Thanks to Alex M., Camelia, Christina, Dylan, Eugenia, Kalen, Jackie, Jasmine, and Tristen for all of their hard
work!
#GHJPXX
NOTES
Feel free to email me (khirn10@gmail.com) if you have any questions about the aff/neg.
AFF BACKGROUND
Please read this. It will answer 90% of your questions. This aff would be fairly confusing to
anyone who hasn't read about zero-day vulnerabilities or exploits, but it only takes a few
minutes to learn the basic background behind the aff.
Who or what is a zero-day? Is this some kind of weird K aff?
Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, Hacker Lexicon:
What Is A Zero Day, Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]
ZERO DAY ACTUALLY refers to two things - a zero-day vulnerability or a zero-day exploit.
Zero-day vulnerability refers to a security hole in software - such as browser software or operating system
software - that is yet unknown to the software maker or to antivirus vendors. This means the
vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly
exploiting it. Because zero day vulnerabilities are unknown to software vendors and to antivirus firms, there is
no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though
sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that
spot suspicious or malicious behavior).
Zero-day exploit refers to code that attackers use to take advantage of a zero-day vulnerability. They use the
exploit code to slip through the hole in the software and plant a virus, Trojan horse or other malware onto a
computer or device. It's similar to a thief slipping through a broken or unlocked window to get into a house.
Okay. Why is it called a zero-day?
Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, Hacker Lexicon:
What Is A Zero Day, Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]
The term zero-day refers to the number of days that the software vendor has known about the hole. The term
apparently originated in the days of digital bulletin boards, or BBSs, when it referred to the number of days
since a new software program had been released to the public. Zero day software was unreleased software and
was highly coveted by hackers who wanted to be the first to obtain it.
How many of these zero-days are out there?
Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, Hacker Lexicon:
What Is A Zero Day, Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]
Zero day vulnerabilities used to be extremely rare. Out of more than a million pieces of malware security firms
discovered and processed each month, only about one or two were zero-day exploit code. These days, however,
more zero days are being used and discovered. That's in part due to the emergence of a large market for
buying and selling zero-day vulnerabilities and exploits, driven largely by the demand from
government intelligence agencies.
What does any of this have to do with surveillance?
Mick 13 [Jason, news editor and columnist for the leading science and technology online publication, Tax and
Spy: How the NSA Can Hack Any American, Stores Data 15 Years, DailyTech, December 31, 2013,
http://www.dailytech.com/Tax+and+Spy+How+the+NSA+Can+Hack+Any+American+Stores+Data+15+Year
s/article34010.htm]
According to him, the
NSA has zero day vulnerabilities on hand that allow it to penetrate virtually any Wi-Fi router,
Windows PC, external storage device, server, tablet, or smartphone.
Rather than give this data to private sector firms to offer increased security to users, the NSA turns
around and exploits these flaws to spy on everyone
save it."
The NSA calls its attack toolkit "FOXACID". FOXACID is packed with "QUANTUM" tools, which are NSA's digital
lockpicks. Like many clumsy picks, they can damage the lock they attack, but it appears the NSA isn't terribly concerned about that.
1AC
1AC INHERENCY
Obama announced that the US would disclose zero-day vulnerabilities, or unknown software
flaws, to their vendors --- but loopholes allow the NSA to stockpile zero-days and jeopardize
widespread cybersecurity
Soghoian and Roubini 2015 (Chris Soghoian, Principal Technologist and Senior Policy Analyst, American
Civil Liberties Union Speech, Privacy, and Technology Project & Sonia Roubini, ACLU Speech, Privacy, and
Technology Project, Feds Refuse to Release Documents on Zero-Day Security Exploits, March 3, 2015,
https://www.aclu.org/blog/feds-refuse-release-documents-zero-day-security-exploits)//CLi
Federal agencies served with a Freedom of Information Act request are refusing to release documents related to their purchase, use and disclosure of
zero-day exploits, keeping the American public in the dark about a practice that leaves the Internet and its users less secure. Zero-day exploits are special
software programs that take advantage of security vulnerabilities in software that are unknown to the software's manufacturer. These exploits are
frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any
hackers, whether they work for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and
the tools that exploit them are extremely powerful, because there is very little that potential targets can do to
protect themselves. But the effectiveness of such exploits depends on their secrecy - if the companies that make the
affected software are told about the flaws, they will issue software updates to fix them. Governments
thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who
create the software we all use. On February 5, we received a response from the Office of the Director of National Intelligence (ODNI) to a Freedom of
Information Act request we filed for the disclosure of guidance or directives related to the government's policies for the purchase, discovery, disclosure
and exploitation of zero-days. The ODNI claimed that these records are classified under Executive Order 13526, Section 1.4(c), which states that
information can be considered for classification if its disclosure could reasonably be expected to cause damage to national security issues pertaining to
intelligence activities (including covert action), intelligence sources or methods, or cryptology. This response is consistent with the Obama
administration's refusal to make public most information related to its surveillance and cybersecurity policies. The formal United States
policy regarding zero-day exploits, published in April 2014, states that federal agencies should reveal any major flaws in
Internet security to companies in order to ensure that they are promptly resolved. However, this policy
also carves out a broad exception
for flaws that are being exploited for national security or law enforcement purposes
loophole that effectively ensures that the government can and will continue to quietly exploit
zero-days without warning companies or individuals of their existence. It is also unclear whether this policy only applies to zero
days that government employees discover, or whether it also applies to vulnerabilities and exploits purchased from defense contractors, boutique
security firms and exploit brokers. While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises
serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in
cyberattacks. That means our government's choice to purchase, stockpile and use zero-day exploits
instead of promptly notifying manufacturers is effectively a choice to leave both the Internet
and its users less secure. This policy of prioritizing cyber offense over defense is highly problematic, particularly given Congress and the
White House's recent focus on cybersecurity. On February 2, Obama pledged $14 billion towards improving cybersecurity defenses, and proposed new
legislation intended to help prevent cyberattacks, some form of which is expected to pass through Congress this legislative session. If, as we are told,
cybersecurity is such a top priority for the government, federal agencies should be doing everything in
their power to ensure that vulnerabilities are fixed as soon as they are discovered, not months or
years later after they have been fully exploited by law enforcement and intelligence agencies. At a time when
cybersecurity legislation that would weaken existing privacy laws is being pushed through Congress, the American public deserves to know
more about the government's policies regarding the purchase, use and disclosure of zero days. There is an important
public debate that must be had about the government's role in cybersecurity, but without documents like the ones we have requested, this debate cannot
take place.
Additionally, loopholes let the NSA stockpile zero-days purchased from the grey market
Zetter 14 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for
Wired, Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA, Wired,
http://www.wired.com/2014/04/obama-zero-day/] //khirn
Healey notes that the public
statements on the new policy leave a lot of questions unanswered and raise the
possibility that the government has additional loopholes that go beyond the national security
exception. The statement by the Office of the Director of National Intelligence about the new bias toward disclosure, for example,
specifically refers
discovered and sold to the government by contractors, zero-day brokers or individual researchers,
some of whom may insist in their sale agreements that the vulnerability not be disclosed. If purchased zero days
vulnerabilities don't have to be disclosed, this potentially leaves a loophole for the secret use of these
vulnerabilities and also raises the possibility that the government may decide to get out of the business of
finding zero days, preferring to purchase them instead. It would be a natural bureaucratic response for
the NSA to say why should we spend our money discovering vulnerabilities anymore if we're going to have to
disclose them?' Healey says. You can imagine a natural reaction would be for them to stop spending money on
finding vulnerabilities and use that money to buy them off the grey-market where they don't have to
worry about that bias. The government's new statement about zero days also doesn't address whether it applies
only to vulnerabilities discovered in the future or to the arsenal of zero-day vulnerabilities the
government already possesses.
And that is a sort of notion of a Pearl Harbor-style attack and these day-to-day cybersecurity risks that our nation, both the government and the private
sector, faces. And a lot of people spend a lot of time talking about the Pearl Harbor scenario - what happens when the power grid goes down, what
happens when the banking system goes down. As Quentin points out, that's a possibility, but it's one that we focus on to our detriment. And it's one that
we have to account for, one we have to prepare for and be ready to deal with. But there's a larger problem going on day-to-day, a
nation-state-driven problem that is much more present and much more threatening to our economic viability.
And that is the constant day-in and day-out, walking out the back door of every major U.S. company
of core intellectual property. And so, we know today . . . it has now been sort of publicly discussed: the very fact that there are major
nation-states, including China, that are targeting not only the U.S. government. That's sort of standard that we expect that we, like a nation-state, go to
collect intelligence from our opponents around the world, and they collect intelligence on us. That's an understood sort of concept, whether it's
surveillance . . . putting aside all the controversy that Edward Snowden has created with his disclosures, other nation-states know that we
collect intelligence on them, and they collect intelligence on us - that's just part of the game. What's different today
though in cyberspace is the fact that at least one nation that's been publicly discussed and others that haven't been - China in the case of the one that
has been publicly discussed - is not only targeting the government for collection, but it is, at a corporate national level, targeting
American private sector corporations, stealing our core intellectual property - the very thing that drives
the American economy and makes us the most innovative, most diverse, most successful economy in the world
today - and taking it and transferring it to Chinese corporations in the private sector, both the public and
private space. In China that distinction is blended, where the government provides a tremendous amount of
support to their industry, both in the form of stolen IP and in the form of low-interest or no-interest loans to
help them fund these efforts. And so, what we see is a very odd situation where a nation-state is engaged in an effort to take
private sector intellectual property, convert it to both public and private use there, thereby undermining our
ability to compete in the global marketplace. And what makes it a particularly hard challenge is: What is the U.S. government
going to do about it? How does the U.S. government respond to that threat? For years we knew this was a fact and had
a hard time to even talk about it publicly because the way we knew was through intelligence accesses and the
like. Dare I say, by the way, that all of my remarks are my own thoughts and not those of my current or former bosses, so I don't get any of them in any
trouble, and I don't get myself fired. But we've known this for a long time. We've known about this threat that both China and other nation-states pose to the U.S. private sector as well as the U.S. government, but it's been hard for us to talk about it. And we've finally now
realized 1) the threat is such that we need to talk about it and 2) the government can't do the protection of the private sector itself. The vast
majority of the Internet and the connected networks out there are owned and operated by the private sector. The
U.S. government simply has no insight into those networks. No matter what you hear about the U.S.
government's capabilities in signals intelligence and in cyberspace, the reality is that we can't, nor do we want to be,
nor do our laws permit us to, be on every network at all times to know what's going on. It's not something that the
American people want. It's not something the government wants to do, nor is it something we have the
capability to do. Hence, the question becomes: How can the government work with the private sector to enable
the private sector to better defend itself? And how do private sector companies work with each other
internally to defend themselves from this very threat? A lot of people think that one of the best ways to achieve that goal is to have
the government intervene in the market and say, Look the private sector is not doing what it needs to do to protect itself. We need to tell them how to
do it, right? Here are some regulations. Here are some laws. Here's how you need to accommodate yourself to this new reality of nation-states
threatening you and your core intellectual property and your systems, either to avoid a Pearl Harbor-style attack or to avoid this walking out the back
door of your intellectual property. That, I think, is the discussion that was had over the last couple of years, and it has faded into the background in large
part because industry has shown a huge resistance to having government-imposed regulations and laws and for good reason. Industry and the U.S.
private sector are very innovative and oftentimes the government regulation in places where there is not a market failure can stifle innovation rather than
embolden it. The question becomes: How do you determine whether there's a market failure here, or not, in this industry? There can be no doubt that
industry could, and perhaps should, be better protected against cyber threats, particularly in the nation-state space. But the question is: Why is it not?
And I would posit that the
reason that industry is not as well positioned today to defend itself is because industry
fundamentally doesn't understand the threat it faces. It's only recently, in the last year or two, that we've begun,
as a government, talking about the very real threat that industry faces from nation-states which have very high-end capabilities and both the capability and the desire to go into these companies. So, it's only recently that
companies have begun coming around to the realization that the IP is walking out the back door, and there is
potential for a Pearl Harbor or lesser attack on their networks. And even today I think everyone would admit - whether you're in
industry or the government - that the government doesn't tell industry enough about what it knows.
So, the
government knows a lot about the zero-days that might come up against them. They know a
lot about what the threat looks like. And they have a very hard time talking about it to companies, either
at an unclassified or even at a highly-classified level. It's only when things get to a really hot boil that the
government will be willing to part with its deepest, darkest sort of most sensitive intelligence collection and
even then it will only tell industries absolutely what they need to know in order to deal with that
immediate threat. And that's something that fundamentally has to change. And I think the government's on its way
there. I think that General [Keith B.] Alexander has made changes while he was at NSA, and I'm hoping that Admiral [Michael] Rogers will continue
those changes, too, to think through how best to work with industry. But it's not simply government working with industry, because
it will be a
great thing if we can get to a place where we can pass some sort of information-sharing
legislation that allows the government to share with industry what it knows is a threat.
But the
reality is that today without the government having a sense for what industry is seeing on the 98 percent, or 95 or 96 percent, of networks that it
owns and operates - it's
hard for the government to know where to focus its collection activities. For instance, today we
know about the Chinese cyber actors coming up against our networks. So, it's easy for us to target that person
and try to go after his system and figure out what he or she is doing. We know for a fact that sitting right next to that
person, very likely, is another hacker government-funded going after the U.S. private sector, but we don't see that
person, because we're not on the private sector networks looking for that. Until industry has the ability and the
desire and the willingness to share with the government what they're seeing, it's hard for the government to turn
around and say, We're going to go try to target that person to see if we can figure out what they're doing, too, in
order to provide back to industry the best capabilities the U.S. government has at its disposal. And so, that's one thing
. . . it's sort of freeing up that information sharing gap between public and private and creating that
trust between the government and private sector to share that kind of information.
IP theft destroys military operations --- the impact is primacy
Warikoo 13 professor of Himalayan and Central Asian Studies at the University of Colorado (Arun, CYBER
WARFARE: CHINA'S ROLE AND CHALLENGE TO THE UNITED STATES p. 67-8, Jul-Dec 2013, ProQuest)
| js
4.1 Intellectual Property (IP) Protection and Enforcement Intellectual
The Department of Defense's DODs 2013 annual report to the Congress indicates the grave threat posed by the Chinese in collecting intelligence
against US industries that support US defense programs.31 In one instance, a news report in 2011 revealed that malware
had penetrated
networks used to control U.S. military drones.32 In another report, it is alleged that the Chinese are hacking into
US electricity networks and inserting malware that could be activated later to shut down the electric grid.33 Richard
Clarke, White House Cyber Security Advisor (October 2001 - March 2003), in an interview on PBS Frontline stated as follows: "We, as a country, have
put all of our eggs in one basket. The reason that we're successfully dominating the world economically and militarily is
because of systems that we have designed, and rely upon, which are cyberbased. It's our Achilles heel. It's an overused
phrase, but it's absolutely true. It could be that, in the future, people will look back on the American empire, the
economic empire and the military empire, and say, "They didn't realize that they were building their whole
empire on a fragile base. They had changed that base from brick and mortar to bits and bytes, and they
never fortified it. Therefore, some enemy some day was able to come around and knock the whole empire over. That's the fear."34 4.3 Threat to US
Industry China's cyber espionage against U.S. commercial firms poses a significant threat to U.S. business interests and
competitiveness in key industries. A classic example is that of the American Superconductor Corporation that had its wind-energy software code
stolen by a major customer in China resulting in not only losing that customer but also 90% of its stock value.35 In another instance, a U.S.
metallurgical company lost technology to China's hackers that cost $1 billion and 20 years to develop.36
instance, where the ambitions of Russia and Austria-Hungary clashed. But today's great powers are rising in a very different international environment,
largely because of the unique role the United States has played since the end of the Second World War. The United States has been not simply
a regional power, but rather a regional power in every strategic region. It has served as the maintainer of
regional balances in Europe, Asia, and the Middle East. The result has been that, in marked contrast to past
eras, today's great powers do not face fundamental threats to their physical security. So, for example, Russia
objectively has never enjoyed greater security in its history than it has since 1989. In the 20th century, Russia was
invaded twice by Germany, and in the aftermath of the second war could plausibly claim to fear another invasion unless adequately protected.
(France, after all, had the same fear.) In the 19th century, Russia was invaded by Napoleon, and before that Catherine the Great is supposed
to have uttered that quintessentially Russian observation, I have no way to defend my borders but to extend them. Today that is not true.
Russia faces no threat of invasion from the West. Who would launch such an invasion? Germany, Estonia, Ukraine? If Russia faces threats,
they are from the south, in the form of militant Islamists, or from the east, in the form of a billion Chinese standing across the border from an empty
Siberia. But for the first time in Russia's long history, it does not face a strategic threat on its western flank. Much the same can be said of
China, which enjoys far greater security than it has at any time in the last three centuries. The American role in East
Asia protects it from invasion by its historic adversary, Japan, while none of the other great powers around China's periphery have the strength or desire
now or in the foreseeable future to launch an attack on Chinese territory. Therefore, neither Chinese nor Russians can claim that a
sphere of influence is necessary for their defense. They may feel it necessary for their sense of pride. They may feel it is necessary as a
way of restoring their wounded honor. They may seek an expanded sphere of influence to fulfill their ambition to become more formidable powers on the
international stage. And they may have concerns that free nations on their periphery may pass the liberal infection onto their own populaces and thus
undermine their autocratic power. The question for the United States, and its allies in Asia and Europe, is whether we should
tolerate a return to sphere of influence behavior among regional powers that are not seeking security but are in search of
status, powers that are acting less out of fear than out of ambition. This question, in the end, is not about idealism, our commitment to a rules-based
international order, or our principled opposition to territorial aggression. Yes, there are important principles at stake: neighbors shouldn't invade their
neighbors to seize their territory. But before we get to issues of principle,
affects the world in terms of basic stability On that score, the historical record is very clear. To return to
a world of spheres of influence - the
the great power conflicts of past centuries. Revisionist great powers are never satisfied. Their
sphere of influence is never quite large enough to satisfy their pride or their expanding need for security. The
satiated power that Bismarck spoke of is rare - even his Germany, in the end, could not be satiated. Of course, rising great powers always express some
historical grievance. Every people, except perhaps for the fortunate Americans, have reason for resentment at ancient injustices, nurse grudges against
old adversaries, seek to return to a glorious past that was stolen from them by military or political defeat. The world's supply of grievances is
inexhaustible. These grievances, however, are rarely solved by minor border changes. Japan, the aggrieved have-not nation of the
1930s, did not satisfy itself by swallowing Manchuria in 1931. Germany, the aggrieved victim of Versailles, did
when other great powers decide they have had enough. We know those moments as major power wars.
The best and easiest time to stop such a dynamic is at the beginning. If the United States wants to maintain a
benevolent world order, it must not permit spheres of influence to serve as a pretext for aggression. The
United States needs to make clear now - before things get out of hand - that this is not a world order that it will accept. And we need to be clear what that
response entails. Great powers of course compete across multiple spheres - economic, ideological, and political, as
well as military. Competition in most spheres is necessary and even healthy. Within the liberal order, China can compete economically
and successfully with the United States; Russia can thrive in the international economic order upheld by the
liberal powers, even if it is not itself liberal. But security competition is different. It is specifically because Russia
could not compete with the West ideologically or economically that Putin resorted to military means. In so doing,
he attacked the underlying security and stability at the core of the liberal order. The security situation undergirds
everything - without it nothing else functions. Democracy and prosperity cannot flourish without security. It remains true today as
it has since the Second World War that only the United States has the capacity and the unique geographical
advantages to provide this security. There is no stable balance of power in Europe or Asia
without the United States. And while we can talk about soft power and smart power, they have been and
always will be of limited value when confronting raw military power. Despite all of the loose talk of American
decline, it is in the military realm where U.S. advantages remain clearest. Even in other great powers'
backyards, the United States retains the capacity, along with its powerful allies, to deter challenges to the
security order. But without a U.S. willingness to use military power to establish balance in far-flung regions of
the world, the system will buckle under the unrestrained military competition of regional powers.
Russian IP theft now --- they can't be deterred --- bolstering cyberdefense is key
Bennett 4/12/15 cybersecurity reporter for The Hill (Cory, Russia's cyberattacks grow more brazen 4/12/15,
http://thehill.com/policy/cybersecurity/238518-russias-cyberattacks-grow-more-brazen) | js
Russia has ramped up cyber attacks against the United States to an unprecedented level since President Obama
imposed sanctions last year on President Putin's government over its intervention in Ukraine. The emboldened attacks are
hitting the highest levels of the U.S. government, according to reports, in what former officials call a dramatic shift in strategy. The
efforts are also targeting a wide array of U.S. businesses, pilfering intellectual property in an attempt to level the playing
field for Russian industries hurt by sanctions. They're coming under a lot of pressure from the sanctions - their financial industry,
their energy industry said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. And
they're obviously trying to leverage cyber intrusion and cyber espionage to compensate for that. Crowdstrike
recorded over 10,000 Russian intrusions at companies worldwide in 2015 alone. That's a meteoric rise from the
dozens per month that Alperovitch said the firm noted this time last year, just as the U.S. was imposing its sanctions. Many see the
recent reports that Moscow infiltrated the State Department and White House networks - giving them access to President Obama's full schedule - as a
turning point in Russian government hacking. Moscow doesn't care as much about being caught, perhaps in an attempt to prove its cyber
prowess, some speculate. I think that the calculus for them has changed, said Will Ackerly, an eight-year National Security Agency vet who co-founded
encryption firm Virtru in 2012. It seems that they're definitely behaving dramatically different in that regard. The attitude, Ackerly said, is
much more brazen than previous Russian efforts to lift intelligence information. For years, Russian hacking has operated on two
tracks. On one track, Moscow has orchestrated quiet, targeted digital hits on the U.S. government to collect scraps of intelligence data. On the other, a
large community of Russian cyber criminals, not necessarily affiliated with the government, has peppered the American banking industry for commercial
gain. Experienced Russian hackers often tend to target financial data, said Tom Brown, who served until 2014 as chief of the Cyber Crime Unit at the
U.S. Attorney's Office for the Southern District of New York. Last year, Russians were charged with hacking into Nasdaq, America's second largest stock
exchange. Going further back, a notorious Russian Internet gang made off with tens of millions of dollars from Citibank in 2009. These were just two of
the Russian incidents Brown helped investigate. Russian cyber crooks, he said, uniformly launch relatively sophisticated attacks. On the government-sponsored side, researchers at security firm FireEye discovered evidence of Russian intelligence-gathering cyber campaigns stretching back to at least
2007. Moscow was searching for communications, emails, memos, phone calls and schedules that could smear adversaries' reputations or simply shed
light on their plans. Laura Galante, threat intelligence manager at FireEye, said she has seen a resurgence in these types of Russian government-backed
cyberattacks since late February. They really see this as much more broadly than just a tool, a piece of malware or a distinct
type of activity, said Galante. They see this as
a broader quest to get the information they need to portray themselves and their
efforts in the best light in the world. And as Russia's economy sags under the weight of U.S. sanctions imposed in March 2014, the mercenary,
criminal track has started to blur with the government-directed track, analysts said. What they're basically doing is in effect saying internally,
That's fine, you're going to sanction us, so we're going to use cyber to steal your intellectual property and give it to
our industry, Alperovitch said. The digital barrage has caught the attention of top U.S. officials. President Obama repeatedly asked his advisors
whether a massive data breach at JPMorgan last fall was Russian retaliation for the sanctions, according to reports. The aides couldn't give the president
a definitive answer. Indeed, the security community is not united in its belief Russia was behind the attack. Former intelligence officials have also
speculated that information discreetly passed to the media laying blame on the Russians for the State Department and White House hacks is a White
House attempt to send a message to Russian authorities: We're on to you. Director of National Intelligence James Clapper acknowledges the U.S. was
caught off guard by this Russian hacking surge. The Russian cyber threat is more severe than we have previously assessed,
he told a Senate committee in February. During an October speech, Clapper even said Russia has replaced cyber powerhouse China as his
top concern. Ackerly said the State Department and White House intrusions are a striking example of the new Russian mentality. The attack was
much larger in breadth than historic Russian cyber espionage efforts. They're much more willing to do things which there's a high probably of
detection, Ackerly said. They are willing to know that going in and say, We're going to do that anyway. Moscow's intelligence agencies can still collect
their information, while making a public point, said Christopher Cummiskey, a former acting under secretary for management at the Department of
Homeland Security in 2014 who oversaw a number of the agency's cyber efforts. I think from their perspective it's like, Well guess what, we've shown
the world that we're able to actually penetrate the very sensitive systems in the U.S. government, he said. Until the government improves
its detection capabilities, the Russians will not be deterred, Cummiskey said. It's not as easy to pick up on these things
today with the way we're configured as hopefully it will be in the future, he said. So we've got some work to do.
secrets stolen from US industry and government networks could give China and Russia military
advantages worth billions .
That causes Russian aggression
Isachenkov 15 [Vladimir Isachenkov, Associated Press, Business Insider, Feb. 4, 2015, Russia continues
massive military modernization despite economic woes, http://www.businessinsider.com/russia-continuesmassive-military-modernization-despite-economic-woes-2015-2#ixzz3eVw3maaO] //khirn
MOSCOW (AP) Hundreds of new Russian aircraft, tanks and missiles are rolling off assembly lines. Russian jets
roar through European skies under NATO's wary eye. Tens of thousands of troops take part in war games
showing off the military's readiness for all-out war . The muscle flexing suggests that Russia's economic woes so far are
having no impact on the Kremlin's ambitious military modernization program. Most Russian economic sectors face a 10
percent cut this year as Russia heads into recession. The military budget, meanwhile, rose by 33 percent to about 3.3 trillion rubles (some $50 billion).
The buildup reflects President Vladimir Putin's apparent readiness to raise the ante in a showdown with the West over Ukraine but it is unclear
whether Russia can afford the modernization drive amid slumping oil prices and Western sanctions. The new Russian military doctrine,
endorsed by Putin in December, names NATO as a top threat to Russia and lays out a response to what the Kremlin sees
as the alliance's expansion into Russia's sphere of interests . In the Ukraine crisis, Moscow for the first time demonstrated its new
capacity for what experts call "hybrid" warfare, a combination of military force with a degree of deniability, sleek propaganda and political and economic
pressure. It is not only in Crimea the strategic peninsula that Russia annexed from Ukraine that the nation's 1-million strong
military is beefing up its presence. Russia is also reviving Soviet-era airfields and opening new military bases in
the Arctic . Last fall the military rattled sabers by briefly deploying state-of-the art missiles to Russia's
westernmost Baltic exclave
Kaliningrad and
far as the Caribbean and the Gulf of Mexico . The West first got a sense of Russia's revived military might during last February's
Crimea invasion. The U.S. and its NATO allies were caught off guard when waves of Russian heavy-lift military transport planes landed on the Black Sea
peninsula days after the ouster of Ukraine's former Moscow-friendly president, unloading special forces which swiftly took over key facilities in the
region and blocked Ukrainian troops at their bases. Dressed in unmarked uniforms and equipped with state-of-the art weapons, the Russian troops were
a far cry from a ragtag demoralized force the military was just a few years ago. The Kremlin first claimed they were local volunteers, but Putin recognized
after the annexation that they were Russian soldiers. Another surprise for the West came a few weeks later, when well-organized groups of gunmen took
over local government offices and police stations in several cities across Ukraine's mostly Russian-speaking eastern industrial heartland, triggering a
rebellion that evolved into a full-scale war that killed more than 5,300 since April. As fighting escalated in the east, the Russian military showed its agility
by quickly deploying tens of thousands troops near the border with Ukraine. Ukraine and the West said that thousands of them crossed into Ukraine,
helping turn the tide in rebels' favor. The Kremlin denies that, although it has acknowledged that Russian volunteers have joined the insurgency. Unlike
the past, when the Russian military was filled through unpopular conscription, the force has grown more professional and
motivated. Relatively high salaries have attracted an increasing number of contract soldiers, whose number is set to exceed 350,000 this year from
295,000 in 2014. Russian Defense Minister Sergei Shoigu said that by the end of this year all battalion tactical groups the core units in the Army, the
Airborne Forces and the Marines will be manned entirely by professional soldiers. And in sharp contrast to the early post-Soviet years, when combat
jets were grounded and navy vessels rusted dockside for lack of fuel, the military has dramatically increased both the scope and frequency of its drills.
Ground forces conducted massive maneuvers near the Ukrainian border involving tens of thousands of troops, while navy ships sailed on regular
missions and combat jets flew regular patrols near European borders to probe NATO's defenses. The alliance said it intercepted Russian aircraft more
than 400 times last year and complained they posed a danger to civilian flights. In Crimea, Russia had leased a major naval base even before the
annexation. Now it has deployed dozens of combat jets, including nuclear-capable long-range bombers, along with air defense missiles, modern drones
and other weapons. It is also preparing to dispatch more troops there. Another key priority for the military is the Arctic, where global rivalry for major
untapped oil and gas reserves is intensifying as polar ice melts. The military has restored long-abandoned Soviet-era airfields and other bases in the
region after two decades of neglect. It formed a separate Arctic command to oversee its troops in the region. Russia's weapons modernization
plan envisages spending 20 trillion rubles on new weapons in 2011-2020. It produced some highly visible results last year, with the
military receiving the highest numbers of new planes, missiles and armor since the 1991 Soviet collapse: Last year, the Russian armed forces obtained a
record number of 38 nuclear-tipped intercontinental ballistic missiles. This year they are to get another 50, allowing the military to fulfill its ambitious
goal of replacing Soviet-built nuclear missiles, which are approaching the end of their lifespan. Officials say the new ICBMs have the capacity to
penetrate any prospective missile defenses. In a major breakthrough, the Russian navy finally conducted a series of successful test launches of the
Bulava, a new submarine-based intercontinental ballistic missile, proving its reliability after a long and troublesome development. The navy
already has two submarines equipped with the Bulava, and is to commission a third one next year. Five more are to
follow. The ground forces are receiving large batches of Iskander missiles, which are capable of hitting enemy targets up to
500 kilometers (310 miles away) with high precision. Russian officials said the missiles, which can be equipped with a nuclear or conventional warhead,
could be used to target NATO's U.S.-led missile defense sites. In a show of force, Iskanders were briefly deployed in December to the Kaliningrad exclave
bordering NATO members Poland and Lithuania. The Russian air force received more than 250 new planes and helicopters last year and is set to
receive more than 200 this year numbers unseen since Soviet times. They include new models such as Su-34 bombers, Su-35 fighter jets and Mi-28
helicopter gunships equipped with sophisticated electronics and high-precision missiles. The Russian army this year is set to receive a new tank, which
also will be used as the basis for a lineup of other armored vehicles. The model called Armata will be shown to the public during a Red Square parade in
May. It surpasses all Western versions in having a remotely controlled cannon and a superior level of crew protection. Its security enhanced by
a new-look military, the Kremlin can be expected to pursue a defiant course in Ukraine and may
raise the stakes further if the peace process fails. The threat for Putin, who has insisted that Russia will not be
drawn into a costly arms race with the West, is whether the massive military buildup will stretch the nation's economic
potential beyond the limit.
spearhead unit of 5,000 troops for immediate deployment in a crisis.450 Jean-Claude Juncker, the head of the European Commission has raised the
subject of a European Army.451 It is imperative for many reasons that Europe achieve a greater level of political integration452 and a European Army
may serve that long-term goal as well as the more immediate matter of addressing Russian aggression. The United States is also rising to the
military challenge posed by Russian expansionism in Eastern Europe. A military convoy has been sent on a show-the-flag
tour of six East European countries.453 Large numbers of soldiers and large quantities of supplies have now landed in Latvia to
participate in multinational training exercises with Latvia, Estonia, and Lithuania.454 American military hardware and personnel are now stationed
just yards from Russian territory in the Baltics.455 A Patriot anti-missile battery, together with the crew to man it, has been moved to Poland.456 Ashton
Carter, President Obama's nominee to serve as Secretary of Defense, has declared his support for providing arms to
the Ukrainian military.457 Victoria Nuland has called for the creation of NATO command-and-control centers in Bulgaria, Romania, and other
nations of Eastern Europe.458 And how has Putin responded? He destroyed the city of Debaltseve in Ukraine with a savagery and
barbarity unknown in Europe since the days of World War II. Virtually every building in the city has been damaged or destroyed.459 Some 40,000
people (out of a population of 45,000) have been forced to flee.460 Dogs, it is said, have begun to eat the bodies of the unburied dead.461 Whole classes
of persons -- Tatar Muslims who might threaten the regime, and others who fall under suspicion of State Security -- are being abducted, tortured, and
being made to disappear at alarming rates.462 And Putin has renewed, once again, his threats against world order. He has dispatched
nuclear-capable strategic bombers to Crimea.463 He has sent
could be another major war in Europe responded: Such a scenario shouldn't even be considered. Such a war today would inevitably lead to a nuclear
war. But the statements from both sides and the propaganda lead me to fear the worst.
atmosphere, then we won't survive the coming years.473 Thus has Putin's culture of terror brought us to
the brink of the unthinkable, a nuclear standoff where the risk of miscalculation is large. International law, over
the last two decades, has moved decisively in the direction of delegitimizing even the threat of the offensive use of nuclear weapons. Vladimir Putin's
loose talk and his aggressive military posturing are returning us to the dark days of an older generation, when nuclear threats
hung heavy over the planet. We must make sure such threats do not emanate again from a world leader.
international law here exemplified by the Paris Convention of 1883, of which both China and the U.S. are signatories but also of
international rules, such as the WTO's TRIPS agreement. Given that this problem is prevalent, pernicious, and clearly prohibited,
the question becomes: How do we address it? There are at least two principle categories of action, neither of which are exhaustive or exclusive of each
other. One possible avenue is a legal offensive. At first glance, this seems to be a problematic because, while China has acceded to the Paris Convention, it
has done so with the stipulation that it not be bound to the Convention's provisions for dispute resolution. This abrogates the legal grounds by which to
seek arbitration by the International Court of Justice. That said, China's actions appear to clearly violate the TRIPS agreement, which counts the
aforementioned Paris Convention among its primary legal referents. And unlike the Convention, the TRIPS agreement, accedence to which is implicit in
WTO membership, has a robust enforcement mechanism. As a rapidly developing and expanding economy, China has a vested interest in maintaining its
ability to work within the WTO not only because that provides it a place at the table in international trade negotiations, but because it wants to
preserve its ability to settle economic disputes through WTO arbitration, which it has done frequently. Because of these factors, China will probably feel
compelled to address these complaints as it already did in a previous dispute involving DVD piracy and may be more likely to fully and genuinely
implement the arbitration's ruling. Additionally, there is, in the nascent Transatlantic Trade and Investment Partnership (TTIP) and Transpacific
Partnership (TPP), hope that China can be checked by the combined economic leverage that the U.S., EU, and others would gain from their conclusion.
The TTIP, whose focus is the creation of a massive trade bloc between the U.S. and EU, has the potential to change the current dynamics of the global
economy by boosting the competitiveness and expanding [the] market share of U.S. and EU companies. Because Europe and the U.S. are China's
largest export markets, they could make things very difficult for China if it were to oppose them on an important issue like IP theft. And the economic
boost and harmonization that may emerge from the TTIP would increase this leverage. Chinese products [would already be] less competitive in [those]
markets, as a result of the TTIP, and if the U.S. and EU wanted to, they could effectively [bottle] up [China's exports] within its shores. This is not to
suggest that the TTIP could, or should, be used to impose unfair trade conditions, or to begin a trade war, but the extraordinary amount of influence it
would provide would undoubtedly alter the Chinese calculus. And, in combination with the TPP, it would probably be enough to extract at least a
modicum of compliance from them. The TPP, which could eventually include most of Southeast Asia, East Asia, and Australia, but might not include
China, has obvious consequences for the Chinese economy, regardless of outcome. If China does join the TPP, [it will be] on US terms [because it is] a
creature fashioned largely by Washington. While China's presence in the TPP would be valuable, the Partnership would nonetheless remain a viable and
powerful economic coalition and could easily carry on in its absence. China, on the other hand, [already] suffering from diminishing competitiveness,
[should be] keen to avoid any further hits to its trade position, and it also wouldn't want to risk exclusion from the benefits of a successful and
extensive TPP, [such as] tariff-free or reduced [exports]. To avoid having its regional economic dominance undermined, China will need to accept
Washington's strong standards [for protection of] intellectual property, labor and [the] environment along with [regulating] state-owned enterprises.
Moreover, if China declines to join the Partnership, either through unwillingness or an inability to meet these demanding standards, it will be so much
the worse for it. The TPP, absent China, has the potential to undo much of its regional power by making the region's markets better integrated and
more competitive, which could see Chinese products and labor being bypassed for cheaper options. China has undertaken its quest to
modernize through stolen intellectual property with relative impunity because there has been no real
mechanism or response to deter it. With the threat of losing ground in its biggest export markets, locally and
farther afield, it would be forced to heed much more serious warnings to halt its illicit activities. While these
agreements are far from finalized and have a multiplicity of moving parts, both of which confound efforts to
predict their utility as a viable method of coercion, it nonetheless seems like they, in conjunction with WTO
arbitration, should give the U.S., EU, and others the ability to successfully press for China's compliance.
That leads to global nuclear war
Twomey 2009 (Christopher, co-directs the Center for Contemporary Conflict and is an assistant professor in
the Department of National Security Affairs, both at the Naval Postgraduate School, Monterey, California,
Arms Control Association, Chinese-U.S. Strategic Affairs: Dangerous Dynamism,
http://www.armscontrol.org/act/2009_01-02/china_us_dangerous_dynamism#Twomey) // JRW
China and the United States are not in a strategic weapons arms race. Nonetheless,
have the potential to move toward a tightly coupled arms race and certainly have already worsened threat
perceptions on each side. The potential for conflict is not simply that of inadvertent escalation; there are
conflicts of interests between the two. Heightening threat perceptions in that context greatly complicates
diplomacy. Further, the dangers of inadvertent escalation have been exacerbated by some of these moves .
Chinese SSBN deployment will stress an untested command-and-control system. Similar dangers in the Cold War were mitigated,
although not entirely overcome, over a period of decades of development of personnel and technical solutions.
China appears to have few such controls in place today. U.S. deployment of highly accurate nuclear warheads is
consistent with a first-strike doctrine and seems sized for threats larger than "rogue" nations. These too would
undermine stability in an intense crisis.
currently find information sharing with their government partners in the national intelligence and law
enforcement communities very, very difficult because it raises sensitive and complex issues . Individuals value their
privacy, particularly when the Government is involved. But the fact remains that the cyber defense of our critical
infrastructure simply is not possible without cyber threat information sharing between those
three communities. One example from awhile back, related in congressional testimony, told of an incident in which the National Security Agency
detected a foreign entity trying to steal three gigabytes of information from an American defense contractor. The information-sharing rules
would not let the NSA warn the contractor of what was about to happen to them. The head of the NSA at that
time likened it to seeing a cyber-intrusion happen at network speed but then being required to warn the
company under attack with a letter sent through the conventional mail. Legislative efforts to deal with the information-sharing
issue occur every few years. Currently, another effort seems to be building . Those of us who watch this issue have our fingers
crossed. I'm guardedly optimistic. First, because this issue has been elevated by recent cyber attacks on large companies: Sony,
J.P. Morgan, Target, Anthem, Home Depot and others. And they have focused attention on the issue among the most powerful people in America the
taxpayers voters who feel less and less secure about their personal information and bank accounts. The other reason I'm optimistic is because,
legislation or not, government and the private sector have not been idle. What hampered the last legislative effort
were concerns over the regulatory burden. In the wake of that last legislative effort, the National Institute of Science and Technology
- NIST for short - worked together with industry to develop and issue a framework for improving critical cyber
security infrastructure. It was intended as a voluntary set of guidelines. But now at its one-year mark, it has become the de facto
standard for private sector cyber security as viewed by regulators and lawyers. The framework helps a company
to critically assess its cyber security health, capabilities and efforts; then the company can perform a risk/return analysis to
determine where it wants its cyber security capabilities to be, and when. It then develops a plan to get itself from its current state, to its intended end
point. Companies utilizing this framework are motivated toward improvement because, in the event of a
successful attack against them, any company would have to explain to customers and creditors why it chose not
to participate in a security improvement program that its competitors are likely using. It also doesn't hurt that the
framework is being used as an industry baseline for cyber insurance underwriting.
Zero-days are key --- inadequate cooperation risks multiple critical sectors --- like electricity
and water
Stockton and Golabek-Goldman 13 [Paul and Michele, " Curbing the market for cyber weapons," Yale
Law & Policy Review, Forthcoming, pg. 108-109 <http://ssrn.com/abstract=2364658>] /eugchen
0-day exploits are dual-use.24 They can be deployed by good-willed researchers to test computer systems for
vulnerabilities and therefore safeguard systems against attacks.25 However, they can also be deployed to gather
sensitive commercial or intelligence information, incapacitate computer systems, or inflict widespread physical
damage. For example, a weaponized 0-day exploit targeting the air traffic control system could send false
signals to planes in the air, causing them to crash or collide.26 Department of Transportation audits have confirmed that the U.S.
air traffic control system remains highly vulnerable to cyberattacks. 27 An attack on the electric grid could leave entire
regions of the country in the dark for weeks, incapacitating the economy and resulting in numerous
casualties.28 As the threats to the air traffic control system and electric grid make clear, the most potent and dangerous
0-day-exploit attacks are those that target the nation's critical infrastructure sectors. The 2013 Presidential Policy
Directive on Critical Infrastructure Security and Resilience defines critical infrastructure as systems and assets, whether physical or virtual, so vital to
the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security,
national public health or safety, or any combination of those matters.29 The air-traffic control system and other transportation
systems are considered critical infrastructure, along with the chemical, communications, emergency
services, financial, water, power, and nuclear reactor sectors.30 A high percentage of America's critical infrastructure is
owned and operated by private civilian companies.31 These companies generally operate and monitor critical
infrastructure by relying on industrial-control systems, including Supervisory Control and Data Analysis (SCADA) systems,
distributed-control systems, and programmable-logic controllers.32 These systems enable companies to open and shut water pump valves, react to
pressure, and change volume levels automatically and remotely.33 As technology has evolved, companies have sought to improve operational efficiency
by designing ICS systems that are Internet compatible.34 Internet connectivity has rendered these systems and their
applications layer much more susceptible to 0-day-exploit attacks since perpetrators can access and penetrate
them more easily.35 Today's 0-day-exploit attacks are especially targeted at the vulnerable applications layer.36
In spite of this increased threat, private companies have failed to adequately invest in cyber measures
to secure critical infrastructure from attack. The government has also failed to provide sufficient
support to private companies to safeguard the nation's critical infrastructure. According to the Department of
Homeland Security's recent Inspector General Report, the United States Computer Emergency Readiness Team (US-CERT) is understaffed and lacks
the legal authority to require private companies to implement stronger protections against cyber intrusions.37
Grid attacks take out command and control ---causes retaliation and nuclear war
Tilford 12 [Robert, Graduate US Army Airborne School, Ft. Benning, Georgia, Cyber attackers could shut
down the electric grid for the entire east coast 2012, http://www.examiner.com/article/cyber-attackers-couldeasily-shut-down-the-electric-grid-for-the-entire-east-coa] //khirn
To make matters worse a cyber attack that can take out a civilian power grid, for example could also cripple the U.S.
military. The senator notes that the same power grids that supply cities and towns, stores and gas stations, cell towers and heart monitors also
power every military base in our country. Although bases would be prepared to weather a short power outage with backup diesel generators,
within hours, not days, fuel supplies would run out, he said. Which means military command and control centers
could go dark. Radar systems that detect air threats to our country would shut down completely. Communication
between commanders and their troops would also go silent. And many weapons systems
would be left without either fuel or electric power, said Senator Grassley. So in a few short hours or days, the
mightiest military in the world would be left scrambling to maintain base functions, he said. We contacted the Pentagon
and officials confirmed the threat of a cyber attack is something very real. Top national security officials - including the Chairman of the Joint Chiefs, the
Director of the National Security Agency, the Secretary of Defense, and the CIA Director - have said, preventing a cyber
attack and improving the nation's electric grids is among the most urgent priorities of our country (source:
Congressional Record). So how serious is the Pentagon taking all this? Enough to start, or end a war over it, for sure (see video: Pentagon declares war on
cyber attacks http://www.youtube.com/watch?v=_kVQrp_D0kY&feature=relmfu ). A cyber attack today against the US could very
well be seen as an Act of War and could be met with a full scale US military response. That could include the use
of nuclear weapons , if authorized by the President.
US water security on the brink now
Dimick 14 (Dennis Dimick is National Geographic's Executive Editor for the Environment. National
Geographic: If You Think the Water Crisis Can't Get Worse, Wait Until the Aquifers Are Drained published
August 21st, 2014. Accessed June 25th, 2015. http://news.nationalgeographic.com/news/2014/08/140819groundwater-california-drought-aquifers-hidden-crisis/#) KalM
This coincides with a nationwide trend of groundwater declines. A 2013 study of 40 aquifers across the United States by the
U.S. Geological Survey reports that the rate of groundwater depletion has increased dramatically since 2000, with almost
25 cubic kilometers (six cubic miles) of water per year being pumped from the ground. This compares to about 9.2 cubic
kilometers (1.48 cubic miles) average withdrawal per year from 1900 to 2008. Scarce groundwater supplies also are being used for
energy. A recent study from CERES, an organization that advocates sustainable business practices, indicated that competition for water by
hydraulic fracturing - a water-intensive drilling process for oil and gas known as "fracking" - already occurs in dry regions of the
United States. The February report said that more than half of all fracking wells in the U.S. are being drilled in regions
experiencing drought, and that more than one-third of the wells are in regions suffering groundwater depletion. Satellites have allowed us to
more accurately understand groundwater supplies and depletion rates. Until these satellites, called GRACE (Gravity Recovery and Climate Experiment),
were launched by NASA, we couldn't see or measure this developing invisible crisis. GRACE has given us an improved picture of groundwater worldwide,
revealing how supplies are shrinking in several regions vulnerable to drought: northern India, the North China Plain, and the Middle East among them.
As drought worsens groundwater depletion, water supplies for people and farming shrink, and
this scarcity can set the table for social unrest . Saudi Arabia, which a few decades ago began pumping deep underground
aquifers to grow wheat in the desert, has since abandoned the plan, in order to conserve what groundwater supplies remain, relying instead on imported
wheat to feed the people of this arid land.
Water supplies are uniquely vulnerable to cyber-attacks
Ginter 15 (Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider
of Unidirectional Security Gateways for industrial control networks and critical infrastructures.
WaterWorld.com: High-Tech Threats: Top Cybersecurity Issues Facing Water Utility Control Systems.
Copyright date is 2015. Accessed June 25th, 2015. http://www.waterworld.com/articles/print/volume29/issue-10/editorial-features/high-tech-threats-top-cybersecurity-issues-facing-water-utility-controlsystems.html) KalM
Recent Department of Homeland Security reports have highlighted poor security among the nation's water
utilities, where operations networks and control systems are inadequately protected . The security situation in critical
infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity
situations. Are firewalls - the most common form of security in the market - capable of combatting modern threats? Would water system utilities be
better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the
efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that
routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions. Firewalls
and Modern Security Threats Firewalls are a staple of industrial cybersecurity programs, but they have many inherent
flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to
configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce
vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems
underlying that software, some of which can be exploited as security vulnerabilities. In order to prevent
exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even
worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally
expose these environments to numerous types of attacks. For example, phishing attacks send email through a firewall to persuade recipients to either
reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have
been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix
because they are essential to the design of the firewall's features. Even if connections through firewalls are initiated from the control network side, once the connections are established,
they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks
back to systems on the protected network. This means that utilities cannot deliver any confidence that their
operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must
compensate for it.
could pose a major threat to global security. "People do not have the luxury of living
without water and when faced with a life or death decision, people tend to do whatever they must to survive," the report said. "In this
manner, changes in fundamental hydrology are likely to cause new kinds of conflict , and it can be expected that both water
scarcity and flooding will become major transboundary water issues." Global warming is causing extreme weather events
that are nudging water supply issues from bad to desperate. On their own, vanishing rivers or droughts could devastate a year's worth of crops but
combined and over time, they pose a civilizational threat. At
with water isn't about total volume - it's about distribution. Water isn't always where people need it when they need it, and all societies need it for
everything: health, sanitation, agricultural production, energy and industry. The ability to handle distribution to meet these demands is largely a function
of wealth. While affluent countries are generally able to manage the resources to meet demand, poorer countries frequently lack the infrastructure to
deliver clean, safe water. Their economies also tend to rely disproportionately on deregulated and dirty extractive industries like coal mining that
contaminate already-scarce water supplies. Impoverished nations are already suffering from serious water woes. Three-quarters of a billion people lack
access to clean water, and water-related disease takes the lives of about 840,000 a year, according to Water.org. Women and children spend 140 million
hours a day collecting usable water, often from unclean sources. A growing problem: As the world's population grows and endures increasingly volatile
weather patterns, water management problems are on the brink of becoming far worse for much larger swathes of the global population. "The ways we
need water and the way the environment provides water are increasingly not matching up, because things like climate change make it less and less
predictable," Janet Redman, the climate policy director at the Institute for Policy Studies in Washington D.C., told Mic. "We built our society around
when we can get water, when we can grow food, how we have to house ourselves, because we understand the environment around us after living in it for
hundreds and hundreds and hundreds of generations. "The problem now, partly due to climate change, we can't predict the patterns, of rainfall, where
water is going to be when, when things melt, how floods and droughts work - we're out of sync with the environment because we've changed the
environment in a pretty significant way." How shortages breed conflict: The decline in our ability to predict the flow of the world's water based on
historical patterns, called "relative hydrological stationarity" in the scientific community, is a game changer. "The loss of stationarity is playing poker
with a deck in which new cards you have never seen before keep appearing more and more often, ultimately disrupting your hand to such an extent that
the game no longer has coherence or meaning," the report said. That trickling in of new cards is dangerous. Lack of water has played a role in countless
conflicts on a sub-national level. The Pacific Institute has documented hundreds of instances of water-related conflict in the past half-century which
range from Kenyan tribes clashing over water amidst droughts to riots in South Africa over lack of access to clean water. As water supply experts Shira
Yoffe and Aaron Wolf have noted, scarcity of clean freshwater has contributed to many episodes of acute violence on a small geographic scale across the
world, such as bloody conflict between states within India over access to the Kaveri River. Adel Darwish, co-author of Water Wars: Coming Conflicts in
the Middle East, has argued that access to water has played a significant role in the Arab-Israeli conflict, including the 1967
war.
More recent conflicts include a hidden element of water scarcity to them. Inter-ethnic conflict in Sudan in the
2000s was also driven by warring over access to clean water. Today, the militant Islamist State group is reportedly using control of water in
Iraq and Syria as a tool of war. It affects everyone: It's increasingly clear that even rich countries cannot keep their water supplies safe from the
consequences of climate change and extreme weather events or from the instability that follows. In recent years California has experienced its worst
drought in recorded history, which has rippled through both the local and national economy. Floods in the Canadian province of Manitoba in 2011 and
2014 caused the government's budget deficit to swell and ultimately led to political leaders resigning, according to the U.N. report. Insecurity can bubble
up in even the places that are taken for granted as stable. The world's water supply crisis is a serious one: By 2050, sustaining the planet will require at
least 50% more water than it does today, according to the New Yorker.
surprised cyber-experts is the speed with which cyber-attack capabilities are now
proliferating. No-one was surprised that the first tier of cyber-states - the US, UK, China, Israel and Russia - were capable
of carrying out destructive attacks on infrastructure, but the speed with which others - such as Iran - were able
to do the same has caused consternation and is a sign of how far cyber-attack can be a force-equaliser between different
nations who might otherwise have wildly different capabilities. Capabilities
group calling itself
Islamic State. There are fears the use of destructive attacks against industrial control systems - like
Stuxnet - could also spread. Closing down a city At a recent Cyber Security Challenge, Dr Kevin Jones, from Airbus, showed me how a model city
connected up to the internet could have its power switched off remotely. "Unless we put a security architecture in place, this is very possible," he says. A
German government report said a steel mill had been damaged by a cyber-attack last year - the perpetrators were unknown. Dr Jones believes the
attackers got in through the regular corporate infrastructure, although it is not clear how far they deliberately targeted the control systems for the blast
furnace that was damaged. When it comes to the cyber-arms race, are Western countries still in the lead? Some argue the top end of cyber-
espionage tools may well still be in the hands of the US. The security firm Kaspersky Labs, for instance, recently revealed the work of
hackers they called the Equation Group, who were highly sophisticated. "The Equation Group are masters of cloaking and hiding," says Costin Raiu,
director of the Global Research and Analysis Team at Kaspersky Labs, pointing to the ability of the group to get inside the firmware of machines and then
launch highly advanced attacks. "This is insanely complicated to be honest," he says. Kaspersky Labs will not directly point the finger, but the widespread
assumption is that the Equation Group is linked to America's National Security Agency (there are links with the codes
used in Stuxnet as well). Documents released by the American whistle-blower Edward Snowden have also raised the profile of Britain's cyber-activities.
"GCHQ has formidable resources," says Eric King, of the group Privacy International, whose concern lies in the lack of a transparent framework of
accountability over offensive hacking. "In the last year and a half, we've seen their malware. The depth of the work and where they are going is very
formidable." He says: "We have non-existent policies, practices, legal safeguards to oversee this." (GCHQ always maintains its activities are lawful and
subject to oversight). Commercially available Another concern is the way in which some of these cyber-espionage capabilities are
now commercially available and being used by more authoritarian states. "Companies are providing
surveillance as a consultancy service," says Mr King, who adds foreign law enforcement and intelligence agencies
can then use the bought services to hack dissidents and activists based in the UK. The capabilities may be spreading to more and
more actors but a small handful of states still operate at the highest level. One senior Western intelligence official believes the Russians are
already ahead of the US and UK - partly because of the level of resources, mainly people - they throw at finding and
exploiting vulnerabilities. That official, of course, may be bluffing, but they also said they did not think it would be long before the
Chinese had also not just caught up but moved ahead.
That goes nuclear due to command and control hacking, crisis instability, and fracturing
nuclear agreements
Austin 13 [Director of Policy Innovation at the EastWest Institute, Costs of American Cyber Superiority,
8/6, http://www.chinausfocus.com/peace-security/costs-of-american-cyber-superiority/] //khirn
The United States is racing for the technological frontier in military and intelligence uses of cyber space. It is
ahead of all others, and has mobilized massive non-military assets and private contractors in that effort. This
constellation of private sector opportunity and deliberate government policy has been aptly labeled in recent
months and years by so many credible observers (in The Economist, The Financial Times and the MIT Technology
Review) as the cyber industrial complex. The United States is now in the unusual situation where the head of a spy
agency (NSA) also runs a major military unified command (Cyber Command). This is probably an unprecedented alignment of
Praetorian political power in any major democracy in modern political history. This allocation of such political
weight to one military commander is of course for the United States to decide and is a legitimate course of
action. But it has consequences. The Snowden case hints at some of the blow-back effects now visible in public. But there are others, less visible. The
NSA Prism program exists because it is technologically possible and there have been no effective restraints on its international targeting. This lack of
restraint is especially important because the command and control of strategic nuclear weapons is a
potential target both of cyber espionage and offensive cyber operations. The argument here is not to suggest a
similarity between the weapons themselves, but to identify correctly the very close relationship between cyber operations
and nuclear weapons planning. Thus the lack of restraint in cyber weapons might arguably affect
(destabilize) pre-existing agreements that constrain nuclear weapons deployment and possible use. The cyber
superiority of the United States, while legal and understandable, is now a cause of strategic instability between nuclear
armed powers. This is similar to the situation that persisted with nuclear weapons themselves until 1969 when
the USSR first proposed an end of the race for the technological frontier of potential planetary devastation.
After achieving initial capability, the U.S. nuclear missile build up was not a rational military response to each
step increase in Soviet military capability. It was a race for the technological frontier by both sides with insufficient recognition of the
consequences. This conclusion was borne out by a remarkable Top Secret study commissioned in 1974 by the U.S. Secretary of Defense, Dr James
Schlesinger. By the time it was completed and submitted in 1981, it assessed that the nuclear arms build-up by both sides was driven not by a supposed
tit for tat escalation in capability of deployed military systems but rather by an unconstrained race for the technological limits of each side's military
potential and by its own military doctrinal preferences. The decisions of each side were not for the most part, according to this now declassified study, a
direct response to particular systems that the other side was building. In 1969, the USSR acted first to propose an end to the race for the technological
frontier of nuclear weapons because it knew it was losing the contest and because it knew there was political sentiment in the United States and in its
Allied countries that supported limitations on the unbridled nuclear fetish. As we ponder the American cyber industrial complex of
today, we
see a similar constellation of opposition to its power emerging. This constellation includes not just the
political rivals who see they are losing in cyber space (China and Russia), but nervous allies who see themselves
as the likely biggest victims of the American race for cyber superiority, and loyal American military commanders who can see
the risks and dangers of that quest. It is time for the United States to take stock of the collateral damage that its quest for cyber military power, including
its understandable quest for intelligence superiority over the terrorist enemy, has caused amongst its allies. The loss has not yet been seen at the high
political level among allies, in spite of several pro forma requests for information from countries such as Germany. The loss of U.S. credibility has
happened more at the popular level. Around the world, once loyal supporters of the United States in its war on terrorism had a reasonable expectation to
be treated as faithful allies. They had the expectation, perhaps naive, that privacy was a value the Americans shared with them. They did not expect to be
subject to such a crude distinction (you are all non-Americans now). They did not want to know that their entire personal lives in cyber space are now
recoverable should someone so decide by the running of a bit of software in the NSA. After the Prism revelations, so many of these foreign citizens
with an internationalist persuasion and solidarity for the United States now feel a little betrayed. Yet, in the long run, the most influential
voice to end the American quest for cyber military superiority may come from its own armed forces. There are
military figures in the United States who have had responsibility for nuclear weapons command and control systems
and who, in private, counsel caution. They advocate the need to abandon the quest for cyber dominance
and pursue a strategy of mutual security in cyber space - though that has yet to be defined. They cite military
exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that
might affect critical nuclear command and control or wider war mobilization functions. Strategic nuclear
stability may be at risk because of uncertainty about innovations in cyber attack capability. This
question is worth much more attention. U.S. national security strategy in cyber space needs to be brought under
stronger civilian oversight and subject to more rigorous public scrutiny. The focus on Chinese cyber
espionage has totally preempted proper debate about American cyber military power. Most in the United States Congress
have lined up to condemn Snowden. That is understandable. But where are the critical voices looking at the bigger picture of strategic instability in
cyberspace that existed before Snowden and has now been aggravated because of him? The Russian and Chinese rejections of reasonable U.S. demands
for Snowden's extradition may be every bit as reasonable given their anxiety about unconstrained American cyber superiority.
U.S. and Russian commanders Thursday called for scrapping hair-trigger alerts on
especially
in an age of
cyberattacks. Retired military officers from the United States, Russia and other nuclear powers issued a report warning of the mounting dangers
of the short fuses that allow hundreds of atomic weapons to be launched within minutes. The high alert status is a legacy of outdated
Cold War doctrine, when U.S. and Soviet leaders feared a devastating first strike that could decapitate an
entire nuclear force, according to the report sponsored by the disarmament group Global Zero. Hundreds of missiles carrying
nearly 1,800 warheads are ready to fly at a moment's notice, said the report. These legacy postures of the Cold War
are anachronisms but they remain fully operational. The hair-trigger alert, which applies to half of the U.S. and
Russian arsenals, is particularly dangerous in an era when warning and decision timelines are getting shorter,
and consequently the potential for fateful human error in nuclear control systems is growing larger. The
also exacerbates the risks of the alert status, opening the way for false alarms or even a hijacking of the
control systems for the weapons, it said. Vulnerability to cyber attack . . . is a new wild card in the deck, it said. The report calls for the
United States and Russia to renounce the prompt-alert arrangements and to require 24 to 72 hours before a nuclear weapon could be launched. And it
also urges forging a binding agreement among all countries to refrain from putting their nuclear forces on high alert. There are a set of vulnerabilities
particularly for the U.S. and Russia in these systems that were built in the fifties, sixties, seventies and eighties, said James Cartwright, the retired four-star general who once was in charge of the U.S. nuclear arsenal. Many
Cartwright said at a news conference.
And, low response times mean there's a greater timeframe and probability than traditional
nuclear escalation
Dycus 10 [Stephen is a Professor of national security law at Vermont Law School, former member of the
National Academies committee on cyber warfare, LLM, Harvard University, LLB, BA, Southern Methodist
University, Congress's Role in Cyber Warfare, Journal of National Security Law & Policy, 4(1), 2010, p. 161-164, http://www.jnslp.com/read/vol4no1/11_Dycus.pdf] //khirn
In other ways, cyber weapons are critically different from their nuclear counterparts. For one thing, the time
frame for response to a cyber attack might be much narrower. A nuclear weapon delivered by a land-based ICBM
could take 30 minutes to reach its target. An electronic attack would arrive instantaneously, and leave no time
to consult with or even inform anyone outside the executive branch before launching a counterstrike, if that were U.S.
policy.
show that we're putting security ahead of surveillance, we can begin to restore that trust. And by
making the decision process much more public than it is today, we can demonstrate both our trustworthiness and the
value of open government. An unpatched vulnerability puts everyone at risk, but not to the same degree. The U.S. and
other Western countries are highly vulnerable, because of our critical electronic infrastructure, intellectual property,
and personal wealth. Countries like China and Russia are less vulnerable - North Korea much less - so they have considerably less incentive to see
vulnerabilities fixed. Fixing vulnerabilities isn't disarmament; it's making our own countries much safer. We also regain the moral authority to negotiate any broad international reductions in cyber-weapons; and we
can decide not to use them even if others do. Regardless of our policy towards hoarding vulnerabilities, the most important
thing we can do is patch vulnerabilities quickly once they are disclosed. And that's what companies are doing, even without any
government involvement, because so many vulnerabilities are discovered by criminals. We also need more research in automatically finding and fixing
vulnerabilities, and in building secure and resilient software in the first place. Research over the last decade or so has resulted in software vendors being
able to find and close entire classes of vulnerabilities. Although there are many cases of these security analysis tools not being used, all of our security is
improved when they are. That alone is a good reason to continue disclosing vulnerability details, and something the NSA can do to vastly improve the
security of the Internet worldwide. Here again, though, they would have to make the tools they have to automatically find vulnerabilities available for
defense and not attack. In today's cyberwar arms race, unpatched vulnerabilities and stockpiled cyber-weapons are
inherently destabilizing, especially because they are only effective for a limited time. The world's militaries are investing more money in
finding vulnerabilities than the commercial world is investing in fixing them. The vulnerabilities they discover affect the security of
us all. No matter what cybercriminals do, no matter what other countries do, we in the U.S. need to err on the side of security and fix almost all the
vulnerabilities we find. But not all, yet.
efficiency through processes that could well be useful in regulating cyber activities. Transnational agreements that contribute to
cybersecurity will only be possible, however, if they take into account the substantial differences that exist between activities regulated by established
international regimes and cyber systems. Many states will be unprepared at this time to agree to limit their control of cyber activities they regard as
essential to their national security interests. International agreements will also be impossible where irreconcilable differences in policies exist among
states, particularly regarding political uses of the Internet, privacy, and human rights. But, while these factors limit the potential scope and utility of
international cyber-security agreements, they do allow for international cooperation on many issues that could prove
beneficial. The potential for improving cyber security through international agreements can best be realized through a program that identifies: the
activities likely to be subjects of such agreements and those that are not; the measures likely to be used by parties to improve cyber security in each area
of activity appropriate for international cooperation; and the form which any international body that may be utilized or established for this purpose
should assume, the authority such a body would be assigned, and the basis upon which its activities would be governed.
agreements
International
economic and national security interests. "Countries or individuals that engage in cyber attacks should face consequences and
international condemnation," she warned, alluding to the China-Google kerfuffle. We should "create norms of behavior among states
and encourage respect for the global networked commons." Perhaps so. But the problem with Clinton's call for
accountability and norms on the global network -- a call frequently heard in policy discussions about cybersecurity -- is the
enormous array of cyberattacks originating from the United States. Until we acknowledge these attacks
and signal how we might control them, we cannot make progress on preventing cyberattacks
emanating from other countries. An important weapon in the cyberattack arsenal is a botnet, a cluster of thousands and sometimes millions
of compromised computers under the ultimate remote control of a "master." Botnets were behind last summer's attack on South Korean and American
government Web sites, as well as prominent attacks a few years ago on Estonian and Georgian sites. They are also engines of spam that can deliver
destructive malware that enables economic espionage or theft. The United States has the most, or nearly the most, infected botnet computers and is thus
the country from which a good chunk of botnet attacks stem. The government could crack down on botnets, but doing so would raise the cost of software
or Internet access and would be controversial. So it has not acted, and the number of dangerous botnet attacks from America grows. The United States is
also a leading source of "hacktivists" who use digital tools to fight oppressive regimes. Scores of individuals and groups in the United States design or
employ computer payloads to attack government Web sites, computer systems and censoring tools in Iran and China. These efforts are often supported
by U.S. foundations and universities, and by the federal government. Clinton boasted about this support seven paragraphs after complaining about
cyberattacks. Finally, the U.S. government has perhaps the world's most powerful and sophisticated
offensive cyberattack capability. This capability remains highly classified. But the New York Times has reported that the Bush
administration used cyberattacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran's
nuclear weapons program. And the government is surely doing much more. "We have U.S. warriors in cyberspace that are deployed
overseas" and "live in adversary networks," says Bob Gourley, the former chief technology officer for the Defense Intelligence Agency.
These warriors are now under the command of Lt. Gen. Keith Alexander, director of the National Security Agency. The NSA, the
world's most powerful signals intelligence organization, is also in the business of breaking into and extracting data from offshore
enemy computer systems and of engaging in computer attacks that, in the NSA's words, "disrupt, deny, degrade, or destroy the information" found in
these systems. When the Obama administration created "cyber command" last year to coordinate U.S. offensive cyber capabilities, it nominated
Alexander to be in charge. Simply put, the United States is in a big way doing the very things that Clinton criticized. We are not,
like the Chinese, stealing intellectual property from U.S. firms or breaking into the accounts of democracy
advocates. But we are aggressively using the same or similar computer techniques for ends we deem
worthy. Our potent offensive cyber operations matter for reasons beyond the hypocrisy inherent in undifferentiated condemnation of cyberattacks.
Even if we could stop all cyberattacks from our soil, we wouldn't want to. On the private side, hacktivism can be a tool of liberation. On the public side,
the best defense of critical computer systems is sometimes a good offense. "My own view is that the only way to counteract both criminal and espionage
activity online is to be proactive," Alexander said last year, adding that if the Chinese were inside critical U.S. computer systems, he would "want to go
and take down the source of those attacks." Our adversaries are aware of our prodigious and growing offensive cyber
capacities and exploits. In a survey published Thursday by the security firm McAfee, more information technology experts from critical
infrastructure firms around the world expressed concern about the United States as a source of computer network
attacks than about any other country. This awareness, along with our vulnerability to cyberattacks, fuels a dangerous
public and private cyber arms race in an arena where the offense already has a natural advantage.
1AC SOLVENCY
The plan solves effective information sharing between the government and private sector --- a
signal of clear commitment and a steady flow of actionable disclosure is key to cooperative
cyberdefense --- overcomes legal barriers
Rosenzweig 12 [Paul, leading cybersecurity expert, founder of Red Branch Consulting PLLC, a homeland
security consulting company, and a Senior Advisor to The Chertoff Group, Cybersecurity and Public Goods:
The Public/Private Partnership, An Emerging Threats Essay, Hoover Institution, Stanford] //khirn
Information Sharing, Public Goods, and the Law This economic understanding of cybersecurity suggests why a
these legal limitations may be less constricting than they are perceived to be. In the end, what really restricts
cooperation are the inherent caution of lawyers who do not wish to push the envelope of legal authority and/or
policy and economic factors such as proprietary self-interest that limit the desire to cooperate. The information in question will relate, broadly speaking,
either to specific threats from external actors (for example, knowledge from an insider that an intrusion is planned) or to specific vulnerabilities (for
example, the identification of a security gap in a particular piece of software). In both situations, the evidence of the threat or vulnerability can come in
one of two forms: either non-personalized information related to changes in types of activity on the network, or personalized information about the
actions of a specific individual or group of individuals.48 Needless to say, the sharing of the latter category of Personally Identifiable Information (PII) is
of greater concern to civil libertarians than the sharing of network traffic information.49 Information Sharing from the Government to the Private Sector
Some suggest that the principal barriers to an effective public/private partnership in combating cyber threats are limitations on the government's ability
to share threat and vulnerability information with the private sector. Sometimes the government has collected this information
using sources and methods that are classified, and disclosure of the information risks compromising those
sources and methods. Less frequently, the existence of the threat or vulnerability is itself classified information, since disclosure of its existence
or scope might adversely affect security. In general, classification rules serve a salutary purpose - they protect information whose
disclosure reasonably could be expected to cause exceptionally grave damage to the national security.50 That instinct against disclosure,
however, conflicts with a newer post-9/11 standard of enhanced information sharing. In the realm of cybersecurity,
these conflicting impulses are a constant source of tension. For example, the Government Accountability Office reported last year that a survey of
and actionable cyber threat and alert information [that is,] providing the right information to the right
persons or groups as early as possible to give them time to take appropriate action. However, only 27 percent of
private sector survey respondents reported that they were receiving timely and actionable cyber threat
information and alerts to a great or moderate extent.51 Likewise, private sector actors report that they do not routinely
receive the security clearances required to adequately receive and act upon classified threat information.52 For the
most part, these problems are ones of policy, rather than law. No legal barrier prevents provision of the requisite security clearances --
it is simply a matter of inadequate resources. Likewise, the untimeliness of US-CERT's alert process is more the product of the need for internal review
and the government's insistence on accuracy over timeliness than it is of any legal barrier to sharing. And, indeed, this policy choice may be the right one,
since inaccuracy will erode the government's credibility -- but the cautious impulse still makes government information sharing less effective. Still, there
may be some legal restrictions beyond classification that do interfere with information sharing. According to the GAO, DHS officials report that US-CERT's ability to provide information is impacted by restrictions that do not allow individualized treatment of one private sector entity over another
private sector entity -- making it difficult to formally share specific information with entities that are being directly impacted by a cyber threat.53 The
apparent need to avoid the appearance of favoritism amongst private sector actors may be a barrier that needs re-consideration (though this reference is
the only time the author has seen this problem identified, raising a question about its general applicability).54 Even this limited legal prohibition seems
to have had little practical effect. As Google's request for assistance to the NSA demonstrates, there are plainly situations in which
company-specific assistance can be rendered by the government. Indeed, the Google experience is in the midst of
being generalized. Recently the Department of Defense announced the continuation of a pilot project wherein it
would share threat signature information with Internet Service Providers (ISPs) which, in turn, would use that
information to protect the systems of private corporations that are part of the Defense Industrial Base (DIB).55
This pilot program is voluntary and involves only the one-way transfer of information from the government to
the private sector -- a structure that alleviates most, if not all, of the legal concerns about government
surveillance activities.56 More broadly, the Obama administration's draft cybersecurity proposal would codify
authority for DHS to provide assistance to the private sector upon request.57 Thus, these problems are not likely
place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but
leaves open a massive loophole: But Mr. Obama carved a broad exception for "a clear national security or law enforcement need," the officials
said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design
cyberweapons. Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not
exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say."
Of course, the cold war analogy used by people in the article seems... wrong: "We don't eliminate nuclear weapons until the Russians do," one senior
intelligence official said recently. "You are not going to see the Chinese give up on zero days just because we do." Except,
it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple
fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using
those zero days. In fact, closing zero days is just like disarming both sides, because it takes the
vulnerability out of service. It's not about us giving up our "weapons," it's about building a better
defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone
-- other than themselves.
US is the lynchpin of the zero-days market---that sustains the arms race and global cyberattacks --- the plan reverses that and reduces the market drastically
Perlroth and Sanger 13 (Nicole Perlroth covers cyberattacks, hackers and the cybersecurity industry for
The Times's business news section. She is a graduate of Princeton University, Stanford University's Graduate
School of Journalism and is a guest lecturer at Stanford's graduate schools of business and communications.
David Sanger is the chief Washington correspondent of The New York Times. "Nations Buying as Hackers Sell
Flaws in Computer Code," July 13, 2013, http://www.nytimes.com/2013/07/14/world/europe/nations-buyingas-hackers-sell-computer-flaws.html)//CLi
Now, the market for information about computer vulnerabilities has turned into a gold rush. Disclosures by Edward J. Snowden, the former N.S.A. consultant who leaked classified documents, made it clear that the United States is
among the buyers of programming flaws. But it is hardly alone. Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North
Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying,
too, according to the Center for Strategic and International Studies in Washington. To connect sellers and buyers, dozens of well-connected brokers now
market information on the flaws in exchange for a 15 percent cut. Some hackers get a deal collecting royalty fees for every month their flaw is not
discovered, according to several people involved in the market. Some individual brokers, like one in Bangkok who goes by "the Grugq" on Twitter, are
well known. But after the Grugq spoke to Forbes last year, his business took a hit from the publicity, according to a person familiar with the impact,
primarily because buyers demand confidentiality. A broker's approach need not be subtle. "Need code execution exploit urgent," read the subject line of
an e-mail sent from one contractor's intermediary last year to Billy Rios, a former security engineer at Microsoft and Google who is now a director at
Cylance, a security start-up. "Dear Friend," the e-mail began. "Do you have any code execution exploit for Windows 7, Mac, for applications like Browser,
Office, Adobe, SWF any." "If yes," the e-mail continued, "payment is not an issue." For start-ups eager to displace more established military contractors,
selling vulnerabilities and expertise about how to use them has become a lucrative opportunity. Firms like Vupen in Montpellier, France; Netragard
in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, Mr. Auriemma's and Mr. Ferrante's Maltese firm, freely advertise that they sell
knowledge of the flaws for cyberespionage and in some cases for cyberweapons. Outside Washington, a Virginia start-up named Endgame -- in which a
former director of the N.S.A. is playing a major role -- is more elusive about its abilities. But it has developed a number of tools that it sells primarily to
the United States government to discover vulnerabilities, which can be used for fighting cyberespionage and for offensive purposes. Like ReVuln, none of
the companies will disclose the names of their customers. But Adriel Desautels, the founder of Netragard, said that his clients were strictly U.S. based
and that Netragard's exploit acquisition program had doubled in size in the past three years. The average flaw now sells from around $35,000 to
$160,000. Chaouki Bekrar, the founder of Vupen, said his company did not sell to countries that are subject to European Union, United States or United
Nations restrictions or embargoes. He also said revenue was doubling every year as demand surged. Vupen charges customers an annual $100,000
subscription fee to shop through its catalog, and then charges per sale. Costs depend on the sophistication of the vulnerability and the pervasiveness of
the operating system. ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access or disrupt water
treatment facilities, oil and gas pipelines and power plants. "They are engaging in willful blindness," said Christopher Soghoian, a senior policy analyst at
the American Civil Liberties Union. Many technology companies have started bug bounty programs in which they pay hackers to tell them about bugs
in their systems rather than have the hackers keep the flaws to themselves or worse, sell them on the black market. Nearly a decade ago the Mozilla
Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed
suit. In recent months, bounties have soared. In 2010, Google started paying hackers up to $3,133.70 -- the number is hacker code for "elite" -- for bugs
in its Web browser Chrome. Last month, Google increased its cash prize to $20,000 for flaws found in some of its widely used products. Facebook began
a similar program in 2011 and has since paid out $1 million. (One payout included $2,500 to a 13-year-old. The most it has paid for a single bug is
$20,000.) "The program undermines the incentive to hold on to a bug that might be worth nothing in a day," said Joe Sullivan, Facebook's chief security
officer. It had also had the unintended effect of encouraging ethical hackers to turn in others who planned to use its bugs for malicious use. "We've seen
people back-stab other hackers by ratting out a bug that another person planned to use maliciously," he said. Microsoft, which had long resisted such a
program, did an about-face last month when it announced that it would pay hackers as much as $150,000 for information about a single flaw, if they also
provided a way to defend against it. Apple still has no such program, but its vulnerabilities are some of the most coveted. In one case, a zero-day exploit
in Apple's iOS operating system sold for $500,000, according to two people briefed on the sale. Still, said Mr. Soghoian of the A.C.L.U., The bounties
pale in comparison to what
the government
the market. In many ways, the United States government created the market. When the United
States and Israel used a series of flaws -- including one in a Windows font program -- to unleash what became known as the Stuxnet
worm, a sophisticated cyberweapon used to temporarily cripple Iran's ability to enrich uranium, it showed the world what was possible. It also
became a catalyst for a cyberarms race. When the Stuxnet code leaked out of the Natanz nuclear enrichment plant in Iran in the
summer of 2010, the flaws suddenly took on new value. Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and
Duqu that used flaws to spy on computers in Iran have only fueled interest. "I think it is fair to say that no one anticipated where this was going," said
one person who was involved in the early American and Israeli strategy. "And today, no one is sure where it is going to end up." In a prescient paper in
2007, Charlie Miller, a former N.S.A. employee, described the profitable alternatives for hackers who may have otherwise turned their information about
flaws over to the vendor free, or sold it for a few thousand dollars to programs like Tipping Point's Zero Day Initiative, now run by Hewlett-Packard,
which used them to enhance their security research. He described how one American government agency offered him $10,000 for a Linux bug. He asked
another for $80,000, which agreed "too quickly," Mr. Miller wrote. "I had probably not asked for enough." Because the bug did not work with a
particular flavor of Linux, Mr. Miller eventually sold it for $50,000. But the take-away for him and his fellow hackers was clear: There was serious money
to be made selling the flaws. At their conventions, hackers started flashing signs that read, "No more free bugs." Hackers like Mr. Auriemma, who once
gave away their bugs to software vendors and antivirus makers, now sound like union organizers declaring their rights. "Providing professional work for
free to a vendor is unethical," Mr. Auriemma said. "Providing professional work almost for free to security companies that make their business with your
research is even more unethical." Experts say there is limited incentive to regulate a market in which government agencies
are some of the biggest participants.
Disclosing vulnerabilities amounts to disarming the NSA --- zero-days are key
Kehl et al. 14 [Danielle Kehl is a Policy Analyst at New America's Open Technology Institute (OTI). Kevin
Bankston is the Policy Director at OTI, Robyn Greene is a Policy Counsel at OTI, and Robert Morgus is a
Research Associate at OTI, New America is a nonprofit, nonpartisan public policy institute that invests in new
thinkers and new ideas to address the next generation of challenges facing the United States, Policy Paper,
"Surveillance Costs: The NSA's Impact on the Economy, Internet Freedom & Cybersecurity," July 2014,
https://www.newamerica.org/oti/surveillance-costs-the-nsas-impact-on-the-economy-internet-freedom-andcybersecurity/] //khirn
In April 2014, Bloomberg reported that the NSA had known for at least two years about the Heartbleed bug, a security vulnerability in the OpenSSL
protocol that reportedly affected millions of websites worldwide, and regularly used it to gather critical intelligence.282 Although the allegations --
which the Office of the Director of National Intelligence quickly denied -- appear to be false,283 the story turned the spotlight on one of the least reported
NSA practices: that the agency
can later exploit the vulnerabilities to collect information or infect target devices with malware,
rather than disclosing the vulnerabilities to companies so that they can be patched.284 The practice was referred to indirectly or in
passing in a number of the stories about the NSA programs, particularly in the December 2013 Der Spiegel series describing the
behavior of the NSA's Tailored Access Operations Unit.285 But the emphasis at that time was on the malicious activity the NSA
was able to carry out as a result of those vulnerabilities, and not on the security risk created by the stockpiling
itself, which leaves companies and ordinary users open to attack not just from the NSA but from anyone
who discovers or learns about the flaws. In recent years, a substantial market for information about
security vulnerabilities has sprung up, with governments joining companies and security researchers in hunting
for and trading information about how to exploit holes in mass-market software and services.286
According to the leaks, the NSA and related branches of the U.S. intelligence apparatus spend millions of dollars looking
for software flaws and other vulnerabilities, targeting everything from the commercial software sold by
American companies to widely used open-source protocols like OpenSSL.287 The NSA employs more than a
thousand researchers and experts using a variety of sophisticated techniques to look for bugs.288
Zero-day exploits, a term that refers to vulnerabilities that have been discovered but have not yet been disclosed to the public or the
vendor,289 are particularly coveted because it is much harder to protect systems from an attack against an
unknown weakness. Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned
that giving up the capability to exploit undisclosed vulnerabilities would amount to unilateral
disarmament, wrote cybersecurity expert David E. Sanger.290 According to Sanger, one senior White House official told him, "I can't imagine
the president -- any president -- entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting
war."291 In theory, the NSA's dual mission of carrying out signals intelligence (SIGINT) and protecting communications security (COMSEC) for military
and diplomatic communications should be mutually beneficial when it comes to vulnerabilities and exploits, because SIGINT could inform COMSEC
about potential weaknesses and vice versa. However, as Steven Bellovin, Matt Blaze, Sandy Clark, and Susan Landau write, reality is in fact very
different. COMSEC's awareness of the need to secure certain communications channels has often been thwarted by SIGINT's desire that patching be
delayed so that it can continue to exploit traffic using the vulnerability in question.292 When the NSA discovers vulnerabilities in
communications technologies and other products, it
vulnerabilities to the companies since the companies will patch them, forcing the NSA to look for new
ways to access the information it seeks. Thus -- as in the case of encryption standards -- the NSA's signals intelligence mission
has interfered with the NSA's information assurance mission, and the agency has built a massive catalogue of
software and hardware vulnerabilities that it has stockpiled for its own purposes rather than disclosing
them to vendors so that they can be fixed.293 The Director of National Intelligence recently revealed the existence of an
interagency process -- referred to as the Vulnerabilities Equities Process -- designed to facilitate the responsible disclosure of vulnerabilities,294 but the
extent to which the NSA provides information through the process is unclear.295 NSA Director and Commander of U.S. Cyber Command Vice Admiral
Michael S. Rogers explained to the Senate Armed Services Committee during his confirmation that within NSA, there is a process for handling 0-day
vulnerabilities discovered in any commercial product or system (not just software) utilized by the U.S. and its allies [where] all vulnerabilities
discovered by NSA are documented, subject to full analysis, and acted upon promptly.296
The status quo provides incentives for writing software with vulnerabilities --- the signal of the
plan is crucial to long-term cybersecurity
Schneier 12 [Bruce, security expert with 13 books, fellow at the Berkman Center for Internet & Society at
Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute and the
CTO of Resilient Systems, "The Vulnerabilities Market and the Future of Security," Forbes, 5/30/2012,
http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-ofsecurity/] //khirn
Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software
companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal
organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who sell to governments, who buy
vulnerabilities with the intent of keeping them secret so they can exploit them. This market is larger
than most people realize, and it's becoming even larger. Forbes recently published a price list for zero-day exploits, along with the story of a
hacker who received $250K from a U.S. government contractor (At first I didn't believe the story or the price list, but I have been convinced that they
both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day exploits. Other companies doing this range from
startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General Dynamics, and Raytheon. This is very different than
in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a 2010 survey implied that there wasn't much money in
selling zero days. The market has matured substantially in the past few years. This new market perturbs the economics of finding security vulnerabilities.
And it does so to the detriment of us all. I've long argued that the process of finding vulnerabilities in software system increases
overall security. This is because the economics of vulnerability hunting favored disclosure. As long as the
principal gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities was the only
obvious path. In fact, it took years for our industry to move from a norm of full-disclosure -- announcing the vulnerability
publicly and damn the consequences -- to something called "responsible disclosure": giving the software vendor a head start in
fixing the vulnerability. Changing economics is what made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land
some lucrative consulting gigs, and being a responsible security researcher helped. But regardless of the motivations, a disclosed vulnerability
is one that -- at least in most cases -- is patched. And a patched vulnerability makes us all more secure. This is why the
new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it's even
more lucrative than the public vulnerabilities market means that more hackers will choose this path. And unlike the
previous reward of notoriety and consulting gigs, it gives software programmers within a company the incentive
to deliberately create vulnerabilities in the products they're working on and then secretly sell them
to some government agency. No commercial vendors perform the level of code review that would be
necessary to detect, and prove mal-intent for, this kind of sabotage. Even more importantly, the new market for security
vulnerabilities results in a variety of government agencies around the world that have a strong interest in those
vulnerabilities remaining unpatched. These range from law-enforcement agencies (like the FBI and the German
police who are trying to build targeted Internet surveillance tools,
to build mass Internet surveillance tools, to military organizations who are trying to build cyber-weapons. All of these agencies
have long had to wrestle with the choice of whether to use newly discovered vulnerabilities to protect or to attack. Inside the NSA, this was traditionally
known as the "equities issue," and the debate was between the COMSEC (communications security) side of the NSA and the SIGINT (signals intelligence)
side. If they found a flaw in a popular cryptographic algorithm, they could either use that knowledge to fix the algorithm and make everyone's
communications more secure, or they could exploit the flaw to eavesdrop on others while at the same time allowing even the people they wanted to
protect to remain vulnerable. This debate raged through the decades inside the NSA. From what I've heard, by 2000, the COMSEC side had largely won,
but things flipped completely around after 9/11. The whole point of disclosing security vulnerabilities is to put pressure on
vendors to release more secure software. It's not just that they patch the vulnerabilities that are made public --
the fear of bad press makes them implement more secure software development processes. It's another economic process; the cost of designing software
securely in the first place is less than the cost of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch. I'd be
the first to admit that this isn't perfect -- there's a lot of very poorly written software still out there -- but it's the best incentive we have.
We've always expected the NSA, and those like them, to keep the vulnerabilities they discover secret. We have been
counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise of these new pressures to
keep zero-day exploits secret, and to sell them for exploitation, there will be even less incentive on software
vendors to ensure the security of their products. As the incentive for hackers to keep their vulnerabilities secret grows, the
incentive for vendors to build secure software shrinks. As a recent EFF essay put it, this is "security for the 1%."
And it makes the rest of us less safe.
TOPICALITY
both patent
defined as: activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these
activities are conducted to advance the of knowledge in the field of encryption technology or to assist in the development of encryption products... n382
NSA has zero day vulnerabilities on hand that allow it to penetrate virtually any Wi-Fi router,
Windows PC, external storage device, server, tablet, or smartphone. Rather than give this data to private
sector firms to offer increased security to users, the NSA turns around and exploits these flaws to spy on
everyone -- sort of a digital equivalent of "sometimes you have to burn a village to save it." The NSA calls its attack toolkit
"FOXACID". FOXACID is packed with "QUANTUM" tools, which are NSA's digital lockpicks. Like many clumsy picks, they
can damage the lock they attack, but it appears the NSA isn't terribly concerned about that.
vulnerabilities are inherently dual use. They can be used by criminals on the one hand, but are also useful to defenders and researchers.
For example, computer and network system administrators routinely use tools that attempt to exploit vulnerabilities to test the security of their own
systems and to verify that their defenses are effective. Researchers who discover new security vulnerabilities or attack methods often develop "proof of
concept" attack software to test and demonstrate the methods they are studying. It is not unusual for software that demonstrates a new attack method to
be published and otherwise made freely available by academics and other researchers. Such software is quite mainstream in the computer science
research community. n272 [*63] P192 The software used by malicious, criminal attackers to exploit vulnerabilities can
thus be very difficult to meaningfully distinguish from mainstream, legitimate security research and testing
tools. It is a matter of context and intent rather than attack capabilities per se, and current law appears to reflect this. P193 Current wiretap law
does not generally regulate inherently dual-use technology. The provision of Title III concerned with wiretapping equipment, 18
USC 2512, generally prohibits possession and trafficking in devices that are "primarily useful" for
"surreptitious interception" of communications, n273 which does not appear to apply to a wide range of current
software exploit tools developed and used by researchers. We believe this is as it should be. The security
research community depends on the open availability of software tools that can test and analyze software
vulnerabilities. Prohibiting such software generally would have a deleterious effect on progress in
understanding how to build more secure systems, and on the ability for users to determine whether their
systems are vulnerable to known attacks. In addition, we note that given that the majority of vulnerability markets are outside the U.S.,
and that national security agencies are heavy purchasers of these vulnerabilities, n274 regulating them is not a plausible option. P194 The specialized
tools developed by law enforcement to collect and exfiltrate evidence from targets' computers, however, might fall
more comfortably under the scope of 18 U.S.C. 2512 (2006) as it is currently written. These tools would not be developed
to aid research or test systems, but rather to accomplish a law enforcement interception goal. They
would have narrowly focused features designed to make their installation surreptitious and their ongoing
operation difficult to detect. They would also have features designed to identify and collect specific data, and
would have no alternative use outside the surreptitious interception application for which they were developed.
Such tools, unlike those used by researchers, could more easily meet section 2512's test of [*64] being "primarily
useful" for "surreptitious interception," and thus would be unlawful if someone "manufactures, assembles,
possesses, or sells" them except under the circumstances spelled out in that section.
targeted access to the suspect's device. This can be achieved by legal or less legal means, by either physically seizing the equipment or performing a technical
infiltration. It would be fair to assume that governmental agencies choose to adhere to laws and stay as much as possible within the policies and
regulations that they have. Alternatives for targeted cyber surveillance are described in Section 4.2.2. Targeted Cyber Surveillance In order
to perform targeted cyber surveillance it would in most cases be necessary to somehow examine information on
their target's device. There are different ways that the governmental agencies could access this information. Possible ways to do this are to seize the
device, or exploit it either locally or remotely. This section explains options we observed that could be used for performing targeted cyber surveillance by
nation-states. Seizing of devices Seizing of devices is an approach that enables the nation-state to get a hold of the
device. This can be done in a legal way where a warrant is required to seize the device [68]. The less legal way is also
optional, in which the device is simply being stolen from their target. Seizing devices is not a part of a cyber-operation, but it is an
effective way to get a hold of devices that store important information. Device exploitation The alternative to
physically seizing the device is to use a semi-legal approach to infiltrate the device locally or remotely, e.g. phishing,
and then rely on some sort of surveillance software or hardware installations for data collection. For most
exploitation, there is a need to get a hold of exploits that can be used on vulnerable targets. In order to make sure that
the exploit has a high rate of success it could be necessary to use zero-day exploits, i.e. exploits that are not yet disclosed to the
world, and therefore have not yet been patched [69, p. 1]. Such zero-day exploits can exploit vulnerabilities in software and hardware. Options for acquisition
of exploits are shown in Table 4.
clashes with Mitnick's new image as a privacy advocate; his forthcoming book titled The Art of Invisibility promises to teach readers
cloaking and countermeasures against Big Brother and big data.
Vulnerability exploitation is a type of electronic surveillance
Bellovin et al. 14 [Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau, "Lawful Hacking: Using
Existing Vulnerabilities for Wiretapping on the Internet," 12 Nw. J. Tech. & Intell. Prop. 1 (2014),
http://scholarlycommons.law.northwestern.edu/njtip/vol12/iss1/1] //khirn
Vulnerability exploitation has more than a whiff of dirty play about it; who wants law enforcement to be developing and using
malware to break into users' machines? We agree that this proposal is disturbing. But as long as wiretaps remain an authorized
investigatory tool, law enforcement will press for ways to accomplish electronic surveillance even in
the face of communications technologies that make it very difficult. We are at a crossroads where the choices are to
reduce everyone's security or to enable law enforcement to do its job through a method that appears questionable but that does not actually make us less
secure. In this debate, our proposal provides a clear win for both innovation and security.
data and conversations of their citizens on an unprecedented scale. Until recently, the global trade in
equipment enabling electronic surveillance was largely unchecked. It first entered the spotlight after the Arab uprisings. When
the archives of fallen Arab regimes opened to the public, they provided a unique insight into those regimes' inner workings and trade relationships. As a
result, the French government opened a judicial inquiry into Amesys, a French company that sold surveillance technology to Gadhafi's security forces.
Remnants of Blue Coat operating systems, sold by an American company, were also uncovered in Syria. This made it clear that companies in the U.S.
and Europe were providing these technologies to regimes with dubious human rights records that used them against their citizens. The global
market for surveillance tools has ballooned in recent years. According to the Wall Street Journal, the retail market for these
technologies sprung up from nearly zero in 2001 to around $5 billion a year in 2011. This explosion in demand reflects the shifting
dynamics of surveillance associated with the move online. While these technologies, such as Hacking Team's Remote
Control System and Gamma International's FinFisher, can be useful for law enforcement purposes, they become problematic
when exported to countries without the rule of law and with little respect for human rights. Recent reports even suggest
that the Ethiopian government used kits supplied by European firms to spy on people living in the United States and the United Kingdom.
dramatic.
Cyberwar instruments are topical --- the NSA uses them for surveillance
Ranger 15 [Steve Ranger, May 6, 2015, The impossible task of counting up the world's cyber armies, ZDNet,
UK editor-in-chief, TechRepublic and ZDNet] //khirn
Calculating the scale of the world's cyber-warfare forces is a tricky business. Even for Western governments
which are relatively open about the scale of their armed forces, cyber warfare is one area where most
clam up.
That's partly because they are reluctant to tip off potential adversaries about their capabilities, but the bigger
issue is that it's intelligence agencies like the NSA and GCHQ that have been pioneering the use of the
internet for surveillance and have the highest-level skills. As spies like to operate in the shadows, that means
that a veil of secrecy is thrown over most details of military cyber operations, even though the scale of the
investment and operations continues to grow.
1AR TOPICALITY
Technical precision w/r/t surveillance definitions is impossible --- prefer guiding the topic by
centering debate around core literature controversies
Fidler 14 [Mailyn, Stanford University, Anarchy or regulation: Controlling the global trade in zero-day
vulnerabilities, thesis submitted to the Interschool Honors Program in International Security Studies, May
2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf] //khirn
The distinction also raises technical questions. When
limited encryption research exception has been criticized for imposing too restrictive
operative conditions. These range from the narrow conception of what encryption research entails, n395 to
the requirement that researchers must first seek authorization of copyright owners prior to engaging in
research, n396 to the ostensible exclusion of non-academic researchers (such as non-affiliated individual researchers or
"hobbyists") from the list of qualified encryption researchers, n397 to the restrictive conditions for the publication or
dissemination of research information or outcomes. n398 There is indeed ample evidence that security and
encryption researchers are wary of the possible civil and criminal penalties that a violation of any of the
restrictive provisions of the DMCA on encryption research, security testing, and reverse engineering of
software could engender. n399 Notable amongst such incidents was the much publicized [*511] event in which
Professor J. Alex Halderman, then a graduate student at Princeton University, delayed the publication of the existence of several security vulnerabilities
that he found in the CD copy-protection software on dozens of Sony-BMG titles. He delayed disclosing the vulnerabilities for several weeks whilst he
sought legal advice from lawyers on how to avoid running afoul of DMCA pitfalls, a measure that left millions of music fans unnecessarily at risk. n400
The fear of prosecution or litigation by vulnerabilities researchers is not entirely unfounded as exemplified by
several incidents of actual threats of DMCA lawsuits. For example, in April 2003, the educational software company, Blackboard Inc.,
obtained a temporary restraining order to stop the presentation of research on security vulnerabilities in its software products at the InterzOne II
conference in Atlanta. n401 The said software security vulnerabilities pertained to the Blackboard ID card system used by university campus security
systems. However, the students who were scheduled to speak on the vulnerabilities and the conference organizers had no opportunity to challenge the
temporary restraining order, which was obtained ex parte on the eve of the event. n402
INHERENCY
2AC INHERENCY
Recent leaks show that the NSA is sitting on mounds of zero-days
Crocker 15 [Andrew, staff attorney on the Electronic Frontier Foundation's civil liberties team, J.D. Harvard
University, The Government Says It Has a Policy on Disclosing Zero-Days, But Where Are the Documents to
Prove It?, March 30, 2015, https://www.eff.org/deeplinks/2015/03/government-says-it-has-policydisclosing-zero-days-where-are-documents-prove-it] //khirn
We have known for some time that the
U.S. intelligence and law enforcement community looks to find and exploit
vulnerabilities in commercial software for surveillance purposes. As part of its reluctant, fitful transparency efforts after the
Snowden leaks, the government has even officially acknowledged that it sometimes uses so-called zero-days. These statements
are intended to reassure the public that the government nearly always discloses vulnerabilities to software
vendors, and that any decision to instead exploit the vulnerability for intelligence purposes is a thoroughly
considered one. But now, through documents EFF has obtained from a Freedom of Information Act (FOIA) lawsuit, we
have learned more about the extent of the government's policies, and one thing is clear: there's very little to
back up the Administration's reassuring statements. In fact, despite the White House's claim that it had
reinvigorated its policies in spring 2014 and established a disciplined, rigorous and high-level decision-making process for vulnerability
disclosure, none of the documents released in response to our lawsuit appear to be newer than 2010. Last
spring, the Office of the Director of National Intelligence (ODNI) issued a strong denial of press reports that the NSA knew about and exploited the
Heartbleed vulnerability in the OpenSSL library. As part of that denial, the ODNI described the Vulnerabilities Equities Process
(VEP), an interagency process for deciding when to share vulnerabilities with developers. EFF submitted a FOIA request to
ODNI and NSA to learn more about the VEP and then sued to force the agencies to release documents. ODNI has now finished releasing documents in
response to our suit, and the results are surprisingly meager. Among the handful of heavily redacted documents is a one-page list of VEP Highlights
from 2010. It briefly describes the history of the interagency working group that led to the development of the VEP and notes that the VEP established an
office called the Executive Secretariat within the NSA. The only other highlight left unredacted explains that the VEP creates a process for notification,
decision-making, and appeals. And that's it. This document, which is almost five years old, is the most recent one released. So where are the
documents supporting the reinvigorated VEP 2.0 described by the White House in 2014? Nor do the
documents we have seen do much to back up the claim that VEP 1.0 ever functioned as a guide for helping the
government decide whether to disclose zero-days. Meanwhile, reports describing the CIA's annual hacker jamboree instead suggest
that there's little stopping the government from exploiting vulnerabilities it comes across. Indeed, none of the documents describing the CIA's jamboree
contain the slightest suggestion that the VEP was actively considered. Writing about the newly released documents in Wired, Kim Zetter places them in
the context of the government's development of the Stuxnet worm: We know that Stuxnet, a digital weapon designed by the U.S. and Israel to
sabotage centrifuges enriching uranium for Iran's nuclear program, used
does not notify the developer, which would likely otherwise issue a patch and protect users from online
adversaries such as identity thieves or foreign governments who may also be aware of the zero-day.
Nevertheless, the Snowden leaks have shown that
President Obama's own Review Group strongly recommended against [.pdf]. The
President Obama
decided in January that from now on any time the NSA discovers a major flaw in software, it must
disclose the vulnerability to vendors and others so that it can be patched, according to the New York Times. But Obama
included a major loophole in his decision, which falls far short of recommendations made by a presidential
review board last December: According to Obama, any flaws that have a clear national security or law enforcement use
can be kept secret and exploited. This, of course, gives the government wide latitude to remain silent on
critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify
their exploitation. A so-called zero-day vulnerability is one that's unknown to the software vendor and for which no
patch therefore exists. The U.S. has long wielded zero-day exploits for espionage and sabotage purposes, but has never
publicly stated its policy on their use. Stuxnet, a digital weapon used by the U.S. and Israel to attack Iran's uranium enrichment program, used five zero-day exploits to spread.
Per the solicitation, it would seem the Navy is looking not only for offensive weapons, but also those that
meet the need internally to emulate hacker tactics and capabilities. Reading the call, it seems as much about N-day (N<6 months) as 0-day for the red team when
delivery.
evaluating their own systems, said Nicholas Weaver, a senior network security and malware researcher with the University of California at Berkeley. And it's as much about the capability of turning vulnerability reports into exploits. I wouldn't
think of it as too out of the ordinary for such a solicitation about offensive tools for defensive use,' Weaver added. The request, however, does require the contractor to develop exploits for future released CVEs. Binaries must support
The government's
involvement in the use and purchasing of zero days has always been a contentious point, not only over how the
exploits will be used, but also because details won't be disclosed to the vendor leaving potentially
millions of users exposed to attacks. Shortly after the disclosure last year of the Heartbleed vulnerability in OpenSSL, White House cybersecurity coordinator and special assistant to the president
Michael Daniel explained the executive branch's position on disclosure, which somewhat lines up with the NSA's stance, in that there are occasions when the government won't share bug details with vendors. Building up a
huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people
unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence
configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild, the RFP said.
collection, and better protect our country in the long-run, Daniel wrote in April 2014. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area. Daniel's memo shares the high-
in legitimate and underground markets. What's more noteworthy is how little regard the government seems to have for the
security of millions of users. The NSA, for example, has a twofold mission to not only protect American networks, but also to gather data from foreign networks, which could include penetrating those
The need to keep those vulnerabilities under wraps is of great value to the
NSA, something director Adm. Michael S. Rogers said during a November speech that he discussed with the president. He also said, look, there are some instances when
we're not going to [share vulnerability information]. The thought process as we go through this policy decision, the things we tend to look at are, how foundational
networks using vulnerabilities the agency has discovered or purchased.
and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative
we could use? Rogers said. Those answers shape the decision.
SOLVENCY
plan fails to tackle the most important part of cybersecurity: how exactly
cooperation between the public and private sector will work. As Obama said in his address, This has to be a shared mission
Government cannot do this alone. But the private sector cannot do it alone, either. And Obama's plan, for all its positive contributions, does remarkably
little to facilitate this sort of necessary cooperation from either a policy or a procedural standpoint. What does it take to get government and business to
work together productively in the cyber security realm? Ken Chenault, American Express CEO, made it clear in his panel discussion at Friday's
cybersecurity summit: What we're really talking about when we talk about cybersecurity is trust. The extent to which consumers trust companies like
American Express to behave safely, ethically, and respectfully in their online dealings is integral to the companies' bottom line.
Trust between
the private sector and the government is integral to internet security. But the fact of the matter is that
recent governmental power-grabs, from those revealed in Snowden's leaks to the more recent
situation of government-sponsored spying programs hidden in US products, give private corporations
few reasons to trust the government in today's digital realm. Obama is aware of the existence of this mistrust. The
day after his Stanford appearance, in an interview with Re/code's Kara Swisher, he noted that the Snowden disclosures were really harmful in terms of
the trust between the government and many of these companies. So, in this post-Snowden world, how do we promote a greater level of trust between
the federal government and private companies? Here are two suggestions that can at least lead us in the right direction. First, we should work
to make government more transparent. If companies aren't able to see how their shared data is being used by the government,
what incentive do they have to give it up? More transparency would be a catalyst for cooperation, and would also
help ensure customers that companies aren't betraying them when giving up their data for cybersecurity
purposes. Yet in past years, more FOIA (Freedom of Information Act) requests have been denied than ever before, and confidential requests for
personal data through the Foreign Intelligence Surveillance Act are on the rise. These things need to change before the government
and private sector can cooperate adequately. Second, government must genuinely respect consumers' right to privacy. Consumers' trust
that a company will respect their privacy online is critical to its economic success. However, by attempting to crack down on private companies'
protection of their customers' data, and even at times forcing them to install backdoors to their encryption methods, the Obama administration has hurt
consumers and companies alike. And by ignoring the privacy concerns raised by their actions, the administration has
further eroded the already shaky trust between business and government. If Obama expects companies to voluntarily share
their cybersecurity information and algorithms in the future, it's important for policies such as these to be discontinued. To conclude his speech, Obama
quoted one of the key philosophies from Google that, with the help of technology, the future is awesome. But I think there might have been a more
apt Google catchphrase for him to use: There's always more information out there. When it comes to cybersecurity, it's no secret that we've got a long
way to go in learning about and deterring the threats present to our internet today. Merely creating information sharing networks, such as the ISAOs in
Obama's executive order, cannot be enough.
government and private sectors can the meaningful cooperation necessary for a more secure
internet exist. And if we can't address the concerns of transparency and privacy that have held back this trust for so long, the future may be a
very un-awesome place indeed.
2AC MODELING
US policies spillover --- leads to international cooperation
Fidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman
Spogli Institute for International Studies, Stanford University. ANARCHY OR REGULATION:
CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES, May 2014,
https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi
International cooperation is needed on the zero-day issue, but U.S. leadership is required to catalyze such
cooperation. Snowden's disclosures have caused significant problems for the United States, reducing receptivity to cooperation with the United
States on cyber issues. This problem is exacerbated by the need to have the United States, as a major cyber player, involved in international
negotiations. Existing confusion and controversy over national U.S. policies towards zero-day vulnerabilities
create
States needs to establish
policy clarity at a national level to set the stage for collective action, signaling to other nations its
seriousness about the problem and the nature of American interests towards it. Richard Clarke and Peter Swire agree: we create a
more secure and useful global Internet if other nations, including China and Russia, adopt and implement
similar policies to what the Obama administration recently announced about U.S. zero-day policy, but because they [other nations] are unlikely
to do so any time soon, the Obama administration should also step up its efforts and create the basis for an international norm of behavior.669 This
thesis argues that the U.S. government must do more to strengthen its own zero-day policies as a necessary element of addressing the need for collective
action.
warfare, the United States has long provided innovative models for national security that diffuse internationally
(Golfman and Eliason 2003). For the United States to announce a new national cyber command automatically
provokes a new debate in the international military and legal communities (Shackelford 2009). Whether or not other nations
need, want, or can afford to have a singular military unit focused on cybered conflict, their leaders, doctrine writers, and strategic
thinkers will contemplate the potential benefits of the model. If patterns of military emulation hold true, many nations will develop
organizations that look like a national cyber command. Already we have seen nations closely associated with the United States
either creating their own cyber commands or declaring an interest in approximating the functions of US Cyber
Command.
States created the cyberweapons market by being the first to pay extraordinarily high prices
for zero-days.
of
market.147 Others have gone so far as to propose that, rather than regulating the supply side of the market, U.S.
government agencies should curb the demand side by relinquishing their own purchases of
exploits.148 If agencies did so, the market would lose some of its most well-paying buyers,
potentially deterring suppliers from scouring software for vulnerabilities. Before relinquishing such
purchases, U.S. policymakers would first need to examine the potential costs of doing so in terms of foregoing potentially valuable information from the
exploit market. Some analysts have indicated that if U.S. agencies halted their exploit-purchasing program, they
would be deprived of critical tools for defending U.S. networks against attack. 150 Law enforcement agencies would
likewise forgo valuable technologies for tracking underground criminals. 151 But do these agencies weigh these benefits against the
potentially catastrophic risks that the 0-day market poses to U.S. security? We have seen no evidence that
they do. The time has come for Congress, Executive Branch leaders, the software industry, and scholars to bring this tradeoff analysis into the open
and determine whether staying at the extreme end of the policy spectrum -- that of de facto support for a dangerous bazaar for 0-day exploits -- best serves
U.S. national security.
internet insecure points to the contradictions in its dual mandate: simultaneously securing and breaking cyber
security. On the one hand it is tasked with securing information and communications networks (falling under its Information Assurance mandate),
and on the other hand it is tasked with surveilling information and communications networks (its Signals Intelligence mandate).43 Similar tensions
exist within the US military, which is tasked with both defending national networks from hacking attacks as well as with conducting offensive hacking
attacks. The US "cyber command", the military command for the cyber domain, is under the stewardship of the NSA commander. This conflict of
interest in the NSA's dual role has not been addressed in current NSA reform. Tasked with national security, intelligence
agencies like the NSA have a conflicting mandate that cannot enable them to actually provide US citizens with cyber security, in the same way that states
are for example able to provide us with physical security. It will always be against the interests of intelligence agencies to
assure the provision of secure technologies that cannot be eavesdropped on. This is exacerbated by a cyber
security-surveillance industrial complex of government agencies and private contractors selling hacking and
surveillance products, with revolving doors between the two. We need to be very wary of intelligence agencies
being given roles as stewards of cyber security.
whom should a vulnerability report be made? In many cases, there is an obvious point of contact: a
software vendor that sells and maintains the product in question, or, in the case of open-source software, the
community team maintaining it. In other cases, however, the answer is less clear. Not all software is actively
maintained; there may be "orphan" software without an active vendor or owner to report to. n253 Also, not all
vulnerabilities result from bugs in specific software products. For example, standard communications protocols are occasionally
found to have vulnerabilities, n254 and a given protocol may be used in many different products and systems. In
this situation, the vulnerability would need to be reported not to a particular vendor, but to the standards body responsible
for the protocol. Many standards bodies operate entirely in the open, n255 however, which can make quietly
reporting a vulnerability--or hiding the fact that it has been reported by a law enforcement agency--problematic.
In this situation, the choice is simple: report it openly.
hackers and security firms sell tools for breaking into computers. Reuters revealed that the US
its
intelligence agency
and on
exploits
Government, in particular
head., it's a new way to compete with adversary in cyberspace. Recent tension between China and US gave security experts the opportunity to
discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities. Both
countries are largely invested in the creation of new cyber units, but according to intelligence sources, offensive approach seems to be most stimulated by
the need to preserve the security in the cyberspace. NSA chief General Keith Alexander told Congress that the
US Government
is
defense
contractors and intelligence agencies spend at least tens of millions of dollars a year just on
exploits. The zero-day market is very complex due high perishability of the goods, following some key figures of a so complex business Difficulty
finding buyers and sellers: It's a closed market not openly accessible. Find a buyer or identify a possible seller is a critical phase. Checking the buyer
reliability: The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many individuals about the discovery in an
attempt to find a buyer with obvious risks. Value cannot be demonstrated without loss: One of the most fascinating problems a researcher attempting to
sell vulnerability information or a 0-day exploit may face is proving the validity of the information without disclosing the information itself. The only way
to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is
undesirable as it leaves the researcher exposed to losing the intellectual property of the information without compensation. Exclusivity of rights: The
final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the researcher must be willing to sell all
rights to the information to the buyer. However, the buyer has no way to protect themselves from the researcher selling the information to numerous
parties, or even disclosing the information publicly, after the sale. Current approaches to zero-day vulnerabilities are to be bought
up exploits avoiding that they could be acquired by governments opponents such as dictators or organized
criminals, many security firms sell subscriptions for exploits, guaranteeing a certain number per year. The trend to
exploit zero-day for offensive purposes has been followed by intelligence agencies and also private companies, both actors have started to code their own
zero-day exploits. Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing
exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the
targeted software is and how long the zero-day is expected to remain exclusive. The Reuters report also revealed the participation of government
representatives to the Secret Snoop Conference for Government and law enforcement spying, clearly with the intent to acquire new technologies to
conduct cyber espionage through malware based attacks able to compromise target networks.
acquire a zero-day exploit to use it against a foreign governments hide serious risks for its
country, cyber terrorist, cyber criminals or state-sponsored hackers could reverse engineer
the source code to compose new malicious agent to use against the same authors.
the destructive use to which they could be put, the lack of transparency in the buying
and selling of zero-days may be problematic. The consequence could be the development of a global
cyber arms bazaar, where criminals or terrorist groups could potentially find tools to use. The US government
regulates the export of sensitive technologies out of a fear that adversaries could use them in a way hostile to US interests, but whether such restrictions
apply to the sale of zero-day vulnerabilities is not entirely clear.
commodities and software that provide penetration capabilities that are capable of attacking,
denying, disrupting, or otherwise impairing the use of cyber infrastructure or networks. Does that language
cover the possibility that some researcher or broker may try to sell a back-door exploit, or even a cyberweapon, to a foreign agent who could put it to
destructive use? I think it does cover the export of some kinds of cyberweapons, says Washington lawyer Roszel Thomsen, who helped write the
regulations and specializes in export control law. But other specialists are not convinced. There is also the legal question of whether private firms who
have been subject to cyber attacks can legally strike back against attackers who penetrate their networks and steal their data. Steven Chabinsky, formerly
the top cyber lawyer at the FBI, argues that if a company can identify the server from which a cyber attack originated, it should be able to hack into that
server to delete or retrieve its stolen data. It is universally accepted that in the physical world you have the right to protect your property without first
going to law enforcement, Chabinsky argued at a recent cyber symposium. Other computer consultants have a different view. I get asked this all the
time, said Richard Bejtlich, chief security officer at Mandiant, a prominent cybersecurity firm, speaking at the Air Force's CyberFutures conference.
People in hacked companies want to hit back. We want to go get these guys, they tell us. But almost always, our lawyers say, Absolutely not. In
addition, there are policy questions raised by the escalating government investment in offensive cyber war capabilities. One fear is that
offensive cyberweapon
each new
adversary and trigger a fierce cyber arms race . A hint of such an escalatory cycle may be seen in the confrontation with Iran over
its nuclear program. US officials suspect the Iranian government was responsible for the recent wave of cyber attacks directed against Aramco, the Saudi
oil company, and may also have been behind a series of denial-of-service attacks on US financial institutions. Such attacks could be in retaliation for the
Stuxnet worm. Some writers foresee a dangerous new world, created by the United States and Israel with the deployment of Stuxnet. Misha Glenny,
writing in the Financial Times, argued that the tacit US admission of responsibility for Stuxnet will act as a starting gun;
countries around the world can now argue that it is legitimate to use malware pre-emptively against their
enemies. One danger is that US adversaries, notably including Russia and China, may now cite the use of Stuxnet to
support their argument that an international treaty regulating the use of cyberweapons may be needed. The United
States has long opposed such a treaty on the grounds that it would undermine its own technological advantages in cyberspace and could also lead to
efforts to regulate the Internet in ways that would harm freedom of expression and information. Some of these issues will be resolved as cyber activities
mature and the cyber domain becomes more established. The US military as yet has not set up its own rules of engagement for cyber conflict, even
though the head of the US Cyber Command, Army General Keith Alexander, says they are necessary. Neither has the US government articulated a
declaratory policy regarding the use of cyberweapons analogous to government statements on when and where nuclear weapons may be used. All these
are serious issues. It is now obvious that adversarial actions in cyberspace have fundamentally changed warfighting, crime, espionage, and business
competition. Our institutions must adapt to this new reality, and quickly, or we will face the danger of cyber chaos and
anarchy.
Collecting zero-days for cyberoffense leaves our infrastructure to cyberattacks
Zetter 14 (Kim Zetter, staff reporter at Wired, a writer and editor at PC World. She has been a guest
on NPR and CNN. Author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital
Weapon. How Obama Endangered us all with Stuxnet,
http://www.thedailybeast.com/articles/2014/11/13/how-obama-endangered-us-all-with-stuxnet.html,
11/13/14)//CLi
The cybersabotage campaign on Iran's nuclear facilities didn't just damage centrifuges. It
undermined digital security everywhere. A few months after President Obama took office in 2009, he announced that securing
the nation's critical infrastructure -- its power generators, its dams, its airports, and its trading floors -- was a top priority for his administration.
Intruders had already probed the electrical grid, and Obama made it clear the status quo around unsecured systems was unacceptable. A year later,
however, a sophisticated digital weapon was discovered on computers in Iran that was designed to attack a uranium enrichment plant near the town of
Natanz. The virus, dubbed Stuxnet, would eventually be identified by journalists and security experts as a U.S.-engineered attack. Stuxnet was
unprecedented in that it was the first malicious code found in the wild that was built not to steal data, but to physically destroy equipment controlled by
the computers it infected -- in this case, the cylindrical centrifuges Iran uses to enrich uranium gas. Much has been said about Stuxnet in the years since
its discovery. But little of that talk has focused on how use of the digital weapon undermined Obama's stated priority of protecting critical infrastructure,
placed that vulnerable infrastructure in the crosshairs of retaliatory attacks, and illuminated our country's often-contradictory policies on cyberwarfare
and critical infrastructure security. Even less has been said about Stuxnet's use of five so-called zero-day exploits to spread itself and the
troubling security implications of the government's stockpile of zero-days -- malicious code designed to attack previously-unknown vulnerabilities in
computer software. Because a zero-day vulnerability is unknown, there is no patch available yet to fix it and no signatures available to detect exploit code
built to attack it. Hackers and cyber criminals uncover these vulnerabilities and develop zero-day exploits to gain entry to susceptible systems and slip a
virus or Trojan horse onto them, like a burglar using a crowbar to pry open a window and slip into a house. But organizations like the NSA and the U.S.
military also use them to hack into systems for surveillance purposes, and even for sabotage, such as the case with the centrifuges in Iran. Generally
when security researchers uncover zero-day vulnerabilities in software, they disclose them to the vendor to be fixed; to do otherwise would leave critical
infrastructure systems and other computers open to attack from criminal hackers, corporate spies and foreign intelligence agencies. But when the
NSA uncovers a zero-day vulnerability, it has traditionally kept the information secret in order to exploit the security
hole in the systems of adversaries. In doing so, it
systems that control the electric grid and the financial sector vulnerable to attack. It's a government
model that relies on keeping everyone vulnerable so that a targeted few can be hacked -- the equivalent of
withholding vaccination from an entire population so that a select few can be infected with a strategic biological
virus. It's also a policy that pits the NSA's offensive practices against the Department of Homeland Security's defensive ones, since it's
the latter's job to help secure critical infrastructure. That's more than just poor policy. It's a combination that could someday lead to disaster. Much has
been said about Stuxnet in the years since its discovery. But little of that talk has focused on how use of the digital weapon
vulnerable infrastructure in the crosshairs of retaliatory attacks. None of this would be so troubling if the use of
zero-days in Stuxnet were an isolated event. But
resulting in a flourishing market to meet this demand and a burgeoning arms race
against other countries racing to stockpile their own zero day tools. The trade in zero days used to be confined to the
and exploits for about a decade,
underground hacker forums, but in the last ten years, it's gone commercial and become populated with small boutique firms whose sole business is zero-day bug hunting and large defense contractors and staffing agencies that employ teams of professional hackers to find security holes and create exploits
for governments to attack them. Today, a zero-day exploit can sell for anywhere from $1,000 to $1 million. Thanks to the injection of government
dollars, what was once a small and murky underground trade has ballooned into a vast, unregulated cyber weapons bazaar.
It is also thought that open disclosure incentivises companies to more quickly patch vulnerabilities
Private businesses want the government to cooperate --- key to protect critical infrastructure
Tucker 14 [Patrick, Defense One, Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts
Predict, October 29, 2014, http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significantloss-life-2025-experts-predict/97688/] //khirn
But some political leaders say that the
response from industry to cyber threats has outpaced that of government. Just ask
Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, who said that private businesses were increasingly
asking government to defend them from cyber attacks from other nation state actors, and even launch first strikes
against those nations. "Most of the offensive talk is from the private sector, they say we've had enough," Rogers said at a recent Washington Post cyber
security summit. It's worth noting that the Pew survey was made public one day after the group FireEye released a major report stating that a Russian-government affiliated group was responsible for hacking into the servers of a firm keeping classified U.S. military data. In his remarks at the summit,
Rogers singled out Russia as a prime target for future, U.S.-led cyber operations. But SCADA vulnerabilities look quaint compared to
the exploitable security gaps that will persist across the Internet of Things as more infrastructure components
are linked together. "Current threats include economic transactions, power grid, and air traffic control. This will
expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure," said
Mark Nall, a program manager for NASA [emphasis added].
unforeseen mistakes or failures becomes unfathomably large. The complexity of computer systems often leads to accidental
mistakes or failures. We have all suffered computer crashes, and sometimes these crashes cause serious problems. Last year the Internet in Germany and
Sweden went down for several hours due to errors in the domain name system that identifies computers on the Internet. In January of this year, a
software problem in the Pentagon's global positioning system network prevented the Air Force from locking onto satellite signals on which they depend
for many tasks. The accident on the Washington Metro last summer, which killed nine people and injured dozens, was probably caused by a malfunction
in the computer system that controls train movements. Three years ago, six stealth F-22 Raptor jets on their maiden flights were barely able to return to
base when their onboard computers crashed. The same complexity that leads to such malfunctions also creates vulnerabilities that human agents can use
to make computer systems operate in unintended ways. Such cyber threats come in two forms. A cyber attack is an act that alters, degrades, or destroys
adversary computer systems or the information in or transiting through those systems. Cyber attacks are disruptive activities. Examples
include the manipulation of a computer system to
can you attack it; only if you get near the Citibank branch in New York can you rob it. And if you are near these places in real space, American law
enforcement and military authorities can exercise their full powers, within U.S. sovereignty, to check or deter the attack. In cyberspace, geography
matters much less because the Internet links computers globally with speed-of-light communication. As the Google
case shows, someone sitting at a terminal in China can cause significant harm in the United States. And of course there are countless people around the
globe with access to a computer who would like to do bad things inside the United States. To the extent that they are located outside the United States,
American law enforcement authorities have much less effective power to stop or to deter them. The FBI must
rely on law enforcement authorities in foreign countries who are often slow and uncooperative, giving bad
cyber actors time to cover their tracks. And the American military cannot enter a foreign country unless the
threat or attack rises to the level of war.
IP THEFT ADVANTAGE
were to receive the same protection overseas that it does here, the American economy would add millions of
jobs. A drag on U.S. GDP growth. Better protection of IP would encourage significantly more R&D investment
and economic growth. Innovation. The incentive to innovate drives productivity growth and the advancements
that improve the quality of life. The threat of IP theft diminishes that incentive. Long Supply Chains Pose a Major Challenge
Stolen IP represents a subsidy to foreign suppliers that do not have to bear the costs of developing or licensing
it. In China, where many overseas supply chains extend, even ethical multinational companies frequently procure counterfeit items or items whose
manufacture benefits from stolen IP, including proprietary business processes, counterfeited machine tools, pirated software, etc. International IP Theft
Is Not Just a Problem in China. Russia, India, and other countries constitute important actors in a worldwide challenge.
Many issues are the same: poor legal environments for IPR, protectionist industrial policies, and a sense that IP
theft is justified by a playing field that benefits developed countries. The Role of China Between 50% and 80% of the
problem. The major studies range in their estimates of China's share of international IP theft; many are roughly 70%, but in specific industries we see
a broader range. The evidence. Evidence comes from disparate sources: the portion of court cases in which China is the destination for stolen IP, reports
by the U.S. Trade Representative, studies from specialized firms and industry groups, and studies sponsored by the U.S. government. Why does
China stand out? A core component of China's successful growth strategy is acquiring science and technology.
It does this in part by legal means -- imports, foreign domestic investment, licensing, and joint ventures -- but
also by means that are illegal. National industrial policy goals in China encourage IP theft, and an
extraordinary number of Chinese in business and government entities are engaged in this practice. There are
also weaknesses and biases in the legal and patent systems that lessen the protection of foreign IP. In addition,
other policies weaken IPR, from mandating technology standards that favor domestic suppliers to leveraging
access to the Chinese market for foreign companies' technologies.
Economic decline leads to war empirics: Jobs and econ decline can each trigger the impact
Mead 9 (2/4, Walter Russell, Henry A. Kissinger Senior Fellow in U.S. Foreign Policy at the Council on
Foreign Relations, Only Makes You Stronger: Why the recession bolstered America, The New Republic,
http://www.newrepublic.com/article/only-makes-you-stronger-0) //JRW
None of which means that we can just sit back and enjoy the recession. History may suggest that financial crises actually help capitalist great powers
maintain their leads--but it has other, less reassuring messages as well. If financial crises have been a normal part of life during the
between $24 billion and $120 billion (or 0.2 to 0.8 percent of GDP), and results in the loss of as many as 200,000 U.S.
jobs annually.220 The Chinese government's engagement in cyber espionage for commercial advantage was
exposed on May 19, 2014, when the U.S. Department of Justice charged five PLA officers for cyber-enabled
theft and other related offenses committed against six U.S. victims, including Westinghouse Electric Co. (Westinghouse), U.S.
subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), Alcoa Inc., and the United Steel,
Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW or Steelworkers Union).221
According to the indictment, PLA Unit 61398 * 222 officers Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui hacked, or
attempted to hack, into the victims' computers to steal information that would be useful to competitors in
China, including SOEs.223 One victim, SolarWorld, subsequently petitioned the U.S. Department of Commerce to investigate the allegations made in
the indictment as they directly related to SolarWorld's ongoing trade dispute over imports of solar products from China.224
The Chinese government strongly denied what it called the fabricated allegations, 225 and within days of the indictment, China retaliated
both economically and politically against the United States. The Chinese government suspended participation
in a U.S.-China Cyber Working Group, which was established in 2013 as a bilateral dialogue on cyber
security.226 China also announced that its government offices were forbidden from using Microsoft's Windows
8 operating system and ordered security checks on foreign IT products and services seemingly directed at U.S.
companies, including Cisco Systems.227 Likewise, the PBOC and the Chinese Ministry of Finance asked banks
to replace IBM servers with those produced by domestic brands to protect financial security.228 In the same
week, the Chinese government instructed SOEs to sever ties with U.S. consulting companies, including
McKinsey, Boston Consulting Group, Bain & Company, and Strategy & Co. (formerly known as Booz & Co.),
and urged SOEs to establish teams of domestic consultants out of fears that U.S. consultants are government
spies.229 Chinese entities have long been engaging in cyber-enabled theft against U.S. companies for
commercial gain; however, the May 19 indictment represents the first ever charges against known state actors
for infiltrating U.S. commercial targets by cyber means.230 In addition, the indictment states that Chinese firms hired the same
PLA Unit where the defendants worked to provide information technology services. 231 This established a channel through which the Chinese firms
could issue tasking orders to the PLA defendants to engage in cyber theft and commercial espionage. For example, in one case, according to the
indictment, a Chinese SOE hired the PLA Unit to build a secret database to hold corporate intelligence. 232 Of the 141 organizations
allegedly compromised by PLA Unit 61398 since 2006, 81 percent were located or headquartered in the United
States.233 In June 2013, the U.S. Department of Justice indicted Chinese energy firm Sinovel for cyber-enabled IP theft committed against
Massachusetts-based American Superconductor (AMSC).* Florida-based biofuel company Algenol, which is developing technology that converts algae
into fuels while decreasing greenhouse gas emissions, fell victim to more than 39 million hacking attempts since mid-2013.234 According to Algenol's
technology chief, 63,000 hacking attempts came from China, of which 6,653 attempts came from IP addresses identified by cyber security firm Mandiant
as belonging to PLA Unit 61398.235 Algenol's investigation also identified Alibaba's cloud computing subsidiary Aliyun as an originator of hacking
attempts, though Alibaba claimed that Algenol mischaracterized ordinary Internet traffic as hacking attempts.236
All organisations are potential victims. Intuitively, one would assume that large organisations with valuable data were exposed to a much
higher risk than smaller organisations overall. Certainly, a number of high-profile attacks have involved prestigious names (e.g.,
Sony, RSA, Citicorp, Stratfor, AT&T), with an excess of $200 million in losses. These breaches have generated a stronger awareness about
the need for network security systems. In addition, several states have laws that require companies to publicly report any event in
which their customers' personal information has been compromised, meaning that these are the attacks the public
hears about. A 2010 Canadian government report asserted that 86 percent of large Canadian companies had been victims or targeted attacks from
Black Hats, and that efforts to steal intellectual property from the private sector had doubled since 2008. No empirical
data exists quantifying the impact of hacking as a whole, but many modelling attempts have been made to estimate its impact. The German
intelligence agency BfV, for example, estimates that Germany loses $21 billion to $71 billion of revenue and 30,000 to
70,000 jobs each year due to intellectual property theft through hacking. In Frost & Sullivan's opinion, the majority of serious
website intrusions are never detected or never made public. True Black Hats always try to keep a low profile and remain as silent as possible. Hacking
attacks in the media are usually caused by young hackers and hacktivists. There is clearly more glory involved in hacking a Charles Schwab than an
unknown SME. Hence, decision-makers erroneously believe that Web hacks only target large organisations.
Economic Signaling and the Problem of Economic Crises, Economics of War and Peace: Economic, Legal and Political Perspectives, ed. Goldsmith and
Brauer, p. 213-215 https://books.google.com/books?hl=en&lr=&id=HmcwrzBU6dsC&oi=fnd&pg=PA205&dq=Economic+Integration,+Economic+Signaling+and+the+Problem+of+Economic+Crisis&ots=aZ0lgMVudZ&sig=6Asm0R-CJGcjnSniv5sYOpNYLUE#v=onepage&q=Economic%20Integration%2C%20Economic%20Signaling%20and%20the%20Problem%20of%20Economic%20Crisis&f=false ) //JRW
Less intuitive is how periods
of economic decline may increase the likelihood of external conflict. Political science
literature has contributed a moderate degree of attention to the impact of economic decline and the security
and defense behaviour of interdependent states. Research in this vein has been considered at systemic, dyadic and national levels.
Several notable contributions follow. First, on the systemic level, Pollins (2008) advances Modelski and Thompson's (1996) work on leadership cycle
theory, finding that rhythms in the global economy are associated with the rise and fall of a pre-eminent power and
the often bloody transition from one pre-eminent leader to the next. As such, exogenous shocks such as economic crises could
usher in a redistribution of relative power (see also Gilpin, 1981) that leads to uncertainty about power balances, increasing the risk of miscalculation
(Fearon, 1995). Alternatively, even a relatively certain redistribution of power could lead to a permissive environment for conflict as a rising power may
seek to challenge a declining power (Werner, 1999). Separately, Pollins (1996) also shows that global economic cycles combined with parallel leadership
cycles impact the likelihood of conflict among major, medium and small powers, although he suggests that the causes and connections between global
economic conditions and security conditions remain unknown. Second, on a dyadic level, Copeland's (1996, 2000) theory of trade expectations suggests
that 'future expectation of trade' is a significant variable in understanding economic conditions and security behaviour of states. He argues that
interdependent states are likely to gain pacific benefits from trade so long as they have an optimistic view of future trade relations. However, if the
expectations of future trade decline, particularly for difficult to replace items such as energy resources, the likelihood for conflict increases as states will
be inclined to use force to gain access to those resources. Crises could potentially be the trigger for decreased trade expectations either on its own or
because it triggers protectionist moves by interdependent states. 4 Third, others have considered the link between economic
decline and external armed conflict at a national level. Blomberg and Hess (2002) find a strong correlation
between internal conflict and external conflict, particularly during periods of economic downturn. They write,
The linkages between internal and external conflict and prosperity are strong and mutually reinforcing.
Economic conflict tends to spawn internal conflict, which in turn returns the favour. Moreover, the presence of
a recession tends to amplify the extent to which international and external conflicts self-reinforce each other.
(Blomberg & Hess, 2002, p. 89) Economic decline has also been linked with an increase in the likelihood of terrorism (Blomberg, Hess, & Weerapana,
2004), which has the capacity to spill across borders and lead to external tensions. Furthermore, crises generally reduce the popularity of a sitting
government. 'Diversionary theory' suggests that, when facing unpopularity arising from economic decline, sitting governments have increased incentives
to fabricate external military conflicts to create a 'rally around the flag' effect. Wang (1996), DeRouen (1995), and Blomberg, Hess, and Thacker (2006)
find supporting evidence showing that economic decline and use of force are at least indirectly correlated. Gelpi (1997), Miller (1999), and Kisangani and
Pickering (2009) suggest that the tendency towards diversionary tactics are greater for democratic states than autocratic states, due to the fact that
democratic leaders are generally more susceptible to being removed from office due to lack of domestic support. DeRouen (2000) has provided evidence
showing that periods of weak economic performance in the United States, and thus weak Presidential popularity,
are statistically linked to an increase in the use of force. In summary, recent economic scholarship positively
correlates economic integration with an increase in the frequency of economic crises, whereas political science
scholarship links economic decline with external conflict at systemic, dyadic and national levels.5 This implied connection
between integration, crises and armed conflict has not featured prominently in the economic-security debate and deserves more attention. This
observation is not contradictory to other perspectives that link economic interdependence with a decrease in the likelihood of external conflict, such as
those mentioned in the first paragraph of this chapter. Those studies tend to focus on dyadic interdependence instead of global interdependence and do
not specifically consider the occurrence of and conditions created by economic crises. As such, the view presented here should be considered ancillary to
those views.
The World Health Organization recently warned that as much as half of the world's drug supply may soon
consist of fake pharmaceutical drugs. Counterfeiting of drugs, in fact, could soon be one of the world's fastest-growing industries. Profits in the counterfeit drug industry are estimated to have doubled since 2005. These
counterfeit drugs often have useless, non-therapeutic ingredients or even contain dangerous and poisonous
ingredients. They are almost always sub-potent. Hundreds of thousands of deaths have been caused by fake
pharmaceuticals around the world. Fortunately, in the United States, thanks to better regulations and the
efforts of skilled and dedicated law enforcement officers, only a small handful have died. Counterfeit drugs are
overwhelmingly manufactured in India, where the government is now cracking down on the manufacturing of
counterfeit drugs and lawmakers are enacting stiff new criminal penalties. One recent report recently stated
that the profits from the sale of counterfeit drugs are now eclipsing the profits being made from the sale of
heroin and cocaine, attracting the involvement of organized crime and terrorists seeking income to fund other
criminal activities. Moreover, there are fears that the growing expertise of counterfeiters combined with the
involvement of criminals and terrorists could result in threats to national security from the use of poisons or
biological products. The Russian mafia, Colombian drug cartels, Chinese triads, and Mexican gangs have all
been implicated in producing and trafficking in counterfeit drugs, as has Al Qaeda, according to one report.
Counterfeit drugs lead to disease
Newton et al., 2010 (Paul N., Michael D. Green, Facundo M. Fernández. Newton works at Centre for Clinical Vaccinology and Tropical
Medicine, Churchill Hospital, University of Oxford, Green at the Division of Parasitic Diseases, Centers for Disease Control and Prevention, Atlanta,
Georgia, and Fernández at the School of Chemistry and Biochemistry, Georgia Institute of Technology, Atlanta, Georgia. Impact of poor-quality
medicines in the developing world. Science Direct, Volume 31 Issue 3. http://www.sciencedirect.com/science/article/pii/S016561470900203X ) //
JRW
adverse effects of unexpected ingredients, e.g. co-trimoxazole containing diazepam; reused ceftazidime vials containing streptomycin; and counterfeit
artesunate tablets containing artemisinin, chloramphenicol, paracetamol, and metamizole. Patients may be allergic to these covert
pharmaceuticals, or may experience confusing adverse events. Some substandard drugs contain more active
ingredient than stated [10] and, for anti-infectives with narrow therapeutic ratios, this may increase the
prevalence of adverse effects. The use of counterfeit anti-malarials, and the consequent failure of patients to
improve, has led to false reports of drug resistance to malaria [13]. An example of the potential dangers of sub-therapeutic
dosage were illustrated when heavier tourists, dosed without taking patient body weight into account, and not their thinner co-travelers, developed P.
vivax relapses [11]. Anti-infectives containing sub-therapeutic amounts of the active ingredient (whether counterfeit
or substandard) increase the risk of the selection and spread of drug-resistant pathogens [13]. Selection depends on a
wide variety of factors, i.e. pathogen biomass; host immunity; relationships between the drug pharmacokinetic profile; pharmacodynamic effects on the
pathogen; anti-microbial susceptibility of the pathogen; and the fitness of resistant mutants. If resistant pathogens infect or arise de
novo within a host and encounter sub-lethal concentrations of a slowly eliminating anti-microbial, they will
have a survival advantage and multiply faster than sensitive pathogens [12]. Although models of the emergence and spread
of resistance to anti-malarial drugs suggest that poor-quality drugs are important, it is very difficult to tease apart the effects of the misuse of anti-infectives by health workers, patient adherence, and poor-quality drugs. Counterfeits containing no active ingredient will not
provide this drug pressure, and it is likely that substandard medicines are more important in engendering
resistance. However, fakes containing sub-therapeutic amounts of the stated ingredient, or incorrect antimicrobial ingredients, may facilitate the emergence and spread of drug-resistant pathogens. For diseases treated with
combination therapy (e.g. tuberculosis, HIV, falciparum malaria), poor-quality combination medicines risk the spread of resistance due to the poor-quality active ingredient and the unprotected co-ingredient. Artemisinin derivatives-based combination therapies (ACTs) hold great hope for
controlling malaria in Africa but, most alarmingly, poor-quality ACTs are already widespread [2,6,13]. Plasmodium falciparum artesunate resistance has
recently been described on the Thailand-Cambodia border and the wide use of monotherapy, substandard artesunate, and fake artesunate containing
sub-therapeutic quantities of artemisinin and artesunate in South-East Asia have probably contributed to this potentially disastrous problem [8].
Poor-quality tuberculosis (TB) drugs [14] are a neglected link between TB treatment, therapeutic failure and the increasing burden of TB drug resistance.
A pandemic will kill off all humans. In the past, humans have indeed fallen victim to viruses. Perhaps the best-known case was the bubonic plague that killed up to one third of the European population in the mid-14th
century (7). While vaccines have been developed for the plague and some other infectious diseases, new viral
strains are constantly emerging -- a process that maintains the possibility of a pandemic-facilitated human
extinction. Some surveyed students mentioned AIDS as a potential pandemic-causing virus. It is true that scientists have been unable thus far to
find a sustainable cure for AIDS, mainly due to HIV's rapid and constant evolution. Specifically, two factors account for the virus's abnormally high
mutation rate: 1. HIV's use of reverse transcriptase, which does not have a proof-reading mechanism, and 2. the lack of an error-correction mechanism
in HIV DNA polymerase (8). Luckily, though, there are certain characteristics of HIV that make it a poor candidate for a large-scale global infection: HIV
can lie dormant in the human body for years without manifesting itself, and AIDS itself does not kill directly, but rather through the weakening of the
immune system. However, for more easily transmitted viruses such as influenza, the evolution of new strains could prove far more
consequential. The simultaneous occurrence of antigenic drift (point mutations that lead to new strains) and
antigenic shift (the inter-species transfer of disease) in the influenza virus could produce a new version of
influenza for which scientists may not immediately find a cure. Since influenza can spread quickly, this lag time could potentially
lead to a global influenza pandemic, according to the Centers for Disease Control and Prevention (9). The most recent scare of this variety came in 1918
when bird flu managed to kill over 50 million people around the world in what is sometimes referred to as the Spanish flu pandemic. Perhaps even more
frightening is the fact that only 25 mutations were required to convert the original viral strain -- which could only infect birds -- into a human-viable
strain (10).
Decline in Competitiveness Leads to Economic Collapse and Fiscal Crisis -- Empirics in France Prove
Tully 13 (Shawn Tully, editor at Fortune, Fortune, 6/20/15, http://fortune.com/author/shawn-tully/)
/dylsbury
A deeper look shows that France is mired in no less than an economic crisis. The eurozone's second-largest
economy (2012 GDP: 2 trillion euros) is suffering more than any other member from a shocking deterioration
in competitiveness. Put simply, France's products -- its cars, steel, clothing, electronics -- cost far too much to
produce compared with competing goods both from Asia and its European neighbors, including not just
Germany but even Spain and Italy. That's causing a sharp and accelerating fall in its exports, and a significant
decline in manufacturing and the services that support it.
The virtual implosion of French industry is overlooked by analysts and pundits who claim that the eurozone
had dodged disaster and entered a new, durable period of stability. In fact, it's France -- not Greece or Spain --
that now poses the greatest threat to the euro's survival. France epitomizes the real problem with the single
currency: The inability of nations with high and rising production costs to adjust their currencies so that their
products remain competitive in world markets. So far, the worries over the euro have centered on dangerously
rising debt and deficits. But those fiscal problems are primarily the result of a loss of competitiveness. When
products cost too much to make, the economy stalls or actually declines, so that even modest increases in
government spending swamp nations with big budget shortfalls and excessive borrowings. In this no-or-negative growth scenario, the picture is usually the same: The private economy shrinks while government
keeps expanding. That's already happened in Italy, Spain and other troubled eurozone members. The
difference is that those nations are adopting structural reforms to restore their competitiveness. France is
doing nothing of the kind. Hence, its yawning competitiveness gap will soon create a fiscal crisis. It's absolutely
astonishing that an economy so large, and so widely respected, can be unraveling so quickly.
RE<C invested in large-scale renewable energy projects and investigated a wide range of innovative
technologies, such as self-assembling wind turbine towers, drilling systems for geothermal energy, and solar
thermal power systems, which capture the sun's energy as heat. For us, designing and building novel energy
systems was hard but rewarding work. By 2011, however, it was clear that RE<C would not be able to deliver a
technology that could compete economically with coal, and Google officially ended the initiative and shut down
the related internal R&D projects. Ultimately, the two of us were given a new challenge. Alfred Spector,
Google's vice president of research, asked us to reflect on the project, examine its underlying assumptions, and
learn from its failures.
We had some useful data at our disposal. That same year, Google had completed a study on the impact of clean
energy innovation, using the consulting firm McKinsey & Co.'s low-carbon economics tool. Our study's best-case scenario modeled our most optimistic assumptions about cost reductions in solar power, wind power,
energy storage, and electric vehicles. In this scenario, the United States would cut greenhouse gas emissions
dramatically: Emissions could be 55 percent below the business-as-usual projection for 2050. While a large
emissions cut sure sounded good, this scenario still showed substantial use of natural gas in the electricity
sector. That's because today's renewable energy sources are limited by suitable geography and their own
intermittent power production. Wind farms, for example, make economic sense only in parts of the country
with strong and steady winds. The study also showed continued fossil fuel use in transportation, agriculture,
and construction. Even if our best-case scenario were achievable, we wondered: Would it really be a climate
victory? A 2008 paper by James Hansen, former director of NASA's Goddard Institute for Space Studies
and one of the world's foremost experts on climate change, showed the true gravity of the situation. In it,
Hansen set out to determine what level of atmospheric CO2 society should aim for if humanity wishes to
preserve a planet similar to that on which civilization developed and to which life on Earth is adapted. His
climate models showed that exceeding 350 parts per million CO2 in the atmosphere would likely have
catastrophic effects. We've already blown past that limit. Right now, environmental monitoring shows
concentrations around 400 ppm. That's particularly problematic because CO2 remains in the atmosphere for
more than a century; even if we shut down every fossil-fueled power plant today, existing CO2 will continue to
warm the planet. We decided to combine our energy innovation study's best-case scenario results with Hansen's
climate model to see whether a 55 percent emission cut by 2050 would bring the world back below that 350-ppm threshold. Our calculations revealed otherwise. Even if every renewable energy technology advanced as
quickly as imagined and they were all applied globally, atmospheric CO2 levels wouldn't just remain above 350
ppm; they would continue to rise exponentially due to continued fossil fuel use. So our best-case scenario,
which was based on our most optimistic forecasts for renewable energy, would still result in severe climate
change, with all its dire consequences: shifting climatic zones, freshwater shortages, eroding coasts, and ocean
acidification, among others. Our reckoning showed that reversing the trend would require both radical
technological advances in cheap zero-carbon energy, as well as a method of extracting CO2 from the
atmosphere and sequestering the carbon.
Warming Causes Extinction
Jamail 13 (Dahr Jamail, journalist and award-winning author, Mother Jones, 12/17/13,
http://www.motherjones.com/authors/dahr-jamail) /dylsbury
I haven't returned to Mount Rainier to see just how much further that glacier has receded in the last few years,
but recently I went on a search to find out just how bad it might turn out to be. I discovered a set of perfectly
serious scientists - not the majority of all climate scientists by any means, but thoughtful outliers - who suggest
that it isn't just really, really bad; it's catastrophic. Some of them even think that, if the record ongoing releases
of carbon dioxide into the atmosphere, thanks to the burning of fossil fuels, are aided and abetted by massive
releases of methane, an even more powerful greenhouse gas, life as we humans have known it might be at an
end on this planet. They fear that we may be at - and over - a climate change precipice hair-raisingly quickly.
Mind you, the more conservative climate science types, represented by the prestigious Intergovernmental
Panel on Climate Change (IPCC), paint scenarios that are only modestly less hair-raising, but let's spend a little
time, as I've done, with what might be called scientists at the edge and hear just what they have to say. "We've
Never Been Here as a Species" "We as a species have never experienced 400 parts per million of carbon
dioxide in the atmosphere," Guy McPherson, professor emeritus of evolutionary biology, natural resources, and
ecology at the University of Arizona and a climate change expert of 25 years, told me. "We've never been on a
planet with no Arctic ice, and we will hit the average of 400 ppm... within the next couple of years. At that time,
we'll also see the loss of Arctic ice in the summers... This planet has not experienced an ice-free Arctic for at
least the last three million years."
For the uninitiated, in the simplest terms, here's what an ice-free Arctic would mean when it comes to heating
the planet: minus the reflective ice cover on Arctic waters, solar radiation would be absorbed, not reflected, by
the Arctic Ocean. That would heat those waters, and hence the planet, further. This effect has the potential to
change global weather patterns, vary the flow of winds, and even someday possibly alter the position of the jet
stream. Polar jet streams are fast flowing rivers of wind positioned high in the Earth's atmosphere that push
cold and warm air masses around, playing a critical role in determining the weather of our planet. McPherson,
who maintains the blog Nature Bats Last, added, "We've never been here as a species and the implications are
truly dire and profound for our species and the rest of the living planet." While his perspective is more extreme
than that of the mainstream scientific community, which sees true disaster many decades into our future, he's
far from the only scientist expressing such concerns. Professor Peter Wadhams, a leading Arctic expert at
Cambridge University, has been measuring Arctic ice for 40 years, and his findings underscore McPherson's
fears. "The fall-off in ice volume is so fast it is going to bring us to zero very quickly," Wadhams told a reporter.
According to current data, he estimates "with 95 percent confidence" that the Arctic will have completely ice-free summers by 2018. (US Navy researchers have predicted an ice-free Arctic even earlier - by 2016.) British
scientist John Nissen, chairman of the Arctic Methane Emergency Group (of which Wadhams is a member),
suggests that if the summer sea ice loss passes "the point of no return," and "catastrophic Arctic methane
feedbacks" kick in, we'll be in an "instant planetary emergency." McPherson, Wadhams, and Nissen represent
just the tip of a melting iceberg of scientists who are now warning us about looming disaster, especially
involving Arctic methane releases. In the atmosphere, methane is a greenhouse gas that, on a relatively short-term time scale, is far more destructive than carbon dioxide (CO2). It is 23 times as powerful as CO2 per
molecule on a 100-year timescale, 105 times more potent when it comes to heating the planet on a 20-year
timescale - and the Arctic permafrost, onshore and off, is packed with the stuff. "The seabed," says Wadhams, "is
offshore permafrost, but is now warming and melting. We are now seeing great plumes of methane bubbling up
in the Siberian Sea... millions of square miles where methane cover is being released." According to a study just
published in Nature Geoscience, twice as much methane as previously thought is being released from the East
Siberian Arctic Shelf, a two million square kilometer area off the coast of Northern Siberia. Its researchers
found that at least 17 teragrams (one million tons) of methane are being released into the atmosphere each
year, whereas a 2010 study had found only seven teragrams heading into the atmosphere. The day after Nature
Geoscience released its study, a group of scientists from Harvard and other leading academic institutions
published a report in the Proceedings of the National Academy of Sciences showing that the amount of
methane being emitted in the US both from oil and agricultural operations could be 50 percent greater than
previous estimates and 1.5 times higher than estimates of the Environmental Protection Agency. How serious is
the potential global methane build-up? Not all scientists think it's an immediate threat or even the major threat
we face, but Ira Leifer, an atmospheric and marine scientist at the University of California, Santa Barbara, and
one of the authors of the recent Arctic Methane study pointed out to me that "the Permian mass extinction that
occurred 250 million years ago is related to methane and thought to be the key to what caused the extinction of
most species on the planet." In that extinction episode, it is estimated that 95 percent of all species were wiped
out.
The human costs associated with intellectual property theft are on the rise. People are losing jobs and
companies are losing profits, but lives are put in danger not just from things like counterfeit drugs and
counterfeit consumer goods, but from the spread of gangs, organized crime groups, and terrorist organizations.
All of these groups are benefiting from the manufacturing of counterfeit drugs, piracy of music and movies, and
theft of trade and state secrets. Some observers even say there may be a cost in personal freedom, as freedom of
speech and the media are pitted against the rights of companies to keep their secrets and not have the secrets
aired when they are leaked as a result of an intellectual property crime.
Terrorism causes extinction
Sid-Ahmed 2004 (Mohamed Sid-Ahmed (Al-Ahram Weekly political analyst), Al-Ahram Weekly, August 26, 2004, "Extinction!", no. 705,
http://weekly.ahram.org.eg/2004/705/op5.htm) //JRW
What would be the consequences of a nuclear
imperative if humankind is to survive. But the still more critical scenario is if the attack succeeds. This could
lead to a third world war, from which no one will emerge victorious. Unlike a conventional war which ends when one side
triumphs over another, this war will be without winners and losers. When nuclear pollution infects the whole planet, we will all be losers.
Organized crime kills economy and threatens national security
Finklea 2010 (Kristin M. Analyst in Domestic Security; Organized Crime in the United States: Trends and Issues for Congress. December 22,
2010 http://fas.org/sgp/crs/misc/R40525.pdf) //JRW
Organized crime threatens multiple facets of the United States, including the economy and national security. In
fact, the Organized Crime Council was reconvened for the first time in 15 years to address this continued threat. Organized crime has taken on
an increasingly transnational nature, and with more open borders and the expansion of the Internet, criminals
endanger the United States not only from within the borders, but beyond. Threats come from a variety of criminal
organizations, including Russian, Asian, Italian, Balkan, Middle Eastern, and African syndicates. Policymakers may question whether the tools they have
provided the federal government to combat organized crime are still effective for countering today's evolving risks. Organized crime could
weaken the economy with illegal activities (such as cigarette trafficking and tax evasion scams) that result in a loss of tax
revenue for state and federal governments. This is particularly of issue given the current state of the country's
economic health. Fraudulent activities in domains such as strategic commodities, credit, insurance, stocks, securities and investments could
further weaken the already-troubled financial market. On the national security front, experts and policymakers have
expressed concern over a possible nexus between organized crime and terrorism. Despite the difference in motivation for
organized crime (profit) and terrorism (ideology), the linking element for the two is money. Terrorists may potentially obtain funding for their
operations from partnering directly with organized crime groups or modeling their profitable criminal acts. Even if organized crime groups
and terrorist organizations do not form long-term alliances, the possibility of short-term business alliances
may be of concern to policymakers.
cyber attacks that degrade the ability to command and control national security assets and attacks that disrupt
critical infrastructure have direct implications to national security. This infrastructure may be civilian, military, or both. In the
United States, for example, the Department of Defense relies heavily on the nation's public and private cyber infrastructure
backbone for communications purposes [13].4 Some security measures are currently in place to protect against the threats
articulated above. Such measures are employed by both government agencies and the private sector owners of much of a nation's
critical infrastructure [see 14]. An obvious measure to defend against the theft of sensitive information would be to place all
critical information and correspondence on closed systems that are not connected to the publicly accessible Internet. In the
United States, for example, this would entail containing the information within the national security system architecture managed by the National
Security Agency and Defense Information Systems Agency. Certainly, governments secure much of their critical information in this manner.
However, it is also the case that, as we become more reliant on the Internet for collaboration on all activities, especially
between the public and private sector, it is becoming increasingly difficult to keep critical information controlled
in this manner. A recent incident regarding a potential loss of design information for the F-35 Joint Strike Fighter
highlights this problem. The information was stolen from private, proprietary industry networks (meaning no government
access or frequent auditing), and it apparently contained several terabytes of design data on the future air defense capability for
several nations [15]. Remaining disconnected from the greater cyberspace could be a measure employed by critical infrastructure owners and
operators also. The control networks could be closed, proprietary systems with no remote access. In fact, older generation control systems employed
tailored protocols and were only managed through proprietary, closed systems because there was no Internet available at the time.
4 Note that the focus for this article does not include industrial espionage unrelated to national security, hacking for pleasure, identity theft, and the use of the Internet for
training, messaging, and internal transactions of bad actors. Though these can all be considered criminal acts in their own right, they are outside the
scope of this discussion.
5 For an overview of the U.S. National Security System, refer to the CNSS website at www.cnss.gov
However, the trend has been to install remotely maintained systems employing common OS architectures to leverage the connectivity benefits of the
Internet [16]. Therefore, these critical infrastructure systems have assumed a risk common to all those dependent on
the effective functioning of the Internet. The United States, as a sovereign country, certainly has the inherent right to control all of its borders in any
domain [17]. With the above considerations, it is clear the public sector cannot manage all necessary security actions alone.
Private companies are an important part of the dynamic that is absent in other areas of national security where the actions of the military, or law
enforcement, dominate the response options. We have no early warning radar system or Coast Guard to patrol the borders in cyberspace. Unlike in other
domains, information of an attack will come first from those being attacked. Therefore it is highly unlikely that a government
organization, unless it is actually the target of a cyber attack, will have greater situational awareness.
incentivize the private sector to invest in cyber security as well. In many cases, national security depends
on it. But if none of the measures being employed have a border patrol component, does that necessarily mean that borders are not significant in
cyberspace? The next two sections will introduce two different frameworks to address this question. In the first of the two analytic frameworks, I will
compare the problems of securing a nation against cyber threats to the challenges of securing a nation against international drug trafficking.
from the Commission on the Theft of American Intellectual Property claimed that annual losses to the American economy due from international IP theft
were likely over $300 billion.41 Reasonable people can of course differ regarding the accuracy of these assessments. It is beyond doubt, however, that the
annual cost to American companies of trade secret theft generally, and of cyber-enabled trade secret theft specifically, is many billions of dollars.
Valuable trade secrets attract the attention of highly skilled attackers who have access to a continuing stream of new exploits.
Citing data from the National Vulnerability Database,42 HP's 2013 Cyber risk report noted that over 4700 new vulnerabilities were reported through
November 2013, and that this number was about 6% lower than the corresponding number for 2012.43 Stated another way, the number of
reported new vulnerabilities averages well over ten per day; the number of unreported new vulnerabilities is clearly
higher. The HP report also cited approximately 250 vulnerabilities disclosed in 2013 through HP's Zero Day Initiative, which provides
compensation to researchers who disclose verified vulnerabilities and then coordinates the release of patch by the affected product
vendor.44 In addition, cyberespionage attacks are notable both in their sophistication and in their increasing frequency. The Verizon
2014 Data Breach Investigations Report45 examined 511 cyberespionage incidents in 2013, noting consistent, significant growth of incidents in the
dataset46 and that cyberespionage exhibits a wider variety of threat actions than any other pattern. 47
businesses in 2008 alone as upwards of $1 trillion. America is being robbed of its most valuable asset: its
technological superiority. Prior to the Internet, looting on such a scale could only have been accomplished by a military occupation. The effects-based approach requirement that a cyberattack must cause damage only previously possible by traditional military force is therefore satisfied. In
Offensive Cyber Operations and the Use of Force, Lin provides a series of hypothetical cyberattacks and analyzes whether such attacks would constitute
an armed attack. One hypothetical involves a cyberattack that disrupts the stock exchange of the fictitious country of Zendia. Lin provides the
following analysis: Bombs dropped on Zendia's stock exchanges at night, so that casualties were minimized, would be regarded as a use of force or an
armed attack by most observers, even if physical backup facilities were promptly available so that actual trading was disrupted only for a few hours. The
posited cyber attack could have the same economic effects, except that the buildings themselves would not be destroyed. In this case, the cyber attack
may be less likely to be regarded as a use of force than a kinetic attack with the same (temporary) economic effect, simply because the lack of physical
destruction would reduce the scale of the damage caused. However, a cyber attack against the stock exchanges that occurs
repeatedly and continually, so that trading is disrupted for an extended period of time, for days or weeks, would
surely constitute a use of force or even an armed attack, even if no buildings were destroyed. At the heart of Lin's analysis seems to be
the idea that a cyberattack causing sustained and substantial economic damage, without any physical damage, can
rise to the level of an armed attack. The argument this Note makes regarding cyber espionage is no different, except with cyber
espionage, the assault has not lasted mere days or weeks, but years. The important point is that once it is accepted that an armed attack
can occur without physical damage, to limit the use of active defenses to cyber "attacks"-the corruption of data-as opposed to
cyber "espionage"-the theft of data-is an overly mechanical distinction, which ignores the basic idea of the effects-based
approach. It is the effect that matters most.
Russia would threaten to use nuclear weapons during a conflict in order to deter an opponent from pursuing
further military gains. (While China maintains a public pledge never to be the first to use nuclear arms, Beijing likely has a similar plan should war with the
Americans go badly.) How might this doctrine come into play during a crisis? There is far less at stake between Russia and the West now, and the Russians are not
commanding a global empire dedicated to a revolutionary ideology. That does not mean, however, that Russian leaders, including President Vladimir Putin, accept the
outcome of the Cold War. And so imagine, in the wake of Russia's successes in Ukraine, that the Russian leadership under Vladimir Putin
president with dread, especially as the Russian public watches their soldiers being cut to pieces in a foreign country. The Kremlin, at this point, threatens to use nuclear
weapons. The West responds by reiterating its demands that the Russians leave NATO territory, by initiating a renewed offensive against the invading forces, and by increasing
U.S., British, and French nuclear readiness." As during the Cold War, the
Anglo-Franco-American) attack on targets inside Russia near the fighting might be the West's last ditch to convince the Russians to pull away from their failed gambit.
Once a nuclear weapon explodes on Russian soil, however, Russian hardliners, civilian and military, will demand a strike on
America or Britain, or both, as revenge and as a show of resolve. If the crisis goes beyond this initial exchange of nuclear
force, with hundreds of thousands of people already dead and injured from nuclear strikes in multiple countries, we can expect all sides to execute their Cold War-era plans,
since they're really still the only ones anyone has. Driven by fear and military logic, the United States and Russia will attack each other's strategic
nuclear capability as quickly as possible, including command and control centers located in or near major cities like Washington and Moscow.
Carefully crafted nuclear war plans, with all their elegant, complicated options, will fall apart in the midst of chaos. Even taking into
account weapons destroyed by surprise, rendered inactive by flawed orders, or neutralized by some kind of technical malfunction, a combined total of several
hundred nuclear weapons will fall on each country, including a fair number on Canada, the United Kingdom and France. In the United States,
much of the eastern seaboard will burn. Even a limited strike will require the immediate destruction of Washington along with Navy
nuclear installations from Virginia to Florida. In the west, San Diego and Seattle will suffer the most. Omaha, the home of the U.S. Strategic Command, will be gone, along with
missile bases and airfields in the mountain states. Fallout will kill many more to the east of all of these targets, and irradiate large swaths of America's agricultural heartland.
In the immediate aftermath, governors will take control of their states as best they can until something like a U.S. government can reconstitute itself. National Guardsmen,
along with state and local police forces, will be forced to cope with a terrified and gravely wounded population. Soldiers and cops will find themselves doing everything from
protecting food stocks to euthanizing doomed burn victims. Along with the grisly human cost, the damage to the fragile, electronically-based U.S. infrastructure will be
massive. Areas that were untouched in the strikes, from Northern New England to the Deep South, will drown under an influx of refugees. Civil disorder will eventually spiral
out of the control of even the most dedicated state military organizations and police forces. Martial law will be common and persistent. In Russia, the situation will be even
worse. The full disintegration of the Russian Empire, begun in 1905 and interrupted only by the Soviet aberration, will finally be complete. A second Russian civil war will
erupt, and Eurasia, for decades if not longer, will be a patchwork of crippled ethnic states led by strongmen. Some Russian rump state may emerge from the ashes, but it will
likely be forever suffocated by a Europe unwilling to forgive so much devastation. I am not enough of an expert on Chinese strategy to know if this situation would be
replicated in the Pacific. I cannot help but wonder, however, if the weak and insecure Chinese state, faced by a stunning conventional loss, might panic and take the nuclear
option, hoping to shock America into a cease-fire. The devastation to America might even be worse in this case: in order to achieve maximum effect, the small Chinese strategic
nuclear force is almost certainly targeted against American cities, from the West Coast inward. The United States of America, in some form, will survive. The People's Republic
of China, like the Russian Federation, will cease to exist as a political entity. How any
of this might happen is pure speculation. The important point is that it is not,
http://www.vox.com/2015/6/29/8845913/russia-war)
The Western side believes it is playing a game where the rules are clear enough, the stakes relatively modest, and the competition easily winnable. The
Russian side, however, sees a game where the rules can be rewritten on the fly, even the definition of war itself altered.
For Russia, fearing a threat from the West it sees as imminent and existential, the stakes are unimaginably
high, justifying virtually any action or gamble if it could deter defeat and, perhaps, lead to victory. Separately, the ever-paranoid
Kremlin believes that the West is playing the same game in Ukraine. Western support for Ukraine's government and efforts to broker a ceasefire to the
war there, Moscow believes, are really a plot to encircle Russia with hostile puppet states and to rob Russia of its rightful sphere of influence.
Repeated Russian warnings that it would go to war to defend its perceived interests in Ukraine, potentially even
nuclear war, are dismissed in most Western capitals as bluffing, mere rhetoric. Western leaders view these threats through Western
eyes, in which impoverished Ukraine would never be worth risking a major war. In Russian eyes, Ukraine looks much more important: an extension of
Russian heritage that is sacrosanct and, as the final remaining component of the empire, a strategic loss that would unacceptably weaken Russian
strength and thus Russian security. Both sides are gambling and guessing in the absence of a clear understanding of what the
other side truly intends, how it will act, what will and will not trigger the invisible triplines that would send us careening into war. Today's
tensions bear far more similarity to the period before World War I. During the Cold War, the comparably matched Western and Soviet blocs prepared for
war but also made sure that war never came. They locked Europe in a tense but stable balance of power; that balance is gone. They set clear red lines and
vowed to defend them at all costs. Today, those red lines are murky and ill-defined. Neither side is sure where they lie or what really happens if they are
crossed. No one can say for sure what would trigger war. That is why, analysts will tell you, today's tensions bear far more similarity to the
period before World War I: an unstable power balance, belligerence over peripheral conflicts, entangling
military commitments, disputes over the future of the European order, and dangerous uncertainty about what
actions will and will not force the other party into conflict. Today's Russia, once more the strongest nation in Europe and yet weaker than its
collective enemies, calls to mind the turn-of-the-century German Empire, which Henry Kissinger described as "too big for Europe, but too small for the
world." Now, as then, a rising power, propelled by nationalism, is seeking to revise the European order. Now, as then, it
believes that through superior cunning, and perhaps even by proving
its might, it can force a larger role for itself. Now, as then,
the drift toward war is gradual and easy to miss - which is exactly what makes it so dangerous. But there is one way
in which today's dangers are less like those before World War I, and more similar to those of the Cold War: the apocalyptic logic of
nuclear weapons. Mutual suspicion, fear of an existential threat, armies parked across borders from one another, and hair-trigger
nuclear weapons all make any small skirmish a potential armageddon. In some ways, that logic has grown even more dangerous.
Russia, hoping to compensate for its conventional military forces' relative weakness, has dramatically relaxed its rules for
using nuclear weapons. Whereas Soviet leaders saw their nuclear weapons as pure deterrents, something that existed precisely so they would
never be used, Putin's view appears to be radically different. Russia's official nuclear doctrine calls on the country to launch a
battlefield nuclear strike in case of a conventional war that could pose an existential threat. These are more than just
words: Moscow has repeatedly signaled its willingness and preparations to use nuclear weapons even in a more
limited war. This is a terrifyingly low bar for nuclear weapons use, particularly given that any war would likely occur along Russia's
borders and thus not far from Moscow. And it suggests Putin has adopted an idea that Cold War leaders considered unthinkable: that a
"limited" nuclear war, of small warheads dropped on the battlefield, could be not only survivable but winnable. "It's not just a difference
in rhetoric. It's a whole different world," Bruce G. Blair, a nuclear weapons scholar at Princeton, told the Wall Street Journal. He called Putin's decisions
more dangerous than those of any Soviet leader since 1962. "There's a low nuclear threshold now that didn't exist during the Cold War." Nuclear theory
is complex and disputable; maybe Putin is right. But many theorists would say he is wrong, that the logic of nuclear warfare means a
"limited" nuclear strike is in fact likely to trigger a larger nuclear war - a doomsday scenario in which major
American, Russian, and European cities would be targets for attacks many times more powerful than the bombs that leveled
Hiroshima and Nagasaki. Even if a nuclear war did somehow remain limited and contained, recent studies suggest that environmental and
atmospheric damage would cause a "decade of winter" and mass crop die-outs that could kill up to 1 billion
people in a global famine.
US and Russian cyber capabilities increase risk of nuclear war - miscalculation
Cimbala 14 Distinguished Professor of Political Science, Penn State Brandywine, author of numerous books
and articles in the fields of international security studies, defense policy, nuclear weapons and arms control,
intelligence (Stephen J., Air & Space Power Journal 28.2, Nuclear Deterrence and Cyber: The Quest for
Concept p. 88-90, Mar/Apr 2014, ProQuest) | js
What are the implications of potential overlap between concepts or practices for cyber war and for nuclear deterrence?4 Cyber war and nuclear
weapons seem worlds apart. Cyber weapons should appeal to those who prefer a nonnuclear or even a postnuclear military-technical arc of
development. War in the digital domain offers, at least in theory, a possible means of crippling or disabling enemy assets without the need for kinetic
attack or while minimizing physical destruction.5 Nuclear weapons, on the other hand, are the very epitome of "mass" destruction, such that their use for
deterrence or the avoidance of war by the manipulation of risk is preferred to the actual firing of same. Unfortunately, neither nuclear deterrence
nor cyber war will be able to live in distinct policy universes for the near or distant future. Nuclear weapons, whether held back for
deterrence or fired in anger, must be incorporated into systems for command, control, communications, computers, intelligence, surveillance, and
reconnaissance (C4ISR). The weapons and their C4ISR systems must be protected from attacks both kinetic and digital in
nature. In addition, the decision makers who have to manage nuclear forces during a crisis should ideally have the best
possible information about the status of their own nuclear and cyber forces and command systems, about the forces and
C4ISR of possible attackers, and about the probable intentions and risk acceptance of possible opponents. In short, the task of managing a
nuclear crisis demands clear thinking and good information. But the employment of cyber weapons in the early stages of a
crisis could impede clear assessment by creating confusion in networks and the action channels that depend
upon those networks.6 The temptation for early cyber preemption might "succeed" to the point at which nuclear
crisis management becomes weaker instead of stronger. Ironically, the downsizing of US and post-Soviet Russian strategic
nuclear arsenals since the end of the Cold War, while a positive development from the perspectives of nuclear arms control and nonproliferation,
makes the concurrence of cyber and nuclear attack capabilities more alarming. The supersized deployments of missiles and bombers and expansive
numbers of weapons deployed by the Cold War Americans and Soviets had at least one virtue. Those arsenals provided so much redundancy against
first-strike vulnerability that relatively linear systems for nuclear attack warning, command and control, and responsive launch under-or after-attack
sufficed. At the same time, Cold War tools for military cyber mischief were primitive compared to those available now. In addition, countries and their
armed forces were less dependent on the fidelity of their information systems for national security. Thus the reduction of US, Russian, and possibly other
forces to the size of "minimum deterrents" might compromise nuclear flexibility and resilience in the face of kinetic attacks preceded or accompanied by
cyber war.7 Offensive and defensive information warfare as well as other cyber-related activities is obviously very much on the minds of US military
leaders and others in the American and allied national security establishments.8 Russia has also been explicit about its cyber-related concerns.
President Vladimir Putin urged the Russian Security Council in early July 2013 to improve state security against cyber attacks. 9 Russian security
expert Vladimir Batyuk, commenting favorably on a June 2013 US-Russian agreement for protection, control, and accounting of nuclear materials
(a successor to the recently expired Nunn-Lugar agreement on nuclear risk reduction), warned that pledges by Presidents Putin and Barack Obama for
cooperation on cybersecurity were even more important: "Nuclear weapons are a legacy of the 20th century. The challenge of
the 21st century is cybersecurity."10 On the other hand, arms control for cyber is apt to run into daunting security and
technical issues, even assuming a successful navigation of political trust for matters as sensitive as these. Of special significance is
whether cyber arms-control negotiators can certify that hackers within their own states are sufficiently under
control for cyber verification and transparency. The cyber domain cuts across the other geostrategic domains for warfare as well: land,
sea, air, and space. However, the cyber domain, compared to the others, suffers from the lack of a historical perspective. One author argues that the cyber
domain "has been created in a short time and has not had the same level of scrutiny as other battle domains."11 What this might mean for the cyber-nuclear intersection is far from obvious. Table 1 summarizes some of the major attributes that distinguish nuclear deterrence from cyber war, according
to experts, but the differences between nuclear and cyber listed here do not contradict the prior observation that cyber and
nuclear domains inevitably interact in practice. According to research professors Panayotis A. Yannakogeorgos and Adam B. Lowther at
the US Air Force Research Institute, "As airmen move toward the future, the force structure-and, consequently, force-development
programs-must change to emphasize the integration of manned and remotely piloted aircraft, space, and cyber-power
projection capabilities."12
wars that do not necessarily threaten Russia's existence and sovereignty.393 Ian Traynor found something else to worry
about in Putin's new pronouncement: He had in another part of his statement unequivocally declar[ed] the West a hostile
power that must be resisted.394 Furthermore, even while he said he would not increase his nuclear arsenal, Putin
promised from his first days in office to modernize and upgrade it.395 And as if to underscore his altered focus, in 2001 Putin moved
tactical nuclear weapons to Kaliningrad, the former East Prussian city of Königsberg, now a small Russian enclave set among the Baltic States and
geographically separated from Russia proper.396 In the years since, Putin has taken steps to build a nuclear arsenal with what is
known as intermediate force capability. At law, there is an obstacle to such development. In 1987, Ronald Reagan and Mikhail Gorbachev
agreed to the Intermediate Range Nuclear Forces Treaty,397 which called for the elimination of cruise missiles and ground-launched inter-continental
ballistic missiles with a range between 500 and 5,500 kilometers (300 to 3,400 miles).398 In February, 2007, Putin indicated a desire to withdraw from
the Treaty.399 The Americans, he said, had taken actions inconsistent with its obligations by proposing to construct a missile defense in Eastern
Europe400 and there was additionally a need to deter growing Chinese nuclear capability.401 Putin did not formally withdraw from the intermediate
forces treaty,402 although the evidence is compelling that he has now developed a modern and sophisticated arsenal of intermediate-range nuclear
weapons. It was alleged in a letter to the Russian government in the summer of 2014 that as far back as 2008, Russia began testing a prohibited ground-launched cruise missile.403 Without providing supporting documentation, the United States Department of State subsequently declared
categorically that the Russian Federation is in violation of its obligations under the INF Treaty not to possess, produce,
or flight-test a ground-launched cruise missile [within the prohibited range].404 There has been substantial speculation as to the types
of missiles Putin has been testing.405 Some have suggested that the Russians might have modified the R-500 short-range cruise missile to a range that
now falls within the Treaty's prohibition.406 Others have guessed that Russia has modified a sea-launched cruise missile for land-based deployment.407
In response to the Department of State's allegations, Russia threatened to withdraw from the Treaty.408 In September, 2014, Vladimir
Putin issued a series of more direct challenges. He reminded the world that Russia is one of the most powerful
nuclear nations. This is a reality, not just words.409 He test-fired an inter-continental ballistic missile.410 And he
declared that Russia is, indeed, working on new generation of nuclear and conventional weapons.411
intelligence collectors, we judge that the highest interest may be in the following areas. Information and communications
technology (ICT). ICT is a sector likely to remain one of the highest priorities of foreign collectors. The computerization of manufacturing and the push
for connectedness mean that ICT forms the backbone of nearly every other technology used in both civilian and military applications. Beijing's Project
863, for example, lists the development of key technologies for the construction of China's information infrastructure as the first of four priorities.
Military technologies. We expect foreign entities will continue efforts to collect information on the full array of US
military technologies in use or under development. Two areas are likely to be of particular interest: Marine systems. China's desire to
jump-start development of a blue-water navy, to project power in the Taiwan Strait and defend maritime trade routes, will drive efforts to obtain
sensitive US marine systems technologies. Aerospace/aeronautics. The air supremacy demonstrated by US military operations in
recent decades will
espionage against the United States. It is strategic in the sense that it is not just a government's spy agency trying to steal bits of classified
information or an enterprise conducting industrial espionage. Rather, it is a concerted effort to steal American intellectual
property to achieve a level of technological development that Russia cannot achieve on its own. In this regard, it is worth
repeating an October 2011 finding of the U.S. Counterintelligence Executive. Motivated by Russia's high dependence on natural
resources, the need to diversify its economy, and the belief that the global economic system is tilted toward US and
other Western interests at the expense of Russia, Moscow's highly capable intelligence services are using HUMINT, cyber,
and other operations to collect economic information and technology to support Russia's economic development
and security.8 In sum, Russia, in its capabilities and its intent, presents a major cyber challenge to the United States. The only difference between
it and China may be, as Jeff Carr points out, that it is seldom caught. And that, alone, may make it the number one cyber threat.
modernization of our country and creating the optimal conditions for the development of its science and
technology.' IP theft threatens some companies more than others. Companies that are less dependent on IP for competitive advantage may be able to
recover fairly quickly. Indeed, the EIU's survey shows that many executives are optimistic about their companies' abilities to respond to IP attacks, with
48% of respondents saying that while the theft of IP would cause damage in the short-term, they would be able to recover. Companies that innovate
quickly-and develop new IP-may find that they continue to outpace also-ran competitors who have tried to steal their older ideas. In the most alarmist
scenarios, however, IP theft by low-cost competitors manifests itself only years later in reduced industry competitiveness, slower economic growth, lost
jobs, and even lower living standards. By the same token, defense technologies and secrets stolen from US industry and
government networks could give China and Russia military advantages worth billions.
U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a
burgeoning gray market where hackers and security firms sell tools for breaking into computers. The strategy is spurring concern in the
technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software
companies and customers the vulnerabilities exploited by the purchased hacks. That's because U.S. intelligence and
military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving
behind spy programs and cyber-weapons that can disrupt data or damage systems. The core problem: Spy tools and cyber-weapons rely on
vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public
warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software
remain unrepaired. Moreover, the money going for offense lures some talented researchers away from
work on defense, while tax dollars may end up flowing to skilled hackers simultaneously supplying criminal groups. "The only people paying
are on the offensive side," said Charlie Miller, a security researcher at Twitter who previously worked for the National Security Agency. A spokesman for
the NSA agreed that the proliferation of hacking tools was a major concern but declined to comment on the agency's own role in purchasing them, citing
the "sensitivity" of the topic. America's offensive cyber-warfare strategy - including even the broad outlines and the total spending levels - is classified information. Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has been
most widely reported - the use of a virus known as Stuxnet to disrupt Iran's nuclear-research program - was lauded in Washington. Officials confirmed to
Reuters previously that the U.S. government drove Stuxnet's development, and the Pentagon is expanding its offensive capability through the nascent
Cyber Command. Stuxnet, while unusually powerful, is hardly an isolated case. Computer researchers in the public and private sectors say
the U.S. government, acting mainly through defense contractors, has become the dominant player in fostering the
shadowy but large-scale commercial market for tools known as exploits, which burrow into hidden computer vulnerabilities.
In their most common use, exploits are critical but interchangeable components inside bigger programs. Those programs can steal financial account
passwords, turn an iPhone into a listening device, or, in the case of Stuxnet, sabotage a nuclear facility. Think of a big building with a lot of hidden doors,
each with a different key. Any door will do to get in, once you find the right key. The pursuit of those keys has intensified. The Department of Defense and
U.S. intelligence agencies, especially the NSA, are spending so heavily for information on holes in commercial computer systems, and on exploits taking
advantage of them, that they are turning the world of security research on its head, according to longtime researchers and former top government
officials. Many talented hackers who once alerted companies such as Microsoft Corp to security flaws in their products are now selling the information
and the exploits to the highest bidder, sometimes through brokers who never meet the final buyers.
agencies spend at least tens of millions of dollars a year just on exploits, which are the one essential
ingredient in a broader cyber-weapons industry generating hundreds of millions annually, industry executives said privately. Former
White House cybersecurity advisors Howard Schmidt and Richard Clarke said in interviews that the government in this way has been putting
too much
consumers at risk. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its
first obligation is to tell U.S. users," Clarke said. "There is supposed to be some mechanism for deciding
how they use the information, for offense or defense. But there isn't." Acknowledging the strategic trade-offs, former NSA director
Michael Hayden said: "There has been a traditional calculus between protecting your offensive capability and strengthening your defense. It might be
time now to readdress that at an important policy level, given how much we are suffering." The issue is sensitive in the wake of new disclosures about the
breadth and scale of hacking attacks that U.S. intelligence officials attribute to the Chinese government. Chinese officials deny the allegations and say
they too are hacking victims. Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism
to become the single greatest threat to the country and that better information-sharing on risks is
crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack
Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the
private sector defend itself. Most companies, including Microsoft, Apple Inc and Adobe Systems Inc, on principle won't pay researchers who report flaws,
saying they don't want to encourage hackers. Those that do offer "bounties", including Google Inc and Facebook Inc, say they are hard-pressed to
compete financially with defense-industry spending. Some national-security officials and security executives say the U.S. strategy is perfectly logical: It's
better for the U.S. government to be buying up exploits so that they don't fall into the hands of dictators or organized criminals. UNINTENDED
CONSEQUENCES When a U.S. agency knows about a vulnerability and does not warn the public, there can be
unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause
damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a
program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.
40 years, farmers across the world will need to double production and do it with
fewer resources - especially water - to feed, clothe and provide energy for a global population of 9 billion souls.
Farmers will need to produce as much food, feed and fiber during the first half of this century as has been produced over the last 100 centuries
combined to meet the growing demand, says Greg Hart, John Deere sales manager for the U.S. Western Region. Hart says the future
of the
world depends on agriculture, and much of that increased production will come from
U.S. farmers. U.S. agriculture will be at the forefront of solving food production challenges for
the world," he says. "No one is better positioned than U.S. farmers. It will not be easy. Most of the population growth
expected to occur by 2050 will take place where diets are already less than adequate. Africa will account for 41% of the population growth, second to
Asia's 49%. North American growth is anticipated to increase only 4% and South America only 7%. Europe's population could decline by about 1%.
Obstacles include meshing productivity with sustainability and resource stewardship. Lack of a skilled labor force, especially in developing nations, also
poses significant problems. Our challenge is to do more with less skilled labor, Hart says. Production variables will continue to challenge farmers.
Weather is the big one. Hart said agricultural yield has followed a strong upward trend since the early 1990s. But
we also had a reduction in 2012 from drought. In 2013, the Southwest had a late spring that hurt production. Much of the region
remains in a three-year drought cycle. We are just one or two weather events away from either a surplus or a
deficit. That's the volatility of agriculture. We must continue to work to optimize production and continue to improve that trend
line. Increased production Agriculture has to increase productivity with more limited resources. The resource base is shrinking. In 10
years, water demand will be 17% higher than availability, Hart says. Improving irrigation efficiency will help. Currently, 18% of the world's agricultural
land is irrigated, but that 18% provides 40% of crop production and 60% of cereal production. But more than half of the world's irrigation is by the most
inefficient method, gravity flow, Hart adds. Focusing on more efficient systems, such as low energy precision application (LEPA) and subsurface drip
irrigation (SDI), will help. Agriculture will have to compete for water, and we will see more regulation and
higher costs. Including energy production into the equation puts even more pressure on agricultural
productivity. Achieving production targets, he says, will demand smart use of available resources.
WMD conflict and extinction
Lugar, 4 (Richard G., former U.S. Senator Indiana and Former Chair Senate Foreign Relations
Committee, Plant Power, Our Planet, 14(3), http://www.unep.org/ourplanet/imgversn/143/lugar.html)
In a world confronted by global terrorism, turmoil in the Middle East, burgeoning nuclear threats and other crises, it is easy to lose sight of the
long-range challenges. But we do so at our peril. One of the most daunting of them is meeting the world's need for food and
energy in this century. At stake is not only preventing starvation and saving the environment, but also world peace and
security. History tells us that states may go to war over access to resources, and that poverty and famine have often bred fanaticism
and terrorism. Working to feed the world will minimize factors that contribute to global instability and the proliferation
of weapons of mass destruction. With the world population expected to grow from 6 billion people today to 9 billion by mid-century, the demand
for affordable food will increase well beyond current international production levels. People in rapidly developing nations will have the means
greatly to improve their standard of living and caloric intake. Inevitably, that means eating more meat. This will raise demand for feed grain at the same
time that the growing world population will need vastly more basic food to eat. Complicating a solution to this problem is a dynamic that must be better
understood in the West: developing countries often use limited arable land to expand cities to house their growing populations. As good land
disappears, people destroy timber resources and even rainforests as they try to create more arable land to feed themselves.
The long-term environmental consequences could be disastrous for the entire globe. Productivity revolution To meet the
expected demand for food over the next 50 years, we in the United States will have to grow roughly three times more food on the land
we have. That's a tall order. My farm in Marion County, Indiana, for example, yields on average 8.3 to 8.6 tonnes of corn per hectare - typical for a farm
in central Indiana. To triple our production by 2050, we will have to produce an annual average of 25 tonnes per hectare. Can we possibly boost output
that much? Well, it's been done before. Advances in the use of fertilizer and water, improved machinery and better tilling techniques
combined to generate a threefold increase in yields since 1935 - on our farm back then, my dad produced 2.8 to 3 tonnes per hectare. Much US
agriculture has seen similar increases. But of course there is no guarantee that we can achieve those results again. Given the urgency of expanding food
production to meet world demand, we must invest much more in scientific research and target that money toward projects that promise to have
significant national and global impact. For the United States, that will mean a major shift in the way we conduct and fund agricultural science.
Fundamental research will generate the innovations that will be necessary to feed the world. The United States can take a leading position
in a productivity revolution. And our success at increasing food production may play a decisive humanitarian role in the
compromised record, mostly from business disruption and revenue loss. That does not include intangible costs
like losing customer loyalty or hurting a company's brand. To add insult to injury, corporate espionage attacks
are increasing. Stealing intellectual property and spying on competitors comprises a growing number of attacks and come at
huge costs to the company that has been hacked. And the big difference with corporate spying is that the attacker usually does not give up until they are
successful. Finally, and most dangerous, are ideologically and politically motivated attacks. Cyber attacks have proven
that computers are very vulnerable. But like any profit-driven enterprise, criminals and corporations are adverse to killing the goose that
lays their golden eggs. Even nation states like China and Russia may be too co-dependent on the U.S. But the growth of ideologically driven
movements is changing the risk. It is not a huge leap of imagination to envision a radical environmental group
hacking into our energy infrastructure. Or terrorist groups like ISIS, Boko Haram and al Qaeda wanting to
bring down our banking system. Ideological or political enemies can exploit the same vulnerabilities but have no remorse about maiming or
killing the goose. In the recent annual threat assessment delivered to Congress, the National Director of Intelligence said that cyber attacks by
politically and criminally motivated actors are the biggest threat to U.S. national security. In this brave new world, the
good guys are playing catch up to the bad guys, who seem to always be one step ahead.
Economic decline leads to war empirics: Jobs and econ decline can each trigger the impact
Mead 9 (2/4, Walter Russell, Henry A. Kissinger Senior Fellow in U.S. Foreign Policy at the Council on
Foreign Relations, Only Makes You Stronger: Why the recession bolstered America, The New Republic,
http://www.newrepublic.com/article/only-makes-you-stronger-0) //JRW
None of which means that we can just sit back and enjoy the recession. History may suggest that financial crises actually help capitalist great powers
maintain their leads--but it has other, less reassuring messages as well. If financial crises have been a normal part of life during the
by paying very high prices for them, former Pentagon homeland-defense chief Paul Stockton and a co-author noted earlier this year in an
essay for the Yale Law and Policy Review. Both "white hat" and "black hat" markets have emerged for identified zero-day threats, which exploit
previously unknown vulnerabilities.
There is also a "burgeoning gray market," the essay notes, where companies sell
the exploits to governments and other unreported customers with screening that is "far too lenient to
safeguard critical U.S. infrastructure from attack." Stockton's essay -- which underscored the risk the exploits pose to the
U.S. electric grid and other critical infrastructure sectors -- urged U.S. policymakers to consider reining in the practice of paying so much for the flaws,
adding there is "no evidence" that the agencies who exploit them weigh the benefits against the "potentially
catastrophic risks" that the zero-day market poses to U.S. security. "The time has come for Congress, Executive
Branch leaders, the software industry, and scholars to bring this tradeoff analysis into the open and determine
whether staying at the extreme end of the policy spectrum -- that of de facto support for a dangerous bazaar for zero-day exploits -- best serves U.S. national security," wrote Stockton and co-author Michele Golabek-Goldman, a student at Yale University Law
School. Last spring, in a speech at Georgetown University, Eric Rosenbach, then the Pentagon's deputy assistant secretary of defense for cyber policy,
voiced serious concern about the black market for cyber vulnerabilities. "I am very, very concerned about that growing market for zero-day exploits, for
destructive malware," he said at the time. But when asked last week whether the Obama administration is considering reducing purchases of zero-day
exploits to control the booming market, Laura Lucas Magnuson, a spokeswoman for White House Cybersecurity Coordinator Michael Daniel, disputed
the notion of a booming market. "The U.S. government does not see evidence that there is a booming market for zero-day exploits," she told Inside
Cybersecurity. "Instead, the private sector is stepping up to create innovative solutions to our cybersecurity challenges such as 'bug bounty' programs or
crowd-sourcing the process of vulnerability discovery." These kinds of "innovative solutions ... how we identify and patch unknown
vulnerabilities and protect U.S. networks and the Internet as a whole," she continued. "We are looking at whether the U.S. government can or should play a role in encouraging the
development of such solutions." Congress has taken an interest in controlling the proliferation of zero-day and
other cyber exploits. How the administration responds to recent legislation could shed light on the way ahead. The fiscal year 2014 National
Defense Authorization Act directs the president to launch an interagency process to create an integrated policy to control the proliferation of cyber
weapons through various means. The legislation also mandates the development of a new cyber deterrence policy.
Federal Government has not yet provided leadership on international cyber response and recovery
issues. The government must provide a clear definition of the factors that determine a cyber incident of national
significance, including specific triggers and protocols for response escalation. This policy should clarify the legal authorities of the Federal
Government during a cyber incident and set goals for expected Federal interactions with the private sector and with
government entities at the state and local level. It should strengthen international understanding of and cooperation on cyber issues and establish
initiatives to engage the international community in discussion of appropriate actions during cyber crises. The Federal Government should also set
expectations for the private sector. The business community plays a major role in critical infrastructure protection, but
there is widespread confusion as to how it should prepare for, respond to, or recover from catastrophic cyber incidents.
The private sector owns and operates a large share of the critical infrastructure in the United States, but the
Federal Government, too, owns and operates much of it. As part of its traditional role of managing catastrophic incidents, the
government has a responsibility to protect this infrastructure. The U.S. Government should leverage its extensive global networks
to establish early warning and information-sharing protocols that could be used by both the government and private sector in the event of emergency. In
serving as a leader to the private sector, the Federal Government should inform the private sector of what it can expect
from government departments and agencies; establish minimum expectations for actions from the private sector; and mandate
liabilities for failure to perform in a satisfactory manner. It should also establish central points of contact that are easily accessible to private sector
stakeholders. These government actions to manage catastrophic incidents should be clearly defined, so as to provide clear guidelines to the private
sector. The private sector also has a responsibility to protect its infrastructure. The business community must take the
initiative and not simply wait for guidance from the Federal Government. Private sector stakeholders must join to form their own points of contact. The
Information Sharing and Analysis Centers (ISACs) now established in several critical industry sectors are a start, but more is needed. The private
sector should communicate with the government to establish joint expectations that are acceptable to both the public and
private sectors. Business leaders should focus efforts on learning how to manage important economic issues that
may be affected by a cyber disruption, such as public trust and confidence in the markets.29 CEOs and other senior business officials must
plan within their own companies and industries in order to maintain business functionality during catastrophic incidents.
security of critical
infrastructures,10 including transportation, finance,11 the power grid,12 water supply and waste management
systems,13 computer networks,14 military,15 and homeland security and disaster recovery,16 to name but a few.17
These sectors are increasingly dependent on the evolving information infrastructure,18 which in turn is
increasingly dependent on secure software.19 The growing risks inherent in insecure information technology systems
have prompted corporate executives,20 computer security experts,21 commentators,22 lawyers,23 and government officials24 to call for action.
Software vulnerabilities are abused for cyber attacks
Kuehn 14 (Andreas Kuehn: School of Information Studies, Syracuse University 221 Hinds Hall Syracuse, New
York 13244; Milton Mueller: School of Information Studies, Syracuse University 307 Hinds Hall Syracuse, New
York 13244. NSPW '14 Proceedings of the 2014 workshop on New Security Paradigms Workshop Pages 6368: Shifts in the Cybersecurity Paradigm: Zero-Day Exploits, Discourse, and Emerging Institutions.
Published 2014. Accessed June 24th, 2015.
Software vulnerabilities and exploits have attracted significant attention recently because of their implications for
cybersecurity, cyber crime, and cyber war. In recent years, actors began to realize the economic and military value of
retaining exclusive knowledge of vulnerabilities. A market has developed for the production and distribution of software
vulnerabilities; buyers sometimes pay over USD 100,000 for software exploits. Major software companies now run bug bounty
programs to acquire vulnerabilities in order to patch their products. Security firms, such as VUPEN, Endgame, Netragard, and TippingPoint's Zero
Day Initiative bring together suppliers and buyers in this market. U.S. government intelligence services have become a de facto regulator by virtue of
their ability to spend millions to develop or acquire software exploits. A software vulnerability, also referred to as a security bug, is a flaw in computer
code that can compromise the security of a computer system. Software and network protocols often contain
security vulnerabilities that are unintended consequences of design choices or mathematical errors in models. An exploit makes use of
such vulnerabilities to circumvent security mechanisms and allows unauthorized actors to intrude into, destroy,
manipulate or steal data from an information system. A zero-day exploit (ZDE) is a special type of exploit. It makes use of an
undisclosed vulnerability, whose existence is kept secret. Thus, established security procedures and technologies such as antivirus or intrusion detection
systems cannot defend against them. Hence, ZDEs are a central component and provide effective means in cyber operations and attacks for offensive and
defensive ends. Stuxnet, Flame, and Aurora are examples of cyber weapons that made use of ZDEs [12, 24]. 1.1 Research Problem The proliferation
of exploits and ZDEs raises fundamental questions about the relationship between technology and society and heightens
concerns about the unaccountable use of cyber attack capabilities. Labeled a digital arms race by some, it is
generating a transnational debate about control and regulation, the role of secrecy and disclosure, and the
ethics of exploit production and use (e.g., [18, 4]). The controversy reflects underlying conflicting rationales: while intelligence and military
circles are concerned about national security, industrial and civilian logics emphasize matters of trade, innovation and freedom. Recent revelations about
NSA spying have amplified this debate, including reports that the NSA spent USD 25 million in 2013 to acquire exploits [6]. The U.S. President's Review
Group made specific recommendations regarding software exploits [2]. Issues regarding secrecy and disclosure, knowledge and ignorance, and
transparency and concealment are paramount in this debate [21, 22]. There is a longstanding debate in computer security about the role of disclosure in
improving or undermining security (e.g., [20]). Since
interconnected society, understanding how software vulnerabilities and exploits and cyber weapons more generally are used,
defined, and controlled is of utmost importance for society as a whole and for policy-makers.
infrastructure and only upgraded the computer technology but the actual assets are still old, Pollet, founder of
consulting firm Red Tiger Security, told FoxNews.com. Through the Recovery Act, the Energy Department has so far invested roughly $4.5 billion to
modernize and enhance the reliability of the nation's grid. Without action, the current setup will allow for potential
cyberattacks against the system. We've taken an infrastructure that is older and we have this modernized
equipment on top of it that is vulnerable to the same type of hacking attack that you see with [companies] like
Target, said Pollet.
Power grid threatened by cyber terror
DOE 15 (The United States Department of Energy is a Cabinet-level department of the United States
Government concerned with the United States' policies regarding energy and safety in handling nuclear
material. Energy.gov: CYBERSECURITY. No publishing date provided, but the post indicates a series of
goals announced on January 8th, 2015. Accessed June 26th, 2015. http://energy.gov/oe/services/cybersecurity)
KalM
Addressing cybersecurity is critical to enhancing the security and reliability of the nation's electric grid.
Ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical
infrastructure that other sectors depend upon to deliver essential services. Over the past two decades, the roles of electricity
sector stakeholders have shifted: generation, transmission, and delivery functions have been separated into distinct markets; customers have become
generators using distributed generation technologies; and vendors have assumed new responsibilities to provide advanced technologies and improve
security. These changes have created new responsibilities for all stakeholders in ensuring the continued security
the failure of any one element requires energy to be drawn from other areas. If multiple parts fail at the
same time, there is the potential for a cascading effect that could leave millions in the darks for
days, weeks or longer.
Grid failure causes societal collapse and mass starvation
Lewis 14 (Patrice Lewis is a freelance writer. WND Commentary: If the grid fails, will you die? published
May 23rd, 2014 accessed June 26th, 2015. http://www.wnd.com/2014/05/if-the-grid-fails-will-you-die/) KalM
It seems too many people are flippant or dismissive of the potential hardships. An electromagnetic pulse is a joke and would
be minor at best, notes one person. I say that because most people know how to survive without all the modern conveniences. Or, We'd go back
to the 1800s. Big deal. People lived just fine in the 1800s. I'm not here to argue about the odds of an EMP taking out the grid. I'm not going to
discuss the technicalities of Faraday cages or the hardening of electronics. I'm here to state that if you think life in America without
electricity will merely revert us to pioneer days, you are dead wrong (no pun intended, I hope). We wouldn't regress to
the 1800s; we would regress to the 1100s or earlier. Life would become a bitter, brutal struggle for survival.
Society thrived in the 1800s for four very simple reasons: 1) a non-electric infrastructure already existed; 2)
people had the skills, knowledge and tools to make do; 3) our population levels were far lower, and most people
lived rural and raised a significant portion of their own food; and 4) there were relatively few people who didn't
earn their way. To be blunt, if you didn't work, you seldom ate. Those who couldn't work (the disabled, the elderly, etc.) were cared for by family
members or charitable institutions. There were no other options. These conditions no longer exist. Homes do not come equipped
with outhouses, hand water pumps and a trained horse stabled in the back. Many people don't have the faintest
clue how to cook from scratch, much less grow or raise their own food. Eighty percent of Americans live in cities
and are fed by less than 2 percent of the population, which means farmers must mass-produce food for
shipments to cities. And there are far too many people on multi-generational entitlement programs who literally know no other lifestyle except an
endless cycle of EBT cards and welfare payments. Additionally, the interconnectivity that exists in today's society is complex
beyond belief. It's been proven again and again that a single weak link can bring down the whole chain. A
truckers strike or a massive storm at one end of the country can mean interrupted food deliveries at the other
end. Even the most humble object - a pencil, for example - has a pedigree of such unimaginable complexity
that its manufacture requires the cooperation of millions, and not one single person on the planet knows how
to make one from start to finish. Read this essay to see what I mean. How much more complex would it be to rebuild a fallen electrical grid
than a pencil? And yet some people claim that a grid-down situation will be a minor inconvenience. They think that
because they line-dry their clothes and have a few tomatoes on their patio, that they'll be able to survive a
situation in which all services cease. They think food production and distribution is somehow independent of
fuel and electricity. In fact, it's intimately connected. Ever try to till a 3,500-acre wheat field by horse-drawn
plow? Shut off power and you shut off food. Period. Some people contemptuously dismiss the hardships that would
ensue after grid-down by noting that we already possess the know-how for technological and medical advances.
We know how to treat or cure illness and injury. We know how to provide electrical power. We know how to make engines. Therefore, it will be easy to
rebuild America's infrastructure in the event of a grid-down situation. And these people are right - we do possess the knowledge. What we
would lack is the infrastructure to rebuild the infrastructure. We lack the stop-gap services that would allow
engineers and manufacturers to rebuild society without facing starvation first. And if the people with the specialized
knowledge to rebuild die off in the interim before the infrastructure gets rebuilt, then where will we be? America's connectivity, more than
anything else, will cripple our society should the power fail. It's all well and good for a surgeon to have the knowledge of how to
operate on a cancerous tumor, but if sterile scalpels and anesthesia and dressings and other surgical accouterments are not available, the surgeon's
abilities regress almost to the point of a tribal witch doctor by the lack of infrastructure, services and supplies.
flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to
configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce
vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems
underlying that software, some of which can be exploited as security vulnerabilities. In order to prevent
exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even
worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally
expose these environments to numerous types of attacks. For example, phishing attacks send email through a firewall to persuade recipients to either
reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have
been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix
because they are essential to the design of the firewall's features. Even if connections through firewalls are initiated from the control network side, once the connections are established,
they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks
back to systems on the protected network. This means that utilities cannot deliver any confidence that their
operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must
compensate for it.
The rest of the world depends on the US for food, but production is on the brink; Water
disruption collapses it empirically.
Smith 14 (Ron Smith is editor at Southwest Farm Press. Farm Futures: U.S. Ag: Poised to Feed the World?
published January 12th, 2014. http://farmfutures.com/story-ag-poised-feed-world-18-107236) KalM
The challenge is daunting: Within 40 years, farmers across the world will need to double production and do it with fewer
resources - especially water - to feed, clothe and provide energy for a global population of 9 billion souls. Farmers will need to
produce as much food, feed and fiber during the first half of this century as has been produced over the last 100 centuries combined to meet the growing
demand, says Greg Hart, John Deere sales manager for the U.S. Western Region. Hart says the future of the world depends on
agriculture, and much of that increased production will come from U.S. farmers. U.S. agriculture
will be at the forefront of solving food production challenges for the world," he says. "No one is better
positioned than U.S. farmers. It will not be easy. Most of the population growth expected to occur by 2050 will take place where diets are
already less than adequate. Africa will account for 41% of the population growth, second to Asia's 49%. North American growth is anticipated to increase
only 4% and South America only 7%. Europe's population could decline by about 1%. Obstacles include meshing productivity with sustainability and
resource stewardship. Lack of a skilled labor force, especially in developing nations, also poses significant problems. Our challenge is to do more with
less skilled labor, Hart says. Production variables will continue to challenge farmers. Weather is the big one. Hart said agricultural yield has
followed a strong upward trend since the early 1990s. But we also had a reduction in 2012 from drought. In 2013,
the Southwest had a late spring that hurt production. Much of the region remains in a three-year drought cycle. We are just one or two
weather events away from either a surplus or a deficit. That's the volatility of agriculture. We must continue to work to
optimize production and continue to improve that trend line. Increased production Agriculture has to increase productivity with more limited
resources. The resource base is shrinking. In 10 years, water demand will be 17% higher than availability, Hart says. Improving irrigation
efficiency will help. Currently, 18% of the world's agricultural land is irrigated, but that 18% provides 40% of crop production and 60% of cereal
production. But more than half of the world's irrigation is by the most inefficient method, gravity flow, Hart adds. Focusing on more efficient systems,
such as low energy precision application (LEPA) and subsurface drip irrigation (SDI), will help. Agriculture will have to compete for
water, and we will see more regulation and higher costs. Including energy production into the equation puts
even more pressure on agricultural productivity. Achieving production targets, he says, will demand smart use
of available resources.
almost all of the major aquifers in the arid and semi-arid parts of the world." The Middle East, north Africa and
south Asia are all projected to experience water shortages over the coming years because of decades of bad
management and overuse. Watering crops, slaking thirst in expanding cities, cooling power plants, fracking oil
and gas wells - all take water from the same diminishing supply. Add to that climate change - which is
projected to intensify dry spells in the coming years - and the world is going to be forced to think a lot more
about water than it ever did before. The losses of water reserves are staggering. In seven years, beginning in 2003, parts of
Turkey, Syria, Iraq and Iran along the Tigris and Euphrates rivers lost 144 cubic kilometres of stored freshwater or about the same amount of water in
the Dead Sea, according to data compiled by the Grace mission and released last year. A small portion of the water loss was due to soil drying up because
of a 2007 drought and to a poor snowpack. Another share was lost to evaporation from lakes and reservoirs. But the majority of the water lost, 90km3, or
about 60%, was due to reductions in groundwater. Farmers, facing drought, resorted to pumping out groundwater at times on a massive scale. The
Iraqi government drilled about 1,000 wells to weather the 2007 drought, all drawing from the same stressed supply. In south Asia, the losses of
groundwater over the last decade were even higher. About 600 million people live on the 2,000km swath that extends from eastern Pakistan, across the
hot dry plains of northern India and into Bangladesh, and the land is the most intensely irrigated in the world. Up to 75% of farmers rely on pumped
groundwater to water their crops, and water use is intensifying. Over the last decade, groundwater was pumped out 70% faster
than in the 1990s. Satellite measurements showed a staggering loss of 54km3 of groundwater a year. Indian farmers were
pumping their way into a water crisis. The US security establishment is already warning of potential conflicts -
including terror attacks - over water. In a 2012 report, the US director of national intelligence warned that overuse of water - as in
India and other countries - was a source of conflict that could potentially compromise US national security. The report
focused on water basins critical to the US security regime - the Nile, Tigris-Euphrates, Mekong, Jordan, Indus, Brahmaputra and Amu Darya. It
concluded: "During the next 10 years, many countries important to the United States will experience water problems - shortages, poor water quality, or
floods - that will risk instability and state failure, increase regional tensions, and distract them from working with the United States." Water, on its own,
was unlikely to bring down governments. But the report warned that shortages could threaten food production and energy supply
and put additional stress on governments struggling with poverty and social tensions. Some of those tensions are already
apparent on the ground. The Pacific Institute, which studies issues of water and global security, found a fourfold increase in violent confrontations over
water over the last decade. "I think the risk of conflicts over water is growing - not shrinking - because of increased
competition, because of bad management and, ultimately, because of the impacts of climate change," said Peter
Gleick, president of the Pacific Institute. There are dozens of potential flashpoints, spanning the globe. In the Middle East, Iranian
officials are making contingency plans for water rationing in the greater Tehran area, home to 22 million people. Egypt has demanded Ethiopia stop
construction of a mega-dam on the Nile, vowing to protect its historical rights to the river at "any cost". The Egyptian authorities have called for a study
into whether the project would reduce the river's flow. Jordan, which has the third lowest reserves in the region, is struggling with an influx of Syrian
refugees. The country is undergoing power cuts because of water shortages. Last week, Prince Hassan, the uncle of King Abdullah, warned that a war
over water and energy could be even bloodier than the Arab spring. The United Arab Emirates, faced with a growing population, has invested in
desalination projects and is harvesting rainwater. At an international water conference in Abu Dhabi last year, Crown Prince General Sheikh Mohammed
bin Zayed al-Nahyan said: "For us, water is [now] more important than oil." The chances of countries going to war over water were slim at least over
the next decade, the national intelligence report said. But it warned ominously: "As water shortages become more acute beyond the next 10 years, water
in shared basins will increasingly be used as leverage; the use of water as a weapon or to further terrorist objectives will become more likely beyond 10
years." Gleick predicted such conflicts would take other trajectories. He expected water tensions would erupt on a more local scale. "I think the biggest
worry today is sub-national conflicts - conflicts between farmers and cities, between ethnic groups, between pastoralists and farmers in Africa, between
upstream users and downstream users on the same river," said Gleick. "We have more tools at the international level to resolve disputes between nations.
We have diplomats. We have treaties. We have international organisations that reduce the risk that India and Pakistan will go to war over water but we
have far fewer tools at the sub-national level." And new fault lines are emerging with energy production. America's oil and gas rush is putting growing
demands on a water supply already under pressure from drought and growing populations. More than half the nearly 40,000 wells drilled since 2011
were in drought-stricken areas, a report from the Ceres green investment network found last week. About 36% of those wells were in areas already
experiencing groundwater depletion. How governments manage those water problems and protect their groundwater reserves will be critical. When
California emerged from its last prolonged dry spell, in 2010, the Sacramento and San Joaquin river basins were badly depleted. The two river basins lost
10km3 of freshwater each year in 2012 and 2013, dropping the total volume of snow, surface water, soil moisture and groundwater to the lowest levels in
nearly a decade. Without rain, those reservoirs are projected to drop even further during this drought. State officials are already preparing to drill
additional wells to draw on groundwater. Famiglietti said that would be a mistake. "We are standing on a cliff looking over the edge
Global water crisis causing failed harvests, hunger, war and terrorism. Published March 27th, 2015. Accessed
June 25th, 2015.
http://www.theecologist.org/News/news_analysis/2803979/global_water_crisis_causing_failed_harvests_hunger_war_and_terrorism.html) KalM
The world is already experiencing water scarcity driven by over-use, poor land management and climate
change, writes Nafeez Ahmed. It's one of the causes of wars and terrorism in the Middle East and beyond, and if we
fail to respond to the warnings before us, major food and power shortages will soon afflict large parts of the
globe fuelling hunger, insecurity and conflict. Countries like Iraq, Syria and Yemen, where US counterterrorism operations are in full swing, are right now facing accelerating instability from terrorism due to the
destabilising impacts of unprecedented water shortages. The world is already in the throes of an epidemic of local and regional
water shortages, and unless this trend is reversed, it will lead to more forced migrations, civil unrest and outbreaks of conflict. Behind the escalating
violence in Iraq, Syria and Yemen, as well as the epidemic of civil unrest across the wider region, is a growing shortage of water. New peer-reviewed
research published by the American Water Works Association (AWWA) shows that water scarcity
linked to climate change is now a global problem playing a direct role in aggravating major conflicts in the
Middle East and North Africa.
US water security on the brink now
Dimick 14 (Dennis Dimick is National Geographic's Executive Editor for the Environment. National
Geographic: If You Think the Water Crisis Can't Get Worse, Wait Until the Aquifers Are Drained published
August 21st, 2014. Accessed June 25th, 2015. http://news.nationalgeographic.com/news/2014/08/140819groundwater-california-drought-aquifers-hidden-crisis/#) KalM
This coincides with a nationwide trend of groundwater declines. A 2013 study of 40 aquifers across the United States by the
U.S. Geological Survey reports that the rate of groundwater depletion has increased dramatically since 2000, with almost
25 cubic kilometers (six cubic miles) of water per year being pumped from the ground. This compares to about 9.2 cubic
kilometers (1.48 cubic miles) average withdrawal per year from 1900 to 2008. Scarce groundwater supplies also are being used for
energy. A recent study from CERES, an organization that advocates sustainable business practices, indicated that competition for water by
hydraulic fracturing - a water-intensive drilling process for oil and gas known as "fracking" - already occurs in dry regions of the
United States. The February report said that more than half of all fracking wells in the U.S. are being drilled in regions
experiencing drought, and that more than one-third of the wells are in regions suffering groundwater depletion. Satellites have allowed us to
more accurately understand groundwater supplies and depletion rates. Until these satellites, called GRACE (Gravity Recovery and Climate Experiment),
were launched by NASA, we couldn't see or measure this developing invisible crisis. GRACE has given us an improved picture of groundwater worldwide,
revealing how supplies are shrinking in several regions vulnerable to drought: northern India, the North China Plain, and the Middle East among them.
As drought worsens groundwater depletion, water supplies for people and farming shrink, and
this scarcity can set the table for social unrest. Saudi Arabia, which a few decades ago began pumping deep underground
aquifers to grow wheat in the desert, has since abandoned the plan, in order to conserve what groundwater supplies remain, relying instead on imported
wheat to feed the people of this arid land.
reviewed research published by the American Water Works Association (AWWA) shows that water scarcity
linked to climate change is now a global problem playing a direct role in aggravating major conflicts in the
Middle East and North Africa.
US security establishment is already warning of potential conflicts - including terror attacks - over water. In a
2012 report, the US director of national intelligence warned that overuse of water - as in India and
other countries - was a source of conflict that could potentially compromise US national
security. The report focused on water basins critical to the US security regime - the Nile, Tigris-Euphrates, Mekong, Jordan, Indus, Brahmaputra and Amu Darya. It concluded: "During the next 10
years, many countries important to the United States will experience water problems - shortages,
poor water quality, or floods - that will risk instability and state failure, increase regional tensions, and distract them
from working with the United States." Water, on its own, was unlikely to bring down governments. But the report warned that shortages could threaten
food production and energy supply and put additional stress on governments struggling with poverty and social tensions. Some of those tensions are
already apparent on the ground. The Pacific Institute, which studies issues of water and global security, found a fourfold increase in violent
confrontations over water over the last decade. "I think the risk of conflicts over water is growing - not shrinking - because of increased competition,
because of bad management and, ultimately, because of the impacts of climate change," said Peter Gleick, president of the Pacific Institute.
There are dozens of potential flashpoints, spanning the globe. In the Middle East, Iranian officials are making contingency
plans for water rationing in the greater Tehran area, home to 22 million people. Egypt has demanded Ethiopia stop construction of a mega-dam on the
Nile, vowing to protect its historical rights to the river at "any cost". The Egyptian authorities have called for a study into whether the project would
reduce the river's flow. Jordan, which has the third lowest reserves in the region, is struggling with an influx of Syrian refugees. The country is
undergoing power cuts because of water shortages. Last week, Prince Hassan, the uncle of King Abdullah, warned that a war over water and energy could
be even bloodier than the Arab spring. The United Arab Emirates, faced with a growing population, has invested in desalination projects and is
harvesting rainwater. At an international water conference in Abu Dhabi last year, Crown Prince General Sheikh Mohammed bin Zayed al-Nahyan said:
"For us, water is [now] more important than oil." The chances of countries going to war over water were slim at least over the next decade, the national
intelligence report said. But it warned ominously: "As water shortages become more acute beyond the next 10 years, water in shared basins will
increasingly be used as leverage; the use of water as a weapon or to further terrorist objectives will become more likely beyond 10 years."
Empirics prove
Fergusson 4/24/15- James Fergusson started out in journalism in 1989 on the Independent. He has written for many publications since,
covering current affairs in Europe, North and East Africa, the Far East, the Caribbean and, especially, Central Asia and Afghanistan. From 1998 to 2000
he worked in Sarajevo as a press spokesman for the Office of the High Representative, the body charged with implementing the Dayton Peace Accord
that ended Bosnia's civil war in 1995..(James Fergusson;The World Will Soon be at War Over Water; http://www.newsweek.com/2015/05/01/worldwill-soon-be-war-over-water-324328.html)\\pranav/KalM
The world is at war over water . Goldman Sachs describes it as the petroleum of the next
century. Disputes over water tend to start small and local for instance, with the sort of protests that drought-stricken So Paolo has experienced
this year. But minor civil unrest can quickly mushroom, as the bonds of civilisation snap . It is often forgotten that the revolution against
Syrian president Bashar al-Assad began this way, when youths of the southern Syrian town of Daraa, angry at the local
governors corrupt allocation of scarce reservoir water, were caught spraying anti-establishment graffiti . Their arrest and
torture was the final straw for the tribes from which the youths came. It was a very similar story in Yemen, whose revolution began in 2011 in Taiz, the
most water-stressed city in that country. When we think of Syria now, we cannot see far past the threat posed by Islamists. But Isis, in the end, is a
symptom of social malfunction. If order is to be restored, we might do better to start focusing instead on the causes. Then we could perhaps look harder
for soft power solutions - the restoration of governance and basic services, such as electricity and water supply - rather than for hard power ones, such
as missiles and bombs. 1. THE MESOPOTAMIAN WAR As Islamic State's leaders work to carve out their glorious new state, they have comprehended
that political power in Mesopotamia has always rested on the ability to supply its citizens with water. The prosperity of ancient Nimrud, the 7th-century
BC ruins that Isis recently bulldozed because they were unIslamic, was founded on its irrigation dam across the Tigris. The Sumerian city-state of Ur -
the first city, founded in 3800BC - was abandoned by 500BC following a protracted drought and the siltation of the Euphrates. Isis is headquartered at
Raqqah, a mere 40km down the Euphrates from the largest reservoir in Syria, Lake Assad. Raqqah's economy has long depended on the cultivation of
cotton irrigated by the reservoir, which was formed by the Russian-assisted construction of the Tabqa dam in 1973, and designed to irrigate some 2,500
square miles of farmland. Last August, Isis fought fiercely for control of the largest dam in Iraq, across the
Tigris at Mosul. Its fighters also took over two other dams across the Euphrates, one at Fallujah, the other at Haditha. In all cases, it took American air
strikes to drive them off, and the high value the terrorist group places on Mesopotamia's dams suggests that further offensives against such targets are
likely. Even if Isis leaders in Raqqah succeed in holding one of these key pieces of hydro-infrastructure, however, they do not control the headwaters of
either the Tigris or the Euphrates, which rise in Turkey. It is the Turks, who have squabbled for 40 years with their downstream neighbours over use of
the rivers, who therefore hold the keys to the long-term future of Isis - and the Islamists know it. 2. TURKEY V ISIS Last summer, Isis accused the
Turkish government in Ankara, headed by Recep Tayyip Erdogan, of deliberately holding back the Euphrates through a series of dams on its territory,
lowering water levels in Lake Assad by a record six metres. Isis was apoplectic. Turkey's dams have given Ankara a vital hold over Isis's leaders, who, for
the present, twitch like puppets on a string. Ankara, it should be said, may not have been wholly responsible for the shrinking of Lake Assad. Local
farmers, emboldened by the collapse of governance in Syria, were reported last year to have siphoned off vast amounts of water to irrigate their own
cotton plantations. Nature played a role too; there was less than half as much rainfall in the Turkish highlands in the wet season of 2014 as in the
previous year. Nevertheless, Turkey's stranglehold over its downstream neighbours is real and it is set to tighten further in 2015, with the completion
of the controversial Ilisu hydro-dam on the Tigris, which will create a 10 billion cubic metre reservoir just 30 miles north of the Syrian border. The dam is
the latest of 22 envisioned under the Southeastern Anatolia Project (or GAP, to use its Turkish acronym), a vast regional development plan that was
originally mooted by Kemal Ataturk in the 1930s. The father of modern Turkey could not have foreseen how completely his country's blue gold would
one day replace oil as the region's most important resource. Iraq's oil industry requires 1.8 billion cubic metres of water a year in order to function at all.
Ankara has adopted a canny and forward foreign policy for years now, extending its influence everywhere from Somalia to Afghanistan. What is
happening in Anatolia now suggests that neo-Ottomanism is not just political posturing: it really is the future for this part of the Middle East.
Hydrologists in Sweden recently suggested that by 2040, the volume of water being extracted from the mighty Tigris and Euphrates rivers that once
delineated and sustained the cradle of civilisation could be so great that they no longer reach the sea. 3. THE YANGTZE PROBLEM There are
dozens of potential dam-related flashpoints around the world. The Permanent Court of
Arbitration in The Hague, which handles international water disputes, says 263 river basins are
contested globally. There are already more than 40,000 large dams around the world. These icons of post-war Western development irrigate
millions of square miles of farmland and produce a fifth of the world's electricity through hydropower. An area the size of California - 0.3% of the
world's total land mass - has been lost to artificial reservoirs since the golden age of dam-building began in the 1950s. The number of major schemes
tailed off in the 1990s, as environmental concerns grew and the economic efficiency of the largest projects was called into question. But booming demand
has since dramatically revived the industry. New mega-dams are now among the largest and most expensive engineering projects on the planet. The
costliest so far is China's South-to-North Water Diversion Project, a scheme to divert the waters of the River Yangtze via dams, tunnels and three vast
canals to the arid north of the country. The project is still only half finished, yet by last year had swallowed more than $79bn (73bn). Hundreds of
thousands of villagers have been forced from their homes by the project. The scheme's long-term effect on the environment and economy of the south
remains uncertain. Far to the south, meanwhile, on the River Mekong, Laos is copying China by building two major dams that could devastate not just
the local economies but the lives of its downstream neighbours, Cambodia and Vietnam. The diet of some 50 million people is based on fish caught in the
Mekong, which is already the most dammed river in the world. Then there is the Rogun hydro-dam on the Amu Darya in Tajikistan which, when
completed, could be 355 metres high: the tallest dam in the world. The possible effect on the Amu Darya worries downstream Uzbekistan, which has
responded with sanctions and travel restrictions on the Tajiks. Congo A general view of Inga dam's eight massive turbines, only three of which work, on
the mighty Congo River. With a flow second only to the Amazon, the mighty Congo river spews forth 1.5 million cubic feet (42.5 million litres) into the
Atlantic every second. Experts say it could generate over 40,000 megawatts (MW) of electricity -- more than twice the projected capacity of China 's
massive Three Gorges Dam, and a major step to keeping up with fast-growing demand for electricity in Africa and beyond. MARLENE
RABAUD/REUTERS 4. THE CONGO AND THE NILE The most productive hydro-power dam, the Grand Inga, has recently been proposed for the River
Congo, 225km south-west of Kinshasa. With a projected price tag of 80bn (74bn), developers claim it will light up Africa. Critics say that the
electricity generated will mostly be transmitted to distant cities, and that the continent's poorest will see little benefit. The cost overruns in this
notoriously corrupt part of the world could also end up making the South-to-North China project look cheap. This month, Egypt and Ethiopia signed a
treaty over the latter's half-built Grand Renaissance dam on the Blue Nile, which will be the largest hydro-scheme in Africa when it comes on stream in
2017. Downstream Egypt, whose development has depended on the Nile since ancient times, originally objected so strongly that in June 2013 a meeting
of the cabinet of the then president, Mohammad Morsi, was caught on live television discussing ways of destroying the dam, including via covert support
for anti-government rebels. Sanity seems now to have prevailed. 5. AFGHANISTAN DRIES UP Nato's
in southern Afghanistan is not normally cast as a water conflict, although that is largely what it was. Helmand, the most hotly-disputed province, was once one of Afghanistan's breadbaskets thanks to the Helmand Valley Authority, an irrigation scheme set up in the 1950s by
American engineers. But mismanagement of the scheme's 300 miles of canals, coupled with a period of protracted drought, meant that the area of
irrigated land halved between 1979 and 2002. Local tribes, spurred on by the vast profits to be made from the cultivation of poppies, fought over what
remained, with the Taliban exploiting the conflict. One of the centrepieces of the HVA was the Kajaki hydro-dam, completed in 1953 by the same US firm
that built the Hoover Dam on the River Colorado. The Americans returned in 2001, this time in order to bomb it. 6. INDIA V PAKISTAN The
territorial dispute between India and Pakistan over Kashmir - both the highest and longest-running in the world - is
largely about control of the headwaters of the River Indus, on which Pakistan's agricultural economy downstream has become ever
more dependent. There are 200 million people in Pakistan: double the number 30 years ago. Yet Dutch scientists think shrinking glaciers caused by
climate change could reduce the Indus by 8% by 2050. India, which has built or proposed some 45 hydro-schemes on the Indus's upper reaches, insists
that flow will never be affected. But Pakistan is as paranoid about India as Isis is about Turkey, with a long track-record of blaming India for social ills at
home. The rhetoric of extremists is already hot. Hafiz Saeed, a militant linked to the Mumbai hotel atrocity of 2008, has spoken in the past of India's
water terrorism, and campaigned under slogans like Water flows, or blood. