the United States to compete with China via numbers. China will soon outnumber US forces in every sector, including cyberspace forces. The United States, therefore, will have to discern an asymmetrical cyberspace strategy toward China and perhaps Russia and Iran too, as these states place the highest priority on advancing and funding their cyberspace forces. Worse, all these states share a common political enemy and cyberspace nemesis: the United States and its influence and leadership worldwide.

Russia conducts information operations via cyberspace to change the political _status quo_ in Europe, the United States, and the Middle East. Because cyberspace activity results in little or no casualties, traditional notions of warfare are becoming antiquated and obsolete. What does US air or sea dominance, for instance, give us relative to the political future of Crimea or Ukraine? Or whether Taiwan is absorbed by China through incremental intimidation or the changing of global attitudes toward Beijing it manipulates? Or whether the United States rips itself apart via its own media, competing political narratives, China-compliant-movies that imply the US Government is the global problem, or academia that is corrupted by an obsession with victimization, tribalism, and foreign influence it refuses to admit? Russia and China believe the United States is currently politically ill (but revel in our malady).

Russia's SORM ('System for Operative Investigative Activities') is Russia's social media/information control mechanism for the interception of telecommunications and telephone networks operating in Russia. It allows the Putin Government to monitor all dissent or threats to the regime. It is Russia's Great Firewall, only less obvious and heavy-handed than China's, but more subtly threatening. Russia bought out (against his will) Russia's equivalent of Mark Zuckerberg and Facebook (VKontakte) in order to absorb social media into its state monitoring and control mechanism. (Yet Russia paints the United States as a cyber menace.)

Russia sees no guardrails in cyberspace. It uses Ukraine as a cyber test bed to conduct offensive operations against the Ukrainians in order to try to discredit the government to intimidate or shame the Ukrainian people back under Russian hegemony. But Russian offensive cyberspace operations sometimes spill out of Ukraine to infrastructure in other states. Notpetya – a variant of the Petya code – was reconfigured from ransomware to destroy Ukrainian civilian systems it infected. It spread from Ukraine – its principle target — to dozens of other countries.

Malicious cyberspace operations have moved from writing and inserting malicious code, Trojan horses, worms, and viruses to stealing credentials (the username and password) of users and maneuvering inside networks with authentic authorizations. This makes forensics harder to discern, since there is often less malicious, foreign code to analyze, which normally helps discern attribution to a state. (Malicious code has a syntax that can often easily be attributed to states, if not specific individuals.) And if this stealing of credentials becomes automated or conducted by AI (AI speech has already passed the Turing test), there may be far less faith in our systems and cyber defenses in the future, not more.

The introduction of artificial intelligence may permit an automated and masked approach to offensive cyberspace activity by states – most especially by the legally unconstrained authoritarian states (which will especially serve to obscure their operations). If AI can discern vulnerabilities autonomously and attack through them, AI will usher in a new area of constant adversary attack, not just an era of persistent competition. It is not a coincidence that the states that are heavily investing in AI are Russia and China. AI may usher in an era of near constant malicious cyberspace activity of un-attributable origin and change our expectations of privacy and political freedom in cyberspace.

The near future of cyberspace is Balkanization (aka 'splinterization') – the fracturing and dividing of internet networks into separate, independent networks, usually defended by a firewall, inspired ostensibly by state concerns over technology or intelligence loss, commerce, politics, or sovereignty. This Balkanization is being driven by the authoritarian states of the world (Russia, China, Iran, North Korea) who wish to control information inside their borders and enable and harbor criminal cyber activity focused against the United States, as well steal Western industrial technology, which they will want to protect, once stolen. Balkanization is the next stage of the cyber world because the original vision for cyberspace – that it would emerge as a global commons and a global good for the sharing of information and political discourse – was unambiguously crushed by these authoritarian states and the criminals they harbor. Cyber Balkanization is a zero-sum authoritarian approach to information control and theft of Western proprietary information and wealth. There may be some good, legitimate reasons for data to be localized (so that good states can prosecute citizens with data they can find on servers inside their states), but Balkanization will serve authoritarian states and criminal elements especially well.

By Balkanizing the internet, these authoritarian states are encouraging Western states to retreat in cyberspace into a more bunkered mentality. The US vision for a global cyber commons has been utterly subverted into the opposite — the internet is now a terrific tool for autocracy: steal, damage, retreat, and shelter. There is a crude convergence of opinion now that cyber Balkanization is happening worldwide whether we like it or not, driven by disparate state interests in either data control ('data sovereignty') or information control (China's definition of 'internet sovereignty'). Even New York City has, now, its own Cyber Command — a form of Balkanization.

Balkanization promises states both 'security' and 'information control' because cyberspace has been so abused by malign actors; 'splinterization' is now the new, inevitable internet end state following the naive attempt to create a global cyber commons. There are competing (Balkanization) models now for the world: the EU model (data centers to house data in-country) or the PRC model (total information control). But no one is discussing the 'US model' because there is no US model or vision for cyberspace now for the future. The EU model will likely become the model for regulators while the China model will become the model for autocracies to effect information control and regime sovereignty. Most states will adopt at least the EU model; many will like and import the China model too.

At first, Western leaders thought the web would be the death tool for authoritarian and totalitarian states. President Clinton once famously said that China controlling the internet would be like trying to 'nail Jell-O to the wall.' (Mr. President: see wall.) In fact, the internet – the tool thought to advance free speech and liberalism – is instead today the perfect tool to effect control for many states. Many social scientists and academics predicted the demise of the totalitarian state of China 20 years ago, arguing that _per capita_ wealth would create demand for freedom and the internet would provide the democratization wedge that would pry open the State. Instead, wealth has increased pride inside China and placated discontent (as well as in Russia). States manipulated the internet to advance nationalism, suppress dissent, steal Western wealth, smear the West, and monitor outside news and political opposition.

The internet has lost the veneer that it is the instrument of liberty. It may expand communications but it is also a tool for espionage and industrial theft, a force multiplier for autocracies, a military domain, and a political control instrument, sensor, and weapon. Worse, smaller states see how the malicious states have been able to steal wealth and proprietary information with impunity and are, sadly, beginning to emulate them. And as the number of internet users increases, so does the attack surface. In short, the trends are not getting better.

Cyberspace's very nature guarantees that the future will involve persistent – if not continuous – confrontation with authoritarian states and never-ending challenges to defend Western wealth and security as long as these authoritarian autocracies and totalitarian states exist. The United States voluntarily eschewed using offensive cyberspace operations to wedge open these dangerous autocracies, yet these very states have no compunction in using cyberspace to undermine the United States and Western democracies.

Cyberspace's very nature thus demands that the United States engage in continuous cyberspace maneuver and competition – actively confronting forward (i.e., inside adversary networks) in real time to defeat adversary operations, while remaining cyber resilient and well-defended at home. This will require greater partnership with industry, internet service providers, and private security firms, as well as a more sophisticated (i.e., realistic) understanding by the American public of the challenges cyberspace poses to our way of life. All this coordination and activity has to move quickly to meet what Secretary of Defense James Mattis calls the "speed of relevance." Cyberspace's future may promise many things, but persistent adversity is likely one of them.

# WHY 'CYBER NORMS' ARE DUMB[33]

During the Cold War era, there was an adage that arms controllers hated but proved prophetic, _"When relations are bad, you don't want arms control; when relations are good, you don't need arms control."_

Cyberspace today is a mess: what some US policymakers thought would happen – that the internet would prove an unstoppable information wedge that would pry open totalitarian and authoritarian states – proved largely the opposite. Cyberspace tools have allowed such states to control information, steal Western proprietary information and wealth, enable cybercrime, and place weapons on our critical infrastructure to serve as disabling capabilities and deterrents against us in times of crisis or war.

The Obama State Department thought the internet should be treated as a Global Commons – like a public library for the world, where states would take a hands-off approach for the greater good. This was naive in the extreme. It was the equivalent of thinking that states would leave 'airspace' an un-militarized global commons, once the advent of aeronautics allowed intercontinental air travel within hours.

Cyber norms are especially naïve. The Obama White House proposed: _"A state should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public."_ (White House 29 October 2014.)[34]

According to the former Director of National Intelligence, James Clapper, adversaries are putting cyberspace weapons and capabilities on our networks and threatening our critical infrastructure and key resources. A 2017 Pentagon Defense Science Board noted the same emerging world.

Norms are created through customary international law — specifically the practices mutually conducted and accepted by states. But if the Russians and other malign cyber actors are emplacing weapons on our critical infrastructure and we can't discern or disable all of them, unlike the norms practiced at sea or in the air — which are transparent, cyber norms will have the effect of limiting the United States but not malign actors. Unlike the air and sea domains, cyberspace is marked by stealth and ambiguity.

Who would believe that Putin would abide by a norm (really it's an arms control 'pledge' – not a norm, since it is not mutually practiced today) *not* to do something that he can do covertly and largely get away with? And who thinks such a pledge would not limit the legalistic United States in return? Such a norm would have the effect of greenlighting adversaries and limiting the United States.

Further, the 'norm' is really bad arms control: in many cases, the United States would not demarche states that violate the norm (since you don't want to burn the cyber forensic method used to discern the weapon) or be capable of discerning all violations. And no forensic or confidence building method is going to be perfect, let alone shared, which means the United States will likely suffer ongoing Russian and other malign efforts to emplace weapons on our infrastructure and yet be constrained from doing the same back by the very arms control method we advocated.

There is history to back this fear: when the United States identified Russia in the past for its bots targeting US critical infrastructure, Russia yawned.[35] Why, then, if the norm is formalized, would things be any different?

But let's say the norm is successfully advocated and the United States were to demarche Russia or other malign actors if/or when we discern some Russian malware on our infrastructure. And what if such states took a ' _who me?_ ' attitude back, denying the act? There aren't red hammers and sickles attached to these weapons platforms (its code). And even if the US State Department were convinced that Russia was behind such violations, what would it be prepared to do in response? Break the very norm it advocated?

And what about cyberspace espionage – a practice conducted today by the United States. Will the State Department complain about US capabilities devised for espionage that *could* be used for cyberspace attack and therefore veto them for the US Intelligence Community? The difference between an espionage and an attack capability is pretty much one of intent and perspective. The norm very likely will have the perverse effect of neutering US offensive cyberspace capabilities _as well as cyber espionage_ , which serves as a stabilizing function by discerning adversary capability, indications and warning, and in some cases intent.

Should Russia find US espionage cyber tools on its it's networks and demarche the United States after signing up to the US cyber norms accord, would State dismiss the demarche and claim such tools are not the same as attack tools and are therefore permitted?

Fat chance. State will demand US 'compliance' with our norms.

If the intent of the norm – advocated principally by the US Department of State — is to advance the obvious, " _States should not destroy things in peacetime_ ," then it is a typical State Department nonsense statement. Of course, states should not damage things in peacetime. That is already a norm: it's called peacetime. Damaging critical infrastructure in peacetime is already illegal! No state has a 'right' to damage anything in peacetime – nor do they have any interest to do so. What is the political effect of advancing a 'norm' that is already illegal (and already followed)? But when warfare erupts, these norms default to the law of armed conflict, and the norm goes out the window. At least we ought to assume the norm will not necessarily be followed in wartime.

The 'norm' that states should not damage critical infrastructure is a pledge – a promise, but in warfare no party would necessarily follow the pledge. And since cyberspace capabilities need to be emplaced on adversary systems in advance of a crisis, the pledge will serve adversary interests beautifully by limiting us but very likely not them.

If the United States falls further behind in a relationship with Russia or other malign cyberspace actors where they can threaten US critical infrastructure with cyberspace tools and we cannot, we advance instability by making the cyberspace world more predictable for adversaries and less understood and predictable for us – pretty much the textbook definition of strategic foolishness.

The history of arms control suggests that it is always a bad idea to advance meaningless agreements. The history of arms control also suggests that State often naively thinks it can change behavior by signing states up to regimes and legalisms.

The United States risks falling behind some adversaries in a new era of 'Mutually Assurance _Disruption_.' If we don't move to a relationship that is indeed mutually threatening (and thus mutually restraining), we may very well create the very instability we want to avoid. It would be akin to thinking that in order to deter nuclear war with the former Soviet Union, the United States should pledge to never build nuclear weapons.

We understand well today how Russia's strategy against the United States is to complicate our foreign policy with disinformation, ambiguity, self-doubt, and internal strife. Those who advance cyber norms are tools of the Russian playbook since they advance Russian cyberspace goals and limit the United States.

# 'CRASH THEIR COMMS:' CONTEST AND DEFEAT THE ISLAMIC STATE'S CUTTING-EDGE USE OF SOCIAL MEDIA[36]

The Islamic State would not exist today were it not for its nearly unfettered use of the internet and social media. Al Qa`ida would have likely died years ago had its appeal not survived on websites around the world and through social media. Without contesting extremist use of the internet, the West will fail to defeat the Islamic State, eliminate al Qa`ida and its affiliates and their collective narrative that the West is at war with Muslims, and end Islamist terrorism.

