  1. Chapter 4: Results
    1. Introduction
    2. Study Setting
    3. Demographics
    4. Data Collection
    5. Data Analysis
      1. Discrepant Cases
    6. Evidence of Trustworthiness
      1. Credibility
      2. Transferability
      3. Dependability
      4. Confirmability
    7. Study Results
      1. Theme 1: Terrorists’ Cyber Capabilities
      2. Theme 2: Large-Scale Cyberterrorism Attack Probability
      3. Theme 3: Large-Scale Cyberterrorism Attack Likely Responses
      4. Theme 4: Cyberterrorism Prevention Measures
      5. Theme 5: Cyberterrorism Policy Agendas
      6. Theme 6: International Cyberterrorism Considerations
    8. Summary

Chapter 4: Results

Introduction

The purpose of this qualitative study was to explore the perceptions of experts to better understand how the United States might better prevent and respond to large-scale cyberterrorism attacks. A major successful cyberterrorism attack has never been conducted against the United States, so it remains unseen what guidelines the country will use as the basis for a response. The current lack of guidance could leave the United States in a vulnerable position following a successful large-scale cyberterrorism attack given the unpredictability of potential responses. Through expert interviews, I addressed whether current policies are adequate to address large-scale cyberterrorism attack preparation and response guidelines, or if additional cyberterrorism specific policies should be created to ensure preemptive and palatable options.

A single research question guided this study: How do terrorism and cybersecurity experts perceive that the United States might better prevent, cope with, and respond to large-scale cyberterrorism attacks? One hundred and twelve peer-reviewed articles supported the findings of this study. A detailed literature review of all publicly available information related to cyberterrorism confirmed that the U.S. government has not openly considered prevention and response strategies for a large-scale terrorism attack. The scope of this study was nationwide, and 89 potential participants meeting expert criteria were contacted after IRB approval. Positive responses were received from nine experts which was slightly less than the predicted 11 responses calculated using an eight to one response rate.

I pilot-tested interview questions with three volunteer peers familiar with aspects of cyberterrorism from August 25–26, 2020 after IRB approval (08-24-20-0531149) but before conducting interviews with actual participants. I refined my interview questions and delivery through the pilot study, but I made no changes to data analysis strategies. The nine participants were then interviewed over a 6-week period from August 27 to October 3, 2020.

In Chapter 4, I discuss the results obtained from the analysis of primary data gathered through semistructured telephone interviews. This chapter begins with the setting and demographics. I then give a detailed description of the coding strategies used for data collection and data analysis before concluding with evidence of trustworthiness and the major themes cultivated from data analysis.

Study Setting

I conducted semistructured telephone interviews at a date and time of the participants’ choosing in order to give them the opportunity to identify a comfortable setting where they could respond fully and freely without time restrictions. All participants chose weekdays during normal work hours. I also recorded the interviews in various private and secluded settings with strong mobile phone and internet reception. All interviews were therefore completed with no distractions, interruptions, or time constraints as confirmed by a review of the verbatim transcripts. The participants did not identify any personal or organizational commitments that would have influenced them at the time of this study.

Demographics

Participant criteria for this study included experts who have worked professionally in two or all three cyber, terrorism, and national security career fields within the federal government for at least 10 years since September 2001. The timespan justification was to ensure that participants were active in their respective occupations since 9/11 and have practiced their profession over the course of at least two presidencies. I gathered data from nine experts with past federal government experience and with 138 and 72 years of cumulative cyber and terrorism experience, respectively. Demographics such as age, race, religion, and gender were not considered relevant to answering the research question. Applicable participant demographics are listed in Table 1.

Table 1 Demographics of Participants


Data Collection

Walden University granted IRB approval for this study on August 24, 2020 with approval number 08-24-20-0531149. Following this approval, I sent invitation letters to 89 potential participants through individual e-mail and LinkedIn messages and received responses until September 17, 2020. I collected data from nine participants using semistructured telephone interviews from August 27 to October 3, 2020. I asked clarifying questions propagated from participant answers to the semistructured interview questions located in Appendix B in order to gain a complete understanding of each answer as well as to explore deeper meanings to answers. The interviews ranged from 20 to 61 minutes, averaged 38 minutes, and totaled 5 hours and 48 minutes. I recorded each interview on a digital voice recorder which I then downloaded to a password protected external hard drive. I secured this hard drive in a personal safe when not in use. I had the recordings transcribed verbatim to Microsoft Word using the transcription service TranscribeMe which yielded 108 pages of transcriptions. I compared the recordings to each transcription to ensure accuracy before deleting the recordings. I then sent the transcriptions to the participants to make any changes they felt necessary. Only one participant responded with edits. Data collection went as planned and no unusual circumstances were encountered. Individual interview details are described in Table 2.

