Intersecting Governance Models

Michael Bertoli Gregory Holm, J.D.
Joe Brewer Matthew Mascoe
Julie Cropper Robert McDyre, Jr.
Andrew Ericson Kristina Miller
D. Kyle Fowler John J. Walter
Faculty Advisor: Andrew Ross, Ph.D.
May 2015

Intersecting Governance Models: A Norms-Based Cyber Deterrence Strategy
! !
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

! !
Executive!Summary!
The cyber domain presents a multitude of vulnerabilities and opportunities for actors in
cyberspace. Inevitably, states will seek to dominate cyberspace and use it to their advantage. As
states seek opportunities to exploit cyberspace, cyber conflicts will arise. USCYBERCOM and
the U.S. Government must find a way to protect United States interests from cyber attacks of
significant consequence by deterring malicious actors.
The successful deterrence of cyber attacks requires offensive as well as defensive
capabilities. Defensive capabilities are sufficient to deter the vast majority of cyber threats and
limit damage from their attacks; however, defensive capabilities alone will not stop the most
capable adversaries. These high-level threats, characterized by high levels of commitment and
resources, represent the actors most likely to launch cyber attacks of significant consequence.
For these actors, a strategy of deterrence by punishment is necessary. However, the incentive to
conceal cyber capabilities makes credible threats difficult. The threat of cross-domain
punishment is therefore necessary to deter high-level threats. Moreover, norms are necessary to
make cross-domain threats credible. Norms offer a mechanism to establish generally accepted
principles that set a threshold, allowing a state to respond offensively following the violation of
that established threshold.
We propose a “4-Point Norms Plan” in conjunction with a deterrence strategy that will
effectively deter malicious actors in cyberspace and also serve as the foundation for further
cooperation to govern cyberspace. The norms incorporated in our plan are: (1) states shall not
attack another state’s civilian critical infrastructure; (2) states reserve the right to respond to
“grave and imminent” dangers; (3) states shall only respond in a manner that is reasonable and
proportional to the cyber threat; and (4) states must clearly communicate justifications for acting
offensively in response to malicious cyber activities by other states.
There are currently two competing cyberspace governance models. The United States
Department of State champions the “multistakeholder governance model” which seeks to include
all actors in the maintenance of a free, interoperable, and open Internet. Other states have
embraced a “sovereignty-based model,” in which the Internet is viewed as a domain to be
controlled and regulated within each state’s physical and electronic boundaries. These divergent
views indicate that Internet governance is still in its formative stages, but there exists a middle
ground between the two models. The 4-Point Norms Plan seizes upon this middle ground.
The norms included in the 4-Point Norms Plan will appeal to state and non-state
stakeholders alike, and if formalized, will ensure more clarity and establish space for potential
cooperation in the governance of cyberspace. These norms represent generally accepted
behaviors that will facilitate the employment of a successful deterrence strategy and will, over
time, build consensus among all stakeholders, lead to effective cooperation between states, and
serve as the foundation for a more formal approach to the governance of cyberspace.

! !
Acknowledgements!
The authors of this report benefited from the support and guidance of many individuals
and organizations in the research and writing of this project. The authors would first like to
thank U.S. Cyber Command and the Combined Action Group for the direction of the project.
The authors are grateful to Dr. Emily Goldman, Director of the Combined Action Group, and Dr.
Michael Warner, Command Historian, for their generous support, encouragement, and guidance
throughout the duration of this project.
The project itself would not have been possible without the support of the Bush School of
Government and Public Service at Texas A&M University. The authors particularly wish to
thank Ambassador Ryan Crocker, Dean of the Bush School, and Dr. F. Gregory Gause, Head of
the Department of International Affairs. The authors are also indebted to The Scowcroft Institute
for International Affairs, under the guidance of Andrew S. Natsios, for making funds available.
Many individuals at the Bush School contributed to the completion of this project. The authors
benefited from feedback from faculty members including Col. Don Bailey, Dr. Jasen Castillo,
Dr. Joseph Cerami, Ambassador Larry Napper, Dr. Joshua Shifrinson, and Dr. Gabriela Marin
Thornton. Additionally, the authors appreciate the continued support of their peers, the students
of the Bush School.
Last, but not least, the authors wish to thank their faculty advisor, Dr. Andrew L. Ross,
whose patience, policy expertise, and passion for the subject of cyber were a source of continued
support, inspiration, and guidance to the team.
The completion of this project was a great honor for the authors and it would not have
been possible with the contributions of these individuals and groups. The authors received a
great deal of guidance and support from many parties, but any errors or misinterpretations made
in this report are the fault of the authors alone. The authors sincerely hope this report contributes
to the growing field of cyber deterrence research.
Authors:
Michael Bertoli
Joe Brewer
Julie Cropper
Andrew Ericson
D. Kyle Fowler
Gregory Holm, J.D.
Matthew Mascoe
Robert McDyre, Jr.
Kristina Miller
John J. Walter
Faculty Advisor: Andrew L. Ross, Ph.D.

2
! ! !
Contents'
Executive)Summary)..............................................................................................................................)ii)
Acknowledgements).............................................................................................................................)iii)
Introduction).........................................................................................................................................)4)
Part)I:)Deterrence).................................................................................................................................)6)
A.!Deterrence!in!Cyberspace!....................................................................................................................!7!
1.!Traditional!Deterrence!Theory!.........................................................................................................!7!
2.!Deterrence!Concepts!in!the!Context!of!Cyberspace!........................................................................!9!
3.!Difficulties!Associated!with!Cyberspace!Deterrence!......................................................................!12!
B.!Cyber!Threat!Assessment!...................................................................................................................!14!
1.!HighHLevel!Threats!..........................................................................................................................!16!
2.!MidHLevel!Threats!...........................................................................................................................!17!
3.!LowHLevel!Threats!...........................................................................................................................!17!
C.!Deterrence!by!Punishment!................................................................................................................!17!
1.!Capability!Demonstration!...............................................................................................................!18!
2.!CrossHDomain!Response!.................................................................................................................!19!
3.!The!Necessity!of!Effective!Communication!....................................................................................!20!
Part)II:)Norms).....................................................................................................................................)21)
A.!Why!Norms?!Characteristics!of!Successful!Norms!.............................................................................!21!
B.!Norm!Development!............................................................................................................................!22!
C.!Trends!of!Norm!Development!in!Cyberspace!....................................................................................!23!
Part)III:)Dominant)Discourse)on)Internet)Governance).........................................................................)25)
A.!The!Multistakeholder!Governance!Model!.........................................................................................!25!
B.!Allies’!Objectives!in!a!Cyber!Norms!Regime!.......................................................................................!26!
1.!Privacy!and!Online!Rights!...............................................................................................................!27!
2.!Security!...........................................................................................................................................!28!
3.!Cybercrime!.....................................................................................................................................!28!
C.!SovereigntyHbased!Governance!Model!..............................................................................................!29!
D.!The!Role!of!IGOs!and!NGOs!in!a!Cyber!Norms!Regime!......................................................................!30!
E.!Existing!Structures!Applicable!to!Cyberspace!.....................................................................................!33!
1.!International!Law!of!War!................................................................................................................!34!
2.!Treaties!Governing!the!High!Seas!and!Outer!Space!.......................................................................!35!

3
! ! !
3.!Proliferation!Security!Initiative!.......................................................................................................!36!
4.!SALT!&!START!.................................................................................................................................!36!
5.!Espionage!Norms!............................................................................................................................!37!
Part)IV:)Recommendations)for)USCYBERCOM).....................................................................................)39)
Appendix)1:)Subject)Matter)Expert)Interview)List)...............................................................................)43)
Appendix)2:)Crisis)Stability)in)Cyberspace)...........................................................................................)44)
Appendix)3:)Cyberspace)Escalation)Dynamics).....................................................................................)47)
Appendix)IV:)About)the)Authors).........................................................................................................)51)
Bibliography).......................................................................................................................................)53)
!

4
! ! !
Introduction!
!
The cyber domain presents a multitude of vulnerabilities and opportunities for actors in
cyberspace.1
Inevitably, states will seek to dominate cyberspace and use it to their advantage and
as a tool of policy. As states take advantage of opportunities to exploit cyberspace, cyber
conflicts will arise. USCYBERCOM and the U.S. Government must find a way to protect United
States interests from cyber attacks of significant consequence, including “loss of life, significant
damage to property, serious adverse U.S. foreign policy consequences, or serious economic
impact on the United States,”2
by deterring malicious actors.
We suggest a cyberspace
deterrence strategy which integrates a
“4-Point Norms Plan” with offensive
and defensive capabilities. For the
majority of cyber threats faced by the
U.S., a defense-first approach is
sufficient. High-level threats, such as
those posed by Russia or China,
require a punishment-based
deterrence policy. These actors are
unlikely to be deterred by anything
but the threat of retaliation. In order
to make credible threats, cross-
domain response is necessary.
To establish and sustain such a strategy, the United Stated must promote several norms in
the international environment. This 4-Point Norms Plan will guide U.S. policies and enable
collective responses.3
The four norms incorporated in the plan are: (1) states shall not attack
other states’ civilian critical infrastructure; (2) the right to respond to “grave and imminent”
dangers; (3) responses must be reasonable and proportional; and (4) states should clearly
communicate justifications for acting offensively in response to malicious cyber activities.
Currently, there are two competing international models for the governance of
cyberspace: the multistakeholder and sovereignty-based models. The U.S. Department of State
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1
U.S. Department of Defense, The DOD Cyber Strategy (Washington D.C.: Department of Defense, 2015), 1.
http://www.defense.gov/home/features/2015/0415_cyberstrategy/Final_2015_DOD_CYBER_STRATEGY_for
_web.pdf. “We are vulnerable in this wired world. Today our reliance on the confidentiality, availability, and
integrity of data stands in stark contrast to the inadequacy of our cybersecurity. The Internet was not originally
designed with security in mind, but as an open system to allow scientists and researchers to send data to one another
quickly.”
2
U.S. Department of Defense, The DOD Cyber Strategy, 5.
3
Ibid., 10. “As DoD builds its Cyber Mission Force and overall capabilities, DoD assumes that the deterrence of
cyberattacks on U.S. interests will not be achieved through the articulation of cyber policies alone, but through the
totality of U.S. actions, including declaratory policy…” (emphasis added). Ibid.

5
! ! !
proposes the multistakeholder governance model, which seeks a free and open internet. In
contrast, the sovereignty-based model seeks to ensure state control over their respective cyber
territory. These two opposing perspectives on regulation present a serious challenge for
policymakers seeking to establish governance of cyberspace.
The 4-Point Norms Plan seizes upon the intersection between the two governance
models. The significant differences in principles between these two models have the potential to
delay the development of an international consensus on cyberspace. The U.S. should continue to
advocate the multistakeholder model and an open Internet for the long-term. However, in the
short-term, the norms promoted in the 4-Point Norms Plan will appeal to states and non-state
stakeholders alike, and if formalized, will ensure more clarity and establish space for potential
cooperation in the governance of cyberspace. These norms represent generally accepted
behaviors that will facilitate the employment of a successful deterrence strategy and will, over
time, build consensus among all stakeholders, lead to effective cooperation between states, and
serve as the foundation for a more formal approach to the governance of cyberspace.
This report consists of four parts. The first part addresses deterrence in cyberspace, cyber
threats, and difficulties associated with cyber deterrence. Part II examines characteristics of
successful norms, norm development, and trends of norm development in cyberspace. Part III
addresses the dominant discourse on internet governance. Finally, Part IV provides
recommendations for USCYBERCOM.

6
! ! !
Part!I:!Deterrence!
The last five years have seen changes in the United States’ approach to cyber operations.
The 2011 Department of Defense Strategy for Operating in Cyberspace emphasizes defense
without mention or allusion to the need for offensive cyber capabilities. In this strategy, the
balance of capabilities promoted consists of good cyber hygiene at the lowest levels and active
cyber defense at the highest.4
The 2015 Department of Defense Cyber Strategy signals a shift
towards a cross-domain deterrence strategy. The new document names adversaries, highlights
enhanced attribution capabilities, and acknowledges the possibility of offensive cyber operations.
According to the document, “the Defense Department has! developed capabilities for cyber
operations and is integrating those capabilities into the full array of tools that the United States
government uses to defend U.S. national interests, including diplomatic, informational, military,
economic, financial, and law enforcement tools.”5
Unlike the 2011 strategy, the new 2015
strategy signals an increased willingness to engage in offensive cyber operations and engage in
deterrence via punishment.
The 2015 Department of Defense Cyber Defense Strategy clearly identifies Russia,
China, North Korea, and Iran as key cyber threats.6
This is a departure from the 2011
Department of Defense Strategy for Operating in Cyberspace which remains ambiguous as to
which states are considered ‘potential adversaries.’ By acknowledging that Russia, China, North
Korea, and Iran have “invested significantly in cyber as it provides them with a viable, plausibly
deniable capability to target the U.S homeland and damage U.S. interest,” the U.S. shortens the
list of likely suspects when seeking to attribute a cyber attack. 7
The U.S. communicates its ability to attribute cyber attacks through both declaratory
policy and actions. This contributes to a deterrence strategy by making threats of retaliation
credible. The 2015 Department of Defense Cyber Defense Strategy states that, “On matters of
intelligence, attribution, and warning, DoD and the intelligence community have invested
significantly in all source collection, analysis, and dissemination capabilities, all of which reduce
the anonymity of state and non-state actor activity in cyberspace.”8
Also of significance was the
2014 official U.S. attribution of the Sony hacks to North Korea and a U.S. response emphasizing
economic sanctions – a cross-domain response.
Although only acknowledging ‘offensive’ cyber operations by name once, the 2015
strategy makes several mentions of ‘cyber operations.’ For example, “DoD should be able to use
cyber operations to disrupt an adversary’s command and control networks, military-related
critical infrastructure, and weapons capabilities.” By communicating, even implicitly, that it has
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4
Active Cyber Defense refers to “DoD’s synchronized real-time capability to discover, detect, analyze, and mitigate
threats and vulnerabilities.” U.S. Department of Defense, Department of Defense Strategy for Operations in
Cyberspace (Washington D.C.: Department of Defense, 2011), 7.
http://www.defense.gov/news/d20110714cyber.pdf.
5
U.S. Department of Defense, The DOD Cyber Strategy, (Washington D.C.: Department of Defense, 2015), 2.
6
Ibid., 9.
7
Ibid.
8
Ibid., 11-12.

7
! ! !
offensive cyber capabilities, the U.S adds another tool enhancing the credibility of punishment
threats.
The articulation of these trends in U.S declaratory policy communicates to potential
adversaries the intent of the U.S. to respond to cyber attacks of “significant consequence.”9
The
will to carry out this stated threat is demonstrated by costly signals, such as the creation of U.S.
Cyber Command. The rapid development of a U.S. cyber deterrence policy deserves recognition,
though more remains to be done. Although declaring that the U.S. will self-constrain cyber
operations “as required to protect human lives and to prevent the destruction of property,”10
neither the 2011 nor 2015 DoD cyber defense strategies address the role norms play in
deterrence, which is to establish commonly accepted thresholds of behavior. These thresholds
then determine when an adversaries’ behavior is no longer acceptable and may be met with a
response. Therefore, the Norms-Based Cyber Deterrence Strategy proposed in this paper fills a
gap in current U.S. cyber deterrence strategy.
A.)Deterrence)in)Cyberspace)
Deterrence is by no means a new concept. The history of international politics is rife with
instances of states and individuals using threats of violence to compel or deter. In this section, we
explore the core concepts of deterrence theory and apply them to cyberspace.
1.)Traditional)Deterrence)Theory)
Since the advent of nuclear weapons at the end of World War II, the national security
community has been wrestling with the strategic problems presented by nuclear weapons and
possible solutions to the challenges they create.11
Traditional deterrence theory is the product of
this discourse. At its simplest, deterrence is a bargaining process between adversaries. Charles
Glaser defines successful deterrence as the raising of an adversary’s costs and probable costs of
launching an attack above the benefits and probable benefits that could be achieved by that
attack.12
To simplify further, this can be distilled as:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
9
Ibid., 5.
10
Ibid, 6.
11
Thomas C. Schelling, Arms and Influence (New Haven: Yale University Press, 1966). Also see Albert Wohlstetter
“The Delicate Balance of Terror," Foreign Affairs 37, no. 2 (1958): 211-234; Bernard Brodie, Strategy in the Missile
Age (Princeton, NJ: Princeton University Press, 1959); Herman Kahn, On Thermonuclear War (Princeton, NJ:
Princeton University Press, 1960); Glenn Herald Snyder, Deterrence and Defense: Toward a Theory of National
Security, (Princeton, NJ: Princeton University Press, 1961); Robert Jervis, Perception and Misperception in
International Politics (Princeton, NJ: Princeton University Press, 1976); Robert Jervis, The Meaning of the Nuclear
Revolution: Statecraft and the Prospect of Armageddon (Ithaca: Cornell University Press, 1989); and Kenneth
Waltz, Theory of International Politics, (Addison-Wesley Pub. Co., 1979). On deterrence issues pre-nuclear
weapons, see George H. Quester, Deterrence Before Hiroshima (New York: Wiley, 1966); on conventional
deterrence see John J. Mearsheimer, Conventional Deterrence (Ithaca: Cornell University Press, 1983).
12
Charles L. Glaser, "Deterrence of Cyber Attacks and U.S. National Security," 2011 Developing Cyber Security
Synergy (2011): 1. See also Patrick M. Morgan, "Applicability of Traditional Deterrence Concepts and Theory to the
Cyber Realm," In Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing
Options for US Policy 58, no. (2010): 55-56.

8
! ! !
P(C) x C > P(B) x B
Probability of Costs x Costs > Probability of Benefits x Benefits
As stated in the 2015 DoD Cyber Strategy, “deterrence is partially a function of perception. It
works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an
attack on the United States, and by decreasing the likelihood that a potential adversary’s attack
will succeed.”13
Of course, this logic holds little power for policymakers if it cannot be manipulated.
There are two broad mechanisms for changing an adversary’s cost-benefit analysis: punishment
and denial. Deterrence by punishment is a mechanism in which pain or other consequences are
threatened in retaliation to a potential attack. Conversely, deterrence by denial is a proactive
method, requiring capabilities to either deny the adversary success or lead them to determine that
the probability of success is too low to achieve any potential benefits.14
The former method
chiefly affects the left side of the deterrence equation, while the latter affects the right.
Punishment and denial are not mutually exclusive; indeed, it would be foolish to ignore one in
favor of the other.
Both of the aforementioned deterrence strategies have basic requirements. These are
broken down into three categories.15
The first is communication, which is a necessary component
of the bargaining process between adversaries. Without communication, there is no bargaining
process and the other two requirements of deterrence are essentially meaningless. The second
requirement is capability. This requires that the defender actually possesses the capabilities to
retaliate effectively against an adversary in response to an attack, or at least convince the
adversary that retaliation is possible. The final and most difficult requirement of deterrence is
credibility. Credibility is a combination of both the perceived will to carry out a threat and the
ability to carry out such a threat.16
The question, then, is how one can determine whether a threat
is credible?
Darryl Press argues that credibility is determined by a combination of the balance of
power plus interests and not by the past behavior of adversaries.17
While much of this argument
is logical and persuasive, it does not successfully refute the argument that reputation is important
in bargaining, which has been continually demonstrated in international politics throughout
history.18
Credibility is always the most important yet the weakest link in the concept of
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
13
U.S. Department of Defense, The DOD Cyber Strategy, 11.
14
Glaser, "Deterrence of Cyber Attacks and US National Security,” 2 and Martin C. Libicki, Cyberdeterrence and
Cyberwar (Santa Monica: RAND Corporation, 2009), 7.
15
Glaser, "Deterrence of Cyber Attacks and US National Security," 2 and Kenneth Geers, "The Challenge of Cyber
Attack Deterrence," Computer Law & Security Review 26, no. 3 (2010): 299.
16
Glaser, "Deterrence of Cyber Attacks and US National Security," 2.
17
Darryl G. Press, Calculating Credibility: How Leaders Assess Military Threats, (Ithaca and London: Cornell
University Press, 2007), 6.
18
For an argument on the formation and effect of reputations see Jonathan Mercer, Reputation & International
Politics (Ithaca and London: Cornell University Press, 1996).

9
! ! !
deterrence precisely due to its ambiguity and will likely always be a source of worry for policy
makers.
2.)Deterrence)Concepts)in)the)Context)of)Cyberspace)
This well-established logic gained prominence from nuclear strategy, but it applies
broadly across many domains. However, the inherent differences in those domains can lead to
varying conclusions when deterrent logic is applied. Before discussing the specifics of applying
deterrence theory to cyberspace, it is important to establish some definitions, as provided by the
Department of Defense and Department of Homeland Security:
Cyberspace: (DoD definition) A global domain within the information environment consisting
of the interdependent network of information technology infrastructures and resident data,
including the Internet, telecommunications networks, computer systems, and embedded
processors and controllers.19
Critical Infrastructure: (DHS definition) Critical infrastructure are the assets, systems, and
networks, whether physical or virtual, so vital to the United States that their incapacitation or
destruction would have a debilitating effect on security, national economic security, national
public health or safety, or any combination thereof.20
As previously discussed, the cyber domain is not quite like any other seen in history.
However, the recognition that differences exist between the cyber and nuclear realms does not
preclude drawing comparisons. In fact, cyber deterrence may have more in common with nuclear
and conventional deterrence than is generally thought. Deterrence, be it conventional, nuclear,
legal, cyber or otherwise, follows the same core logic laid out in the equation highlighted above.
As such, actors have the same tools, punishment and denial, available to them in constructing an
appropriate deterrence strategy. The only difference is that there is a spectrum of the
effectiveness of each tool. Depending on the type of deterrence, for example nuclear, cyber,
and/or conventional, the individual capability requirements associated with punishment and
denial will vary.
Punishment in the cyber realm has aspects unique to that type of battlespace. The basic
goal is unchanged: to impose costs unacceptable to an attacker as well as to effectively
communicate that capability to the attacker. The difference is how this goal is pursued.21
Broadly
speaking, there are two ways to accomplish this in cyberspace: retaliation by striking back,
directly causing damage, or some sort of legal or political action to impose costs on the attacker
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
19
Joint Staff, Joint Publication 1-02 2001: Department of Defense Dictionary of Military and Associated Terms
(Washington D.C: Joint Staff, 2001), 58 and Joint Staff, Joint Publication 3-12 2013: Cyberspace Operations
(Washington D.C: Joint Staff, 2013), V.
20
U.S. Department of Homeland Security, “What is Critical Infrastructure?” last modified November 1, 2013,
http://www.dhs.gov/what-critical-infrastructure.
21
Patrick M. Morgan, "Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm."
In Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S
Policy 58 (2010): 61-62.

10
! ! !
through other mechanisms.22
While it may seem that these methods of retaliation are largely
state-focused, the current global war on terror demonstrates that such responses against non-state
actors and individuals are not outside the realm of possibility.23
Retaliation by striking back against an attacker need not remain in the cyber realm.
Assuming the source of the attack can be determined, a retaliatory response is possible through
informational, military, economic, and political means.24
The requirements of such a response
require a robust forensic capability to accurately identify the attacker, cyber capabilities for an
in-domain response, military capabilities for a kinetic response, or the economic and political
means to impose costs in those respective domains.
Retaliation using legal action or political action closely relates to striking back but
imposes costs through indirect means rather than direct action. For the more minor threats of
hacktivism, criminal hacking, and even espionage, this could be accomplished by simply
prosecuting the individuals responsible in the appropriate jurisdiction (which, of course, can be
difficult to determine).25
Another method is the practice of “naming and shaming”. The logic
behind this is similar to that of the Secretary of State’s list of “state sponsors of terrorism.”26
Identifying the perpetrators of cyber attacks exposes the acts to the international public
discourse, which can be manipulated to develop consequences for such actions in the
international community through multilateral institutions. These consequences could include the
imposition of economic sanctions against the attacker, the exclusion from international trade
talks and institutions, or suspension of economic or military aid if applicable. This type of action
can foster international cooperation in not only attribution investigations but also punishing
identified attackers.
Denial also applies in cyberspace. As discussed earlier, the goal of denial is to deny the
adversary success or lead them to determine that the probability of success is too low and
potential costs are too high to achieve any benefits. Limiting access and building system
resiliency accomplishes this in cyberspace. The Department of Defense Cyber Strategy posits
that basic cybersecurity procedures are typically enough to defend against the majority of
intrusions.27
One basic tactic to use in a strategy of denial is simply to limit access. Some of this
burden falls on individual users and the need to practice good cyber hygiene such as not opening
unfamiliar email attachments, controlling physical access to individual computer stations, and
other personnel-based security tactics. However, access-limiting functions can also be built into
networks and computers. The Trusted Internet Connections Initiative, which physically changes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
22
Eric Talbot Jensen, “Cyber Deterrence,” Emory International Law Review 26, no. 2 (2012): 792-793.
23
Eric Sterner, "Retaliatory Deterrence in Cyberspace," Strategic Studies Quarterly 5, no. 1 (2011): 71.
24
Morgan, "Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm," 75 and Jensen,
“Cyber Deterrence,” 793-794.
25
Jensen, “Cyber Deterrence,” 800-801.
26
Brian M. Mazanec and Bradley A. Thayer, Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace
(Basingstoke: Palgrave Macmillan, 2015): 68.
27
U.S. Department of Defense, The DoD Cyber Strategy, 5.

11
! ! !
the network infrastructure of the United States Government, therefore limiting access points
available to outside sources, is an example of such a system.28
The combination of both cyber
hygiene and access-limiting functions prevents unauthorized access and the ability of attackers to
exploit said access.
Another important component to deterrence by denial in cyberspace is system resiliency.
A resilient system or network possesses the ability to recover or regenerate its performance after
an unexpected event or change degrades its performance.29
Key components of resilient systems
go beyond just hardware and software; they also include the operators who use them. All must be
capable of operating under degraded conditions, recovering from degradation quickly,
determining what went wrong, and designing a solution to improve the system and prevent such
a failure in the future.30
System redundancy is an additional key technical component of
resiliency in that it allows the continued capacity of the system to operate if some part of it is
forced offline or manipulated through some sort of attack.31
If a system is sufficiently resilient, it
can continue to operate securely and deny an attacker its goals to either break the system or
manipulate it to their ends. An example of this was the indirect assistance Google provided to
Georgia after the denial of service attacks it suffered in 2007. By moving the sites under attack to
Google infrastructure, the Georgian Government was able to keep its systems operating and thus,
the goals of the attacks were denied.32
Active cyber defense (ACD) is a unique mechanism in that it blurs the line between
punishment and denial. The official Department of Defense definition of ACD is as follows:
“Active cyber defense is DoD’s synchronized, real-time capability to discover, detect, analyze,
and mitigate threats and vulnerabilities…using sensors, software, and intelligence to detect and
stop malicious activity before it can affect DoD networks and systems.”33
Once an attack is
detected, an active defense system presents multiple options for dealing with it. First, it can use
forensics to determine the type and source of the attack. It can also track the attack in real time
and attempt to determine what the specific target is. Second, it could also deliberately lead an
attack towards false or useless information full of errors as part of a deception operation. Third,
the system can simply stop the attack in its tracks. Finally, it can use the attack to remotely gain
access to the attacker’s system and launch a counterattack.34
While possessing the ability to
counterattack, an active cyber defense system allows for a range of denial capabilities in addition
to the capability to impose punishment.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
28
Ibid., 61.
29
Igor Linkov et al., “Resilience Metrics for Cyber Systems,” Environment Systems and Decisions 33, no. 4
(December 2013): 471–76, doi:10.1007/s10669-013-9485-y.
30
Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar!: What Everyone Needs to Know (New York:
Oxford University Press, USA, 2013), 170-172.
31
Jensen “Cyber Deterrence,” 814.
32
K.A. Taipale, "Cyber-deterrence," Law, Policy and Technology: Cyberterrorism, Information, Warfare, Digital
and Internet Immobilization (Hershey, PA: IGI Global, 2010), 36-37.
33
U.S. Department of Defense, Department of Defense Strategy for Operations in Cyberspace, 7.
34
Irving Lachow, Active Cyber Defense: A Framework for Policymakers (Washington D.C: Center for New
American Security, 2013), 5-7.

12
! ! !
The ability to automatically counterattack can be problematic. Executed perfectly, “The
traceback capabilities of active defenses will ensure that these measures target only the source of
the cyber attack. This would greatly reduce collateral damage relative to that which would result
from the use of kinetic weaponry, thus helping to achieve proportionality; distinguish the
attacking system (the military objective) from protected places, property, and civilians; and
minimize the unnecessary suffering that would be the probable result of a kinetic use of force.”35
However, ACD technical limitations make tracking attacks back through intermediate systems
difficult. Even if a defender overcomes these technical limitations, and correctly identifies an
attack source, a system administrator would still be required to ‘map’ the attacking network.
Failure to do so “may well lead to accidental targeting of innocent systems, resulting in
unintended and excessive collateral damage” that could spark a dangerous escalating spiral of
retaliation and counter-retaliation.36
3.)Difficulties)Associated)with)Cyberspace)Deterrence)
According to the conventional wisdom, the cyber realm is offense-dominant. It is an
inherently asymmetric battlespace, where a “dozen determined computer programmers can, if
they find a vulnerability to exploit, threaten the United States’ global logistics networks, steal its
operational plans, blind its intelligence capabilities, or hinder its ability to deliver weapons on
target.”37
Offense is cheap, and the countries that rely on cyber capabilities most (such as the
United States) are the most vulnerable. As Peter Singer writes, “the nations most skilled at
throwing rocks live in the biggest glass houses.”38
If, as these arguments assert, cyberspace is offense-dominant, the implication is that
deterrence is difficult. Two key factors contribute to this offense-dominance assumption:
namely, the advantage of striking early and the difficulty of attribution. A discussion of these
factors follows, as well as reasons why the offense-dominance assumption may not be entirely
accurate.
Early-Strike Advantage. The highly specific nature of offensive cyber capabilities
favors a quick attack before a potential target can patch the hole necessary for successful attack.
According to Martin Libicki and David Gompert, “Because most cyber attacks exploit some
piece of vulnerable computer code, they can reveal the source of weakness, allowing…the
problem [to be] solved. The difficulty of duplicating cyber attacks supports the logic of early use
and prompt exploitation in order to maximize their effect.”39
There is, if not a first-strike
advantage, then an early-strike advantage inherent in cyber warfare. A Naval Postgraduate
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
35
David E. Graham, “Cyber Threat and the Law of War,” Journal of National Security Law and Policy 4, no. 87
(2010): 99.
36
Graham, “Cyber Threats and the Law of War,” 100.
37
William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs 89, no. 5
(September/October 2010): 98-99.
38
Singer and Friedman, Cybersecurity and Cyberwar, 152.
39
David C. Gompert and Martin C. Libicki, “Cyber Warfare and Sino-American Crisis Instability,” Survival: Global
Politics and Strategy 56, no. 4 (August-September 2014): 12.

13
! ! !
School paper employed game theory to examine the decision to “attack or wait” in cyberspace.
The paper assumes that if a player waits to launch a cyber attack, his payoff could be higher
based on the maturity of the munition, but he also risks the chance that his opponent discovers
the exploit, rendering the munition worthless. The authors conclude that success favors rapid
action and any capabilities that could offset the cost of waiting are generally unattainable.40
Stephen Van Evera, discussing offense dominance, argues that a first-strike advantage is
destabilizing and can lead to war. If there is a perceived first-strike advantage, “States grow more
trigger-happy, launching first strikes to exploit the advantage of the initiative, and to deny to an
opponent.”41
The incentive to launch a cyber attack before it becomes worthless also creates a
window of opportunity for the attacker and window of vulnerability for the target. Van Evera
argues that windows of vulnerability are larger in an offense-dominant environment, which
“bolsters arguments for shutting ‘windows of vulnerability’ by war.”42
Thomas Rid, however, does not dispute this characteristic but argues that it actually
makes cyberspace more defense-dominant. Once a weapon is used, Rid argues, it will be
defended against, possibly making it impossible to use again. “And a weapon, even a potent one,
is not much of a weapon if an attack cannot be repeated. Any political threat relies on the
credible threat to attack or to replicate a successful attack. If that were in doubt, the coercive
power of a cyber attack would be drastically reduced.”43
While the incentive to attack early does
exist, an attacker’s decision-making must also factor in that the use of that weapon will likely
neuter its coercive power.
Attribution. The anonymity of the Internet permits an attacker to “cover his tracks,”
making it difficult for the target to identify where the attack came from. “Packets can be bounced
through multiple machines on their way to the target. They can be routed through a bot that only
needs to erase the packet’s originating address and substitute its own to mask the true origin.
Attacks can be implanted beforehand in any machine that has been compromised.”44
Some
analysts argue that attribution is the most difficult problem in cyberspace. One hundred percent
certainty is almost impossible to achieve when determining the origin of an attack.45
An attacker
that is confident in its ability to mask its attack’s origins may feel immune to retaliation. If a state
cannot identify its attacker, it cannot launch a counteroffensive.
However, some analysts argue that attribution is challenging but not impossible. Martin
Libicki of the RAND Corporation argues that there are two components to attribution:
determining who perpetrated an attack and then proving that that entity did it.46
He goes on to
say the United States is able to establish a probability of who did it, but proving it publicly is
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
40
Harrison C. Schramm, David L. Alderson, W. Matthew Carlyle, and Nedialko B. Dimitrov, “A Game Theoretic
Model of Strategic Conflict in Cyberspace,” Military Operations Research 19, no. 1 (2014): 5-17.
41
Stephen Van Evera, “Offense, Defense, and the Causes of War,” International Security 22, no. 4 (Spring 1998): 9.
42
Ibid.
43
Thomas Rid, “Think Again: Cyberwar,” Foreign Policy 192, (2012): 80-84.
44
Martin C. Libicki, Cyberdeterrence and Cyberwar, 44.
45
Robert Chesney, interview by Gregory Holm and Robert McDyre, February 18, 2015.
46
Martin C. Libicki, interview by Andrew Ericson, Kyle Fowler, and Kristina Miller, March 6, 2015.

14
! ! !
more difficult.47
Thomas Rid and Ben Buchanan argue that the states most connected to the
Internet and thought to be the most vulnerable to cyber attack are conversely the ones that have
the resources to investigate and attribute attacks more effectively.48
Furthermore, Rid and
Buchanan echo a sentiment not uncommon among those within the government: attribution has
been happening successfully for a long time.49
Moreover, the argument that attribution is an insurmountable challenge ignores the
existence of outside information. Attribution can be difficult, but when taking the current
political climate and the sophistication of a hypothetical cyber attack into account, the number of
actors that could realistically be responsible is limited. If attribution is not nigh impossible, an
attacker cannot take for granted that they will escape undetected. Against a state with the
capabilities of the United States, “an intruder needs to make only one mistake, and the defender’s
forensic analysis could find the missing forensic clue to uncover an operation.”50
In addition, the
United States has made significant investments in all source intelligence, analysis of said
intelligence, and has increased its information dissemination capabilities, all of which eases the
burden required for attribution.51
While there are certainly challenges associated with attribution,
especially compared to the conventional or nuclear realms where attack origins are much clearer,
the political context and need for an attacker to perfectly cover its tracks makes attribution much
more feasible than some scholars admit.
Cyberspace cannot be easily categorized as simply offense- or defense-dominant. The
target of the cyber attack determines the dominance of cyber weapons. This is largely dependent
upon stakes. The lower the value of the target, the more offense dominates; conversely, defense
dominates when the stakes are higher.52
Due to this spectrum of stakes, categorizing cyber
weapons as offense- or defense-dominant is not particularly a useful exercise.
B.)Cyber)Threat)Assessment)
Given the wide range of actors operating in cyberspace, it is important to determine
which ones pose the largest threat to the United States. Any deterrent strategy used by the U.S.,
regardless of the domain, should primarily focus on the most serious threats first. As a function
of resources and commitment, cyber threats can be assessed and classified. A 2012 report from
Sandia National Laboratory presents a system for such an assessment illustrated in Table 1 below
and Table 2 on the following page. It is possible to sort actors into high-, medium-, and low-level
threat categories using this threat matrix. Since goals and capabilities vary across categories,
different approaches are required by the United States.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
47
Libicki, interview.
48
Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, no. 1-2 (2015): 31.
49
Ibid.
50
Ibid., 32.
51
U.S. Department of Defense, Department of Defense Strategy for Operations in Cyberspace, 11.
52
Jon Lindsay, interview by John J. Walter, Andrew Ericson, and Michael Bertoli, March 17, 2015.

15
! ! !
Threat Level
Threat Profile
Commitment Resources
Intensity Stealth Time
Technical
Personnel
Knowledge
Access
Cyber Kinetic
1 H H Years to decades Hundreds H H H
2 H H Years to decades Tens of tens M H M
3 H H Months to years Tens of tens H M M
4 M H Weeks to months Tens H M M
5 H M Weeks to months Tens M M M
6 M M Weeks to months Ones M M L
7 M M Months to years Tens L L L
8 L L Days to weeks Ones L L L
Table 1: General Threat Matrix for Assessment of Cyber Threats53
Attribute Definitions
Commitment Resources
Term Definition Term Definition
Intensity The diligence or persevering
determination of a threat in
pursuit of its goal.
Technical
Personnel
The number of group members
that a threat is capable of
dedicating to the building and
deployment of technical
capability in pursuit of its goal.
Stealth The ability of the threat to
maintain a necessary level of
secrecy throughout the pursuit of
its goal.
Cyber
Knowledge
The threat's level of theoretical
and practical proficiency relating
to computers, information
networks, or automated systems.
Time The period of time that a threat is
capable of dedicating to
planning, developing, and
deploying methods to reach an
objective.
Kinetic
Knowledge
The threat's level of theoretical
and practical proficiency relating
to physical systems, the motion
of physical bodies, and the forces
associated with that movement.
Access The threat's ability to place a
group member within a restricted
system--whether through cyber
or kinetic means--in pursuit of
the threat's goal.
Table 2: Attribute Descriptions for Table 1 General Threat Matrix 54
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
53
Jason Neal Frye et al., Cyber Threat Metrics (Albuquerque: Sandia National Laboratories, 2012), 13-16.
54
Ibid.

16
! ! !
1.)HighWLevel)Threats)
The high-level threats comprise threat levels 1-3 on the matrix. These actors possess a
high level of commitment and moderate-to-high levels of resources. Examples of the highest
threat level (1) would be Russia and China. These countries have a history of successfully
completing complex cyber attacks. Possibly the most nefarious group in China, People’s
Liberation Army (PLA) Unit 61398, targeted 141 companies in 20 major industries over a period
of at least 7 years, and stole a large volume of intellectual property.55
Russia, on the other hand,
has orchestrated well-publicized attacks on the governments of Georgia and Estonia.
Actors classified into threat levels 2 and 3 share the same high level of commitment as
those at threat level 1, yet lack the resources to launch truly devastating attacks. Prominent
examples of these types of actors are North Korea and Iran. These countries have also
successfully launched complex cyber attacks (targeting Sony Entertainment Pictures America
and Saudi Aramco, respectively), but probably would not find that same success in targeting
United States Government infrastructure. These countries lack the ability to launch a devastating
attack on the United States, but likely aspire to achieve the degree of technical ability to do so.
China, Russia, North Korea, and Iran all possess cyber ambitions driven by political and
military aspirations. These regimes often consider cyberspace a mechanism for regime security,56
as well as a means to possibly counter the warfighting advantage of conventionally superior
adversaries.57
Notable in the descriptions of this high-level threat group is the lack of any non-
state actors. Indeed, no non-state actors have the capabilities of this group at present. Those that
do likely are not driven by the same international political concerns that motivate these states.
These regimes cannot ensure survival or lessen a conventional warfighting advantage by
engaging in attacks that are merely a nuisance for the United States. A denial-only strategy is
unlikely sufficient to deter these actors, as they can devote the necessary resources to developing
an effective cyber munition. Therefore, a strategy of deterrence by punishment is necessary when
attempting to limit these actors in cyberspace. The high-level nature of their targets requires
USCYBERCOM to develop a strong deterrent strategy, which can only be achieved through
punishment.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
55
Mandiant, APT 1: Exposing One of China’s Cyber Espionage Units, February 2013,
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
56
See, Nikolas K. Gvosdev, “The Bear Goes Digital: Russia and its Cyber Capabilities,” in Cyberspace and
National Security: Threats, Opportunities, and Power in a Virtual World, ed. Derek S. Reveron. (Washington, D.C.:
Georgetown University Press, 2012), 173-189; Amy Chang, Warring State: China’s Cybersecurity Strategy (Center
for a New American Security, December 2014), 7-12, http://www.cnas.org/sites/default/files/publications-
pdf/CNAS_WarringState_Chang_report_010615.pdf.; Gabi Siboni and Sami Kronenfeld, “Iran and Cyberspace
Warfare,” Military and Strategic Affairs 4, no. 3 (December 2012): 77–100.
57
Nir Kshetri, “Cyberwarfare in the Korean Peninsula: Asymmetries and Strategic Responses,” East Asia 31, no. 3
(September 2014): 183–201, doi:10.1007/s12140-014-9215-1 and Chang, Warring State.

17
! ! !
)
2.)MidWLevel)Threats)
The mid-level threats are comprised of threat levels 4-6, reflecting moderate levels of
both commitment and resources. These actors are lower-threat states or well organized non-state
actors. These types of non-state actors include transnational criminal organizations, terrorist
groups, and political/activist groups who have some skill in cyberspace. Examples of these actors
are Venezuela, Anonymous and the Islamic State of Iraq and the Levant (ISIL).
The actors in threat levels 4-6 seek to accomplish more limited goals in cyberspace,
compared with the high-level threat group. State actors in this classification, by definition, do not
have the same level of resources or commitment as a Russia or China. Criminal organizations in
cyberspace are primarily concerned with generating profits and accomplishing financial goals.58
Evidence shows that terrorists primarily use cyberspace not as an avenue for attack, but rather for
recruitment, communication, fundraising, and propaganda.59
Because these actors have more limited aims, they are less likely to embark on a mission
to harm the national security of the United States through cyberspace. If they did embark on such
a mission, they likely do not have the resources to accomplish that goal. However, these actors
are capable of causing economic damage. Therefore, to lessen the impact of these actors,
defensive measures are recommended. Measures such as intelligence, law enforcement,
improved private sector security, resiliency, and individual cyber hygiene should suffice in
limiting the damage done by these attacks, so a focused deterrent strategy from USCYBERCOM
is not necessary for these mid-level threats.
3.)LowWLevel)Threats))
Threat levels 7-8 are characterized by small groups of actors with even fewer resources
and personnel than the other groups. These are non-state actors with poor organization, poor
cyber capabilities, or both. The threat posed by these actors is a nuisance at worst; therefore,
personal cyber hygiene, improved private sector security, and overall resilience in networks
should be adequate to limit the damage done at this threat level. No USCYBERCOM deterrent is
necessary.
C.)Deterrence)by)Punishment)
Assessing cyberspace threats leads to two conclusions for the United States. First, for the
vast majority of threats, a defense-first strategy should be adequate. Such a posture may deter
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
58
Roderic Broadhurst, et al. “Organizations and Cyber Crime: An Analysis of the Nature of Groups Engaged in
Cyber Crime,” International Journal of Cyber Criminology 8, no. 1 (January 2014): 1–20.
59
Singer and Friedman, Cybersecurity and Cyberwar, 99.

18
! ! !
some actors from attacking, but, as Martin Libicki argues, if deterrence fails and the attack is
denied by defenses, the deterrence failure is irrelevant to the attacked state.60
The essence of
defense is limitation of damage. If fewer attacks are launched because of a deterrent effect, so
much the better.
Second, the threats that require deterrence are unlikely to be deterred by denial only.
These actors have such a high degree of commitment to orchestrating cyber attacks and resources
to find exploits that only perfect defenses could keep them out. Cyber defenses will likely never
be completely perfect; therefore, deterrence by punishment is required for these actors.
This conclusion raises the question of how best to deter via punishment. Any threat of
punishment must take into account escalation risks. Perhaps the least escalatory retaliation is one
that is strictly in-kind, i.e., a cyber attack merits a strictly cyber retaliation. However, as
previously noted, it can be difficult to demonstrate cyber offensive capabilities, which may
diminish the deterrent ability of such a policy. The next section addresses these difficulties.
1.)Capability)Demonstration)
Through public disclosures and revelations, a range of offensive cyberspace capabilities
has become evident. These capabilities exist on a spectrum between two extremes: at one end are
less sophisticated, common, rather inexpensive munitions such as botnets; at the other end are
high-sophisticated, rare, and expensive capabilities like Snake.61
Less sophisticated attacks can
be considered part of the cost of doing business in cyberspace,62
and their ubiquity and relatively
low impact renders investing significant effort into communicating or attributing these attacks a
poor value. These types of attacks are ill suited for use as a retaliatory measure. The actors that
necessitate a strategy of deterrence would unlikely be deterred by low-impact attacks such as
these.
Highly sophisticated weapons, on the other hand, if they can reach the target system, are
much more damaging. These capabilities are resource-intensive and, therefore, not common;
their mechanism to exploit a target’s defenses relies on an exploit not being repaired, and only a
few of these highly-sophisticated weapons will be operating at any given time against any given
target, for fear of detection. After pinpointing one of these capabilities, repairing the exploit
prevents future exploitation of the same mechanism. While these types of capabilities are most
useful for deterrence, because they can cause the most damage and therefore raise costs
considerably, their specialized nature makes communication difficult.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
60
Libicki, interview.
61
Snake, or Ouroboros, is malware that provides control of a system to a remote user; its design suggests that its
designers have “an arsenal of infiltration tools”, and that it contains “all the hallmarks of a high-sophisticated cyber
operation.” “BAE Systems Applied Intelligence Unveils Extent of Venomous Nature of ‘Snake’ Operation”, BAE
Systems, http://www.baesystems.com/article/BAES_165734/bae-systems-applied-intelligence-unveils-extent-of-
venomous-nature-of-‘snake’-operation/.
62
Sites like http://www.digitalattackmap.com show real-time cyberspace attacks, with some degree of attribution.

19
! ! !
Capabilities cannot serve as a deterrent if those capabilities are not revealed. However,
offensive cyber capabilities cannot be revealed in full detail for risk of them no longer being
useful. Therefore, when brandishing offensive capabilities, a balance must be struck between
giving enough information to convince the adversary of a capability but not enough to allow that
adversary to block it. Incomplete information is a necessity for a state attempting to deter by
punishment strictly in the cyber realm. However, incomplete information can also breed crisis
instability and escalation.
2.)CrossWDomain)Response)
A better option for American policymakers wishing to avoid inadvertent escalation is to
leave open the possibility of cross-domain response for certain egregious cyber offenses. This
concept is not novel in American foreign policy; as President Barack Obama stated in response
to the alleged North Korean hacking of Sony Pictures, “We [the United States] will respond
proportionally, and we’ll respond in a place and time and manner that we chose” (emphasis
added).63
Indeed, American retaliation for that particular attack took the form of economic
sanctions.
Maintaining the option of retaliation in the political, economic, and military realms leaves
much less chance for miscalculation from the adversary. While an actor may not be fully aware
of the United States’ offensive cyber capabilities (likely intentionally so), probably would have a
much firmer grasp of U.S. political influence, economic power, and conventional military
superiority. Communication of specific capabilities is not necessary when an understanding of
these types of power already exists in the minds of American adversaries.
Responding outside of the cyber domain could be perceived as escalatory, as some actors
may view the response as disproportional. However, responses can be proportional without being
in-kind. A more appropriate, and accurate, way to view proportionality is to focus on in-kind
effects of retaliation. For instance, a cyber attack that destroys part of the U.S power grid could
be met with a retaliatory air strike against the attacking state’s power grid. Although in this
hypothetical scenario the U.S. response is in a different domain than the attack, it meets the
criteria for proportionality because its effects are in-kind.
However, despite efforts to maintain proportionality and therefore limit escalation risks,
proportionality is still in the eye of the beholder. What may seem proportional to the United
States may seem escalatory to an adversary. Cross-domain response and the potential escalation
it carries may signal to an adversary that the United States is prepared to respond, despite the
costs of doing so. This enhances the deterrent ability of cross-domain threats. While efforts
should be made to keep effects of retaliation proportional, the chance of escalation does not
necessarily weaken the deterrent strategy and may in fact strengthen it. Consistent statements by
United States officials such as President Obama’s response to the alleged Sony hack by North
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
63
Barack Obama, “Remarks by the President in the Year-End Press Conference,” The White House December 19,
2014.

20
! ! !
Korea help reinforce the credibility of cross-domain response by demonstrating to potential
adversaries that such threats of punishment are credible.64
Consistency in statements and retaliatory responses benefit cyber deterrence in two key
ways. First, consistently showing the United States will act in a time, place, and manner of its
own choosing in a potentially highly escalatory environment signals to potential adversaries that
such a response will be forthcoming regardless of escalation risk and shifts the burden of a last
clear chance to avoid potential escalation to the adversary.65
Second, it reinforces the norm that
cyber aggression that crosses the threshold set by the United States’ statements and responses
will not be tolerated. Over time, this expectation will have a greater effect on the behavior of all
states and will move toward becoming generally accepted behavior.
3.)The)Necessity)of)Effective)Communication)
A recurring theme in this
discussion of deterrence by punishment
is the need for communication of
capabilities. Like the doomsday
machine in Stanley Kubrick’s Dr.
Strangelove, a deterrent mechanism
that the adversary is unaware of is
useless. If USCYBERCOM wants to
deter the actors most capable of causing
the country harm, it must clearly
communicate that certain offenses will
not be tolerated and that those offenses
will be met with a response in the
domain of the United States’ choosing.
While it is possible to do this via
consistent declaratory statements, establishing these thresholds and the right to retaliate may be
facilitated by the application of existing norms. The establishment of norms regarding the use of
cyber attacks would provide a framework that can assist in the gradual move toward officially
codified understandings of behavior, setting the basis of a very effective deterrence by
punishment strategy.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
64
Forrest E. Morgan, First-Strike Stability in Space: A Preliminary Assessment (Santa Monica, CA:
RAND Corporation, 2010), 43.
65
Ibid., 43.

21
! ! !
Part!II:!Norms!
A.)Why)Norms?)Characteristics)of)Successful)Norms)
!
The promulgation of norms is vital to a successful cyber deterrence model and successful
governance of cyberspace. Social scientists define norms as “shared expectations of proper
behavior.”66
Norms are vital to building expectations and behaviors that foster generally
accepted principles. Scholars argue that norms lead to multiple positive outcomes for three of
reasons. First, successful norms enacted at the state level encourage other states to adopt the
same norms.67
Additionally, non-compliance with established norms can lead to pressure from
non-governmental organizations, private companies, and other states.68
Finally, successful norm-
implementation permits the application of diplomatic pressure through sanctions or other
measures to influence offending state behavior.69
Three conditions must be met for the implementation of a successful norm.70
The norms
must be “clear, useful, and do-able.”71
Clear norms are structured around established principles.
Norm utility requires that those affected be able to see “clear connections between norm-
following and desired outcomes.”72
Norm implementation in the cyber domain will likely
involve effectively demonstrating that “complying with the proposed norm would actually
produce desired results.”73
Finally, norms must be do-able; that is, it must be easy to for states to
comply. Attaining results in this final prong of norm implementation is often the most difficult
because norm implementation can be expensive, politically risky, or require non-existent
technological infrastructure such as a power grid or extensive access to the Internet.74
This final
prong is particularly difficult too when regarding cyberspace in particular, as norms that may be
desirable for Western, liberal democracies, may be wholly undesirable to non-western and less
democratic states.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
66
Martha Finnemore. “Cultivating International Cyber Norms,” in America's Cyber Future: Security and Prosperity
in the Information Age, 100. 89th ed. Vol. 1, ed. Kristin M. Lord et al. (Washington, D.C: Center for a New
American Security, 2011), 90. See also Merriam-Webster. http://www.merriam-webster.com/dictionary/norms. The
dictionary defines norms as “standards of proper or acceptable behavior.” Ibid.
67
Mark Philips, Jennifer Cole and Jennifer Towers. “Cyber Norms of Behaviour,” 1-9.
https://www.rusi.org/downloads/assets/Cyber_norms_of_behaviour_report_-_Executive_Summary.pdf. 2.
68
Ibid.
69
Ibid.
70
Finnemore, “Cultivating International Cyber Norms,” 91.
71
Ibid.
72
Ibid.
73
Ibid., 92.
74
Ibid., 93.

22
! ! !
)
B.)Norm)Development)
Norms develop in three stages. First, norm promulgation usually involves developing or
“grafting” norms on existing frameworks. A range of suggestions exists for this process in the
cyber realm. Some cyber analysts suggest that existing international law or treaties will provide a
solid foundation for norm grafting, while others point towards norms governing the safety and
use of nuclear weapons and missile technologies. The United States Department of State (State
Department) in its 2014 Report on a Framework for International Cyber Stability, argues that the
State Department should consider proposing models analogous to existing weapons control
agreements such as the Proliferation Security Initiative (PSI).75
Second, following norm promulgation, norm dissemination is required to gain followers
and extend the norm’s influence.76
A challenge to norm dissemination is achieving sufficient
penetration across both the public and private sectors. Due to the interconnectedness of
cyberspace, any adopted norms regime must target a wide array of actors including the private
sector, society, local governments, and the U.S. government as a whole (including federal and
military institutions).77
The third stage of norm cultivation is the institutionalization and socialization of the
norm.78
The institutionalization phase requires that norm adherents develop methods to certify
compliance with the norm. Clearly, this process is made much easier if the norms are codified in
law. However, the creation of international norms is not an easy process. States have different
perspectives on how to use cyberspace as a tool of foreign policy.79
Additionally, states disagree
on the scope and breadth of the term “cybersecurity.” For some states, cybersecurity means
protecting networks from intrusions and for others it is only protecting information.80
There are
two alternatives in overcoming these challenges: a commonly accepted set of norms, or a formal
agreement or treaty.81
For the institutionalization of a norm, it must be socialized as generally
accepted behavior. Alexander Wendt of The Ohio State University argues that institutionalized
norms “are often codified in formal rules and norms, but these have motivational force only in
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
75
International Security Advisory Board, Report on a Framework for International Cyber Stability (Washington,
D.C: U.S. Department of State, 2014), 1-22, http://www.state.gov/documents/organization/229235.pdf and
“Proliferation Security Initiative.” U.S. Department of State. http://www.state.gov/t/isn/c10390.htm.
76
Finnemore, “Cultivating International Cyber Norms,” 91. In a chapter of this work, Finnemore articulates the
primary difficulty with this stage, “the actors least in need of the norm are the first to adopt; actors who most need to
adopt are often the recalcitrants.” Ibid., 96.
77
Ibid.
78
Ibid.
79
Phillips, Cole and Towers, “Cyber Norms of Behaviour,” 1.
80
Charles J. Dunlap Jr, "Perspectives for Cyber Strategists on Law for Cyberwar" Strategic Studies Quarterly 5,
no.1 (2011): 82.
81
Phillips, Cole, and Towers, “Cyber Norms of Behaviour,” 1.

23
! ! !
virtue of actors' socialization to and participation in collective knowledge.”82
Wendt goes on to
argue that collective knowledge extends beyond those individuals and institutions that currently
adhere to or embody the norm.83
This phase is perhaps the most vital to the success of norms as it
represents the process whereby societies move from thinking in individualistic terms to thinking
collectively. Thus, this institutionalization and socialization phase ensures the survivability of the
norm and makes it a more likely candidate for serving as the foundation for a formalized
agreement. The norms incorporated in the 4-Point Norms Plan outlined in Part IV afford
USCYBERCOM the latitude it needs while also working to establish an accepted international
framework for the governance of cyberspace.
C.)Trends)of)Norm)Development)in)Cyberspace)
In the past, efforts to formalize norms of acceptable behavior in cyberspace achieved
mixed results. While in 2013, nations, including China, agreed as part of a UN Group of
Government Experts report that international law should govern behavior in cyberspace
(including promoting peace, stability, and freedom). China also maintained its right to
sovereignty over its cyberspace when it noted, “it is impossible for all countries to do everything
in the same style… [and] it is unfair for one country to criticize others according to its own
policies.”84
Efforts such as these have thus resulted in grand declarations, which have the
potential of contributing to the stability of cyberspace. However, when states begin to add
caveats about how they may choose to adhere to such agreements, those agreements risk
becoming ineffectual.
Even if official efforts to lay out the “rules of the road” for cyberspace have sometimes
been uneven, general norms of what states considered acceptable behavior are emerging. No
state has ever reported that civilians have died because of a cyberattack.85
While a number of
states have the ability to cause death and real damage to civilian infrastructure via cyberattacks,
deaths and highly destructive attacks would likely elevate a situation to cyberwar. The fact that
states seem to be operating with restraint is indication of a norm at work. The United States itself
concedes this point in its new DoD Cyber Strategy.
Indeed, the highest profile examples of a state possibly approaching the threshold of this
norm are the cases of cyberattacks against Estonia in 2007 and Georgia in 2008, widely believed
to have been carried out by Russia.86
While these attacks did not directly lead to death, they were
hugely disruptive to the functioning of Estonian and Georgian societies and they were viewed as
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
82
Alexander Wendt, "Anarchy Is What States Make of It: The Social Construction of Power Politics." International
Organization 46, no 2 (391-425): 399.
83
Ibid.
84
Chang, “Warring State,” 29.
85
Sydney J. Freedburgh, Jr., “’Cyberwar’ is Overhyped: It Ain’t War Til Someone Dies,” Breaking Defense,
September 10, 2013, accessed April 27, 2014, http://breakingdefense.com/2013/09/cyberwar-is-over-hyped-it-aint-
war-til-someone-dies/.
86
IHS Jane’s Intelligence Review, “West accuses Russia of cyber-warfare,” IHS Jane’s 360, December 28, 2014,
accessed March 4, 2015, http://www.janes.com/article/47299/west-accuses-russia-of-cyber-warfare.

24
! ! !
a shot across the bow in cyberspace. These two instances were no doubt some of the influential
factors in many of the security developments in cyberspace thereafter: the creation of NATO
Cooperative Cyber Defense Center of Excellence in Estonia in 2008, the creation of U.S. Cyber
Command in 2009, and the articulation by NATO in 2014 that cyberattacks against NATO
members could trigger Article V.87
Implicit in these developments is that states will take steps to
defend themselves from attacks similar to those launched against Estonia and Georgia. The right
to self-defense is alive and well in cyberspace.
Another component of acceptable behavior in cyberspace is that states tend to respond to
attacks against themselves in a relatively proportional fashion. According to reporting in the New
York Times, the U.S. appears to believe that Iran was the actor behind the 2012 attack against
Saudi Aramco, which destroyed 30,000 computers, as well as distributed denial of service
attacks against JPMorgan and Bank of America in response to apparent Western actions in Iran’s
sphere.88
For high-profile attacks, such as the one launched by North Korea against Sony,
communication also played a role in demonstrating a “proportional response.”89
States benefit by
laying out the rationale for any actions in the international realm, including cyberspace.
While there is still no formal agreement between states regarding appropriate behavior,
these shared understandings of acceptable behavior are emerging and encourage states to act
with restraint, transparency, and reasonableness. The more clear a state’s motivations for actions
in cyberspace, the lower the likelihood of miscalculations and inadvertent escalation—a result
that benefits of every state connected via the worldwide web.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
87
NATO Cooperative Cyber Defense Centre of Excellence, “About Us: History,” https://ccdcoe.org/history.html;
U.S. Strategic Command, “U.S. Cyber Command,” http://www.stratcom.mil/factsheets/2/Cyber_Command/; David
E. Sanger, “NATO Set to Ratify Pledge on Joint Defense in Case of Major Cyberattack,” New York Times, August
31, 2014, accessed April 27, 2015, http://www.nytimes.com/2014/09/01/world/europe/nato-set-to-ratify-pledge-on-
joint-defense-in-case-of-major-cyberattack.html?_r=1.
88
David E. Sanger, “Document Reveals Growth of Cyberwarfare Between the U.S. and Iran,” New York Times,
February 22, 2015, accessed March 4, 2015, http://www.nytimes.com/2015/02/23/us/document-reveals-growth-of-
cyberwarfare-between-the-us-and-iran.html.
89
A phrase President Obama used when signing an executive order for sanctions against North Korea in response to
the attack as reported by David E. Sanger and Michael S. Schmidt, “More Sanctions on North Korea After Sony
Case,” New York Times, January 2, 2015, accessed April 27, 2015, http://www.nytimes.com/2015/01/03/us/in-
response-to-sony-attack-us-levies-sanctions-on-10-north-koreans.html?ref=topics.

25
! ! !
Part!III:!Dominant!Discourse!on!Internet!Governance!!
A.)The)Multistakeholder)Governance)Model)
While some states view cyberspace as a landscape regulated by individual states (a
sovereignty-based approach), others see cyberspace as a loosely controlled, interconnected
network of public and private infrastructure and interests (a multistakeholder approach). These
approaches are not entirely mutually exclusive and they can co-exist (albeit uneasily) with one
another; however, the creation of a successful cyber norms regime is critical to the U.S.
maintaining its current position in global politics. The challenge states now face is the adoption
of cyber norms and governance regimes that will prevent destructive attacks, reduce uncertainty
in cyberspace, prevent the proliferation and misuse of cyber weapons, and preserve the integrity
of cyberspace’s openness and accessibility.90
There are few explicit rules that govern cyberspace and attempts to corral activity in
cyberspace foreseeably leads to debates between stakeholders about the best form of
governance.91
Thus, in order for the U.S. to deter destructive attacks from state actors and
minimize risks of miscalculations in cyberspace, the creation of a cyber norms and governance
regime is necessary to stabilize the domain for the future. The long-term goal of an international
regime is a formal agreement to solidify and enforce norms. Therefore, in the immediate future,
the U.S. should clarify the norms required for flexibility, security, and deterrence in cyberspace.
We propose a simple 4-Point Norms Plan that will contribute to effective deterrence in
cyberspace. Additionally, this plan considers existing international norms, particularly the U.S.
State Department’s multistakeholder governance model, which may assist or influence the
creation of a widely accepted norms regime. In addition, we examine the role of
USCYBERCOM in establishing, expanding, and sustaining such norms.
Diplomatic efforts serve as the foundation for promoting and sustaining norms. The
White House elected to focus on diplomacy in its International Strategy for Cyberspace stating:
“The United States will work to create incentives for, and build consensus
around, an international environment in which states - recognizing the intrinsic
value of an open, interoperable, secure, and reliable cyberspace - work together
and act as responsible stakeholders.”92
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
90
International Security Advisory Board, Report on a Framework for International Cyber Stability, 8.
91
Shane Harris, @WAR: The Rise of the Military-Internet Complex (New York: Houghton Mifflin Harcourt, 2014),
52. Harris remarks that in a 2010 cyberwar game, U.S. military leaders’ confusion over cyber procedures led to a
lack of alternatives to war. This reflects a tendency of military responses in the cyber domain to include offensive
reactions, even when not well suited to the threat.
92
National Security Council; United States. Executive Office of the President, International Strategy for
Cyberspace: Prosperity, Security, and Openness in a Networked World (Washington D.C.: Executive Office of the

26
! ! !
The strategy that underlies this diplomatic objective is to strengthen partnerships to create
responsible behaviors. The goal of this multistakeholder model is to include states, international
and non-governmental organizations, and private entities in the discussion to maximize
participation and involvement of all actors who use and shape the Internet. An additional aspect
of the International Strategy for Cyberspace is the role of “Defense,” noted as “dissuading and
deterring.” The strategy lists the Defense Objective as:
The United States will, along with other nations, encourage responsible behavior
and oppose those who would seek to disrupt networks and systems, dissuading
and deterring malicious actors, and reserving the right to defend these vital
national assets as necessary and appropriate.93
Thus, even though diplomatic efforts are the primary vehicle for promoting norms in
cyberspace, defense agencies do have a role in creating a governance model in dissuading and
deterring malicious actors. The actions (and restraints on actions) of defense agencies,
USCYBERCOM in particular, play a role in the formation of norms and have a strong influence
on the potential success of this model.
In addition to the multistakeholder governance model, the White House’s International
Strategy for Cyberspace creates a wish-list of what it would like included in a norms regime. The
objective is “to promote an open, interoperable, secure, and reliable information and
communications infrastructure that supports international trade and commerce, strengthens
informational security, and fosters free expression and innovation.”94
Per the strategy, the United
States seeks to accomplish these goals through the development of norms. Three underlying
principles are emphasized: “promoting order and peace, advanc[ing] basic human dignity, and
promot[ing] freedom in economic competition.” 95
These essential goals must be present in any
cyber governance regime or treaty.
B.)Allies’)Objectives)in)a)Cyber)Norms)Regime)
As the Internet evolved, different states promoted different norms based on their own
internal interests and the level of openness and neutrality the regimes dictated for its users.
Currently, “states are establishing the bounds of their sovereign control in the virtual world in the
name of security and economic sustainability.”96
Due to shared political, economic, and national
security values, the U.S. has had greater success in finding common ground in building norms of
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
President of the United States, National Security Council, 2011), 11,
https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
93
National Security Council, International Strategy for Cyberspace, 12.
94
Ibid., 8.
95
Ibid., 10-11
96
Chris Demchak and Peter Dombrowski, “Rise of a Cybered Westphalian Age,” Strategic Studies Quarterly 5,
no.1 (Spring 2011): 32.

27
! ! !
responsible cyber behavior with already established allies and other liberal democracies who
share a minimal set of expectations for cyber related behaviors.97
While U.S. allies may not agree
with all U.S. actions in cyberspace, many of them seek, in their own ways, to support the
openness and “bottom-up” nature of private innovation that has driven the Internet’s
multistakeholder governance model. Ultimately, domestic policies and international declarations
demonstrate that U.S. allies are generally concerned with issues related to privacy and online
rights, security, and combating cybercrime.
1.)Privacy)and)Online)Rights)
The largest rift in cyber norms and governance between the U.S. and its allies was a
result of the revelations by former government contractor Edward Snowden that alleged the U.S.
used its advanced cyber capabilities to spy not only on enemies and terrorists, but allies as well.
This, to many allies, was a breach of trust by the U.S. and harmed its reputation abroad,
especially in light of its public advocacy for an open and secure Internet. Some allies responded
by advocating freedoms for Internet users. For example, following an example set by the
Netherlands and Chile, Brazil passed the Marco Civil, an Internet bill of rights, which elevated
privacy and human rights of Brazilian citizens above data collection. Germany, especially stung
by revelations that Chancellor Angela Merkel’s cell phone was tapped,98
has also led the charge
in advocating for online privacy, and sponsored, with Brazil, the UN General Assembly
Resolution on the Right to Privacy in the Digital Age, adopted in 2013.99
Even in light of these privacy concerns, however, support for the cyber multistakeholder
governance model over a sovereignty-based governance model has remained relatively stable.
For example, when Brazil hosted NETmundial, an international multistakeholder conference on
the future of Internet governance, one of the conference’s principles stated upon its conclusion
was that “internet governance should be built on democratic multistakeholder processes,
ensuring the meaningful and accountable participation of all stakeholders, including
governments, the private sector, civil society, the technical community, the academic community
and users.”100
Additionally, Germany also chooses to work through international institutions to
strengthen cooperation and reject the sovereignty-based governance model.101
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
97
Roger Hurwitz, “An Augmented Summary of The Harvard, MIT and U. of Toronto Cyber Norms Workshop”
(paper presented at Cambridge, MA, October 19-21, 2011), 7.
98
Phillip Oltermann, “Germany Opens Inquiry into Claims NSA Tapped Angela Merkel’s Phone,” The Guardian,
June 4, 2014, http://www.theguardian.com/world/2014/jun/04/germany-inquiry-nsa-tapping-angela-merkel-phone.
99
Christian Schaller and Johannes Thimm, “Internet Governance and the ITU: Maintaining the Multistakeholder
Approach,” Council on Foreign Relations, October 22, 2014, http://www.cfr.org/internet-policy/internet-
governance-itu-maintaining-multistakeholder-approach/p33654.
100
John Savage and Bruce McConnell, “Exploring Multi-Stakeholder Internet Governance” (paper presented at the
annual North American International Cyber Security Summit, Detroit, Michigan, November 17, 2004),
http://www2.ewi.info/sites/default/files/Exploring%20MultiStakeholder%20Internet%20Governance_McConnell%2
0and%20Savage%20BG%20Paper.pdf.
101
Schaller and Thimm, “Internet Governance and the ITU.”

28
! ! !
2.)Security)
The most notable development in an allied response to a cyber incident occurred in the
fall of 2014 when NATO members created the Enhanced Cyber Defense Policy that stipulated
that if a member state were attacked by a cyber weapon, Article V could be invoked for
collective defense. This policy focuses on prevention, detection, resilience, recovery, and
defense.102
In former years conventional attacks by land, air, or maritime would have been the
most likely forms of attacks; however, the Alliance has been forced to adapt to new technologies
and the emerging dangers of the cyber threat. Defense against this threat requires adjustments to
existing policies.
Some countries are forming closer relationships due to shared security concerns. For
example, the trade agreement entered into by Japan and Israel in 2014, includes provisions for
cybersecurity cooperation. This agreement “stipulates the dispersion of funds to Israeli and
Japanese companies and research centers to conduct a wide range of research including on
information and cybersecurity.”103
3.)Cybercrime)
Developed countries such as those in Europe, Asia, and South America face a multitude
of cyber threats including online scams, cybercrime, and digital surveillance. Cybercrime is an
issue around which it is relatively easy to build consensus. It is an arena in which countries such
as Japan and Brazil have set up cyber security systems that mimic U.S. security agencies. Japan’s
strategy to counter cybercrimes includes a version of the National Cyber-Forensics and Training
Alliance similar to the FBI; Brazil created the Brazilian Army’s Center for Cyber Defense
(CDCiber). CDCiber will promote recommendations by the Brazilian National Defense Strategy,
which is comprised of cyber, space, and nuclear defense. 104
In sum, allies have a role to play in building upon the 4-Point Norms Plan. Allies already
abide by norms including not attacking critical infrastructure, and reasonable and proportional
response to cyber attacks. In addition, states’ national security strategies that include those norms
as policy reflect allied support of the multistakeholder governance model.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
102
“Wales Summit Declaration,” North Atlantic Treaty Organization, accessed April 9, 2015
http://www.nato.int/cps/en/natohq/official_texts_112964.htm
103
Franz-Stefan Gady, “Japan and Israel to Work Together in Cyberspace,” The Diplomat, January 15, 2015,
accessed April 9, 2015, http://thediplomat.com/2015/01/japan-and-israel-to-work-together-in-cyberspace/.
104
Modulo, Solutions for GRC. “Cyber Defense & Critical Infrastructure,” accessed April 9, 2015,
http://modulo.com/modulo/wp-content/uploads/2013/09/cyberd-efense-and-critical-infrastructure-apac.pdf.

29
! ! !
)
C.)SovereigntyWbased)Governance)Model)
In January 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan
issued an “update” to their “international code of conduct for information security” at the United
Nations that placed a higher premium on state sovereignty over the Internet than an earlier
iteration.105
The phrase “All States must play the same role in, and carry equal responsibility for,
international governance of the Internet” was included, in addition to references to the
sovereignty-based (rather than “multistakeholder”) model to governance. Some scholars argue
that this new language points to an increasingly persistent effort by these governments to move
towards an Internet that is more state-centric, less dominated by U.S. and Western values, and
one managed by ruling elites rather than stakeholders from governments, NGOs, IGOs, and the
private sector. Additionally, it could lead to more compartmentalized and government–censored
internets, wherein regimes have the ability and right to police rhetoric viewed as inflammatory or
threatening to those in power.106
This concept of the Internet is promulgated through overt policies and covert cyber
attacks linked to states such as China, Russia, Iran, and North Korea. These states that propose
alternative governance models and norms than those proposed by the U.S. government have a
few key points in common. These states have a tendency to:
•! View internal dissent and challenges to the current regimes as a national
security threat, on par with an attack that might originate from a hostile
foreign nation;
•! Seek to actively curb, undermine, or reverse U.S. dominance, both
geopolitically and technologically, through asymmetric tactics, such as
intellectual property theft, diplomatic inertia, or disruptive attacks;
•! Demand sovereignty over the Internet, as it exists within their geographic and
population borders.
The sovereignty-based governance model seeks to curtail U.S. cyber dominance by
designating more power to individual states to manage the oversight, technology, and discourse
of the Internet within their borders, thereby increasing their own capacity. These beliefs run
counter to the US multistakeholder governance model, which, at its core, seeks to maintain U.S.
and Western de facto control of the Internet through its dominance of the private sector
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
105
United Nations General Assembly, “Developments in the Field of Information and Telecommunications in the
Context of International Security,” January 13, 2015, accessed April 9, 2015,
https://ccdcoe.org/sites/default/files/documents/UN-150113-CodeOfConduct.pdf.
106
Adam Segal, “Will China and Russia’s Updates Code of Conduct Get More Traction in a Post-Snowden Era?”
Net Politics (blog), Council on Foreign Relations, January 28, 2015, accessed April 12, 2015,
http://blogs.cfr.org/cyber/2015/01/28/will-china-and-russias-updated-code-of-conduct-get-more-traction-in-a-post-
snowden-era/.

30
! ! !
technology and innovation upon which the Internet runs, as well as the Internet’s “culture”—
conceived of as the free flow of information between corporations, governments, and peoples—
itself.
The free, open, and multistakeholder governance model advocated by the U.S. could be
viewed as an existential threat to the ruling elites in countries like China, Russia, and Iran. The
model threatens these opposition states’ power and impedes their future capabilities to quash
dissent and neutralize U.S. technological dominance. Yet, there are signs that there may be room
for these states, the U.S., and allies to agree upon mutually accepted norms. Examples of such
norms are a prohibition on attacks against civilian critical infrastructure and the necessity of
cooperation against cybercrimes. These areas trouble every state to a certain degree. However, it
is unlikely that the U.S. will be able to alter the primary, survival-based drivers of its
adversaries’ policies while the current authoritarian regimes of China, Russia, Iran, and North
Korea remain in power.
D.)The)Role)of)IGOs)and)NGOs)in)a)Cyber)Norms)Regime)
Non-governmental (NGOs) and intergovernmental organizations (IGOs) play an
important role in the current discussion regarding cyber norms and the adaptation or rejection of
the multistakeholder governance model. The United Nations, for example, organizes an annual
Internet Governance Forum (IGF)107
which serves as a forum for dialogue on public policy
issues related to the Internet.108
The IGF regularly produces reports on various issues of public
policy pertaining to the Internet, often presented by panels of experts. These reports have
covered issues such as developing countries participation in Internet governance, privacy, and
cybercrime. The most recent IGF forum convened in Istanbul, and covered topics such as Net
Neutrality and transition of stewardship of the Internet Assigned Numbers Authority (IANA).109
The IGF has succeeded in its main goal: to foster a legitimate venue for Internet-related public
policy issues when there was none. However, it has been hampered by a fluid, undefined
membership, which, in turn, has been charged with addressing Internet governance issues in an
ad-hoc, isolated basis.110
Arguably, this dynamic makes U.S. efforts to create cyber norms by
pushing for solutions that align with its national security concerns unfeasible. However, the IGF
can still serve as a forum wherein the U.S. can identify the concerns and intentions of other states
regarding norm creation and Internet governance.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
107
United Nations, “Tunis Agenda for the Information Society”, World Summit on the Information Society,
November 18, 2005, paras 29-82, http://www.itu.int/wsis/docs2/tunis/off/6rev1.html.
108
United Nations General Assembly, Resolution 60/252, “World Summit on the Information Society,” March 27,
2006, http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/60/252.
109
UN Internet Governance Forum, “Connecting Continents for Enhanced Multistakeholder Governance,”
September 2-5, 2014, http://www.intgovforum.org/cms/documents/igf-meeting/igf-2014-istanbul/308-igf-2014-
chairs-summary-final/file.
110
Jerry Malcolm, “Appraising the Success of the Internet Governance Forum,” Multistakeholder Governance and
the Internet Governance Forum, September 8, 2008.
http://www.intgovforum.org/Substantive_3rd_IGF/Jeremy%20Malcolm%20submission.pdf

Intersecting Governance Models

Intersecting Governance Models

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Intersecting Governance Models

Ähnlich wie Intersecting Governance Models (20)

Intersecting Governance Models