'Cyber terrorism' or simply 'terrorist use of the internet' is the use of the internet for terrorist activities, including acts of deliberate, large-scale disruption of computer networks, by means of tools, such as computer viruses or the deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons. Cyber terrorism also includes overt use of the internet by terrorist groups to recruit, train, inform, inspire, direct, finance and commit terrorist acts. Islamist extremists use the internet for information operations – a traditional element of warfare. As defined, the Islamic State and al Qa`ida conduct terrorism on the internet every day.

The internet is a strategic resource that enables Islamist extremists to fight the West. Lacking infrastructure and resources of a nation-state, Islamist extremists uses the web to redress strategic deficits to plan, operate, train, recruit, inspire and finance activities targeted against the West. At the moment, the web is more or less a sanctuary or safe haven for Islamist extremists. And extremists will likely continue to move to the web to maintain a global presence and reach.

Islamist extremists have a quite significant internet presence on the web. There are official Islamic State and al Qa`ida websites, 'wanna-be sites' (by groups that want to be recognized as aligned) and mirror sites (groups or individuals who merely re-post their favorite extremist content). It is through the internet that these groups are able to maintain a global following. Through the internet, these groups also maintain an organizational structure and a somewhat organized Command and Control structure.

Given the very heavy physical stress the West has placed on al Qa`ida in particular since 2001, some argue that al Qa`ida's leadership has devolved into *only* a media organization which now only occasionally practices terrorism. It is a 'terrorism pornography studio' today and not much else. Al Qa`ida leaders today are more or less now information pimps, and no longer strategic planners, plotters, facilitators, logisticians, operators or execution managers.

Al Qa`ida was denied physical safe havens free from Western harassment and so established virtual safe havens instead. The Islamic State also established an internet sanctuary but added much more savvy operational security (OPSEC) to its communications, especially through social media. And it rejected al Qa`ida's squeamishness toward the murder of Muslims and made such murder the centerpiece of its online message. Murder is now a form of performance art for the Islamic State to advance the State's brand and alleged success.

Given that al Qa`ida and the Islamic State use cyberspace to attack us, it follows that cyberspace should enjoy no special sanctuary for our enemy. Adversaries should not enjoy a sense of refuge by placing communications or websites outside the area of kinetic hostilities. At present, al Qa`ida and the Islamic State enjoy the most uncontested presence in cyberspace than in any other domain.

The internet provides today a 'GPS' for 'Drive-thru' (online) radicalization, where anyone from anywhere can read the radical ideology of al Qa`ida and now the Islamic State and get their fill of such speech, advocacy, ideological inspiration, pseudo-intellectual ideological defense and bomb making instructions and then travel abroad in search of specific training or personal connections. And once in theater, clever use of social media allows the Islamic State to use temporary email account, twitter accounts, and hashtag re-postings to communicate crude operational commands.

The internet has become a means to bring the ideological seeker and mentor together – virtually and allows the Islamic State to operationalize its forces via an infrastructure the West developed, paid for and installed. It provides that sense of identity and belonging in a community, which is required for the disaffected and psychologically vulnerable to move to the stage of violence. In other words, the internet is the new jihadist mentor – a 'virtual spiritual sanctioner.'[37] It provides that support group and a false sense of religious justification that marks and characterizes all jihadist cells.[38] As a result of the internet, the time frame between the beginning of radicalization and the onset of terrorist activity has also decreased substantially.[39] Radicalization via online mentoring can move faster than mentoring in person.

The Islamic State is Online and is OPSEC Savvy

The Islamic State uses the internet, dedicated websites and social media, such as YouTube, Twitter and Facebook, to propagate its ideology, history, recruitment and claims of success. (There are almost 3 million Facebook members in Iraq, over 1 million in Syria; 10,000 Twitter users in Iraq, 8 thousand in Syria. The Islamic State has over 50,000 Twitter followers.[40]) It uses such media to coordinate operations and advance attack planning. Through social media in particular, it proclaims to the world that it is the successor to Osama bin Laden's legacy and is fulfilling the original group's goal of establishing a caliphate.[41] On December 2, 2014, the US Department of State claimed that 16,000 foreign fighters had travelled to Syria/Iraq from more than ninety different countries since January 2012. These individuals are inspired by a sense of adventure, heroism and sense of purpose/importance. They were reached via the internet.

According to the cyber security company Zerofox, the Islamic State has built a sophisticated online propaganda strategy using many social media networks, including but not limited to Facebook, Twitter, YouTube and WhatsApp. The group employs experts in the areas of marketing, PR and visual content production to ensure the legitimate appearance of its messages.[42] [43] Indeed, without the internet, no part of its success would have occurred, its success in recruiting fighters worldwide would not have occurred, and it would have been at best a regional, illegitimate and dysfunctional terrorist group, appropriately branded as such.

The Islamic State understands and practices online operational security to attempt to stay anonymous. It advises readers (online) how to enhance its online anonymity. Use of temporary accounts, the periodic changing of accounts, and use of TOR to mask IPs make the State's communications largely dark, hard to track or target, and resilient. Is also produces high quality video, which chronicles the group's alleged historical success and records its violence, including executions, beheadings and attacks, to intimidate opponents and the regimes it attempts to topple. It blends recent history, such as the supposed success against American occupation forces in Iraq post-Hussein, with historical illusions to the great apocalyptic Sunni struggle against opponents of Islam to imply to would-be recruits that now is the time to join the great, successful Islamic State struggle.

The Islamic State practices careful operational security. The State's self-proclaimed leader, Abu Bakr al Baghdadi, and his followers have proven exceptionally difficult to track because they are allegedly encrypting their communications and taking steps to avoid being detected by Western surveillance. The Islamic State is also likely using FireChat — a commercially available service that permanently deletes messages sent via the Internet, making them nearly impossible to intercept.[44] The State likely follows Western media carefully, including the history of Western counter terrorism operations against al Qa`ida.

Most Islamic State supporters today were teenagers when 9/11 occurred and are children of the internet and social media. Their radicalization is modern — a post-bin Laden phenomenon. Their motivation for joining the Islamic State has more to do with the dynamics of a social network that provides direction, identity, purpose, belonging, empowerment and excitement, than it does with religious understanding. The Islamic State offers recruits the opportunity to join something new.[45] Most foreign fighters in Iraq and Syria today have been radicalized through the internet and social media. The internet and social media strategy the Islamic State employs is directed purposefully at the youth worldwide.

Jihadi Cool

These videos take the traditional Western counter narratives that Islamist extremists kill Muslims and are wanton, heretical murderers and stand them on their heads, making such images of murder the centerpiece of its new message. Its production quality is so good, it has spawned a new term, 'jihadi cool.' Whereas al Qa`ida produced rather flat websites that merely posted radical content ('cyber jihad 1.0'), the Islamic State produces videos and online magazines that are on par in quality, editing and message delivery with current, Western media.[46] It practices 'cyber jihad 2.0' through its production quality and cutting-edge use of social media and keeps pace with advances in Western media production. Its video production in particular is constantly uploaded, taken down but then uploaded again to numerous video sites such that ultimately it reaches its intended audience. Its success not only advances the State's propaganda but likely disheartens opposition forces.[47]

Islamic State videos proclaim righteous victory over the Shia and other so-called non-believers. Acts of brutality are showcased on video, propagated worldwide, to imply the righteousness of its cause and the success it supposedly enjoys. A new phenomenon has somehow emerged through these high-quality videos and magazines: brutality that engenders pride and a sense of inclusion, rather than revulsion. The West ignores this psychological phenomenon at its peril.

By maintaining multiple official and non-official accounts, the Islamic State promotes its message, solicits funds, recruits followers and maintains a crude organizational structure. Although such use is contrary to Twitter policy, the geometric propagation of messages via use of hashtags with links (much like a reserve Ponzi scheme) to advance perishable messages and images has allowed the Islamic State to maintain a resilient, secure, disposable communications structure to connect with supporters even if accounts are subsequently shut down by Western or local internet service providers. Through decentralization, it has largely secured its communications from traditional warfare techniques of jamming or interception. In a sense, it has crowd-sourced its communications.[48] Videos of its message are created and uploaded onto Western media sites and its links are proliferated by Twitter feeds.[49]

Command and Control Via App

All of the Islamic State's productions fall under the main umbrella of 'Al-Furqan Media;' another media organization associated with IS, 'Fursan Al-Balagh Media,' works on video transcriptions, giving viewers the chance to both read and watch all productions.[50] And whether by accident or design, the Islamic State has created a new form of operational Command and Control: _'C2 via app.'_ Thousands of Twitter followers downloaded a Twitter app – the Dawn of Glad Tidings – through which users give permission to receive Islamic State messages, images of military success, and video feeds, affording the State a sense of cutting-edge technical (Hollywood-quality) sophistication, military capability, communications and competence.[51] [52] The application, flagged by Twitter as "potentially harmful," requests user data and personal information.[53] After downloading it, the app sends news and updates on ISIS fighting in Syria and Iraq. According to its own supporters, the Islamic State is comprised of individuals who are expert at Adobe and video production. Each Islamic State region has its own dedicated social media accounts[54] and supporters worldwide provide a redundancy to guarantee its message gets to Western media.

Twitter-storm

In addition to official Islamic State social media accounts, there are hundreds of Islamic State sympathizers with private accounts who are followed by thousands of Internet followers.[55] And once produced, these Islamic State media products are tweeted and then its hashtags re-tweeted by supporters, enablers and voyeurs, using the power of social media to project an image beyond its true capability, creating what is now-known as a 'Twitter storm' (a.k.a. 'Twitter bombs').[56] Imagery, slogans, success stories are all crowd-sourced, allowing quality production to rise to the top through the power of social media. It is equivalent to allowing individual experts in Hollywood, Silicon Valley, Manhattan and worldwide all to advance a positive image of America independently of any government oversight or direction.

Examples of these terrorist tactics illustrate the cleverness of the State's media operations, which have propelled the Islamic State far beyond the other al Qa`ida afffiliate groups in the effectiveness of their information operations:

• One Islamic State supporter tweet wrote during the 2014 World Cup, 'This is our ball,' along with a photo of a de-capitated head and the #WorldCup hashtag, which ensured that it would pop up on news feeds on the World Cup.[57]

• On July 4, 2014, Abu Bakr al Baghdadi appeared unexpectedly via social media. His sermon to his followers was pre-posted via Twitter before his video was uploaded onto YouTube to guarantee its dissemination.[58]

• A video series named 'Mujatweets' shows the life of Muslims in the Islamic State and testimonials from Western militants reporting their alleged commitment to the new Islamic State.[59]

• The Islamic State Newspaper, _The ISN_ (the Islamic State News), a new, online State publication in English, provides news, information and inspirational stories to readers worldwide (including, of course, the Western media).

• Launched in May 2014, a new Islamic State media branch, Al-Hayat Media, distributes materials in several languages, including video with subtitles, as well as articles, news reports, and translated jihadi materials. Its main Twitter account is in German, but it also publishes materials in English and French, as well as Turkish, Dutch, French, German, Indonesian and Russian. Al-Hayat Media's videos and materials are also distributed via Archive.org and other free web hosting services and are regularly listed on _justepaste.it_ , a web service for sharing free user-created contents,[60] as well as lesser known social media such as Quitter and diaspora.

• On July 8, 2014, _The ISR_ (Islamic State Report), also known as "An Insight Into the Islamic State," which contains articles on Islamic State events, first began to release its showcase online magazine, _Dabiq_ , consisting of detailed, well-written stories in fluent English. It resembles the well-known but cruder English-language magazine, _Inspire_ , published by al Qa`ida in the Arabian Peninsula, famous for providing bombing-making instructions (in slightly broken English) to inspire local terrorism worldwide.[61] According to the publication, _Dabiq_ is named after the area Halab (Aleppo) in Sham (Syria), mentioned in the _hadith_ as the place for _Malahim_ ('Armageddon') – an illusion to the site of a major 16th century battle that saw the Ottomans defeat its enemies and establish the first caliphate.[62]

In short, the Islamic State's information operations are slick, redundant, clever, secure, de-centralized and resilient, designed to withstand private sector account cancellations for violation of a user's Terms of Use. It has propelled the State to the forefront of information operations success.

A Modern Technology That Serves the Retrograde Islamic State Well

Through its media services, websites and individuals social media accounts, the Islamic State, al Qa`ida and al Qa`ida affiliates upload pleas for readers to conduct local and worldwide terrorism, manuals on how to create improvised explosive devices, invitations to join the fight in the Middle East and claims of success and ideological purity. Someday, it may disseminate cyber weapons via the web, should they acquire or devise such weapons. These groups use their media services, websites and social media accounts to intimidate opponents, fundraise, coordinate flash-mob-like attacks against targets in northern Iraq and Syria, and plea for wanton attacks by sympathizers against civilians anywhere in the West.

At the moment, Islamist extremists use the web for:

• Inspiration

• Recruitment

• Planning

• Information Sharing

• Organization

• Web Posting

So far, the West more or less tolerates this us of the internet by extremists, though maybe not entirely and Western patience is wearing thin. At the moment, the West largely allows this form of warfare by these enemy groups.

The second level of Islamist extremists' use of the web would be:

• Computer Network Exploitation (CNE), now known as Cyberspace Intelligence, Surveillance and Reconnaissance (CISR) and Cyberspace Operational Preparation of the Environment (COPE)

• Probes

• Persistent Distributed Denial of Service (DDOS)

• Persistent Web Defacement

These acts would likely not be acceptable to the West and would likely be met with some sort of cyberspace response. But at the moment, Islamist extremists do not yet conduct this level of cyberspace attack or exploitation.

The third level of cyberspace operations would be:

• Weapons Directed at Supervisory Control and Data Acquisition (SCADA) systems to destroy, disrupt such systems to cause physical casualties

• DDOS attacks that lead to destruction, risk of death, or death

• BOTS/Implants inside Western cyberspace infrastructure

These acts too would be considered highly threatening and intolerable to the West and likely would be met with a significant cyberspace response, both defensive and offensive perhaps, by the West. Currently, extremist groups have demonstrated the intent but not so much the capability to launch crippling cyber-attacks against critical infrastructure targets. But that may soon change.

Success at Cyber Jihad 2.0 Suggests Things Are Only Going to Get Worse

In a sense, at the moment, the web presence of Islamist extremists is a sort of 'gateway drug' into the cyber world. If the West does not address it now, it may have to accept more and more extremist cyber activity, with greater cyberspace consequences. Terrorist use of cyberspace also works to internationalize the Islamist fight, given that the web is worldwide. In a sense, the 'cyber jihad' world is flat, connecting individuals worldwide who might not have been so connected and getting us used to extremists on the web as something we have to live with.

Social networking technologies are very conducive to cyber jihad and to operational security generally, given their distributed nature. If Islamist extremists turn their attention to disruption and destruction through the web, they are likely to conduct DDOS attacks and threaten the controls for electric power grids, oil pipelines and precious water systems. Should their current social media accounts be used to disseminate cyber weapons, Islamists would find themselves well-positioned to disseminate such weapons successfully.

Soon, should the Islamic State survive, consolidate its gains and govern successfully, it could turn to more sophisticated cyber tools and move from its '2.0' web presence to defacement of Western websites and programs that wipe, stop or destroy code. But unlike with weapons of mass destruction, the delivery methods of such cyber programs are much easier and have little to no lead-time (no lengthy research and development phase). In short, the West would not likely see it coming.

Threat is a function of expertise and access. Luckily, Islamic State cyber expertise (overall) is low, as is its access. But unlike with the development of WMD, both expertise with and access to cyber capabilities can change almost overnight, should a capable state or individual assist the Islamic State, knowingly or not. With WMD, the West had a research and development phase during which the West could discern, evaluate and plan accordingly against emerging nuclear adversaries. With cyber, space, time, and geography are no longer defenses for the West.

Technical Ability v Access  
(Relative Comparison)

Although states have superior technical ability and greater access, it does not take much for a small entity or terrorist group to gain either ability or access, especially should it be given such technology by an expert. Islamic State interest in cyber weapons can change suddenly.

There are some reasons to suspect this is coming. A 2013 edition of the online jihadist magazine, _Inspire_ , produced by al Qa`ida in the Arabian Peninsula (AQAP), called for jihadists to burn parked cars, make oil slicks to cause individual car accidents and puncture tired with nails hammered into blocks of wood. It used to be al Qa`ida wanted a spectacular follow-on attack to 9/11 and attempted to take on the West as a whole. It did not just want any attack; it wanted a good one. Today, al Qa`ida affiliates seem to be calling for any attack, even individuals picking up an AK-47 or using their private vehicles to run over people. The Islamic State's online magazine, _Dabiq_ , likewise, has called for Westerners to attack law enforcement and government officials and rise up individually. It too seems to have abandoned the long-sought-after al Qa`ida 'spectacular' follow-on attack to 9/11. It will take any attack against the West by a group or individual. Therefore, its attitude toward cyber weapons may change too.

Should al Qa`ida or the Islamic State and an expert member of the worldwide cyber hacker group link up or should just the right expert join the Islamic State and provide cyber weapons for money or sympathy, then al Qa`ida or the Islamic State could move overnight from a cyber nuisance to a serious cyber power.

It is also not inconceivable that rivals to the United States, Israel or the West (such as Iran) might provide such cyber weapons to al Qa`ida or even its enemy the Islamic State as a means to fight the United States asymmetrically or to divert US attention from its nuclear weapons program or support to Shia terrorists worldwide, or to create simply a deeply distracting economic nuisance and drain for the United States. It is also possible that criminal hacker groups – or even just one criminal hacker – could provide al Qa`ida or the Islamic State a cyber weapon unwittingly or for money that could cause significant infrastructure nuisance or damage.

Further, the forensic attribution problem for the West, should in fact a cyber weapon be used against it, would be horrendous. The cyber weapon might look like a Russian or Chinese or Iranian-made (cyber) capability (because originally it might have come from code written in these states). But just because such code was originally written in a certain state does not mean the weapon was delivered by that state, given how easy it would be for such weapons to be transferred out of such states to third parties or individuals who may be acting on their own. Regardless of whether al Qa`ida or the Islamic State took credit for it, the United States might be confused as to who created such a cyber weapon, who sent it and why, and how to defend against it.

Unlike nuclear weapons programs, neither al Qa`ida nor the Islamic State need to develop anything indigenously for a cyber-capability. And they do not need necessarily to train anyone in computer science. Either group just needs access to a weapon and an explanation of how to use it, or to hire someone to do it for them.

So far, the Islamic State has not been too interested in cyber weapons probably for three reasons: cyber weapons are not spectacular enough in their destruction (messing with websites and infrastructure is not as powerful an image as a beheading video); the Islamic State probably does not quite have the technical ability to create such weapons (at least not yet); 'cyber jihad 2.0' is serving it quite well – the State is currently flush with success and satisfaction with the current state of affairs, having created a caliphate and branding the West as the aggressors.

What to Do

The strategic goal of the US Government is to defeat al Qa`ida and the Islamic State. To do so, the United States must shut down its insidious and false message and contest its presence on the internet. The focus of counter Islamist efforts, therefore, must include a priority focus on shutting down its militant websites and social media, which today enjoy a form of sanctuary worldwide.

Well-meaning professionals argue that these websites and social media better serve as sites to monitor to identify individuals visiting the sites or to aid in writing assessments about these jihadist groups. But the argument that the intelligence 'loss' outweighs the 'gain' of contesting these site is unsupported by any metric or study and confuses the end-state goal: denying the enemy use of the internet to recruit, support operations, pass weapons information and formulae and promote extremist ideology that encourages terrorism. The goal, we need to remind ourselves, is to end the threat from these extremists – not write reports about them.

Shutting down this media is technically feasible for internet service providers, host nations, allies and all those who oppose al Qa`ida's and the Islamic State's message of violence on the internet. There exists an assumption among much of the media, punditry, intelligence and defense communities that contesting al Qa`ida and the Islamic State online is somehow technically challenging. Although web administrators can pop up new sites quickly, the DoD, as well as other US Government, allied and host nation elements can just as quickly contest them. And should the competition between al Qa`ida or the Islamic State and the West devolve into 'whack-a-mole,' such a result would be overwhelming to the West's advantage, given how viewership would drop precipitously if forum members had to try to re-acquire al Qa`ida or Islamic State sites day after day. Viewers and members would quickly give up.

Further, it is a myth that extremist websites come back quickly, if contested. In fact, in the past, when some websites were contested by ISPs or host countries, many never came back at all. And those that do come back often return in a diminished manner, with far fewer members and more limited exposure. And since most militant sites merely post content from the top extremist sites, should the top sites go down, the smaller sites will be starved of content (and non-militant content may enjoy more readership).

Al Qa`ida and the Islamic State are increasingly dependent on a coherent and clear message conveyed through the internet. If they are perceived as contradictory, weak or inept at delivering that message (or can't deliver it), its appeal will falter.

There are several other secondary, but important, advantages to contesting the extremist message on the internet.

• Interfering with extremist websites and social media stimulates communications and chatter ('hey, what's going on?').

• Curtailing the aggregate number of such websites allows more moderate, credible, Muslim voices to be heard among the discussion groups and above the din of the militant ones.

• Contesting such websites forces the adversary to expend valuable time, resources, infrastructure and technical expertise to engage in such a competition.

• Challenging the al Qa`ida/Islamic State internet presence is not technically difficult for host nations, allies and the United State (we simply choose not to do so for political reasons or because of the myth that such actions would be futile).

The principal means of recruitment for the Islamic State today is the internet. Recent attempts of violence by al Qa`ida affiliates to attack Americans or Europeans all involved recruitment of individuals already abroad and through the internet.

Confronting websites that advocate violence does not undermine our nation's call for internet freedom. We can distinguish between speech that advocates violence from speech that calls for freedom. And confronting ISPs that host content that violates their own terms of use does not undermine any right or law. Disrupting al Qa`ida speech that advocates violence does not chill political speech and is not hypocritical of American values, policies of freedoms.

Al Qa`ida and the Islamic State are much greater threats as socio-political movements than as static organizations, as they recruit an amalgamation of disaffected, marginalized and otherwise exploitable Muslims. Allowing moderate, non-violent Muslims authorities to compete with their message on the internet will provide a message that better represents the silent, non-violent, Muslim majority. The US Government has long recognized that it must promote these credible voices within the Muslim community. To date, such voices have been drowned out by the overwhelmingly larger number of militant voices, even though they represent a fraction of Muslims worldwide.

The Fifth Domain of Warfare Is Here, Whether We Like it or Not

To paraphrase Leon Trotsky: 'You may not be interested in cyber jihad, but cyber jihad is interested in you!'

We may tell ourselves that the Islamic State's success on the internet is merely the concern of Western intelligence agencies or Internet Service Providers, but because it exists on private infrastructure with worldwide access, it involves everyone, whether we like it or not. Everyone should care that the internet and our social media – devised, invented and refined by mostly Western ingenuity and finance — is being used by the Islamic State and al Qa`ida affiliates to murder, oppress, coordinate and promote its message; worse, their cyber presence and sophistication is likely to evolve successfully.

The cyber world is now the fifth domain of warfare, as proclaimed by the DoD. But what is unique about this domain is the fact that Islamist extremist activity on the web (it is indeed 'warfare') takes place in this new domain every day. Certainly 'information operations (IO)' – an element of warfare — occurs every day, all day, by Islamist extremists, al Qa`ida affiliates and the Islamic State on our infrastructure, which we paid for. And cyber-attacks can amount (in their significance) to armed attacks, subject to international humanitarian law and the rules of war.

What is also unique about this domain is that the private sector more or less owns most of this infrastructure. Imagine if the major airlines, such as American, El Al, Lufthansa, all 'owned' airspace. And imagine if Islamist extremists flew through the privately-owned airspace every day. Might we expect industry to do something about it?

Likewise, if you exist on Facebook, YouTube, Instagram, or Twitter, you ought to have a much diminished expectation of privacy now on such sites. The Islamic State exists in the cyber domain and specifically in these social media sites. Unless we demand that these companies cleanse themselves of all extremist content, we all need to get used to the fact that Western counter terrorism cyber forces will fight in this domain and through this media as well.

No Western, counter-Islamic State national strategy that ignores the extremist use of the internet and social media will succeed. No military strategy or comprehensive 'whole of government' approach to addressing the Islamic State will succeed without addressing the Islamic State's use of the internet and social media. All warfare today includes this fifth domain, whether we like it or not, and whether we are comfortable fighting in it or not. The sooner we recognize its importance to our adversaries, the sooner we will begin to address the threat seriously. If we do not include extremist use of the internet in our planning and efforts, we will not defeat the Islamic State.

On September 18, 2012, at the US CYBER COMMAND Inter-Agency Legal Conference, Harold Koh, the Legal Advisor for the US Department of State, claimed publicly and for attribution that

• the principles of international law apply to cyberspace

• cyber activities can sometime constitute a use of force

• a State may respond to a computer network attack by exercising a right of national self-defense

• the law of armed conflict applies to regulate the use of cyber tools in hostilities

• states are legally responsible when cyber acts are undertaken through proxies

In other words, cyber warfare is warfare. The information operations of the Islamic State are equivalent to any propaganda produced by a declared enemy of the United States. Yet little is being done to address the Islamic State's information operations. The Islamic State fosters a positive image of itself and insulates itself from ideological attacks with dismissive but shallow references to Koranic verses. Its success on the ground afforded it a concurrent success of its ideology, though one has nothing to do with the other. Thus, the State's information operations will have to be defeated if the State is to be defeated physically and ideologically as well.

# TOP TEN STATEMENTS REGARDING JIHADIST USE OF THE INTERNET DESIGNED SPECIFICALLY TO UPSET MILLENNIALS!

10. The internet has helped terrorists more than it has successfully suppressed them!

• The Islamic State and AQ, at least in their current levels of individuals and power, would not exist without the internet.

• Can you imagine if, say the air, land, sea domain were helping the Islamic State more than those of us opposing it?

9. Good counterterrorism cyberspace operations must include the delivery via cyberspace of narratives that advance liberal democracy, given that Islamist terrorist groups come from closed, self-reinforcing totalitarian echo chambers.

• No counterterrorism, counter-cyberspace operations will succeed if jihadist ideology continues successfully unmolested and unchallenged on the internet. Somehow, we must offer a sense of Western identity and inclusion for these disaffected young Muslims via the internet inside their echo chambers to dissuade them from greater and greater radicalization, given how the internet has become the new mentor, enabler for, and defender of jihadism.

8. Only Nixon could go to China but only Republicans can challenge Arab and Asian autocracies that fuel extremism; only Democrats can challenge jihadist extremist rhetoric at home and promote notions of universal (natural law) rights; only Democrats can shut down illegal jihadist and extremist speech at home and abroad.

• But, sadly, the two parties don't run against their alleged identities to do these things.

7. Violent non state actors leverage our cyberspace (which we created and continue to subsidize) to advance their ideology, recruit, proselytize, share weapons information, publish online journals, and spread enticement to violence in their home states and in Western, liberal democratic, open states and we all know it but are helpless or impotent to stop it.

• We created, paid for, and continue to support with taxpayer money the very Command, Control and Communications backbone of these organizations.

6. The United States can target for death members of the Islamic State and al Qaida but Facebook can make money off their jihadist websites and Google can make money off of their YouTube advertisements. Google, AT&T, CISCO, YouTube, Twitter, Snapchat ... are terrorism enabling apps. Many Western IT companies are in denial as to how much they are enablers of modern terrorism.

• Since material support to terrorism is already a crime, why are these platforms not prosecuted? If a US paper company knowingly sold paper to AQ or the Islamic state, would we not prosecute it? Why do we have this attitude that we can't expect IT companies to deny their services to these terrorist groups?

• Counter terrorism is as much the responsibility of the private sector as it is to the US Government, given that so much of the cyber domain exists on private sector infrastructure.

• US social media companies post jihadist content and often even sell such content on their websites through their automated uploading of 'advertisements.' Americans are viewing or subsidizing to a small degree ISIS or al Qa`ida beheading videos, sniper videos, glorification of jihadist violence, the transfer of weapons technology, and exaltations to violence against Americans and innocents worldwide.

• In 2011, Google agreed to pay $500 million to avoid prosecution for helping overseas pharmacies illegally market prescription drugs into the United States. Can Americans sue Google for profiting from jihadist content?

5. The internet does not have to be everywhere.

• The internet did not exist in Germany in 1944; why did it have to exist in Syria in 2017?

• Encryption was not a natural law right in Japan in 1944, why does it have to be available to terrorists in 2020?

• Why do we have this attitude that a warfighting domain that is manmade and which the West created must be available to all states and non-state actors around the world?

4. Almost all Islamic State and AQ web content is either illegal speech or the information operations of a declared enemy and therefore ought to be technically wacked as soon as it appears anywhere in the world.

• Would we allow American citizens to hand out Nazi propaganda on Times Square in April 1944? Such material support for a declared enemy would have been an illegal act. One would have been arrested for handing out Nazi propaganda in Times Square in 1944.

• Why do we allow ISPs, networks, and nations to host the information operations of an entity that, in 1998, specifically declared war against us?

3. In America today, it is easier to accrue authorities to kill a high value individual than it is to disrupt his website or curtail his speech on the internet.

• Anwar al-Awlaki, killed in 2011, can still be viewed on countless video channels around the world today. Bin Laden remains a highly googled name worldwide.

2. Since biological and chemical weapons are banned, the US military or intelligence agencies ought to hack into websites around the world that display their formulae and change them (or suppress them). CRISPR Technology, certain additive manufacturing (3-D printing), nano biology all should be banned from the internet.

• Would we allow the technology to exist on the internet to allow 3-D printing of smallpox? Or to allow nuclear weapons technology to be developed?

• There is no public good to allow these formulae to exist on the internet uncontrolled.

• We ban child pornography; it is not true that a vibrant liberal democracy cannot ban certain images or information. Why do we have this attitude that there is nothing we can do about the march of technology? Should we not at least try to suppress this information from reaching the eyes of terrorist groups?

And the number 1 statement regarding jihadist use of the internet designed specifically to upset millennials is...

1. A Clausewitz-ian understanding of the term suggests that the 'Center of Gravity' in our fight against violent extremist organizations is not ideology but the delivery mechanism of extremist content and command and control; that is, the center of gravity for terrorism today is in fact the internet.

• No counter terrorism strategy or campaign will succeed as long as terrorist presence on the interest is not successfully addressed.

Warfare today is complicated and involves issues of speech, private sector rights, third party sovereignty and technology creep, but US Government better adopt 'net-speed' in addressing the warfare challenges posed by jihadist use of the interest, or it is going to continue to be one step behind these non-state actors. The US Government ought to write and adopt pre-determined authorities in advance of emerging technologies to allow Department of Defense or covert actions against jihadist use of the interest or it is going to risk greater degrees of terrorism.

Its science fiction today, but what if a few, fairly well-educated but misguided individuals posted on the internet how one could use CRIPR technology to alter monkeypox virus to make it virulent to humans? Or what if the DNA sequence to smallpox was posted on the internet along with a means to create it in a laboratory? Would it be wise and acceptable for the US Government to hold 3 months of interagency meetings debating what the USG should do about such internet posts?

Americans would be wrong to conclude that the lesson terrorists have taken is that the United States was simply slow to discern how the internet provided them a force multiplier and a means to pursue their goals. The lesson terrorists learned is that the United States is * _always slow_ * to react to asymmetric warfare, given that terrorist groups do whatever they want on the web in great contrast to liberal democracies, which are slowed by consensus building, political concerns and timetables, risk-adverse general officers and State Department diplomats, bureaucratic inertia, competing legal interpretations, private sector concerns, and competing personalities.

Allowing jihadist content on the web, on social media, YouTube, Facebook, Google Plus, Twitter, was one of the largest strategic blunders of the West in the last 50 years – maybe the single, biggest mistake in US counter terrorism strategy. I can even point to the time and date of the blunder: July 2010, when the West faced _Inspire Magazine_ on the web and became so utterly policy constipated as to what to do about it that it allowed the magazine to exist and propagate on the web. The British, according to the press, knew what to do: they switched AQ's URL for _Inspire Magazine 1_ to a cupcake recipe. The United States Government did nothing. The golden years for al Qa`ida and Islamic State media organizations were thus born.

Such content should never have been permitted. It is not speech – it is conspiracy to commit murder or the information operations of a declared enemy and is as illegal as illegal content can be. But worse, it clearly meets the private sector's threshold of impermissible speech and thus violates the private sector's much more conservative limits on content in their Terms of Use agreements. Yet such illegal content is very often not caught and, worse, sometimes uploaded for money.

Social media companies complain that they cannot stop a lot of jihadist content, given limits to their ability to monitor all content. But is that really an acceptable excuse? We have to subsidize jihadist websites, ads, and videos, which inspire violence and advance the recruitment of individuals the US military and law enforcement often kill because these companies cannot figure out how to keep illegal content off their websites? (Because they are too poor to address the problem internally?) Who believes social media cannot do a better job? If they are unwilling to do a much better job, is not regulation the logical next step? The country did not answer the question as to whether social media is a 'pipe' or a 'publisher.' We continue to pay a heavy price for not answering that question coherently.

Facebook's algorithms and monitoring systems miss a lot of jihadist content. But worse, Facebook often does not delete jihadist content forwarded to them by third parties and instead arbitrarily claims such content doesn't violate their terms of use – even though the content of an ISIS-inspired, ISIS-sympathetic, or ISIS member advances ISIS's cause.

Why isn't any speech of an ISIS member or sympathizer automatically deleted? The speech of a declared enemy is an element of informational operations – a weapon of the declared enemy. The United States has every constitutional right to deny such speech, just as it had the right to confiscate Nazi handbills in Times Square in 1994 even if such paper was handed out by American citizens. Al Qa`ida declared war on the United States in 1998; ISIS is a more violent branch element of al Qa`ida. No one should be confused to believe that its information is legal speech.

In 2019, it remains easier for the United States Government to kill members of ISIS and al Qaida than it is to get social media to purge their illegal and jihadist content from websites around the world. Something is still wrong.

Cyberspace is one of the few areas of national security where the public has a better, more intuitive and forward leaning attitude than the US Government. Jihadist use of the internet is decried by democrat and republican, progressive and conservative, autocrat and liberal democrat. No one argues today that we ought not act more aggressively against jihadism on the web. The biggest obstacle is government inertia and a strange, suspicious genuflection toward Silicon Valley billionaires.

The Islamic State and al Qaida's principal means of recruitment is the Internet, and its principal tactic is to inspire recruits already abroad via the internet. Recent attacks on Americans or Europeans all involved recruitment of individuals or communications via the internet, which likely is today the 'Center of Gravity' – its source of his strength — for these terrorist groups. If the US private sector cannot keep the information operations of a declared enemy off cyberspace, then the US Government has a responsibility to do so.

# THE MEDIA'S RESPONSIBILITY TO COMBAT TERRORISM VIA CYBERSPACE

The Islamic State of Iraq and the Levant (ISIL) reaches thousands of followers through its propaganda efforts to advance its recruitment, share weapons technology, inspire lone wolf terrorism, and provide a crude command and control mechanism. But after having posted its propaganda to a few thousand members, the Western media and social media amplify these minority, violent voices exponentially by reporting on them as news or allowing them to spread virally through social media, turning a small media effort into a narrative juggernaut, reaching hundreds of millions. This is the precise goal of these terrorists.

The Western media is a strategic asset for these _mufsidun_ (evil doers) to strike the United States and Europe. Lacking infrastructure and resources of a traditional nation-state, the Islamic State and al Qa`ida (AQ) recognize that they do not have the capability to act like a state. Instead, they use our very institutions and communications infrastructure to propel their narratives and images to reach vulnerable youth and create the violence they want. They don't need to build a communications network; they use ours.

These new terrorists are part of a post-9/11 – post-bin Laden generation. They grew up on Twitter feeds, Google, Instagram, and Facebook. They don't read Fatwas or 40-page treatises on the impermissibility to kill innocents by respected clerics of Islam; they read their Twitter hashtags, watch beheading and Anwar al-Awlaki videos, read the jihadist _Inspire_ and _Daqib_ webmagazines, and sympathize with those extremists online who claim Westerners and Shia are responsible for their isolation and backwardness. In many cases, they simply want to be part of 'jihadi cool' or 'gangsta jihad' or some sort of community or adventure. Through the media, those curious about ISIL and AQ have easy access to a small number of aberrational extremists but little true understanding of their religion. Violent Islamist messages dominate the online world.

Islamic State savagery is a form of performance art. It does not work unless it is shown. And showing it advances the enemy's information operations by implying its power, success, and decisiveness. Beheading videos, forced drownings, burnings, and shootings imply clarity of purpose and power and successfully inspire recruits. Online Islamic State and al Qaida magazines call for Muslims to kill anyone they can; show how to make explosives at home; and call for scientifically-capable jihadists to make WMD.

Such media is not free speech – it is the information operations of a declared enemy, as legally permissible for the United States Government to deny as denying Nazi propaganda in 1944. And if such content is not considered 'hate speech' by social media, then there is no such thing as hate speech. Previous Islamic State and al Qaida propaganda have called for the killing of specific Americans; a plea to mow down pedestrians with trucks fitted with swords affixed to the front grill; how to use an AK-47; and the infamous, 'How to build a bomb in the kitchen of your Mom,' tutorial.

It is imperative, therefore, that the Western media recognizes that it has both a responsibility to report and a responsibility not to advance the enemy's information operations. The _hirabah_ (sinful warfare) of Islamist terrorists is news but, beyond reporting on it, additional media attention becomes the terrorists' objective.

First, the social media and traditional media must recognize that they are being played. Overall coverage of terrorists events should be 'one and done:' once covered and then no more. Dwelling on the event, discussing hypotheticals, and manipulating fear is not responsible journalism.

Second, neither terrorist groups nor individuals within these groups ought to receive any individual recognition or sensationalism. Followers of the Islamic State and al Qaida maintain a heretical devotion to certain people and claim religious legitimacy; they glorify a cadre of ideologues – terrorism celebrities — most notably their own self-declared experts and successful attackers. Such praise is heresy. These religious charlatans follow _tawassuf_ , the practice of revering religious figures who act as intercessors with God. Such cults are anathema to Sunni Islam. Providing these figures name recognition, air time, in-depth studies, or any recognition whatsoever play into their heretical success at achieving legitimacy. In short, beyond identifying the individual as an Islamist terrorist, the media ought to provide no names; ISIL and AQ leaders ought to enjoy no special media attention. They are serial murderers.

Third, there may often be situations where the media ought to adopt a policy of 'strategic silence:' the choice not to provide attention to a development, event, or call for violence, lest such attention advance the operation or inspire copycat or 'wanna-be' attacks. The media, generally, does not report on suicides, since it recognizes that there is no public good to such news and that reporting on suicides can encourage more suicides. It may be difficult for the media to balance, but the media ought to report on _hirabah_ and then move on, since evil occurs every day but should enjoy no celebrity and certainly not serve the objective of the terrorist group by successfully inspiring violence.

If the traditional media is the Islamic State and al Qaida's dissemination mechanism, it is social media that is the groups' center of gravity – that which gives them power. Facebook, Twitter, Google, Whatsapp, Instagram, YouTube, LiveLeak give the Islamic State crude organization and wartime command and control.

Google, along with all other search engines and video hosting sites, could today, on its own, re-direct seekers of radical content to sites that preach moderation and nonviolence; that is, direct them not to the sites they seek, but to sites we want them to see. This capability exists today. Google could also easily manipulate its algorithm to raise moderate voices and lower extremist sites in its search results (known as 'search engine optimization' and 'Google burying').

At the moment, it is easier for the West to kill members of the Islamic State and al Qaida than it is to shut down their propaganda on the internet. Something is very wrong with this picture. The media has a role to play in this fight; it must recognize that it is no innocent third party. It is the enabling function of ISIL and AQ's operations. The Western media often begs the question about the appropriate way the United States Government ought to defeat Islamist terrorism. Its responsibility is just as real and not too hard to discern.

# HIGH TECH POSEURS

If a policeman shoots a man holding a gun to the head of a child, is it police 'offense?' Are the almost daily counter terrorism operations conducted by US Special Forces around the world acts of 'offense?'

Microsoft pledges not to cooperate with the US government with cyber 'offense' and challenges private industry to make a similar pledge. What does that mean?

Its sounds like Microsoft doesn't want to be involved in wrongful attacks on civilian infrastructure, or malicious criminal activity, like placing ransomware on hospitals networks. But who does? Who's asking them to? It's like pledging not to kick puppies and challenging others to make a similar pledge.

Notpetya – a variant of the Petya code, which took advantage of a Windows vulnerability – was reconfigured from ransomware to destroy systems it infected. It spread from Ukraine – its principle target — to dozens of other countries. If the US Government had discerned that a malicious actor (i.e., Russia) was about to launch this destructive code and it wanted Microsoft's help to preempt it, would Microsoft have declined? The WannaCry malware, also using a Windows vulnerability, affected 150 countries and 200,000 computers, including some in the UK health sector. Does Microsoft oppose neutering illegal ransomware?

The issue of offense v defense is hardly new. It's as old as military strategy. All the military domains – including cyberspace – have defensive acts that could be argued or perceived as 'offense' or 'defense.' But whether they are or not depends on intent and the perspective of the victim.

Defensive Cyberspace Operations ('DCO') are missions executed to defend against threats in cyberspace (see Joint Staff, _Cyberspace Operations_ , Joint Publication 3-12, 8 June 2018). Defensive Cyberspace Operations-Response Actions (DCO-RA) are missions where actions are taken external to the defended network or portion of cyberspace without the permission of the owner of the affected system. DCO-RA actions are normally in foreign cyberspace. Some DCO-RA missions may include actions that rise to the level of use of force, including physical damage or destruction of enemy systems. DCO-RA missions require a properly coordinated military order and careful consideration of scope, rules of engagement (ROE), and measurable objectives ( _Ibid_ p II-4).

If Microsoft could aid the US government in neutering IPs that are about to inflict destructive code on hospitals, electrical grids, traffic systems, airline control systems or other civilian infrastructure around the world, would it refuse, because such operations are 'offense?' Or are they a form of DCO?

Microsoft claims cyber offense and defense can be segregated. How, exactly? Is it differentiated by intent or by the insertion (vs blocking) of code? If a police sniper kills a hostage taker, did he commit offense because he inserted a bullet into the attacker?

These questions are not semantics or linguistic tricks. The issue comes down to intent. A police offer who shoots a would-be murder is not committing murder. Perhaps some Russians think Russia is committing 'defense' by cyber attacking Ukraine, in order to pressure Ukrainians away from the West. Defining 'offense' is therefore better driven by discerning overall intent rather than simply by looking at code.

Cyberattacks occur inside the United States on private infrastructure daily now. So where and when does cyberspace 'defense' begin? (Answer: it often begins by neutering those who are about to attack.) And since defense against attack must often involve preemption (cyber-attacks are rather binary in their execution: either they happen or they don't), cyber preemption can be a form of defense.

If Microsoft is happy to assist in cyberspace defense – including acts that neuter code on systems abroad, then the pledge is benign. If Microsoft means it doesn't want to be involved in any cyber act on another state's systems, then it is troubling and naive.

If Microsoft was involved (and I assume they weren't) in the cyber-attack on Iranian nuclear centrifuges, would it have been ashamed? If it were involved in a preemptive neutering of Russian bots that were poised to attack Ukrainian electrical grids (operations that were designed to shut down power to civilian infrastructure), would it have been ashamed?

If we want a sophisticated discussion on cyberspace rules of the road, Microsoft's pledge is rather meaningless word posturing. It shouldn't propose posing against cyber 'offense,' as if such activity can be easily discerned.

Further, let's be honest about who is doing what:

The Russians are attacking the civilian infrastructure of Ukraine in an attempt to destroy Ukrainians' faith and support of its Government, to attempt to push the Ukraine people under Russian hegemony. (The Russians also use Ukraine as a cyber test bed for cyber capabilities they may use against the West; operations the Russians have conducted have bled outside of Ukraine to infect other states' civilian infrastructure.) Russia also conducts cyberspace-enabled information operations, including political 'destabilizing operations' (a form of warfare), against adversaries to confuse facts and attribution, create false narratives, and inject notions of moral equivalence. It is competing with the United States globally and rejects the Western, liberal world order, and is attempting to undermine the Government of Ukraine.

The Chinese conduct economic and proprietary theft via cyberspace to aid Chinese industry. China also conducts information operations to control and manipulate what the Chinese people can view and say online. The Great Chinese Firewall blocks websites, poisons cache, conducts speech and face recognition, sucks in closed-circuit television, smart cards credit cards and other surveillance technologies and indexes content around the world in anticipation of filtering it when it heads to China.

The Iranians conduct cyberspace attacks on competitor state civilian infrastructure. The North Koreans steal the wealth of vulnerable individuals and states and attacks states and private entities (Sony Pictures) that threaten its regime with sarcasm (The Interview), causing millions of dollars' worth of damage and chilling our free speech rights.

The United States may have been involved in an attempt to slow the Iranian nuclear weapons program via cyberspace attack – an operation that killed no one. The United States has also likely messed with the websites and social media of the Islamic State.

Are the acts all morally equivalent? Which ones were offense? As any student of warfare will tell you, all states claim their acts of warfare are elements of self-defense.

Microsoft is posing and it is not sophisticated, enlightened, or intelligent. Its virtue posturing to advance a supposed brand. But does it sell more software to shun 'offense?' Is Microsoft indifferent to the world's problems, or its challenges, or the state of cyberspace? Does it believe the United States advances no better of a world than Russia or China, Iran, or North Korea?

In his most recent book, _New York Times_ reporter David Sanger points out how elements the Silicon Valley generation are refusing to cooperate with the Department of Defense. He contrasts this with the Cold War generation and begs the question whether the new generation is the more virtuous one.

Here's the answer: No. Such attitudes are pathetic and shameful.

The Greatest Generation gave birth to the parents of the Most Intellectually Lazy Generation.

The most insidious change in US culture and the worst form of political meddling our adversaries have conducted – very cleverly fostered by our two principle ideological adversaries, Russia and China — is the notion that the United States is no better than they are.

# APPLYING CLASSICAL NOTIONS OF STRATEGY TO CYBERSPACE

'National Security Policy' or 'Grand Strategy' or 'National Strategy' consists of

1. 'Military Policy,' which consists of

a. _Operational_ ('battlefield') _strategy_ and

b. _Program_ _strategy_ (what weapon systems you will buy) and

2. 'Foreign Policy,' which consists of:

a. _Economic policy_

b. _Political policy_ and

c. _Diplomatic policy_

Cyberspace strategy, of course, fits into all elements of National Strategy and Military Policy in particular. The cyber domain is unlike the other military domains, however, but classical notions of strategy can be applied to the domain.

• • •

**Carl von Clausewitz:** _On War_

" _Strategy is the use of engagement for the purposes of war. The best strategy is to be very strong, first everywhere, and then at the decisive point."_

The key goals in operational (battlefield) strategy, according to von Clausewitz, are:

1. annihilation of the enemy's force

2. concentration of effort at the decisive point

3. the overriding importance of moral force

4. reliance on the local commander

5. flexibility in tactical method

It is not the occupation of a slice of territory, von Clausewitz argued, but the destruction of the enemy that will decide the outcome of the war. In war, he adds, defense has an advantage.

If we were to apply his strategic goals to cyberspace, the United States might be led to the following strategic goals:

• **Superior cyber forces**

• **The identification of adversary cyber nodes that prove to be centers of gravity (decisive points)**

• **A loud, public, cyber policy that defends internet freedom, while noting accepted notions of unacceptable cyber behavior**

• **Entrusting cyber operations decisions to the local Combatant Commander**

• **Establishing authorities in advance to permit Commanders to remain flexible in their campaigns**

Von Clausewitz's general insights into good leadership and operational strategy can also apply to cyberspace operations:

Military genius, he claimed, requires courage, a strong mind, a grasp of national policy, imagination in battle, an inquiring mind, a comprehensive approach and a calm head. Training, rather than doctrine, is decisive. Flexibility and a small chain of command add to likely victory. Defense has numerous advantages.

Do not to start a war, he added, unless you know what you want to achieve. Estimate what is required of your state; estimate the strength and morale of the enemy. If opposing a greater force, attack the center of gravity—the hub of all power and movement on which all depends.

• • •

**Liddell Hart:** _The Indirect Approach_

" _The purpose of strategy is to reduce resistance. Ultimate strategy achieves your objective and avoids loss."_

Military theorist, Captain Liddell Hart, championed the importance of maneuver to achieve one's objective with the least amount of violence necessary to achieve one's objective. The 'indirect approach,' he advised, is often a superior strategy.

Applying this principle to cyberspace, the United States ought to demonstrate its cyber superiority from time to time (especially its ability to maneuver with agility) to establish notions of deterrence, lest adversaries believe that they can maneuver in cyberspace successfully and with impunity. Instead of hiding our capability, some level of openness, much like our openness with our air and sea forces, is necessary to demonstrate our commitment to internet freedom.

• • •

**Niccolo Machiavelli:** _The Prince_

" _There must be good laws where there are good arms."_

In _The Prince_ , Niccolo Machiavelli argues the importance of a close relationship between political and military institutions. For the military to succeed, it needs a sympathetic political leadership that understands what it can contribute to the national strategy. Political institutions, he argues, must create favorable preconditions for the functioning of the military organization.

Short and crisp war is the goal, which demands discipline. Furthermore, there must be 'good laws' where there are 'good arms.' Political institutions must create favorable preconditions for the functioning of the military organization.

Machiavelli advises us, therefore, to have authorities and pre-approved TTPs in place before conflict begins and to make sure our cyber forces enjoy the political support of the public and leadership.

• • •

**Antoine-Henri Jomini:** _Treatise on Grand Military Operations; The Art of War_

" _Direct the greatest offensive force against weaker enemy forces at the decisive point."_

A 'decisive point,' Jomini argues, is that point, if attacked or captured, would imperil or weaken the enemy. 'Strategic maneuver' is the movement of armies to face the decisive point. He who does this best, wins. In short:

1. throw the mass of an army upon the decisive points of a theater as well as the communications of the enemy

2. maneuver to engage factions of the enemy with the bulk of your forces

3. attack the enemy's most important faction early

In short, you win by defeating your opponent's forces.

Jomini was also famous for admonishing not to disperse forces; 'do not allow your enemy to dictate the pace or direction of the conflict.' Aggressive, offensive action deprives your enemy of the opportunity to think. A skilled commander, therefore, divides a superior enemy, finds himself in the position of the 'interior' of forces and directs his superior force against the divided smaller forces, one battle at a time. If your opponent resists dividing his forces, then he must be deceived or enticed to do so.

Our cyber forces, therefore, ought to be overwhelming to the adversary. We must not shirk at attacking the strength of our opponents and must identify those nodes, which – if attacked — would elicit defeat of the adversary. Our operations must be decisive and focused on the adversaries' strength.

• • •

**Alfred Thayer Mahan:** _The Influence of Sea Power upon History, 1660-1783_

" _Never divide the fleet."_

'Concentration' is the predominant principle of naval warfare. Whether engaging in strategic deployment or tactical maneuver, the correct course of action, according to Mahan, is that of distributing your force as to be superior to the enemy in one quarter...and holding the other quarter in check. 'Power plus position' is decisive. Since power is the goal, the total power of the fleet is the determining factor, not necessarily the power of one ship. Thus one must concentrate the fleet for maximum power; maximum offensive power of the fleet, not of the battleship, is important in deciding military procurement.

'The objective of all naval action is the destruction of the enemy's organized force and the establishment of one's control of the water.' Thus strategically and tactically, Mahan's sea power legacy is to employ navies offensively. 'Coastal defense is defensive; the Navy is offense.' 'The best protection against the enemy's fire is well directed fire from our own guns.' Using fleets as defense is a prescription for defeat.

As Jomini too implicitly argues, cyber power, therefore, ought to be used decisively and, when necessary, offensively. Defense alone is, ultimately, a prescription for defeat since, without defeating your adversary with offensive operations, he will return time and again. Like Jomini, Mahan advocated directing fire against the adversary's strength. 'Successful combat is the control of the sea and of the air (and now by implication of cyber) and the subsequent introduction of land forces for a joint and total victory.'

• • •

The Nuclear Strategists

• The 'advantage of the offense.'

• The emergence of the _'Offense-Defense' – 'Action-Reaction'_ phenomenon.

• The emergence of notions of deterrence.

• The struggle for 'stability.' Two types:

1. Arms control stability ( _what systems to buy to discourage an adversary's attempt to defeat it with superior forces_ )

2. Crisis stability ( _what systems to buy to discourage their use in a crisis out of a fear that a side must 'use or lose' their weapon systems in a brief, furious exchange_ )

• 'Unacceptable damage' was calculated at 25 percent of the Soviet population and 50 percent of its industrial capacity.

• The emergence of notions of 'Escalation' and 'Escalation Dominance.'

• The emergence of 'Mutually Assured Destruction' as a reality.

Deterrence: A threat to inflict costs on the aggressor large enough as to discourage the aggressor from pursuing an objective. There are two types of 'deterrence:' punishment and denial.

1. Deterrence based on _punishment_ ("if you attack you will be obliterated"/costs outweigh gains).

2. Deterrence based on _denial_ ("if you attack, your attack will fail/you will be defeated/thwarted militarily so you better not try").

The invulnerability of forces and 'second-strike forces' are necessary to prevent a preemptive strike.

Applying to cyber forces, a state needs, therefore:

• **Survivable, redundant cyber forces**

• **Forces that can both defend against attack from adversaries, such that such attacks are not attempted, and offensive forces that will cause unacceptable damage to adversary forces**

• **The creation and demonstration of cyber forces that will discourage smaller adversaries from attempting to develop competitive forces (arms race stability)**

• **Forces that will control (i.e., dominate) escalation (crisis stability)**

• **Forces that will discourage – not encourage – a cyber exchange**

• **A strong commitment to cyber R &D to insure that US forces remain technically superior**

# WHAT COMES AFTER 'PERSISTENT ENGAGEMENT?'  
_'3G:' Gates, Guards, and Guns_ [63]

Now that the Commander, US Cyber Command, has told the world (published in a Joint Forces Quarterly article - JFQ 92, 1st Quarter 2019)[64] that United States Department of Defense cyber forces will be pushing back against cyber adversaries wherever possible, including defending against malicious activity inside adversary and third-party networks, has the cyber domain challenge been solved?

No one should be thinking that the adversary will now be resigned to defeat. It is unlikely in the extreme that Russian and Chinese cyber experts are now thinking, 'it was great while it lasted; our advantage in cyberspace is over.'

In fact, Americans would be wrong to conclude that the lesson our cyber adversaries have taken is that the United States was simply slow to recognize how cyber provided them a means to change political realities below the level of armed conflict. Many US analysts discerned cyberspace as the domain for autocracies as early as 2015.[65] No, the lesson our adversaries learned is that the United States is * _always late_ * to react to adversary, asymmetric maneuver, given that authoritarian regimes can act more quickly than liberal democracies, which are slowed by consensus building, political concerns and timetables, risk-adverse general officers and State Department diplomats, bureaucratic inertia, opposing legal interpretations, and competing personalities.

Russian and Chinese cyber officials, therefore, will most certainly maneuver to continue their advantage in cyberspace and prepare for Cyber Command's 'persistent engagement' policy. Our task now is to anticipate how such adversaries will react and position ourselves to take advantage of the likely next era. US DoD officials need to discern the _next_ , next era and be there before the adversary shapes it to its advantage.

In short, the next era of cyberspace strategy must include a form of US Balkanization (' _Gates_ ') (to protect US public _and_ private technology and wealth) _plus_ numerous, smaller, private-sector segmented firewalls (' _Guards_ ') against malicious cyberspace activities (particularly IP theft) and significant US cyberspace active defense and offense (' _Guns_ ') to re-shape cyberspace back to acceptable levels.

From 'Wild Wild Web' to 'Balkanization' in a Decade

Those who helped create cyberspace confronted the nation with a unique strategic challenge: how would the United States introduce and establish shared norms governing the use of this manmade domain. Three crude models were discerned and considered to tame the 'Wild Wild Web:

1. **National Firewalls ('Great Walls')** : Countries build intrusion detection and deep packet inspection capabilities around key communication nodes to address security and/or filter content, resulting in a less open, but more secure web: see China.

2. **Secure Internal Enclaves** **('Internal Gates')** : Private sector entities create secure and trusted enclaves of internet networks ( _networks within larger networks_ ) to manage communication and collaboration, resulting in a less open web: see Russia.

3. **Mutually-Respected, Norm-Driven Open Web ('Global Commons')** : Global norms and behaviors are codified in treaties and laws and model behavior, with greater transparency and accountability for malicious behavior, resulting in an open (' _hands off_ ') web; the web is a 'public library' for the world: see United States.

At first, the United States led a noble, albeit naïve, effort to inspire international respect for cyberspace, attempting to shape norms and behavior away from malicious activity, state vs state competition, and away from national or private sector enclaves. Cyberspace was to serve all mankind as a form of global commons – a sort of virtual public library. The internet was to stimulate economic growth, share health information, advance technology for development, and pry open authoritarian states by providing information to those masses suffering from government information control. Malicious and authoritarian states were expected to be deterred from conducting their malign cyberspace activity by the fear that the United States (the more technically capable state) would retaliate with more advanced cyberspace operations.

Paradise Lost

Unfortunately, criminal groups and malign states quickly discerned that the United States was legally, politically, and organizationally slow — if not paralyzed — from responding to malicious state and criminal activity. Malicious activity swelled and malicious capabilities proliferated to malign states and non-state actors. The malign actors turned the Open Web into an open season to advance their particular economic and political goals.

• Russia conducted strategic coercion via cyberspace to undermine political rivals — including the United States, taking advantage of or enhancing political divisions within democracies in order to weaken them overall. Russia applied its '3D' strategy of cyberspace-delivered Disinformation, political Destabilization, and (threat of) Destruction to weaken opponents and get them to change the political _status quo_. The United States has yet to address this Russian cyberspace strategy successfully, at least abroad.

• China weaponized cyberspace and business, stole (and continues to steal) US intellectual property in the billions and is integrating cyberspace to defend its notion of sovereignty to dis-inform and destabilize rivals, such as the Republic of Taiwan, and to use cyberspace offensively when faced with likely kinetic conflict with adversaries, including potentially the United States. China's aggressive integration of cyberspace into its national security strategy – weaponizing business, stealing Western technology, and intimidating political rivals into silence – has left the United States strategically flatfooted. The United States has yet to address this malicious Chinese use of cyberspace successfully, nor has the country figured out how it should deal with a communist China that has successfully resisted pressures and incentives to democratize.

• North Korea conducted cyber-crime in order to sustain its totalitarian regime. Its cyber-crime sustains it nuclear program, its totalitarian regime, and allows it to survive its failed-state status. North Korea may not have survived this decade had not the internet afforded it the opportunity for massive, global cybercrime.

The Malign Cyber Actors Shaped the Cyber World

Nation-states today use cyberspace for espionage, industrial theft, disinformation, coercion, and crime to advance their aims but, most importantly, for the dismantling of the liberal-democratic world order to replace it with something more favorable to their own interests. Our adversaries leverage cyberspace to ensure that their actions stay below the level that could trigger military conflict.

America's opponents in cyberspace are not interested in conducting a 'cyber 9/11.' The Chinese focus on weaponizing business and industrial (technology) theft to enrich their state and leap frog ahead of the United States militarily and commercially. The Russians use cyberspace to pedal false narratives on social media and with international proxies and 'experts' to influence elections, leverage cooperative criminal groups to steal industrial information and western money, and stealthily emplace code on our civilian infrastructure to threaten such infrastructure in a time of crisis or war. Iran and North Korea use cyber operations against American companies to steal money, punish states or industry they oppose, and occasionally conduct cyberspace attack to commit physical destruction (see the Sony Pictures and Sands Las Vegas Corporation cyberspace attacks in 2014). The Islamic State/al Qa`ida use the internet to post illegal speech that calls for the murder of innocents and for recruitment, weapons information sharing, inspiration, and crude command and control.

Some studies suggest that the rise in US GNP as a result of the internet was offset by the massive loss of US technology and wealth as a result of state-sponsored espionage and crime. Equally disturbing, malign states perceived that cyberspace enabled them to pursue and achieve their political goals and maintain regime survivability without having to resort to violence. In short, the tool the West thought would open totalitarian regimes served such regimes better for stealing wealth and technology, advancing their political influence abroad, and maintaining internal totalitarian control. Cyberspace was the asymmetric tool they needed to defeat (or more accurately to make irrelevant) US military superiority.

In short, the era of the Open Web was despoiled by:

• massive intellectual property theft

• the rise of huge cyber-criminal groups

• massive, state-sponsored cyber espionage

• adversary state use of cyber proxies

• state-sponsored, cyber-enabled political influence campaigns

• hybrid warfare and information confrontation

• jihadist use of the internet for recruitment, inspiration, and crude Command and Control

• the development and preparation of strategic cyber-attack capabilities

What we need today is not so much cyber experts, but experts in ' _all-phase_ ' warfare; more specifically, the phase of warfare to the 'left' of actual violence, given that cyberspace competition occurs short of actual violence or damage. In fact, 'conventional war' is an almost quaint, minor, and rarely-used element of 'warfare' today with Russia and China, given that their goal is to change political realities _without_ violence. We are today engaged in an intellectual arms race with Russia and China (ideology, business, AI, technology, quantum, cyber capabilities, narratives, influence operations) more so than weapon systems, whether we acknowledge it or not and whether we accept it explicitly or not.

The Future of the Cyberspace is '3G' ('Gates,' 'Guards,' and 'Guns')

' _Gates:' Balkanization_

The future of cyberspace is now likely to include a form of Balkanization (aka 'splinterization') – the fracturing and dividing of internet networks into separate, independent networks, defended by state-wide and additional internal state firewalls, inspired ostensibly by state concerns over technology or intelligence loss, commerce, politics, or sovereignty. This Balkanization is being driven by the authoritarian states of the world (Russia, China, Iran, North Korea) who wish to control information inside their borders and enable and harbor criminal cyber activity focused against the United States, as well steal Western industrial technology, which they will want to protect, once stolen. Cyber Balkanization is a zero-sum authoritarian approach to information control and theft of Western proprietary information and wealth. _('What's yours is mine, but once stolen, it's only mine. I can conduct info ops in your country but you can't in mine.')_ There may be some good, legitimate reasons for data to be localized (so that good states can prosecute citizens with data they can find on servers inside their states), but Balkanization will serve authoritarian states and criminal elements especially well.

By Balkanizing the internet, these authoritarian states are encouraging states to retreat in cyberspace into a more bunkered mentality. There is a crude convergence of opinion now that cyber Balkanization is happening worldwide (whether we like it or not), driven by disparate state interests in either data control ('data sovereignty') or information control for internal political control (China's definition of 'internet sovereignty').

There are competing (Balkanization) models now for the world: the EU model (mildly protective data centers to house data in country) or the PRC model (total information control). However, no one is discussing the 'US model' because there is no US model or vision for cyberspace for the future. The EU model will likely become the model for regulators, while the China model will become the model for autocracies to effect information control and regime sovereignty (which means it will appeal to many states). Most states will adopt at least the EU model; many will like and import the China model.

' _Guards:' More Private Sector Defense_

The former Director of the National Security Agency and the CIA, Michael Hayden, famously said, ' _the US Cyber Calvary ain't coming to save any US business._ ' The challenge to US business is too great at the moment for the US Government to handle alone. Since US private sector loss to economic espionage is often hidden and incremental, the United States almost always defaults to a passive, dismissive attitude and does nothing. At the very least, the US Government ought to inform US industry that it cannot protect US proprietary information from Chinese government hackers and point out that business in or with China will likely ultimately cost more than they realize (such as loss of their source code as well as any intellectual property advantage they may have).

' _Guns:' Escalation Dominance to Force a More Benign Cyber World_

In the future, the United States must use offensive cyberspace capabilities in ways that make it clear that it will back up words with action, while reinforcing the ability of the US government to exercise power and defend the nation consistently with international law and norms. At present, our approach to the era of continuous confrontation has been almost exclusively defensive: whining and mere hardening of defenses of US government and DoD networks. The US approach to shaping norms of cyberspace will need to involve many more elements of active defense and offense, as well as involve the private sector if it is to be successful.

Cyberspace will continue to favor authoritarian states that violate sovereignty, law, and international norms in 'peacetime' as long as the United States does not successfully engage to defend and impose costs for such activity. The sooner we recognize how our adversaries 'fight' in peacetime, and what is required of us to compete and win in this new 'Phase 0' of warfare, the more successful we will be in defending our sovereignty and preventing conflicts from escalating to actual violence.

Until the United States demonstrates the willingness to use cyber or other capabilities to punish unacceptable behavior in cyberspace, threats of punishment alone will continue to ring hollow, while defense alone will be insufficient. The United States needs to shape (i.e., influence) the international environment constantly — a combination of international norms promulgated on paper in international forums but also clear, well-signaled responses in reply to certain unacceptable activities. It may sound contradictory, but if the United States wants to reduce the number and severity of malicious cyber-attacks against it, it must attack back more often.

In short, the United States will have to become temporarily the meanest cyberspace dog in the neighborhood to dissuade malicious state activity downward. It must adopt its 2018 elections mindset worldwide to break the state and criminal group addiction to malicious cyberspace activity.

What is needed is an **inverted 'J' curve** [66] of US cyberspace activity ('cyberspace operations' vs 'time'): a mix of overt, clandestine, public and nonpublic cyberspace operations that, at first, will involve much more active defense/offensive activity before norms are clearly established and stability recovers and ultimately improves to a parietal optimal levels.[67] Current US Government cyberspace leaders in the past were so worried about cyberspace stability that they eschewed most any operation that involved pushing back against adversaries and state thieves – precisely what our adversaries want us to do. Today, democrats and republicans, industry and government all agree that to get the cyberspace world we want, the United States will have to act, and that means act offensively. In other words, if you are worried about cyber instability, although it may sound counter intuitive at first, one has to conduct much more activity _and escalation_ at first to hammer cyberspace back down to acceptable malicious limits.

In short, the next era of cyberspace strategy must include a form of US Balkanization (yet devised) (to protect US public _and_ private technology and wealth) _plus_ US firewalls against malicious cyberspace activities (particularly IP theft). But, in addition, the next era will require significant US cyberspace active defense and offense to re-shape cyberspace back to acceptable levels.

Elements of Activity within the Inverted J Curve

The White House's _2018_ _National Cyber Strategy_ (NCS) describes a path for America's vision of the Internet to enable the free flow of information and to respond to competitor and adversary exploitation of cyberspace capabilities. The NCS calls for a more aggressive way-ahead based on confronting and combating adversary cyberspace activity via cost imposition (i.e., punishment) and by using cyber capabilities to achieve national security objectives.

The NCS, like the _2017 National Security Strategy_ (NSS), explicitly describes cyber threats posed by Russia, Iran, North Korea, and China as actors of primary interest. Sadly, cyberspace has emerged as the domain of continuous competition with these adversaries and has created a strategic environment in which political power is challenged without resort to armed conflict.

Both strategies will fail unless the United States successfully conducts cyberspace escalation dominance. To advance such competition, and in order to demonstrate the new-founded US commitment to establishing appropriate norms in cyberspace, the US Government as a whole must conduct, advance, adopt, or encourage the following complementary, national-level, cyberspace-related operations and policies.

Needed and Likely Elements of the Next Cyber Era:

' **Guards'**

1. **Devise and embrace a form of US cyberspace Balkanization**. The world is moving to wall off its states, just as they walled off airspace. It was naive in the extreme to think states would allow unfettered access to virtually anything via cyberspace. Instead, cyberspace has become a boondoggle for criminals and authoritarian states. We sit by, watch Balkanization happen, and thereby encourage China to become the mentor for developing states who want some level of cyber security.

2. **Discourage US business from doing business in China (** _do business in Latin America_ **).** US technology is inevitably lost to the Chinese Government, which has weaponized business to extract intellectual property and supplant US business wherever possibly worldwide.

' **Gates'**

3. **Create firewalls for citizens and US business (encourage US businesses to do the same)**. The US Government protects Americans in the domains of land, sea, air, space but claim Americans are on their own in cyberspace. Yet many cyber threats are too sophisticated for US citizens to discern. It is an abdication of responsibility to state or imply that cyberspace is the one domain of warfare that the US Department of Defense will not defend for the American people.

4. **Pass a law to requiring automatic cyber security upgrading on all private systems by IT firms**. The NSA, Cyber Command, FBI, and DHS should better assist public and private sector entities from malicious cyberspace activity from abroad by sharing more intelligence; the private sector must be required to auto upgrade security. Require two-factor authentication for communications. Everyone carries a cell phone or a watch anyway; the addition of a token or a second authentication via cell phone would pose an insignificant burden on the public.

' **Guns'**

5. **Escalate to de-escalate.** The United States must conduct targeted cyberspace offense against malicious state actors to dissuade them from continuing their currently unmolested and successful cyberspace activities.

6. **Attack cyber criminals abroad, just as we used to attack pirates at sea**. Ransomware, sophisticated phishing, state-sponsored cyber-attack via proxies, terrorist use of the internet and the weaponization of business are all far beyond the average American to perceive on the internet, let alone defend against. It is the responsibility of the US government to attack these attackers, just as the US military did against lawless pirates on the high seas.

7. **Take down ISIS and AQ communications anywhere and everywhere**. Encourage other states to do the same. The speech of a declared enemy of the United States is the information operations of a combatant. States that house ISIS or AQ speech are advancing the information operations of a nonstate actor in declared war with the United States. We have the legal right to contest this speech.

8. **Greenlight a limited degree of private sector 'hack back.'** Since our adversaries allow 'private' entities to conduct malicious cyberspace operations, allow US private entities to conduct a level of hack back as well (to develop a level of deterrence). If successful, new norms could be subsequently negotiated with adversaries and – indirectly – with even criminal groups. In short, since the USG has admitted to the US private sector that it cannot defend all private sector equities, the USG should allow and advocate a level of gray-space, private sector 'hack-back.' If not, US private sector entities will forever suffer a significant level of proprietary loss to cyberspace adversaries every year (with no chance of recovery), which the US Government will do nothing about.

9. **Release (declassify) much more malicious, adversary, cyberspace intelligence**. Via the DNI, the DoD ought to leverage attribution studies and intrusion intelligence to shape foreign policy (i.e., declassify and release adversary intelligence intrusion reports strategically to allies, partners, and to the public in high profile releases on a case by case basis in order to shape adversary activities). Such information is perishable anyway. Releasing such activity will deter such activity generally, educate the world, and is often worth the intelligence loss even if the adversary can discern some US cyberspace forensic methods better. Similarly, the US government ought to produce many more high-profile public releases (op-eds, articles, expert conferences) of Russian Information Confrontation and Chinese proprietary theft to reveal adversary cyberspace.

10. **Hire a US firm to conduct counter-trolling (to counter-troll – by exposing — Russian trolling most especially).** The US private sector ought to be challenged to contribute financially to this effort to create better standards in social media and in journalism generally. The US government ought also to reveal publicly Russian 'experts' who are, in fact, paid Russian Government spokesmen (i.e., expose phony experts)..

Competition with adversary cyber states is not only likely, it is today persistent and tireless. Competition today is a combination of military posturing and a struggle over information (narratives), technology, and wealth via cyberspace. Our adversaries specifically fight and stay in this stage of warfare of cyberspace operations, information operations, military posturing and limited kinetic conflict, careful never to escalate to state-on-state war. In short, our adversaries and competitors have embraced 'nonviolent warfare' precisely because they can achieve their political goals better, quicker, with less cost and avoid kinetic hostilities with the United States.

As a country, we must adapt to this changed reality of conflict and competition in cyberspace. We need synchronized interagency measures to bring all the powers and authorities of the US government to bear on malicious cyber actors and prevent rather than simply react to adversary threats. Undoubtedly, the US military plays a key role, including taking actions to signal US capability and resolve in instances short of conflict, just as the DoD does in the other domains. The United States must forge a consensus on when we can and should respond to attackers and exploiters that also clarifies the proper role of the military in a whole-of-nation approach to improving our security in the cyberspace domain.

### Endnotes

[1] Re-printed by permission: "Make Cyberspace Great Again Too!," _Real Clear Defense_ , July 23, 2018

[2] See Saudi Aramco 2012 and Sony Pictures 2014.

[3] These policies provoke further questions: Why don't these American companies go to Latin America, which desperately needs development assistance, and help our immigration problem? Why doesn't the Congress pass legislation to encourage them to do so?

[4] Re-printed by permission: "'War in Peace:' Cyberspace and the Era of Persistent Confrontation," _The American Interest_ , September 5, 2016

[5] **Cyberspace:** A global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Joint Publication 1-02, Department of Defense _Dictionary of Military and Associated Terms_ , 8 November 2010, (As Amended Through 15 January 2015), p. 58.

[6] Activity in the early phases of warfare has been described as unconventional war, guerilla war, irregular war, hybrid war, non-linear war, next generation war, ambiguous war, asymmetric war, limited war, shadow war, indirect war, small war, the gray zone, low-intensity conflict, 'Military Operations Other Than War' (MOOTW). The last time the United States formally declared war was June 5, 1942, against Bulgaria, Romania and Hungary.

[7] **Cyberspace operations:** The employment of cyberspace capabilities to achieve objectives in or through cyberspace.

[8] **Cyber warfare:** Armed conflict conducted in whole or in part by cyber means; military operations conducted to deny an opposing force the effective use of cyberspace systems and weapons in a conflict. It includes cyber attack, cyber defense, and cyber enabling actions. (Not all cyber attack is cyber warfare, but all cyber warfare is armed conflict.)

[9] In speeches in September and October 2007, Army Chief of Staff General George Casey coined the phrase "era of persistent conflict," referring to the then period of 'protracted confrontation among states, non-states, and individual actors, who are increasingly willing to use violence to achieve their political and ideological ends.'

[10] **Effect:** Any change to a condition, behavior, or degree of freedom. See Department of Defense, _Dictionary of Military and Associated Terms_ , Joint Publication 1-02, 8 November 2010. (As Amended Through 15 January 2015), p. 75.

[11] A _New York Times_ article exposed this burgeoning industry, commonly referred to as a "Troll Factory," and described how "they work for government authorities at all levels." See Adrian Chen, "The Agency," _The New York Times_ , June 2, 2015. See also Catherine A. Fitzpatrick, "Russian Blogger Finds Pro-Kremlin 'Troll Factories,'" _The Daily Beast_ , August 20, 2015; Sam Matthew, 'Revealed: How Russia's 'Troll Factory' Runs Thousands of Fake Twitter and Facebook Accounts to Flood Social Media With Pro-Putin Propaganda," _The Daily Mail_ , March 28, 2015; Norman Hermant, "Inside Russia's Troll Factory: Controlling Debate and Stifling Dissent in Internet Forums and Social Media," _News_ (Australia), August 12, 2015.

[12] Peter Pomerantsev, Michael Weiss, _The Menace of Unreality: How the Kremlin Weaponizes Information, Culture and Money_ , Institute of Modern Russia, 2014, p. 10

[13] Such illicit technology transfers accelerates Chinese military modernization, improvements in indigenous industrial and technical capabilities, and damages trade imbalances, national income and jobs, according to _Net Losses: Estimating the Global Cost of Cybercrime: Economic Impact of Cybercrime II_ , McAfee (An Intel Company), Center for Strategic and International Studies, June 2014, p. 13.

[14] _The Economic Impact of Cybercrime and Cyber Espionage_ , McAfee (An Intel Company), Center for Strategic and International Studies, July 2013, p. 4. The McAfee study claims that if its estimates are correct, cybercrime extracts between 15-20 percent of the value created by the internet.

[15] Opportunity costs associated with cybercrime include reduced investment in R&D, risk adverse behavior by industry, and increased spending on cyberspace defense.

[16] Dennis C. Blair and Jon M. Huntsman, Jr., "The Report of the Commission on the Theft of American Intellectual Property," _National Bureau of Asian Research_ , May 2013, page 3.

[17] "2013 Data Breach Investigations Report," _Verizon_ , 2013, page 21.

[18] "How Deterrence Fundamentals Operate in Cyberspace," _The Cipher Brief,_ October 4, 2017

[19] The US Department of Defense does not use the term 'cyber warfare,' since 'warfare' is a policy condition decided by the President and Congress. An unofficial DoD definition of the term can be found in James E. Cartwright, _Joint Terminology for Cyberspace Operations_ , The Vice Chairman of the Joint Chiefs of Staff: **cyber warfare:** Armed conflict conducted in whole or in part by cyber means; military operations conducted to deny an opposing force the effective use of cyberspace systems and weapons in a conflict. It includes cyber-attack, cyber defense, and cyber enabling actions. (Not all cyber-attack is cyber warfare, but all cyber warfare is armed conflict.)

[20] **Cyberspace operations:** The employment of cyberspace capabilities to achieve objectives in or through cyberspace.

[21] Joint Publication 3-12, _Cyberspace Operations_ , February 5, 2013, p vi.

[22] Department of Defense, _Dictionary of Military and Associated Terms_ , Joint Publication 1-02, 8 November 2010. (As Amended Through 15 January 2015), p. 75.

[23] Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience identifies 16 critical infrastructure sectors of key importance to the United States Government: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials, and waste, transportation systems, and water and wastewater systems.

[24] CSAF Symposium, Strategic Attack Panel, 8-12 April 2002, Montgomery AL, as cited by Russell C. Barnes, Lt Col, USAF, Air University, _Strategic Attack: Defined And Refined_ , A Research Report Submitted to the Faculty In Partial Fulfillment of the Graduation Requirements , December 2002, p. 4.

[25] A **cyber-attack** is an attempt to deny, disrupt, disable, degrade, destroy, or otherwise affect the confidentiality, integrity, or availability of computer systems, networks, or data.

[26] Joint Publication 3-12 (R), _Cyberspace Operations_ , February 5, 2013, p. 11-5. Specific actions are:

(a) **Deny.** To degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time. Denial prevents adversary use of resources.

1. **Degrade.** To deny access (a function of amount) to, or operation of, a target to a level represented as a percentage of capacity. Level of degradation must be specified. If a specific time is required, it can be specified.

2. **Disrupt.** To completely but temporarily deny (a function of time) access to, or operation of, a target for a period of time. A desired start and stop time are normally specified. Disruption can be considered a special case of degradation where the degradation level selected is 100 percent.

3. **Destroy.** To permanently, completely, and irreparably deny (time and amount are both maximized) access to, or operation of, a target.

(b) **Manipulate.** To control or change the adversary's information, information systems, and/or networks in a manner that supports the commander's objectives

[27] Computer Network Exploitation (CNE) – Enabling operations and intellective collection capabilities conducted through the use of computer networks to gather data about target or adversary automated information systems or networks, _Memorandum for Chiefs of the Military Services, Commanders of the Combatant Commands, Directors of the Joint Staff Directorates, Subject: Joint Terminology for Cyberspace Operations_ , p. 4.

[28] See James Van de Velde, "'War in Peace:' Cyberspace and the Era of Persistent Confrontation," _The American Interest_ , September 5, 2016.

[29] Edgar Alvarez, Sony Pictures hack: the whole story, _Engadget_ , December 10, 2014  https://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/ and Elyse Betters, "Sony Pictures hack: here's everything we know about the massive attack so far," _Pocket-lint_ , February 5, 2015  http://www.pocket-lint.com/news/131937-sony-pictures-hack-here-s-everything-we-know-about-the-massive-attack-so-far

[30] **Deterrence:** The prevention of action by the existence of a credible threat of unacceptable counteraction and/or belief that the cost of action outweighs the perceived benefits. _Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms_ , 8 November 2010 (as amended through 15 January 2015) p. 67.

[31] James R. Clapper, _Statement for the Record Worldwide Threat Assessment of the US Intelligence Community_ , Senate Select Committee on Intelligence, March 12, 2013.

[32] "Cyber's Future is Cloudy With a Chance of Persistent Authoritarianism," _The Cipher Brief_ , August 22, 2018

[33] "Why Cyber Norms Are Dumb and Advance Russian Interests," _The Cipher Brief_ , June 6, 2018

[34] G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE,  https://securityaffairs.co/wordpress/57932/cyber-warfare-2/g7-declaration-responsible-states-behavior-cyberspace.html

[35] US CERT, GRIZZLY STEPPE - Russian Malicious Cyber Activity.  https://www.us-cert.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

[36] Reprinted by permission: "How to Defeat ISIS: Crash Their Comms," _The American Interest_ , June 10, 2015.

[37] Mitchell D. Silber, Director of Intelligence Analysis, New York City Police Department, _Statement before the Senate Homeland Security and Governmental Affairs Committee,_ November 19, 2009.

[38] _Counterterrorism Lessons from the U.S. Government's Failure to Prevent the Fort Hood Attack_ , Joseph I. Lieberman, Chairman and Susan Collins, Ranking Member, United States Senate Committee on Homeland Security and Government Affairs, February 8, 2011.

[39] _Gary Reid, Deputy Assistant Secretary of Defense, Special Operations and Combating Terrorism, Statement before the Senate Armed Services Subcommittee on Emerging threats and Capabilities_ , March 10, 2010, p. 4.

[40] Richard Barrett, _The Islamic State_ , The Soufan Group, November 2014, p. 54.

[41] For an analysis of jihadist political-military strategy, see Michael W. S. Ryan, _Decoding al-Qaeda's Strategy: The Deep Battle Against America_ , (New York: Columbia University Press, 2013).

[42] 'ISIS: Terror Has Gone Social,' Zerofox, August 12, 2014.  http://www.zerofox.com/whatthefoxsays/islamic-state-isis-terror-has-gone-social-infographic/#.VGSzE1fF991:

**#Hashtagehijacking:** ISIS activists will use a popular trending hashtag as a means of infiltrating conversations by adding that hashtag onto one of their unrelated tweets. They can also mass tweet using their own designated hashtags, which gets them to trend.

**Personal Account Exploitation:** ISIS has created its own app, an Arabic-language Twitter app called "The Dawn of Glad Tidings" (or just "Dawn"). When users sign up, they give ISIS permission to send tweets through their own personal accounts. This allows ISIS's tweets to reach hundreds or thousands more accounts, giving the perception that their content is bigger and more popular than it might actually be.

**Bot Armies:** ISIS uses networks of computers it has infiltrated ("bots") to carry out its campaigns via remote control, making those behind the activities unidentifiable. Because these bot armies are so widespread, as governments and social media networks continue to thwart ISIS's maneuvers, the group is always one step ahead as they use the bots to continually regenerate accounts.

**Western Trend Manipulation:** ISIS distributes propaganda specifically designed to target a Western audience, for instance by using hashtags that they are sure the Western world is searching for – like #worldcup2014 #fifaworldcup – for the purposes of recruitment or inciting fear.

**Education:** The Dawn app is used as an education tool, distributing news and information about ISIS to its users. In addition to promoting information about its group, ISIS also educates its social media followers on how to access information that has been blocked by governments and social media sites through TOR/anonymizer tutorials.

[43] See also, Ali, Lorraine. 2014. "Islamic State's soft weapon of choice: Social Media." _The Los Angeles Times_. September 22, 2014.  http://www.latimes.com/entertainment/la-et-islamic-state-media-20140922-story.html

[44] Shane Harris and Noah Shachtman, ISIS Keeps Getting Better at Dodging U.S. Spies, _The Daily Beast_ , November 14, 2014  http://www.thedailybeast.com/articles/2014/11/13/isis-keeps-getting-better-at-dodging-u-s-spies.html

[45] Richard Barrett, _The Islamic State_ , The Soufan Group, November 2014, p. 9.

[46] See 'ISIS jihadists put out Hollywood-style propaganda film,' _France 24_ , June 13, 2014.  http://observers.france24.com/content/20140613-hollywood-fim-jihadist-propaganda-isis

[47] See 'ISIS jihadists put out Hollywood-style propaganda film,' _France 24_ , June 13, 2014.  http://observers.france24.com/content/20140613-hollywood-fim-jihadist-propaganda-isis

[48] Richard Barrett, _The Islamic State_ , The Soufan Group, November 2014, p. 51.

[49] Richard Barrett, _The Islamic State_ , The Soufan Group, November 2014, p. 51.

[50] Ali Hashem, 'The Islamic State's social media strategy,' al-Monitor, August 18, 2014.  http://www.al-monitor.com/pulse/originals/2014/08/is-clinton-atrocities-social-media-baghdadi-mccain.html#

[51] Patrick Kingley, Who is behind Isis's terrifying online propaganda operation?, _The Guardian_ , June 23, 2014,  http://www.theguardian.com/world/2014/jun/23/who-behind-isis-propaganda-operation-iraq

[52] 'Iraq crisis: ISIS social media blitz could be its downfall,' CBD News, July 2, 2014.  https://ca.news.yahoo.com/iraq-crisis-isis-social-media-blitz-could-downfall-090000527.html

[53] Ajabaili, Mustapha. "How ISIS Conquered Social Media." Al Arabiya News. June 24, 2014. Accessed November 22, 2014.  http://english.alarabiya.net/en/media/digital/2014/06/24/How-has-ISIS-conquered-social-media-.html

[54] Ali Hashem, 'The Islamic State's social media strategy,' al-Monitor, August 18, 2014.  http://www.al-monitor.com/pulse/originals/2014/08/is-clinton-atrocities-social-media-baghdadi-mccain.html#

[55] Ali Hashem, 'The Islamic State's social media strategy,' al-Monitor, August 18, 2014.  http://www.al-monitor.com/pulse/originals/2014/08/is-clinton-atrocities-social-media-baghdadi-mccain.html#

[56] Trowbridge, Alexander. 2014. "ISIS swiping hashtags as part of propaganda efforts." CBS News, August  http://www.cbsnews.com/news/isis-hijacks-unrelated-hashtags-in-attempt-to-spread-message/

[57] David Lerman, Beheading #WorldCup Shows Islamic State's Online Savvy,' _Bloomberg_ , July 7, 2014.  http://www.bloomberg.com/news/2014-07-07/beheading-worldcup-shows-islamic-state-s-online-savvy.html

[58] Ali Hashem, 'The Islamic State's social media strategy,' al-Monitor, August 18, 2014.  http://www.al-monitor.com/pulse/originals/2014/08/is-clinton-atrocities-social-media-baghdadi-mccain.html#

[59] Richard Barrett, _The Islamic State_ , The Soufan Group, November 2014, p. 55.

[60] 'New ISIS Media Company Addresses English, German and French-Speaking Westerners,' _MEMRI_ , June 23, 2014.  http://www.memrijttm.org/new-isis-media-company-targets-english-german-and-french-speaking-westerners.html

[61] Richard Barrett, _The Islamic State_ , The Soufan Group, November 2014, p. 56.

[62] Jean Marc Moron, 'Dabiq: the smiling face of Iraq-Syria 'caliphate,' _Yahoo News_ , July 10, 2014.  http://news.yahoo.com/dabiq-smiling-face-iraq-syria-caliphate-081415767.html

[63] Re-printed by permission: "What Comes After 'Persistent Engagement?' '3G' ('Gates,' 'Guards,' and 'Guns')," _The Cipher Brief,_ August 28, 2019

[64] See <https://ndupress.ndu.edu/JFQ/Joint-Force-Quarterly-92.aspx>

[65] See Jessikka Aro, _The Cyberspace War: Propaganda and Trolling as Warfare Tools_ , Wilfried Martens Centre for European Studies, May 10, 2016; James Andrew Lewis, 'Compelling Opponents to Our Will': The Role of Cyber Warfare in Ukraine, NATO Cooperative Cyber Defence Centre of Excellence; Andrei Soldatov,? Irina Borogan, _The Red Web: The Kremlin's Wars on the Internet_ , PublicAffairs; Reprint edition, 2017; Kevin N. McCauley, _Russian Influence Campaigns against the West: From the Cold War to Putin_ , CreateSpace Independent Publishing Platform, 2016; Peter Pomerantsev and Michael Weiss, "The Menace of Unreality: How the Kremlin Weaponizes Information, Culture and Money," Institute of Modern Russia, Session 22, 2014; China's Non Traditional Espionage Against The United States; William G. Pierce, Douglas G. Douds, and Michael A. Marra," Understanding Coercive Gradualism," _Parameters_ 45(3) Autumn 2015; James Van de Velde, "'War in Peace:' Cyberspace and the Era of Persistent Confrontation," _The American Interest_ , September 5, 2016.

[66] A **J-curve** refers to a J-shaped section of an 'x vs. time' graph in which the curve falls into negative territory and then gradually rises to a higher level than before the decline.

[67] Is there a ' _cyber_ _pareto optimality?' —_ the condition where no state can conduct malicious activity without precipitating an unacceptable counter offense, thus making itself worse off.