Table 2 Interview Statistics


Data Analysis

Participant transcriptions were exported into NVivo software which I used as a data analysis aid. I then subsequently coded the transcriptions to highlight patterns in the data to generate categories which were analyzed for connections. Saldaña (2016) explained that qualitative data coding involves dividing, grouping, reorganizing, and linking codes in order to search for meanings and to develop explanations. Coding for this study was an iterative process that utilized both precodes and emergent codes. I incorporated a variety of coding methods selected to best synthesize data throughout the coding process.

I formed precodes during literature review which I chose based on the study’s research question, framework, and approach. I used the structural coding method for precodes which resembled broad topics gathered for the purpose of more detailed analysis (Saldaña, 2016). I reviewed all transcripts exclusively for precodes before emergent codes were identified. The precode list was based on the interview questions and comprised of the following codes: awareness alignment, common understanding, cyberattack probability, cyberattack understanding, decision-maker priorities, international law, national security priorities, policy issue drivers, policymaker perceptions, possible responses, precautionary measures, and U.S. preparations. Precodes allowed me to loosely sort the data by research question in order to approach the data from another perspective.

I then identified emergent codes through coding and recoding in both first and second-cycle coding. Saldaña (2016) explained that first-cycle coding is initial coding that is used as a baseline to see what direction the study will take. I incorporated in vivo and process coding methods in first-cycle coding. In vivo codes, or verbatim codes, are generated from the actual language of participants and are identified by quotation marks. Process coding focuses on the changing and repetition of action as well as the disruptions that occur within human goal setting or problem-solving interactions and are identified with gerunds (Saldaña, 2016). I used the process coding method judiciously in this study for coding punctuated equilibrium theory related participant responses.

I recoded the transcripts using first-cycle coding methods to ensure that all emergent codes were applied throughout each transcript. First-cycle in vivo and process coding generated 232 emergent codes. I then used second-cycle coding to reorganize and reanalyze data gathered through first-cycle coding methods. Here, I predominately used pattern coding which condensed codes into a smaller number of categories by merging codes together while dropping others. Saldaña (2016) recommended 50 to 100 total codes, 15 to 20 categories, and five to seven major themes. Data analysis for this study produced results similar to Saldaña’s recommendation with 87 total codes grouped into 11 categories and six major themes.

First and second cycle coding development is illustrated in Figure 1. The study’s themes, categories, and respective code sums are presented in Appendix C which also lists amplifying information of all 87 second cycle codes including participant contributions, interview questions utilized, and associated first cycle code frequencies.

Figure 1 Code Development


Discrepant Cases

Two discrepant cases involving one participant emerged from the study. This participant believed that terrorists do not need state assistance to conduct a large-scale cyberterrorism attack and also believed that a large-scale cyberterrorism attack was likely in the near future. Six other participants disagreed with this assessment and felt that state assistance is required to conduct a large-scale cyberterrorism attack although any attack is unlikely. The divergent participant contributed to data saturation in all other areas despite deviating from the majority in the identified discrepant cases.

Evidence of Trustworthiness

I achieved trustworthiness of this study through acknowledging discrepant cases as well as through credibility, transferability, dependability, and confirmability.

Credibility

Credibility in a qualitative study relates to the degree that the results reflect the experiences of the participants. To facilitate open and honest responses, I ensured that participants were aware that no identifying information would be used in the study and that they could opt out at any stage. I also ensured that all data were creditable by comparing each transcription to its audio recording for complete accuracy. I then sent the transcriptions to the participants to review and edit before using the final transcriptions for data analysis. Additionally, each potential participant went through multiple iterations of scrutiny before being included in the final list of 89 experts which resulted in the elimination of 61 individuals from the original 150-member list.

