Chapter 2: Literature Review
Research Problem and Purpose
A successful large-scale cyberterrorism attack against the United States could have the potential to set off a widespread conventional military conflict. Because of this, the U.S. government may need to create a cyberterrorism specific plan to outline deterrence initiatives and draft proportional response options. Cyberterrorism prevention and response plans would serve to quickly and effectively bolster defenses or facilitate responses that are in line with all previously considered domestic and international guidelines and principles.
The purpose of this qualitative study was to explore the perceptions of terrorism and cybersecurity experts in the United States to better understand how the country might prevent and respond to large-scale cyberterrorism attacks. The U.S. government will act in an unpredictable manner following a successful large-scale cyberterrorism attack against the country because the attack would place the government in an unfamiliar position with limited guidance. Yet, no public U.S. research or legislation exists for prevention and response strategies related to a large-scale cyberterrorism attack. In this chapter, I give a detailed review of all publicly available information on cyberterrorism that I acquired using several approaches to ensure that all information was extracted.
Literature Search Strategy
A majority of the information referenced for this study consists of peer-reviewed journal articles relevant to cyberterrorism with an emphasis on research from 2016 to 2020. I primarily conducted research through online databases consisting of Academic Search Complete, Political Science Complete, Google Scholar, SAGE Premier, and ProQuest Central. I used Ulrich Periodicals to ensure that journals referenced in this study were peer-reviewed. The database search terms included cyberattack, cybercrime, cyberterrorism, cyberwar, hacking, information warfare, international, laws, NATO, national security, punctuated equilibrium theory, responses, state-sponsored, terrorism, United Nations, and United States. One hundred and twelve peer-reviewed studies from 2016 to 2020 supported the findings of the literature review and this study.
Theoretical Foundation
Overview and Key Framework Proposition
Democratic political processes are outwardly associated with long periods of relative stability. These governments follow rules and regulations for electing officials, formulating laws, and governing citizens. Yet, government operations during disasters, such as 9/11, shift to crisis management, which often becomes the catalyst for rapid political change. Punctuated equilibrium theory shows that stability and change are both important aspects of the political process and incorporates both into its framework (Baumgartner et al., 2018; Kuhlmann & Van der Heijden, 2018).
In this study, I used punctuated equilibrium theory to review the validity of improving U.S. cyberterrorism deterrence and response options. Cyberterrorism guidance is created by policymakers in either relative stability before a cyberterrorism attack or within an excited environment following a successful cyberterrorism attack. Terrorism and cybersecurity experts cannot make changes to U.S. policy without policymaker concurrence. These experts, therefore, must observe and navigate U.S. government institutional friction described by punctuated equilibrium theory in order to offer improvements for cyberterrorism deterrence and response guidelines. They must additionally work with policymakers for any cyberterrorism response plan drafted in the chaotic environment following a large-scale cyberterrorism attack. I used punctuated equilibrium theory to conceptualize expert cyberterrorism deterrence and response plan improvements in these two very different environments.
Punctuated equilibrium theory draws from political science approaches acknowledging that political processes mostly operate in stable environments defined by measured progress (Baumgartner et al., 2018; Koski & Workman, 2018; Noone, 2019). Yet, these same environments can also experience decisive change to resolve large political problems (Baumgartner et al., 2018; Noone, 2019). Punctuated equilibrium theory states that decisions are made through bounded rationality, that is, within the cognitive abilities and timeframes of policymakers and organizations (Kuhlmann & Van der Heijden, 2018). The theory emphasizes issue definition and agenda setting with respect to the policy process to help quantify the variation in change (Baumgartner et al., 2018; Koski & Workman, 2018).
Issues are addressed by priority in public agendas to either reinforce or question standing policies (Baumgartner et al., 2018; Koski & Workman, 2018). Reinforced policies can only be marginally reformed, yet questioned policies can create an atmosphere for large change (Baumgartner et al., 2018). However, even when change is evident, institutional friction can present a barrier by making the policy change process difficult (Flink, 2017; Koski & Workman, 2018). This friction causes pressure to build, which leads to a punctuation over time (Flink, 2017; Koski & Workman, 2018). Punctuated equilibrium theory thus also offers reasoning for the sudden shifts in policy change.
Punctuated equilibrium theory was created to be widely applied to many policy venues and is recognized in the United States and throughout the world (Koski & Workman, 2018). Since 1993, the theory has appeared in 90 mostly U.S.-based journals covering public administration, public policy, U.S. politics, and comparative politics (Baumgartner et al., 2018; Kuhlmann & Van der Heijden, 2018). Kuhlmann and Van der Heijden (2018) identified 86 high-quality articles not written by punctuated equilibrium theory’s creators, covering topics ranging from budget change, health, environmental and energy policy, and tobacco policy to education policy (Flink, 2017; Kuhlmann & Van der Heijden, 2018).
Literature Review Related to Key Concepts
Communication and the flow of information play important roles in virtually all aspects of life and are integral for collective security and stability (Osawa, 2017). Nearly half of the world’s population is connected to the internet with access to information available through infrastructure consisting of networks, software, and facilities (Nye, 2017; Shad, 2018). However, increasing worldwide dependence on cyberspace has exposed mounting malicious cyber activities which has raised security concerns (Nye, 2017; Osawa, 2017).
Cyberattacks can be classified as either exploitation attacks on computer systems or destructive physical attacks using computer systems (Shad, 2018). The main culprits of cyberattacks are states, terrorist groups, terrorist sympathizers, anti-government hackers, and thrill-seekers (White, 2016). Taken wholly, the internet provides a massive target for criminals operating in relative safety to cause damage and disruption far exceeding any conventional attack (Albahar, 2019). In fact, a successful large-scale cyberattack could cost the United States upwards of $50 billion USD, which is comparable to a severe natural disaster (Osawa, 2017). Cyberspace is still a largely unregulated domain, and cybercriminals and cyberterrorists will continue to conduct increasingly brazen attacks and exploit cyberspace to their advantage until comprehensive policies are drafted to address these threats.
Rationale and Relevance of Framework
Punctuated equilibrium theory is relevant for justifying cyberterrorism deterrence and response plans during periods of relative stability before a successful large-scale cyberterrorism attack as well as in an environment primed for rapid political change following an attack. This theory is also relevant when comparing its concepts of constrained agendas and the cognitive ability limits of policymakers to the long attribution process and technical nature of cyberattacks. Data extracted through expert interviews clarified any past cyberterrorism policy attempts. Punctuated equilibrium theory also highlights the many barriers for successful political change as well as the reasoning for the rapid implementation of the Patriot Act following 9/11, which significantly altered U.S. counterterrorism guidelines. Finally, punctuated equilibrium theory was used as a lens to understand the relationship between policy information flow and political change to guide this study.
Punctuated equilibrium theory has been the chosen methodology for 59 peer-reviewed journal articles, with 66% of these articles published from 2010 to mid-2020. Yet, punctuated equilibrium theory related to terrorism, cyber, and security all yielded zero search returns in multiple academic peer-reviewed databases. However, punctuated equilibrium theory was the chosen methodology for eight publicly available terrorism dissertations, 84 policy dissertations, and eight security dissertations, with 69% published from 2010 to mid-2020. Therefore, punctuated equilibrium theory is predominantly coupled with policy-focused peer-reviewed journal articles and dissertations, as was this study, and has been growing in popularity since its 1993 advent.
Cyberwarfare
There is currently no consensus on what defines a cyberwar or when a cyberattack could be considered an armed attack. Further debate arises on whether a cyberattack constitutes a casus belli or whether just war theory would apply to cyberconflict (Sleat, 2017). States must currently defer to domestic and international guidelines relating to cybercrime and armed conflict for guidance since no binding international frameworks exist to address cyberwarfare. The difficulty of applying laws that were created before the invention of computers while considering the complex nature of cyberspace will limit the abilities of some states to act, while others will use the inevitable ambiguities for their own advantage (Fenton, 2019).
International Reception
Multilateral institutions are largely incapable of addressing the evolving issues of cyberspace related crime and conflict. The Council of Europe’s Convention on Cybercrime, also known as the Budapest Convention, is currently the only binding international treaty dedicated to cybercrimes (Van Dine, 2020). The intent of the Budapest Convention is to provide a common legal basis to minimize barriers for international prosecution (Van Dine, 2020). Since 2004, 64 states including the United States have ratified the Budapest Convention. Signatory parties have integrated aspects of this Convention into their own domestic laws, yet the Convention’s main purpose is to offer frameworks for states to use as guidelines to construct their own cyber related criminal legislation (Van Dine, 2020). The two international groups most active in defining cyberwarfare standards are the United Nations (UN) and the North Atlantic Treaty Organization (NATO; Mazanec, 2016).
UN
Article 2(4) of the UN Charter prohibits the use of force or the threat of force against another state (UN, 1945). This Article essentially bans UN members from using force on all but the two following conditions articulated by the Charter. Article 42 states that force can be used when the Security Council authorizes it in order to restore peace (UN, 1945). Additionally, Article 51 permits using force for the purposes of individual or collective self-defense following an armed attack (UN, 1945). An armed attack is viewed as a higher level of transgression than use of force highlighted in Article 2(4) (Dev, 2015). It is generally accepted that a state can exercise its right to self-defense in Article 51 following a cyberattack if that attack meets armed attack thresholds (Dev, 2015). Yet, legal ambiguities exist on whether Article 2(4) and Article 51 apply to non-state actors conducting cyberterrorism attacks (Efrony & Shany, 2018). There is also uncertainty on when a cyberattack would be considered use of force prohibited by Article 2(4) (Efrony & Shany, 2018). However, the UN occasionally clarifies cyber related Charter ambiguities with policy releases.
In 2013 the UN adopted cybercrime and cybersecurity principles to standardize policy and facilitate UN assistance for cyberspace related issues (Dorn, 2018). In 2014 the UN declared that self-defense could be used in response to a cyberattack under Article 51 of the UN Charter (Hodgkinson, 2018). Yet, discussions in 2017 concerning responsible state behavior in cyberspace failed to produce a report or even reach an agreement (Boeke & Broeders, 2018).
The UN is currently composed of 193 Member States, omitting only the Holy See (metonymically known as Vatican City) and Palestine. Not surprisingly then, worldwide consensus on vague or controversial topics can be difficult. Additionally, the 15 member UN Security Council must unanimously agree to adopt resolutions. The five permanent members of the Security Council are China, France, Russia, the United Kingdom, and the United States. The varying ideologies of these governments make unanimous agreements on cyberspace measures problematic. However, NATO is an international organization better suited to respond to cyberspace related issues given its collective defense conception.
NATO
NATO is a military alliance consisting of 30 North American and European states. The Alliance opened the Cyber Defence Center of Excellence in Tallinn, Estonia in 2008, one year after a 3-week long suspected Russian cyberattack against the country (László, 2018; Marsili, 2019). NATO subsequently made cyber defense and preparing for cyberspace conflict a priority at the Alliance’s 2010 Lisbon Summit (László, 2018). NATO implemented additional cyber related policies, plans, and response cells at the 2012 Chicago Summit (László, 2018). Following this Summit, NATO’s Cyber Defence Center of Excellence released the Tallinn Manual on the International Law Applicable to Cyber Warfare in 2013, which is now used as a basis for all cyber actions (László, 2018).
The Tallinn Manual contains cyber conflict and security topics including sovereignty, jus ad bellum, and international humanitarian law as interpreted by international experts (Barrett, 2017; László, 2018; Marsili, 2019). The manual addresses the difficulties of legally framing cyberattacks as well as defining attacks as criminal or political and attributing them to state or non-state actors (Marsili, 2019). An updated and significantly expanded “Tallinn Manual 2.0” was released in 2017 which also explores how international law relates to peacetime cyber operations and to cyberattacks that would not be considered armed attacks (Efrony & Shany, 2018; Hodgkinson, 2018; Marsili, 2019).
At the 2014 NATO Summit in Wales, the Alliance agreed that international law extended to cyberspace and acknowledged that cyberattacks could be as dangerous as conventional attacks thereby making cyber defense an integral part of NATO’s collective security (Hodgkinson, 2018; Marsili, 2019; Osawa, 2017). As a result, cyberattacks against a member state meeting armed attack criteria would invoke Article 5 which requires NATO to collectively aid any attacked member (Hodgkinson, 2018; Marsili, 2019). Finally, NATO elevated cyberspace to a fourth operational dimension of warfare along with air, sea, and land at the Alliance’s 2016 Warsaw Summit (László, 2018; Marsili, 2019). The United States, NATO’s primary partner, has created cyber policy largely in parallel with NATO to both enhance international cooperation and to unilaterally address cyberthreats.
United States’ Reception
U.S. technological innovation was accelerated by the rapid electronic developments following World War II (Bracken, 2017). New inventions improved many individual and collective aspects of the country. Yet, the proliferation of technical knowledge was also inevitably used for nefarious purposes.
The United States first addressed concerns regarding U.S. networked computer systems in President Ronald Reagan’s 1984 National Security Decision Directive 145, which acknowledged that networked systems were vulnerable to exploitation and called for a plan to secure them (Boys, 2018). By the mid-1980s it became clear that foreign governments and terrorist organizations were in fact infiltrating networked computer systems throughout the United States (Boys, 2018). In the early 1990s the U.S. National Research Council and the National Academy of Sciences reiterated U.S. computer vulnerabilities and identified the possibility of a deliberate cyberattack against the country (Boys, 2018). President George H.W. Bush addressed these concerns in National Security Directive 42, which outlined a coordinated national security defense structure to guard against foreign threats (Boys, 2018; Tabansky, 2018).
By the mid-1990s government officials began to recognize the significant cyberspace risks to U.S. national security and President Bill Clinton signed six cybersecurity related executive orders from 1993 to 1999 (Boys, 2018). These executive orders created various organizations to address a range of developing issues including information networks, foreign access to U.S. technology, critical infrastructure protection, encryption export controls, and internet regulation (Boys, 2018). Yet, President Clinton’s most comprehensive cybersecurity document was Presidential Decision Directive 63, released in 1998, that created directorates, offices, and groups to ensure economic and critical infrastructure cyberspace protection (Boys, 2018). This Directive also highlighted cyberwarfare as a threat to U.S. military superiority (Boys, 2018; Tabansky, 2018).
Cyberspace rapidly expanded throughout the 1990s as the popularity of personal computers and the internet increased worldwide. President George W. Bush released the National Strategy to Secure Cyberspace in 2003, which called for private and public cooperation to create an emergency response system for cyberattacks (Wilner, 2020). He also released the still classified National Security Presidential Directive 38 relating to cyberspace security that same year (Wilner, 2020). President Bush expanded his 2003 Cyberspace Strategy in the 2008 Comprehensive National Cybersecurity Initiative established by National Security Presidential Directive 54 (Wilner, 2020). This Initiative provisioned cybersecurity roles to government agencies such as U.S. government network protection to the Department of Homeland Security, attack deterrence to the Department of Defense, information coordination to the Federal Bureau of Investigation, and counterintelligence development to the Director of National Intelligence (Wilner, 2020). President Barack Obama made cybersecurity a priority and expanded and completed President Bush’s Comprehensive National Cybersecurity Initiative in 2009 with the creation of the U.S. Cyber Command under the Department of Defense to unify and strengthen cyberspace operations (Wilner, 2020).
President Obama’s 2011 International Strategy for Cyberspace stated that the United States will use all necessary means for cyberattack defense but will limit military force as a last resort (Mazanec, 2016; Wilner, 2020). President Obama combined this Strategy with his 2012 top-secret Presidential Policy Directive 20 (made public by Edward Snowden in 2013) outlining a cybersecurity framework to establish principles and processes for offensive U.S. cyber capabilities (Hodgkinson, 2018; Marsili, 2019). Finally, President Obama reiterated strengthening critical infrastructure cybersecurity frameworks with Presidential Policy Directive 21 in 2013 as well as in his 2015 National Security Strategy (Kosseff, 2018; Tabansky, 2018). Cyberspace security was perceived to be a very real threat in the United States following Russian interference in the 2016 U.S. presidential election, and President Donald Trump continued to strengthen U.S. cybersecurity frameworks created by his predecessors after taking office.
President Trump issued Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure four months after his 2017 inauguration to grow and sustain a cybersecurity workforce to achieve cyberspace objectives (Marsili, 2019; Osawa, 2017). President Trump then released the National Cyber Strategy of the United States of America a year later in 2018 which updated President Bush’s 2003 National Strategy to Secure Cyberspace (Wilner, 2020). Following Executive Order 13800 and the 2018 Cyber Strategy, the Department of State released presidential guidance for prioritizing cyberthreats in domestic and foreign policy and strengthening international cyberspace cooperation (Marsili, 2019; Wilner, 2020). Finally, in 2018 President Trump rescinded Presidential Policy Directive 20 to loosen restrictions that President Obama had placed on cyber operations while also elevating Cyber Command to one of the Department of Defense’s eleven Unified Combatant Commands (Marsili, 2019; Wilner, 2020). Presidential directives, executive orders, and strategies assign cyberspace related tasks to many U.S. government departments. Yet, the three departments leading U.S. cyberspace policy and execution are the Department of Defense, the Department of State, and the Department of Homeland Security.
The Department of Defense is predictably responsible for the defense of cyberspace and the deterrence of cyberattacks. Like NATO, the Department of Defense views cyberspace as a separate operational domain (Marsili, 2019; Tabansky, 2018). However, the Department of Defense is subservient to the Department of Homeland Security concerning domestic cyber operations and can only act after the Department of Homeland Security requests assistance following an emergency in accordance with the U.S. Defense Support of Civil Authorities (Tabansky, 2018).
The Department of Homeland Security is therefore responsible for guarding domestic U.S. computer networks from threats. Specifically, the Department of Homeland Security protects civilian government information systems with assistance from agencies such as the Federal Bureau of Investigation under the U.S. Department of Justice and through the Central Intelligence Agency as part of the greater 16 agency U.S. Intelligence Community (Marsili, 2019; White, 2016). The Department of Homeland Security does share cyber related information with the private sector, yet the Department cannot regulate private cyber processes (Kosseff, 2018).
While the Department of Homeland Security is concerned exclusively with domestic cyber matters, the Department of State concentrates on international engagement. In line with its diplomatic purpose, the Department of State promotes an open and secure cyberspace to support cyberspace goals and shape cyber norms worldwide. The Department of State did create the Office of the Coordinator for Cyber Issues to address international cyberspace related issues and acceptable behaviors, yet that office was disbanded in February 2018 by then Secretary of State Rex Tillerson and has not yet been replaced as of 2020 (Marsili, 2019).
United States’ Cyber Evolution
The National Security Agency began exploiting computers and networks as early as 1985, realizing that it must keep pace with dynamic computer and information technological advances (Loleski, 2019). In 1994 the Agency began to define information intelligence and computer intelligence as an offshoot to the already established signals intelligence on which the Agency was founded (Loleski, 2019). Still, in 1997 the Senate Intelligence Committee questioned the National Security Agency’s ability to adapt to technological advancements in a punitive report (Loleski, 2019). As a result, in 1999 the National Security Agency began agency wide reorganization and replaced its passive signals intelligence collection concept with a new active digital hacking network intelligence concept (Loleski, 2019).
United States cyber espionage operations were largely made public through Julian Assange’s WikiLeaks and through former National Security Agency contractor Edward Snowden (Shad, 2018; Hellmuth, 2018a). Information amongst the hundreds of thousands of classified documents that WikiLeaks released in 2010 suggested that the United States was spying on foreign government officials (Shad, 2018). Further, Snowden’s 2013 leaks revealed that the United States conducted thousands of cyber operations against both hostile and friendly states (Hellmuth, 2018b; Shad, 2018). Finally, it is assumed that the United States and Israel were responsible for the Stuxnet computer virus in 2010 that damaged centrifuges at Iran’s Natanz nuclear facility which likely caused significant damage to Iran’s nuclear program (Nye, 2017; Shad, 2018). The Stuxnet attack is notable because it was the first cyberattack to cause physical damage to a government operated critical infrastructure facility (Dinniss, 2018; Osawa, 2017).
Notable States’ Cyber Praxes
States are increasingly exploiting cyberspace to achieve political and military objectives including information operations, espionage, propaganda, and attacks against critical infrastructure (Shad, 2018). A wide range of cyberattacks occur against an even wider range of targets throughout the world. More than 10 million daily attacks are attempted against the Pentagon alone (Nye, 2017). A vast majority of these cyberattacks are inconsequential, yet some are destructive and demand the attention of governments to formulate potential responses (Nye, 2017). Security experts believe that the United States, the United Kingdom, Israel, Russia, and China have the ability to conduct offensive cyber operations and are thus known as cyber superpowers, while North Korea and Iran are also aggressively pursuing offensive cyber capabilities (Shad, 2018).
Russia
Russia has demonstrated on multiple occasions that it will continue to conduct cyber operations against a range of targets in many different countries (Mazanec, 2016). Cyberwarfare is an important aspect of Russian military operations, and the country invests immense amounts of resources to increase cyberattack capabilities (Baram & Menashri, 2019). Russia initially limited its cyberattacks to post-Soviet states but has also begun to engage the West following President Vladimir Putin’s rise to power in 2012 (Shad, 2018).
In fact, the first instance of a state-sponsored cyberattack was conducted by Russia against Estonia in 2007 which stemmed from Estonia’s removal of a Red Army statue (Hodgkinson, 2018; Osawa, 2017). Russia responded with a series of cyberattacks by successfully shutting down many of Estonia’s important government and institutional websites as well as all banking services for two of Estonia’s largest banks (Osawa, 2017). A year later, in 2008 Russia was accused of a more complex cyberattack that compromised over 300 Lithuanian websites with pro-Russian messages and symbols (Osawa, 2017). Also, in 2008 vast denial-of-service attacks, or information flooding, were seen in Georgia to coincide with the invasion of Russian troops which shut down many important websites (Nye, 2017; Osawa, 2017). Lastly, in 2009 Kyrgyzstan’s two largest internet companies providing over 80% of the country’s internet received sustained Russian denial-of-service attacks and were forced to temporarily cut service (Osawa, 2017).
Russia was again accused of a series of cyberattacks, this time against Ukraine, in 2015 following the annexation of Crimea (Kosseff, 2018; Osawa, 2017). Russia initially targeted a power grid company, which caused 225,000 Ukrainian citizens to temporarily lose power on Christmas Day (Nye, 2017; Osawa, 2017). This attack was notable because it was the first proven cyberattack by one country against the critical infrastructure of another (Osawa, 2017). A similar cyberattack occurred a year later in 2016 in the Ukrainian capital of Kiev, after which Ukraine declared that Russia was conducting a cyberwar against it (Osawa, 2017). Still, Ukraine was again attacked six months later in 2017 (Efrony & Shany, 2018; Osawa, 2017). This cyberattack was known as the Petya/NotPetya attack and targeted Ukrainian government agencies, banks, power grids, and railway and subway systems (Efrony & Shany, 2018; Osawa, 2017). Petya/NotPetya spread globally and affected more than 60 countries, including the United States, and companies reported losses in the hundreds of millions of dollars (Efrony & Shany, 2018). The United States called this cyberattack the most costly and destructive in history up to that point (Efrony & Shany, 2018). At the same time Russia was interfering with Ukrainian computer networks, it was also directly targeting United States’ systems.
Russia was accused of manipulating public opinion to sway the 2016 U.S. presidential election by using social networking services to display fake media and by leaking inside information against the Democratic National Committee (Osawa, 2017). Russia also hacked into voting related databases and systems in 39 U.S. states (Kosseff, 2018). The United States accused Russia of state involvement in these cyberattacks and released a report directly identifying President Putin as the approver (Shad, 2018). As a result, President Obama expelled 35 Russian diplomats from the United States, closed two Russian backed facilities, and levied targeted economic sanctions against Russia itself (Efrony & Shany, 2018; Shad, 2018; Wilner, 2020). In fact, from 2007 to 2017 there were 34 known state-sponsored cyberattacks including eight against the United States (Osawa, 2017).
In 2018 the Department of Homeland Security and the Federal Bureau of Investigation warned that, beginning in 2014, Russian government cyber actors had targeted many aspects of U.S. critical infrastructure such as water supply, aviation, and nuclear power plant systems of which 90% are privately owned (Weiss & Jankauskas, 2018). Following this revelation, the United States imposed sanctions and indictments against 12 Russian Main Intelligence Directorate (GRU) operatives, Russian government hackers, and 17 government officials with close ties to President Putin (Efrony & Shany, 2018).
China
China initially developed and expanded its military cyber capabilities to use for asymmetrical advantages (Baram & Menashri, 2019). Yet, the country now incorporates cyber technologies in all national security initiatives in the economic, diplomatic, and military realms (Mazanec, 2016). China’s cyber capabilities are thus postured for economic damage, critical infrastructure attacks, and kinetic conflict (Mazanec, 2016). However, China only regularly conducts cyber espionage and, unlike Russia, has shown restraint in damaging cyberattacks (Mazanec, 2016).
The U.S. government believes China began conducting U.S. intellectual property theft through cyberspace as early as 2002 including intrusions in the Department of Defense network (Mori, 2019). In fact, a 2013 investigation uncovered at least 141 Chinese military cyberattacks against U.S. government and civilian agencies (Mazanec, 2016). Many other countries also accuse China of cyber espionage including Australia, Canada, and India. The United States classified China as the most active international perpetrator of espionage in 2014 after five Chinese military hackers were indicted by the Department of Justice for cyber exploitation within the United States (Mazanec, 2016).
In 2015 the United States and China appeared to come to agreement on certain aspects of cybercrime by mutually banning intellectual property theft, yet there was no mention of cyber espionage which both countries generally recognize as fair game (Mazanec, 2016). However, there is evidence that China’s exploitation cyberattacks against the United States continue and China is thus still considered the main cyber threat to the United States (Mazanec, 2016; Tabansky, 2018). Because of this, since 2018 the United States has shifted away from engagement and even imposed a series of tariffs on China that affected 67% of Chinese imports while China reciprocated by levying tariffs on 60% of U.S. imports (Congressional Research Service, 2019; Mori, 2019).
North Korea
North Korea has been developing offensive cyber weapons mainly to augment its outdated conventional military force (Boo, 2017). North Korea is one of the poorest countries in the world with only a few thousand computers connected to its rudimentary internet (Boo, 2017). Yet, the country has still been able to launch complex cyberattacks against the United States and South Korea (Boo, 2017).
In 2013 South Korea faced a sophisticated cyberattack against its television stations and three major banks which were taken offline for several hours (Osawa, 2017). South Korea blamed North Korea for the attack which occurred during increased tensions on the Korean Peninsula (Osawa, 2017). A year later, in 2014 North Korea infiltrated nearly half of Sony Pictures Entertainment’s computers and servers located in the United States and publicly released scores of confidential information which resulted in the United States levying additional sanctions against the country (Kosseff, 2018; Osawa, 2017; White, 2016). These North Korean hackers, known as Guardians of Peace, were also accused of cyberattacks against South Korean targets, including a nuclear power plant, in 2015 and 2016 (Efrony & Shany, 2018). Lastly, North Korea was blamed for the 2017 WannaCry cyberattack which affected hundreds of thousands of computers in over 150 countries including Russia, China, the United States, and the United Kingdom (Efrony & Shany, 2018). This ransomware attack encrypted data on affected systems which could only be unlocked with a Bitcoin ransom payment (Efrony & Shany, 2018).
Iran
From 2011 to 2013 the United States witnessed a total of 176 days of Iranian cyberattacks against 46 U.S. financial institutions including the New York Stock Exchange, the Bank of America, Wells Fargo, and AT&T (Efrony & Shany, 2018). The cyberattacks, known as Operation Ababil, were conducted by a self-proclaimed Arab Muslim group named Izz ad-Din al-Qassam Fighters (Efrony & Shany, 2018). In 2016 the United States accused Iran’s Islamic Revolutionary Guards Corps of these attacks in addition to infiltrating the command and control systems of the Bowman Dam in New York three years earlier (Hodgkinson, 2018). However, the head of Iran’s cyber police denied responsibility for these attacks (Efrony & Shany, 2018).
Iran was also suspected of accessing Sands Casino computer systems in 2014 which significantly affected the casino’s operations (Efrony & Shany, 2018). The casino’s owner, Sheldon Adelson, stated a year earlier that he wanted to detonate a nuclear bomb in the Iranian desert to demonstrate U.S. strength which was likely the catalyst for the cyberattack (Efrony & Shany, 2018). The Sands Casino cyberattack occurred nine months before North Korea’s Sony Entertainment cyberattack making the Ababil operation the first destructive cyberattack by a state against a private U.S. company (Efrony & Shany, 2018).
Terrorism
By the late 19th century, advances in technology and communication offered inexpensive travel and near instantaneous information flow (Rapoport, 2016). These advances, in part, allowed the rise of global terrorism which began in the 1880s with the spread of the Russian anarchist movement to other countries (Rapoport, 2013). The end of the 19th century witnessed many anarchist motivated shootings and bombings which included the assassinations of a French president and an Italian king (Hughes, 2011). Yet, Russian Tsar Alexander II’s assassination in 1881 was the most famous and inspired revolutionary violence throughout the country and subsequently the world (Hughes, 2011). However, the anarchist movement was only the beginning element of modern terrorism.
David Rapoport (2013) argued that the world has subsequently witnessed three new characterizations of terrorism that developed throughout the 21st century with the emergence of anti-colonialism terrorism, revolutionary terrorism, and the current religious terrorism. He explained that each of these waves lasts approximately a generation and appears in expansion and contraction cycles, including the current religious wave (Rapoport, 2013). A wave contracts when organizations can no longer inspire successor groups, or groups change tactics to become relevant in another wave (Rapoport, 2013). However, organizations can also transcend multiple waves, such as the still active Irish Republican Army which emerged in 1916 (Rapoport, 2013).
The main goal of every terrorist organization in every wave is revolution to either encourage national self-determination, construct a new form of authority, or inspire a new source of legitimacy (Rapoport, 2013). Religion has always played an important role in modern terrorism since ethnic and religious identities often overlap (Rapoport, 2013). However, the current wave of religious terrorism is centered around Islam and aims for a religious state as opposed to a secular one (Rapoport, 2013). Yet, there are still many active and dangerous nonreligious terrorist groups including state-sponsored terrorist organizations. For example, nonreligious terrorist groups make up approximately 20% of the U.S. Department of State’s Foreign Terrorist Organizations list containing over 80 different groups as of 2020 and should thus also be considered in U.S. counterterrorism guidelines (Bureau of Counterterrorism, n.d.).
States began drafting legislation against terrorism related acts in the 18th century stemming from the French Revolution of 1789 to 1799 (Rich, 2013; Shor, 2016). Laws largely included the term terrorism by the 20th century, and a new wave of counterterrorism legislation appeared in the 21st century following the attacks of 9/11 (Shor, 2016). Seventeen international conventions have convened since 1920 to discuss terrorism, yet none developed an agreed definition of the term reflecting states’ desires to retain domestic control of the meaning to preserve unilateral response options (Fidler, 2016; Marsili, 2019). Terrorism then is a subjective term that has evolved over time and varies in meaning depending on the endorsing party (Hellmuth, 2018b). Yet, terrorism is generally defined as violence against civilians by non-state actors to obtain a political objective (Gaibulloev & Sandler, 2019; Hoffman, 2017). Examples of terrorism include politically motivated bombings, kidnappings, armed attacks, and assassinations (Gaibulloev & Sandler, 2019).
Modern terrorism research began in the 1960s and 1970s focusing on Algeria and Indochina (Rich, 2013; Roberts, 2015). Terrorism and counterterrorism literature have continued to grow and are now included in the studies of international relations, politics, history, and sociology (Roberts, 2015). However, terrorism study is still controversial which is highlighted by the fact that no absolute terrorism definition exists (Hoffman, 2017; Roberts, 2015). Additionally, terrorism methodologies are also questioned since researchers are unable to produce significant datasets on individual terrorists which leaves the data open to criticism (Roberts, 2015).
There are also conflicting opinions on the effectiveness of counterterrorism legislation (Shor, 2016). Some believe this legislation allows states to protect themselves by drafting response plans for both preemptive deterrence and to rapidly execute following an attack (Shor, 2016). Others feel that counterterrorism legislation has no effect on terrorist actions and that countries mainly adopt these policies for a variety of political reasons other than fighting terrorism (Shor, 2016). A final group believes that counterterrorist legislation makes terrorism worse since the legislation violates human rights, creates criticisms, and advertises post-attack responses to potential adversaries (Shor, 2016).
International Response
Direct conflict amongst states has largely given way to proxy wars and state-sponsored terrorism since the mid-20th century. The United States has been in scores of conflicts since World War II but most recently issued a war declaration in 1942 against Bulgaria, Hungary, and Romania. Additionally, terrorist organizations have risen from within states to counter what they view as outside threats or internal suppression. The UN Charter’s first purpose is to maintain peace and security worldwide, and the Organization has realized the need to adapt to evolving international conflicts (UN, 1945). The UN has therefore updated its doctrine to counter terrorist organizations in order to fulfill its Charter obligations (Hansen et al., 2020).
The UN first discussed terrorism in September 2001 with Security Council Resolution 1373 that established a mandate for all member-states to address terrorism (Karlsrud, 2017). Further, the Responsibility to Protect Doctrine drafted in 2005 and the Global Counter-Terrorism Strategy created in 2006 improved civilian protection and peacekeeper integration for UN counterterrorism efforts (Hansen et al., 2020; Karlsrud, 2017). The UN’s definition of terrorism also changed to violent extremism and, in 2015, then UN Secretary-General Ban Ki-moon issued his Plan of Action to Prevent Violent Extremism (Karlsrud, 2017). UN peacekeeping missions have likewise evolved to aid counterterrorism efforts (Karlsrud, 2017).
The UN Multidimensional Integrated Stabilization Mission in Mali, deployed in 2013, was the first insertion of a UN peacekeeping force during an already ongoing counterterrorism operation (Karlsrud, 2017). UN forces, working closely with the French operation, were tasked with regaining control of terrorist held areas in Mali (Hansen et al., 2020; Karlsrud, 2017). The UN has therefore been in ongoing and open conflict with various terrorist groups and has suffered 227 fatalities as of October 2020 making the Mali mission the deadliest in UN history (Fatalities, n.d.; Hansen et al., 2020).
NATO has also played a role in expanding global counterterrorism frameworks in line with UN policies (Federica, 2018). The Alliance accepted its first Military Concept for Defence against Terrorism in 2002 in reaction to Article 5’s invocation (Federica, 2018). NATO further released its Counter Terrorism Policy Guidelines in 2012 focusing on building capabilities and strengthening partner engagement and created a robust Action Plan in 2017 to review NATO’s current counterterrorism strategy and recommendations for future actions (Federica, 2018). The Military Concept for Defence against Terrorism was updated in 2015 to include the 2006 UN Global Counter Terrorism Strategy and the 2012 Policy Guidelines which allows NATO to contribute more efficiently to counterterrorism operations (Federica, 2018).
In 2016 NATO acknowledged that terrorism represented a direct threat to all member states which led to the 2017 Action Plan (Federica, 2018). This plan recognizes that every state has different approaches to terrorism and thus allows states to retain authority for their own domestic security while offering ways that the Alliance can still provide value (Federica, 2018). Since 2017 NATO has taken many steps to counter terrorism threats including establishing a Terrorism Intelligence Cell, creating a common biometric data policy, and generally working with regional and international organizations such as the UN, the European Union, and the African Union to improve cooperation efforts (Federica, 2018). The Action Plan, updated in 2018, also continues to support military operations in Afghanistan that began with the International Security Assistance Force in 2001 (Federica, 2018).
The UN Security Council established the NATO led International Security Assistance Force in December 2001 with Resolution 1386 which was initially focused on Kabul, Afghanistan but spread throughout the country by 2006 (Hellmuth, 2018a). This mission concluded in 2015 and was replaced with the Resolute Support Mission which is considered a non-combat training operation for Afghanistan’s security forces and institutions (Federica, 2018). NATO has also been training and advising members of Iraq’s government and military since 2018 at the request of the country’s prime minister (Federica, 2018). In fact, NATO forces have been conducting counter-ISIS operations in Iraq since 2015 which was officially sanctioned by the Alliance’s 2017 Action Plan (Federica, 2018).
United States’ Response
Terrorism has become a household name in the United States as a result of 9/11. The word terrorism itself invokes strong feelings for many U.S. citizens shaped by personal experiences and patriotism. Whether through ignorance or apathy, the U.S. government has not accurately defined or categorized terrorism amongst its many laws and guidelines despite the term persisting for as long as the United States itself.
The United States reduced terrorism research funding following the collapse of Soviet Union affiliated terrorist organizations in the 1990s despite the proliferation of religious terrorist groups beginning in the 1980s (Hellmuth, 2018a; Rapoport, 2016). Consequently, U.S. government reports attributed the 1998 U.S. embassy bombings in Tanzania and Kenya and the 9/11 attacks partially to government indifference toward terrorist organizations (Rapoport, 2016).
In retaliation for the embassy attacks, the United States bombed a training camp in Afghanistan and a pharmaceutical plant in Sudan (Hellmuth, 2018a). However, this was an exception to U.S. counterterrorism policy at the time since the 1996 Khobar Towers bombing in Saudi Arabia by Hezbollah and the al Qaeda led suicide attack against the USS Cole in 2000 only generated criminal investigations and indictments (Hellmuth, 2018a). However, the United States response to the 9/11 attacks was swift and aggressive and would have lasting consequences for years to come when combined with the political fallout and subsequent military interventions that followed.
The United States has concentrated on preventing terrorism from reaching its borders since 2001 through multiple invasions, housing detainees offshore, and creating sweeping legislative reform (Hellmuth, 2018a; Roberts, 2015). The Patriot Act was passed six weeks after 9/11, improving terrorism data collection and cross-agency information sharing as well as expanding investigative authority for government agencies (Hellmuth, 2018a). In November 2001 President Bush signed a Military Order authorizing convictions through military commissions and indefinite detention of al Qaeda detainees at Guantanamo Bay, Cuba (Hellmuth, 2018a). Further, the Department of Homeland Security was created in November 2002, which consolidated 22 domestic protection agencies such as the U.S. Coast Guard, the Secret Service, and the Transportation Security Administration (Hellmuth, 2018a). The last initial reform was the 2004 Intelligence Reform Act that broadly affected U.S. federal terrorism laws and established the cabinet-level position of the Director of National Intelligence to coordinate U.S. intelligence efforts (Hellmuth, 2018a). Yet, the country did meet internal resistance to some counterterrorism measures.
The executive branch’s 2002 Homeland Security Act, 2005 Patriot Reauthorization Acts, and 2008 Foreign Intelligence Surveillance Amendment Act all met some form of congressional resistance (Hellmuth, 2018a). Additionally, in 2004 the U.S. Supreme Court established jurisdiction in Guantanamo Bay by agreeing that detainees had writ of habeas corpus rights, or determining the validity of detention, and also required a mandate for the military commissions prosecuting detainees (Hellmuth, 2018a). Congress subsequently passed the 2006 Military Commissions Act in an attempt to counter these Supreme Court measures (Hellmuth, 2018a).
The United States also began more closely monitoring border security and tightening visa programs as measures to keep potential terrorists out of the country (Hellmuth, 2018a). Additional programs were created or improved to monitor the status of foreigners once in the country such as the 2003 Student and Exchange Visitor Information system to track foreigners, the 2004 Visitor and Immigrant Status Indicator Technology program to store biometric data, and the 2009 Electronic System for Travel Authorization approval program (Hellmuth, 2018a). Other measures included no-fly lists and physical border fences (Hellmuth, 2018a). All initial government effort was focused on keeping foreign terrorists out of the United States and closely monitoring foreigners suspected of being terrorists.
The United States did not begin focusing on domestic religious terrorism until 2009 (Hellmuth, 2018a). However, 16 Islamic lone-wolf terrorist attacks have been attempted in the United States since 2009, including the 2013 Boston Marathon bombings and the 2015 and 2016 mass shootings in San Bernardino and Orlando, respectively (Hellmuth, 2018a; Jasko et al., 2017; Rapoport, 2016). The only surviving perpetrator of these attacks was Dzhokhar Tsarnaev, who was found guilty of using a weapon of mass destruction and causing damage to property resulting in death.
Other notable domestic but non-religious terrorism shootings included the 2015 Charleston church shooting by a white supremacist and the 2017 congressional baseball shooting by a political opponent. U.S. domestic terrorist attacks in the first two decades of the 21st century were either lone-wolf attacks or conducted by a few individuals. Because of this, reactions focused mainly on gun control measures as opposed to increased counterterrorism actions. This observation is relevant since a destructive U.S. cyberterrorism attack could also be conducted by a lone-wolf domestic terrorist, and the internet would be the weapon.
Cyberterrorism
Like terrorism, cyberterrorism has no accepted domestic or international definition (Boys, 2018; Klein, 2015; Marsili, 2019). Scholars debate whether or not cyberterrorism specific research should simply be incorporated into cybercrime studies (Albahar, 2019; Boys, 2018). Nonetheless, cyberterrorism is generally defined as terrorism in cyberspace that features attacks against computers and networks by subnational groups or individuals through violence or fear to coerce or intimidate a state’s government or citizens to further political or social objectives (Jenkins & Godges, 2011; Klein, 2015; Marsili, 2019; Warf & Fekete, 2016). Terrorists realize the many advantages that can be gained in cyberspace and seek to exploit the dimension for their own advantage.
Cyberterrorism is inexpensive considering that a computer and an internet connection are all that is typically required (Klein, 2015). The 9/11 Commission Report stated that al Qaeda spent between $300,000 and $400,000 USD in total to carry out their four separate attacks on September 11, 2001 (National Commission on Terrorist Attacks upon the United States, 2004). Yet, a cyberattack of comparable caliber could be even cheaper and would negate all logistical obstacles, making it feasible for a cyberterrorist to conduct a devastating attack within the United States from anywhere in the world (Albahar, 2019).
Cyberterrorism is also more anonymous than conventional terrorism given the problems of attribution following a geographically separated cyberattack (Klein, 2015). Governments and private organizations can generally identify the source of cyberattacks with a high degree of certainty. However, any government counterattack would require indisputable evidence, which is often difficult to produce (Tehrani, 2017).
The United States often publicly condemns Chinese hacking, has protested Russian interference in the 2016 U.S. presidential election, and has blamed North Korea for their Sony Pictures Entertainment cyber infiltration (Schulzke, 2018). Yet, officials in each of these countries have denied any involvement, calling the accusations groundless and false justifications for U.S. sanctions (Schulzke, 2018). It is relatively easy to decipher the source of a kinetic attack but cyberattack evidence varies (Schulzke, 2018).
There are a far greater number of viable cyberspace targets than tangible ones since cyberattacks render location and physical security irrelevant (Klein, 2015). It is therefore not out of the question for cyberterrorists to strike at the core of any large country or corporation displaying the most formidable physical defenses. Still, no terrorist group has successfully conducted a large-scale cyberterrorism attack against the United States as of 2020, but terrorists have made great strides exploiting the internet to facilitate communication, fundraising, propaganda, radicalization, and recruiting (Albahar, 2019; Dinniss, 2018; Fidler, 2016). Nevertheless, computer-assisted crime does not alone constitute cyberterrorism which is also distinct from cyberwarfare (Tehrani, 2017).
Cybercrime and cyberterrorism both involve illegal activities in cyberspace, yet they have different motivations and are therefore defined differently (Tehrani, 2017). Cybercrimes are broadly defined as crimes committed by cybercriminals through information technology with no political or social motivations (Tehrani, 2017). Cyberterrorists, on the other hand, conduct cyberattacks using similar or identical methods to cybercriminals but with more violent and long-term political objectives (Dinniss, 2018). Further, non-violent cybercrimes committed for political purposes are generally considered acts of hacktivism, or hacking for political activism (Klein, 2015). These hacktivists cannot be succinctly defined as cybercriminals or cyberterrorists and operate either independently or through state direction. Lastly, cyberterrorism is also different from cyberwarfare in that the main objective of cyberterrorism is to cause fear and harm, while cyberwarfare focuses on more specific objectives encompassing nonconventional military attacks (Tehrani, 2017).
International Preparation
Despite ongoing concerns, international law does not directly address cyberterrorism since the lack of cyberattacks from terrorist organizations offers little incentive to draft such legislation (Baram & Menashri, 2019; Fidler, 2016). Creating international law related to cyberterrorism would be complex given the range of legal issues involved with the terms terrorism and cyber and by the inclusion of rapidly evolving technological advancements (Baram & Menashri, 2019; Boeke & Broeders, 2018; Fidler, 2016). It is also not clear how the Geneva Conventions and the greater laws of armed conflict apply to cyberterrorism (Marsili, 2019).
Laws regarding humane treatment in armed conflict are dictated in Common Articles 2 and 3 of the Geneva Conventions (Marsili, 2019). Specifically, Common Article 2 applies to international conflict between states and Common Article 3 applies to all forms of non-international conflict (Marsili, 2019). The self-defense statutes of Article 51 of the UN Charter and Article 5 of NATO could both apply if a destructive cyberattack comparable to a conventional attack occurred. However, international cyberwarfare conducted by non-state actors, such as cyberterrorists, does not fit neatly in the Geneva Conventions since Common Article 2 applies only to state conflict and Common Article 3 applies only to non-international conflict (Marsili, 2019). Therefore, there is no common article directly addressing international conflict by non-state actors, which gives individual states discretion on how to apply elements of the Geneva Conventions, such as how the United States currently characterizes unlawful enemy combatants in the country’s current War on Terrorism.
United States’ Preparation
Attacks against U.S. infrastructure are not uncommon, but none have qualified as cyberterrorism as of 2020 (Klein, 2015). However, criminals continue to sell increasingly destructive black-market hacking tools and terrorist organizations are successfully achieving goals through cyber means, making cyberterrorism attacks more probable (Klein, 2015; Nye, 2017). The United States has no domestic laws relating to a large-scale cyberterrorism attack, thereby forcing the country to prosecute cyberterrorists using existing cybercrime or terrorism legislation (Tehrani, 2017). Domestic cyberterrorists would likely be tried through domestic law, but the issue becomes more complicated for international cyberterrorists.
The United States could deem transnational cyberterrorism attacks as cybercrimes under U.S. Code, Title 18, section 1030, Fraud and Related Activity in Connection with Computers (Tehrani, 2017). In this case, the United States could extradite offenders for domestic trials or apply extraterritorial jurisdiction to try cyberterrorists in absentia. The maximum penalty for section 1030 offenses is 20 years’ imprisonment, though damage causing death would fall under section 225 of the Homeland Security Act, which amended section 1030 to authorize a lifetime sentence (Tehrani, 2017). Additionally, the Patriot Act discusses cyberterrorism in section 814. However, this section only relates to computer fraud offenses and would not be applicable to a large-scale cyberterrorism attack (Podgor, 2002). The United States could also declare international perpetrators of a destructive cyberterrorist attack to be terrorists. Assuming civilian deaths, these individuals would likely be accused of war crimes and be tried through military tribunals as unlawful enemy combatants. U.S. cyberterrorism legislation is incomplete, yet the country is not ignorant of the dangers of cyberterrorism.
Domestic Concerns. Many critical infrastructure control systems are susceptible to cyberterrorist attacks since the systems’ complexities make eliminating all weaknesses virtually impossible (Klein, 2015). In 2012 then U.S. Secretary of Defense Leon Panetta warned that the United States was becoming increasingly vulnerable to extremist attacks that could harm the country’s financial networks, transportation systems, and power grids (Naím, 2017; Nye, 2017). Further, in 2013 the Department of Defense’s Science Board stated that the country should not assume that critical systems can be defended from a well-resourced cyberattack (Mazanec, 2016). In 2014 then Director of National Intelligence, James Clapper, even ranked cyber threats above terrorism as the top U.S. security risk (Tabansky, 2018). Realizing these vulnerabilities, in 2015 the Department of Defense began crafting a cyber deterrence strategy that greatly expanded offensive capabilities (Osawa, 2017; Wilner, 2020). Still, in 2016 Mr. Clapper stated that evolving cyber capabilities were outpacing a common understanding of its norms of behavior which could increase the chances of misunderstandings and lead to unintentional escalation (Mazanec, 2016). The Defense Science Board also reaffirmed their position in 2017 stating that offensive cyber capabilities of potential adversaries will likely far exceed the United States’ ability to defend them for the next five to ten years (Wilner, 2020).
Deterrence
History continues to witness the evolution of warfare. New technologies forge innovative offensive weapons that are immensely successful at first until comparable deterrence is created through like modernization and policy. Deterrence typically involves the threat of punishment through retaliation and works best against rational and predictable adversaries (Wilner, 2020). U.S. deterrence has significantly evolved since 2003 and currently focuses on near-peer adversaries, rogue and weak states possessing limited weapons of mass destruction, and violent non-state actors (Wilner, 2020). Yet, cyber deterrence on an international level can be complex and must draw from elements of national security, international crime, espionage, and international conflict (Matwyshyn, 2018; Wilner, 2020).
Joseph Nye lists the four factors of cyberspace deterrence as the threat of retaliation, denial, fear of entanglement, and norms (Nye, 2017; Shad, 2018). Attribution is the main barrier to cyber retaliation needed for deterrence by punishment since it is often difficult to identify both the attacker and the source of the cyberattack (Hodgkinson, 2018; Nye, 2017; Shad, 2018). Deterrence by denial is best realized when a state has a resilient cyber defense capable of preventing or quickly recovering from a cyberattack (Nye, 2017; Shad, 2018). Entanglement deterrence is supported through international agreements such as the Budapest Convention and by international organizations such as NATO (Shad, 2018). Lastly, norms work by naming and undermining perpetrators of cyberattacks (Shad, 2018). U.S. cyber deterrence policy has shifted from denial under President Bush to a punishment approach under President Obama and President Trump. The United States regularly reviews cyber deterrence options against non-state actors and evaluates ways to deter Russia, China, North Korea, and Iran from conducting cyberattacks against the country (Klein, 2015). However, the number of cyberattacks aimed at U.S. targets has steadily risen for the past 15 years (Wilner, 2020).
State and non-state actors have infiltrated U.S. systems and caused damage and theft without crossing the government’s threshold for escalation or retaliation short of sanctions (Bracken, 2017). These attacks, then, could either be viewed as a failure of deterrence or falling into the gray zone between war and peace (Nye, 2017). The United States is particularly at a disadvantage compared to cyberterrorists and authoritarian regimes since these organizations are not bound by legal or political constraints (Mazanec, 2016; Naím, 2017). An asymmetry also exists in that weak, rogue, or non-state actors with limited cyber platforms have the least to lose and the most to gain from cyber conflict (Wilner, 2020).
Enforcement
German philosopher Immanuel Kant wrongly concluded in the late 1700s that states would eventually seek peace through international governance due to the ever-increasing violence of war (Barrett, 2017). However, international governance has yet to materialize and existing transnational organizations are not completely in sync with evolving threats. In practice, states prefer to preserve their relative power by conducting actions that fall under the threshold for conflict (Barrett, 2017). Challenges that must be overcome to increase international agreement on cyber cooperation are trust, perceptions, and state sovereignty (Baram & Menashri, 2019). There is near international consensus that cyberattacks could be considered acts of war depending on the circumstances and that proportionality permits conventional retaliation to cyberattacks (Hodgkinson, 2018). Relating cyberattacks to acts of war should encourage states to create robust self-defense plans to prevent such attacks. Yet, cyber self-defense is still a new and evolving topic.
There are currently no domestic or international laws addressing self-defense in cyberspace (Cook, 2018). However, in 2003 the United States published The Strategy to Secure Cyberspace which implies that the country reserves the right to respond to a cyberattack through kinetic or non-kinetic actions (Klein, 2015). Also, President Obama’s 2011 International Strategy for Cyberspace stated that the United States will use all necessary means for cyberattack defense but will limit military force as a last resort (Mazanec, 2016; Wilner, 2020). Because of this, the United States has a wide variety of retaliatory options available including conventional options authorized solely by the president under the Authorization for Use of Military Force (Marsili, 2019). In 2012 the U.S. government stated that a cyberattack could be viewed as an armed attack implying that the country could come to the defense of other states in accordance with Article 51 of the UN Charter or Article 5 of NATO (Hodgkinson, 2018; Klein, 2015).
Additionally, for the first time in February 2016 the United States began conducting open offensive military cyberattacks against ISIS to augment ongoing conventional operations (Fidler, 2016; Hatch, 2018). The nature of these attacks remains classified but U.S. Cyber Command targeted the terrorist organization’s ability to spread propaganda, recruit, and control operations in Iraq and Syria (Fidler, 2016). The United States claimed that its actions were in accordance with international law given that domestic cyber doctrine states that all actions must conform to U.S. laws and regulations while being cognizant of international law (Brantly, 2016; Fidler, 2016). The U.S. military has demonstrated that active cyber operations can be effective. However, this expertise has not yet transitioned to U.S. private businesses including operators of U.S. critical infrastructure.
The preferred universal method of cybersecurity involves passive defense measures such as anti-virus software and intrusion detection systems (Van Dine, 2020). Yet, the overwhelmingly high number of successful cyberattacks suggests that passive defense security measures could be improved (Van Dine, 2020). However, active cyber defense operations conducted by private U.S. corporations are currently considered illegal without consent, which also generally correlates with the Budapest Convention’s interpretation of the issue (Cook, 2018; Van Dine, 2020). Active cyber-defense measures would also likely be in violation of the U.S. Computer Fraud and Abuse Act, which prohibits accessing computers without authorization to obtain information, transmit code, or cause damage (Cook, 2018).
However, members of the U.S. government are attempting to expand the cyber powers of private industry. In 2019 Representative Tom Graves introduced a congressional bill for the Cyber Defense Certainty Act that would grant authority for private organizations to infiltrate the networks of their cyber attackers (H.R.3270 - Active Cyber Defense Certainty Act, n.d.). This Act would let private companies loiter in foreign networks to identify their attackers and discover their methods, which is known as hacking back (Cook, 2018). Hacking back is part of active cyber defense, which encompasses operating inside and outside of defenders’ networks to discover and degrade aggressor capabilities (Cook, 2018; Van Dine, 2020).
In the absence of active cyber defense measures for private U.S. industry, many feel that public and private sector cybersecurity matters should not be siloed, since a breach in either could affect both (Healey, 2018; Matwyshyn, 2018). However, some critical infrastructure components, such as air traffic control systems and nuclear power plants, already encompass both public and private sector security elements, a condition known as reciprocal security vulnerability (Matwyshyn, 2018). The private sector has also worked with government organizations on a range of cyber-related issues through public-private partnerships created in 1998 by President Clinton’s Presidential Decision Directive 63 (Healey, 2018). Additionally, the Cybersecurity Act of 2015 provides a framework for the public and private sectors to cooperate with the intent of working toward the common goal of cybersecurity through voluntary information sharing (Kosseff, 2018; Matwyshyn, 2018). Expanding active cyber defense into the U.S. private sector could bolster critical infrastructure cybersecurity and reduce the number of successful cyberattacks through measures such as hacking back and information synthesis between the public and private sectors. However, some feel that no amount of preparation can deter a cyberterrorism attack against the United States.
Counterarguments
A majority of cyberterrorism literature focuses on preparation and deterrence through the direction of domestic and international laws, but other aspects suggest that the United States will always be vulnerable to asymmetric cyberattacks (Klein, 2015). This literature indicates that cyberattacks against U.S. public and private information technologies are a daily occurrence and that the government subsequently conducts little to no public response, since a vast majority of the attacks are unsuccessful (Klein, 2015). Additional counterarguments hold that cyberterrorists motivated by an ideology based on religion or factionalism that embraces death are not concerned with repercussions and may be undeterrable (Klein, 2015). It would also be very difficult to create proportional and credible deterrence options against adversaries with high risk tolerances (Klein, 2015). Additionally, choosing military targets following a cyberterrorism attack from a non-state actor could be problematic, since terrorists are not bound by geographical borders and largely operate amongst civilians (Klein, 2015). The final counterargument is that terrorists might even exploit any law or proportional response plan to their advantage, since they would already know the methodologies of their targets (Klein, 2015). State-focused cyber deterrence against North Korea, Russia, and China is also occasionally discouraged.
North Korea became a nuclear power in 2006, presumably to counter the comparatively superior military power of the United States (Bracken, 2017). At the opposite end of the spectrum, the country is also advancing its cyber capabilities (Bracken, 2017). Some scholars believe that even if North Korea had the ability to launch a decisive large-scale cyberattack against the United States, it would likely still refrain, since the cyberattack could easily be countered with a conventional military response from the United States and could potentially create a conflict that North Korea could not win (Bracken, 2017). Additionally, China and Russia have successfully gained territory in the South China Sea and in Ukraine and Crimea, respectively, by operating under the threshold for triggering U.S. and international reactions, a practice they follow in all of their actions, including in cyberspace (Bracken, 2017). These two countries would fare better than North Korea in a conventional war with the United States, but a deadly war would also not be in their national interests (Bracken, 2017).
The 20th century was defined by conventional wars, whereas the 21st century has so far been dominated by asymmetric hostilities, including terrorism and cyber threats. Countless examples of failed deterrence initiatives exist throughout history, and failures will continue into the future against a multitude of anticipated and unexpected adversaries. When deterrence fails, having deliberate response plans could increase the chances of successful retaliation while mitigating escalation. Adversaries might also be deterred from aggression after examining an unpalatable but pending response. However, announcing which cyberattacks would warrant military responses could allow adversaries to design attacks that fall just short of the kinetic response threshold.
Summary
The rules of war have been discussed for thousands of years, but integrating cyber and terrorism into the discussion has only recently begun, following the invention of the internet and the 9/11 attacks. It is improbable that terrorism and cyberwarfare will be conceptually defined at the international level any time soon, since it is unlikely that states will conclusively agree to alter existing regulations. Most states will therefore continue to act in accordance with domestic doctrine embedded in their own ideologies, to the frustration of others.
Currently, no country can assume victory against the U.S. military, which drives asymmetric developments for potential U.S. adversaries, including cyberspace operations and state-sponsored terrorism. Additionally, terrorist organizations continue to search for all conceivable ways to gain advantages against much more powerful adversaries. Because of this, cyberterrorism is developing as a dangerous new threat that has possibly been inadequately addressed for the reasons outlined using punctuated equilibrium theory.
It is also unclear how the United States would react to a successful, damaging cyberterrorism attack against the country. The United States could respond to such attacks in a variety of ways: through military or diplomatic channels, using overt or covert methods, and by means of kinetic or non-kinetic actions. Therefore, more cyberterrorism deterrence and response research might be needed to avoid reactionary decisions made in an emotionally charged environment following a successful destructive cyberterrorism attack.
In Chapter 2, I provided a summary of literature on all available information concerning the development of the cyber domain and terrorism, and the U.S. and international attitudes toward them. I also gave examples of how states have been nefariously using cyberspace to their advantages and highlighted ambiguities in domestic and international legislation related to the subjects. I finally identified a gap in literature concerning the lack of cyberterrorism response guidelines and addressed why the United States might need to preemptively draft cyberterrorism deterrence and response guidelines. I introduce the research design and approach for the study in Chapter 3.