Transferability

Transferability of this study is possible since I described in detail the rationale, structure, and justification of the study, as well as participant demographics. While the participants were not directly identified in this study, I provided sufficient detail to highlight their levels of expertise. Cyberterrorism and U.S. interventions are respectively global and nationwide by definition. The transferability of this study is therefore possible to a multitude of government, cyber, and terrorism focused organizations throughout the world.

Dependability

I ensured the dependability of this study by aligning the research question to the study’s problem and purpose. I also derived the interview questions from the purpose of the study while considering the study’s theoretical foundation. Additionally, I conducted an exhaustive literature review and located 112 predominately peer-reviewed journal articles using detailed search criteria in multiple databases. I also remained cognizant of the scope of the study through the iterative and thorough data analysis process.

Confirmability

Lastly, confirmability relates to the objectivity of the study. I was exclusively responsible for all data collection and analysis. I first collected data in an objective manner after identifying potential researcher biases and implemented bracketing techniques. I then coded data using precodes and emergent codes through primary and secondary cycle coding and recoding. This iterative coding process resulted in five coding revisions for each transcript to ensure that all data were objectively extracted.

Study Results

Six themes emerged from the data analysis relating to the study’s single research question: How do terrorism and cybersecurity experts perceive that the United States might better prevent, cope with, and respond to large-scale cyberterrorism attacks? Five of the six themes contained two or more categories which resulted in 11 categories containing 87 total codes for the study as seen in Figure 2. A detailed code list is located in Appendix C.

Figure 2 Themes, Categories, and Codes


Data were generated from nine participants through 18 interview questions located in Appendix B. All interview questions were aligned with the research question by considering the study’s problem, purpose, structure, and theoretical foundation. The six themes generated from data analysis are as follows:

Theme 1: Terrorists’ Cyber Capabilities

The first theme that emerged was related to the current cyber capabilities of terrorist organizations. The literature review indicated that terrorist organizations are capable of successfully manipulating cyberspace to their advantages, and the study’s research question suggested that terrorist groups are likewise capable of carrying out a large-scale cyberterrorism attack against the United States. Terrorist groups have long desired to gain capabilities in cyberspace which they continue to successfully pursue, yet most participants believed that terrorists currently do not possess the capability to conduct a large-scale cyberterrorism attack against the United States without state assistance. Given this, the discussion of a pending large-scale cyberterrorism attack is incomplete at present without the inclusion of states.

Participant J6 stated that terrorists are not yet able to produce kinetic-like effects through the cyber realm. Likewise, participant P9 felt that terrorist groups would need to hire out the capability to have a sustained effect over time in cyberspace since they lack the sophistication to do it on their own. Participant C4 stated that, “the organic capability is generally limited for international terror groups. They’re digitally okay and not dumb, so they can serve as proxies for some of the major players: Russia, North Korea, China, and Iran among others.” He also noted that they can still do damage with a radicalized insider.

Further, participants E1 and C4 felt that terrorists would need assistance from states to have any chance of successfully conducting a large-scale cyberterrorism attack against the United States, though there is no evidence that states are currently augmenting the cyber capabilities of terrorist organizations. Participant P3 highlighted that even the NotPetya attacks against Ukraine conducted by a state (Russia) were only effective for a few days, so it is unlikely that an even more sophisticated attack could be conducted by a non-state actor against any country with respectable cyber defenses.

However, participant B2 argued that terrorists could actually possess the capabilities to conduct an unassisted large-scale cyberterrorism attack against the United States since only a few smart people are needed to create a cyberattack mechanism. Yet, he did note that terrorist organizations do not need capability organic to their organization which “leaves the door open for a lot of potential mischief by terrorist organizations, whether they build their own capability, or they borrow it, or buy it from somebody else.”

Theme 2: Large-Scale Cyberterrorism Attack Probability

Predictably, the six participants who felt that terrorist organizations lack the ability to unilaterally conduct large-scale cyberterrorism attacks also believed that the probability of such an attack against the United States is low. The exception is participant B2 who felt that the United States will fall victim to a successful large-scale cyberterrorism attack within the next few years. However, most participants still acknowledged that smaller scale cyberattacks are being conducted against the United States on a regular basis. The first category in this theme addresses the low probability of a large-scale cyberterrorism attack against the United States while the second category focuses on problematic cyber activities currently being conducted against the country.

Low Probability

Participant E1 was skeptical about the threat of a major cyberterrorism attack that might kill scores of U.S. citizens and instead views cyber as exclusively a state threat. Participant C4 also felt that a major cyberterrorism attack is unlikely and not nearly as realistic as “a death by a thousand cuts” which relates to the second category in this theme, activity below war threshold.

Activity Below War Threshold

Participant T5 stated that the United States is being attacked right now, but not to the level of 9/11, and from adversaries who are either attempting to cause disruption or are probing the U.S. cyber network. Similarly, participant E1 believed that terrorist organizations are intensely probing the United States in a multitude of ways, including testing the country’s critical infrastructure, while participant A7 felt that terrorists prefer to gather information through cyber means from vulnerable businesses to use for intimidation purposes. Lastly, participant C4 reiterated that most digitally connected organizations throughout the world who could help terrorist organizations would rather practice cyber espionage with the goal of having no reaction from the countries being probed. Because of this, he felt that aggressive offensive cyber actions against the United States are unlikely.

Participant B2 clarified that while cyber espionage needs to be addressed, it is not cyberterrorism but simply an extension of “old-fashioned spying” which is not illegal in international law. Yet, participant T8 is concerned that organizations have been conducting *intelligence preparation of the environment* with the intention of folding cyber into any future conflicts. Similarly, participant P9 explained that the United States is concerned with attacks generated from weaponizing capabilities gained from cyber espionage since these types of threats, such as national election interference, have the potential to undermine the very basis for democracy. However, participant E1 argued that the United States still does not know exactly how to respond to harmful attacks against the country that utilize only “zeros and ones.” Participant C4 lastly felt that organizations can destabilize a country with ease if they conduct cyber operations just below the threshold of warfare since those operations do not galvanize citizens or gain the attention of policymakers.

Theme 3: Large-Scale Cyberterrorism Attack Likely Responses

Most participants felt that the United States will conduct a forceful and kinetic response to a successful large-scale cyberterrorism attack since the effects of both a large-scale cyberattack and a large-scale conventional attack would be similar. However, most participants also acknowledged that attribution must first be levied in a timely manner which is predictably much more difficult in the cyber realm. Given this, the first category in this theme is attribution considerations.

Attribution Considerations

Participants E1, J6, and T8 argued that the United States possesses the forensic abilities to very accurately attribute cyberattacks, and participants B2 and P9 felt that U.S. cyber attribution is improving but acknowledged that it still takes too long to lay blame. Participant J6 clarified that the U.S. government is often reluctant to reveal attribution sources since he likened this action to “blowing a human asset conducting a covert operation.” Participant B2 further clarified that it is easy for countries to disguise attacks, such as Russia routing cyberattacks through China, which could hinder the attribution process. Lastly, participant P3 explained that most private companies are actually not concerned with attribution since their focus is on stopping the cyberattack, minimizing the event, and preventing future vulnerabilities. He clarified that private companies cannot conduct offensive cyber operations, so they are not concerned with identifying their attackers which minimizes offensive private sector cyber innovation. The second category in this theme is lethal response.

Lethal Response

Despite attribution difficulties, most participants agreed that the United States would respond quickly, aggressively, and lethally in response to any successful large-scale cyberterrorism attack. Participants E1 and P9 argued that the United States would leverage all powers of government following a successful attack, including using the full weight of the military. Further, participant T8 believed that a response would be “lethal for the offending country,” participant C4 felt that the United States would respond “forcibly and kinetically,” and participant J6 similarly believed the country would respond with “overwhelming forces.” Finally, participant B2 stated that the United States will use any means to go after everyone responsible for the successful cyberterrorism attack and would not minimize the response in an attempt to match a cyberattack with a cyber-response.

Theme 4: Cyberterrorism Prevention Measures

All participants agreed that the United States must do a better job aligning different aspects of government to prevent large-scale cyberattacks, to include cyberterrorism attacks. Additionally, most participants agreed that the United States must drastically improve large-scale cyberattack preparations, while some participants highlighted that having a public cyber deterrence policy would help thwart cyberattacks before they begin. The two categories in this theme, collective coordination and preparation, are the second and third largest categories in this study but make up the most cumulative codes of all themes.

Collective Coordination

Most participants agreed that the United States does not defend as a nation in cyberspace. Participants P3 and J6 stated that the country continues to rely on companies to defend themselves against cyberattacks. For example, participant J6 explained that, “you would never expect Target or Walmart to defend against Russian Bear bombers” since “it’s the job of the U.S. government to buy surface-to-air missiles.” And yet “in cyberspace, not only Target and Walmart, but every little mom-and-pop shop must individually defend for themselves.” Because of this, participant E1 argued that every city, state, and locality must currently take charge of its own cyber defenses.

Participant P3 explained that cyber coordination varies amongst government organizations, though every organization wants a role including the National Security Agency, the Department of Homeland Security, and the Cybersecurity and Infrastructure Agency. Yet, the general lack of coordination amongst all government organizations poses a risk. Participants C4 and J6 agreed that the National Security Agency has the most cybersecurity expertise within the U.S. government, but other government organizations are slowed by “relentless and grinding bureaucracy.” Participant C4 highlighted that his job is focused on weaving U.S. organizations together into a collective cyber defense. Through this, he noted that every private and public organization has its own self-interests and therefore pushes its own agenda, which ranges from innovative to entrenched and archaic thinking. Participant P9 saw the most cyber innovation in economic and national security organizations, though he believed the expertise drops off drastically within manufacturing and energy based organizations. He also noted that organizations all speak their own languages and do not fully understand each other. Finally, participant T5 believed that coordination between different government agencies is slowly happening but felt there is still a lot that must be done before organizations could be considered integrated.

Participant C4 argued that the United States needs to bridge the public-private divide and shift thinking from the multitude of ad hoc efforts to supporting a national cyber strategy backed by strong leadership. However, participant J6 cautioned that the country might not yet be ready to think in collective cyber defense terms. For example, participant P9 explained that Cyber Command is developing and expanding its own capabilities, clandestine organizations such as the Central Intelligence Agency and elements of Joint Special Operations Command continue to run their own operations in seclusion, and the Federal Bureau of Investigation largely works on their own with the help of National Security Agency operators. Participant J6 highlighted that this channelized mindset often causes overlap in cyberspace which has been a hindrance to the successful coordination of cyber operations. Finally, participant E1 stated that the growth of Cyber Command is a positive step for the Department of Defense, but he explained that there is no comparable organization for the broader U.S. infrastructure since the Department of Homeland Security does not have the authority over civilian federal government systems in the same way that Cyber Command does over the Department of Defense.

Most participants felt that the U.S. government must do more to improve collective cyber measures. Participants B2, J6, and P9 argued that the government should limit compartmentalized information and share cyber intelligence with the private sector in real time. Yet, participant B2 felt that the government is plagued with a culture of secrecy which hinders private sector cooperation. For example, he stated that the government, for the most part, gathers information from the private sector, classifies it, and then does not share any results. He explained that because of this, some of the best cybersecurity experts in the world do not want to deal with the U.S. government since they view the government as an illegitimate partner.

Nevertheless, participant P9 felt that the government must be more directive with at least some parts of the private sector in terms of what cyber security they adopt. He acknowledged that the government has attempted to get the private sector to do more, though only through voluntary initiatives since, as participant C4 explained, the government legally cannot do much to force cyber protection on private companies.

Participants P3 and C4 therefore stated that private companies are largely fighting individually and are on their own. Participant C4 believed that companies with strong resources understand the cyber risk and are generally trying to defend themselves against cyberattacks. For example, he explained that the financial sector recognizes the problem. “They can hire and fire cyber people. They can fund salaries that are super competitive. And they’ve therefore built some of the best security on the planet.” However, participant P9 explained that cyber protection tapers off in other government sectors for reasons including limited cyber resources and outdated infrastructure such as old railroad technology.

Preparation

Most participants agreed that the United States can improve large-scale cyberterrorism attack preparations through an overarching strategy and a set policy. Participant P9 felt that the United States should advertise a cyber strategy to ensure that adversaries are aware of potential U.S. responses to any actions, while participant E1 believed that the United States would not be able to respond as effectively to any cyberattack without a set policy. Participants C4 and T8 were generally not satisfied with U.S. preparations for a large-scale terrorism attack, and participant P3 felt that the United States is only prepared well for things that easily transition into mitigating circumstances and is unprepared for cyberterrorism attacks that are not clearly understood and might also take longer to develop. However, he acknowledged that there are venues that exist to bring together federal, state, and military cyber groups to discuss cyberattack preparations.

Participants E1 and B2 felt that U.S. government cyber efforts should focus more on the defensive side, and participant T5 also believed the government should expand cyber measures to improve pre-attack intelligence. Lastly, participant B2 explained that almost everything industrial operates on computers which means that all systems are vulnerable, including air gapped systems not directly connected to the internet. Because of this, participant T8 felt that improving software would help limit these vulnerabilities while participant P9 argued the United States needs to do a better job hardening potential cyber targets that the country is most dependent on.

Finally, most participants agreed that the United States is not prepared to deter in cyberspace. The reasons include hesitation, unwillingness to expose classified information, attribution uncertainty, a lack of preparation, and general unfamiliarity with cyberspace operations. These participants also felt that the United States cultivates a more dangerous future every time the country does not respond publicly to known cyberattacks.

Participant J6 believed that the United States has allowed too much to go on in the cyber realm without responding. He used the Sony Pictures Entertainment cyberattack by North Korean hackers as an example and explained that the United States would respond if North Korean soldiers physically attacked Sony Pictures and started destroying computers. Yet, there was no public U.S. retaliation for the physical damage caused by the North Koreans using cyber means within the United States. Participant J6 further stated that the United States has never announced how the country would retaliate from a large-scale cyberattack which raises the risk that an adversary might wrongly assume they can get away with something that would subsequently force the United States to act.

Theme 5: Cyberterrorism Policy Agendas

Many experts cannot independently create change and must rely on decision-makers to action their ideas. All participants in this study have national security experience and have therefore all interacted with leaders and lawmakers at some level to facilitate change. Cyberspace is a new and constantly evolving dimension that only the most technically savvy individuals completely understand. Yet, incorporating technically heavy, cyberterrorism-related information into senior decision-makers’ already constrained agendas poses a challenge for cyber and terrorism experts which is highlighted in this theme. Policymaker problems and suggested cyber related improvements are relayed in the theme’s three categories: technical knowledge, policymaker consciousness, and agenda change factors. These categories contain approximately one-third of the study’s codes reflecting the importance given to cyber policy agendas by the study’s participants.

Technical Knowledge

All participants felt that there is not enough cyber understanding on the part of decision-makers. Participant E1 pointed out that many individuals holding high-level government positions have no experience with intelligence issues, so even explaining the differences between the Central Intelligence Agency and the National Security Agency, for example, would be required before progressing to the more technical aspects of cyberspace. Participant C4 similarly felt that cyber policy construction is difficult if policymakers do not understand the technical aspects. Participant A7 took this idea a step further and stated that decision-makers generally have trouble even parsing out the conception of cyberterrorism itself. She felt the challenge is for senior leaders to conceptualize topics consisting of complicated technology with enough nuance and understanding. For example, decision-makers should be able to navigate cyberthreats of completely different types, problems, capabilities, and actors. However, participant P9 believed there is some misunderstanding that cyber policy is more technical than it is in reality. Lastly, participant C4 explained that part of the reason that there is a shortage of decision-makers with technical knowledge is because technologically inclined individuals prefer to stay away from policymaking, so it is also incumbent for these individuals to learn policymaking just as it is for policymakers to become familiar with cyber’s technical aspects.

Policymaker Consciousness

This category highlights decision-maker improvements related to cyber policy as witnessed by participants, as well as discussing what generally garners the most attention amongst decision-makers in each participant’s respective field. Participant P9 stated that decision-makers are afraid of cyber to some extent. He explained that, “you don’t have to be a coder to understand the policy implications of cyber issues just as you don’t have to be a nuclear scientist to understand nuclear policy implications.” He felt that while people are still hesitant to get involved in cyber topics, involvement has been improving through long-term learning and education. Participant P9 also saw a parallel from the private sector in that the appreciation of cybersecurity issues amongst CEOs has also been slowly improving. However, he noted that cyber concerns are very uneven among industries and sectors and felt that there is still a long way to go before cybersecurity is seen as a core issue of national security and diplomacy. Participant E1 felt that cybersecurity will not be seen as a core issue until the topic is raised sufficiently by a U.S. president, which he believed has yet to happen.

While there was agreement amongst all participants that decision-makers must devote more attention to cybersecurity issues, there was no agreement on what primarily drives decision-makers. The study’s participants have been exposed to similar areas and similar levels of the U.S. government, yet this category demonstrates that policymakers have varying motivations which makes it difficult to adapt one cyber strategy to trigger policymaker interest.

Participant T5 believed that public opinion mainly drives policymakers, while participants B2 and C4 felt that both the press and individuals in inner circles have the most influence on policymakers. Participant B2 also stated that loss of life, loss of capital, or loss in infrastructure will always get policymakers’ attention, and participant C4 similarly felt that a response to an attack will always take priority. Participant P3 believed policymakers tend to focus on money and perception issues since they do not want to lose money or be perceived badly. Similarly, participant P9 also felt that perception and focusing on any major threats mostly consume policymakers. Participants B3 and J6 stated that immediacy, or the biggest threat of the day, always captures policymakers’ attention, while participant A7 argued that problems are the main drivers for policymakers. Lastly, participant T5 believed that information received through intelligence often has the potential to become the primary focus of policymakers.

Agenda Change Factors

In this category, participants discussed what would cause cyber policy, to include cyberterrorism policy, to align with mainstream U.S. government agendas. Participant C4 felt that the government contains many well-intentioned and smart people concerned with the country’s cybersecurity, yet something severe would need to happen through cyberspace in order to get leadership focused on the issue. Participants B2 and A7 stated that big negative events would need to occur to capture the attention of decision-makers, though participant B2 was hopeful that cyber professionals are continuing to work hard behind the scenes to move agendas as much as they can in the absence of upper-level decision-maker support.

Participant J6 worried that moving the cyber agenda will take a mass casualty event or another major crippling event. He explained his logic using the NotPetya attack released by the Russians that caused over 10 billion USD worth of damage worldwide, including hundreds of millions of dollars in the United States, yet caused no large public reactions within the U.S. government. Lastly, participant P9 believed that continued and effective cyberattacks against the United States would at least get policymakers to rethink the country’s current stance on cyber activities, while participant T5 hoped that policymakers are growing more concerned with how cyber actions are aiding countries in their worldwide goals that are not in line with U.S. policy, such as the Russian annexation of Crimea.

Theme 6: International Cyberterrorism Considerations

No international law directly addresses cyberterrorism, and it is also not clear how the Geneva Conventions and the greater laws of armed conflict apply to cyberterrorism (Baram & Menashri, 2019; Fidler, 2016; Marsili, 2019). There are additionally no U.S. or international laws directly related to self-defense in cyberspace (Cook, 2018). Given these considerations, the first category in this theme, international law validity, addresses to what level the United States should consider international law when drafting cyber plans, to include cyberterrorism plans; while the second category, international law integration, gauges the likelihood for agreed upon worldwide cyber regulations.

International Law Validity

Most participants agreed that the United States must acknowledge international law when drafting cyber-related deterrence and response plans regardless of how difficult or inconvenient the task. Participant P9 stated that the United States should articulate how international law applies in cyberspace just like in every other area. He further stated that the United States should strive to be champions of the rule of law in all aspects and noted that violating international law in cyberspace would hurt the country’s international status. Participant P9 also felt that advertising strong cyber deterrence and response initiatives that follow international law would encourage other countries to do the same and would also serve as a point of emphasis for countries that choose not to follow international law in cyberspace. He lastly pointed out that there are over 40 countries developing offensive cyber capabilities, which is why global cyber discussions on cyber norms related to international law are so important, though he did not feel that international law needs to be rewritten for cyberspace.

Participant T5 stated that cyber is global in the sense that any malware released, for example, will spread worldwide regardless of its targeted audience. Given that, he felt that the United States needs to consider international law because any cyber response against one country could have unintended consequences in other countries. Participant P3 highlighted this sentiment by explaining how Russia ceased cyberattacks against Georgia in 2008 after Georgia moved their backup servers to a cloud-based website in the United States that Russia was not willing to attack. Given that, he felt that international law applies when searching through the networks of other countries to identify weaknesses for future attacks or to even stop an ongoing large-scale cyberattack.

Participant J6 explained that cyber is another domain of warfare, and there are standard rules of warfare that the United States has agreed to that also generally translate to the cyber realm. He therefore felt that cyber is not a fundamentally different domain where the entire rules of warfare need to be rewritten. Participant C4 suggested that the country should even consider international law throughout all cyber related preplans, missions, and activities, while participant E1 acknowledged that cyber is still a developing area but the United States must at least pay attention to and understand how international law relates. Finally, participant B2 argued that international law related to cyberspace is not that helpful but felt that the United States must still consider it in order to demonstrate a willingness to cooperate.

International Law Integration

While most participants agreed that international law applies in cyberspace, they were not optimistic that cyberspace rules or norms will ever be agreed upon in the current international environment. Participant A7 felt that there will never be a cyber treaty between the major world powers given the fundamental disconnects in worldviews. Participant J6 also did not believe there will be a major international-level agreement on cyber issues due to the fundamental divisions between the Western view of the cyber domain and the Russian and Chinese views. For example, participants P3 and J6 stated that China wants cyber treaties that allow them to have power and leverage over their own people and anyone else that they have influence over, and likewise with Russia who sees cyber agreements as a way of ensuring people stay out of their way.

Participant P9 explained that these differences drive huge divisions in intergovernmental forums such as in the UN, where major disagreements are seen between Russia and China and Western democracies coupled with Japan, Australia, and others. Participant T8 acknowledged the international cyber divide but pointed out that the United States has also voted down proposals regarding cyber laws and legislation in the UN, which participant E1 felt puts the country in an awkward position when it comes to aspects of international law and cyber.

Lastly, participant P9 suggested taking cyber “out of this kind of boutique bubble it is in” and looking at the overall relationship with other countries. To back up this argument, he articulated that one of the reasons China agreed to an intellectual property agreement with the United States in 2015 was because President Obama did not categorize the issue as a cyber issue but instead categorized it as a core economic and national security issue. President Obama was thus willing to have friction over U.S.-China relations as a whole in order to resolve a cyber matter.

Summary

The purpose of this qualitative study was to explore the perceptions of U.S. terrorism and cybersecurity experts with demonstrated federal government experience to understand how the country might better prevent and respond to a successful large-scale cyberterrorism attack. Data were generated through one-on-one semistructured telephone interviews and were coded and categorized into themes in order to draw conclusions. The findings successfully answered the study’s research question: How do terrorism and cybersecurity experts perceive that the United States might better prevent, cope with, and respond to large-scale cyberterrorism attacks?

An answer would be incomplete without first conceptualizing the abilities of terrorists to carry out large-scale cyberterrorism attacks which was articulated in Theme 1. Here, most participants agreed that terrorist cyber capabilities were weak, and the probability of a large-scale cyberterrorism attack was therefore low which was expressed in Theme 2. Theme 3 presented a consensus that the United States would respond quickly, aggressively, and lethally in the event terrorists were able to carry out a successful large-scale terrorism attack. Yet, participants unanimously agreed in Theme 4 that the United States could do much more to prevent destructive cyberattacks, including cyberterrorism attacks, against the country which focused on working together as a nation to form a collective cyber defense front.

However, any U.S. cyberterrorism prevention and response guidelines would require policymaker backing and coordination which was the focus of this study’s theory. Punctuated equilibrium theory was designed to be broadly applied to a range of policymaking initiatives during protracted periods of stability coupled with bouts of immediate change. The theory was thus relevant to this study given that U.S. policymakers are responsible for selecting improved cyberterrorism defense and response policies.

Participants highlighted the lack of technical knowledge amongst policymakers and discussed ways to overcome policymaker cyber shortcomings in Theme 5, though most participants worried that cyber considerations would only be thrust into mainstream national policy discourse following a successful large-scale cyberterrorism attack. The internet, cyber, and most terrorist elements are global by definition, so Theme 6 categorized to what level the United States should consider international law when preparing for or responding to a large-scale cyberterrorism attack. Most participants agreed that international law must be considered regardless of how difficult or inconvenient the task even though an internationally agreed upon cyber treaty is unlikely. Chapter 5 presents the interpretations of the findings. It also discusses the study’s limitations, recommendations, and implications and lastly outlines conclusions for this study.

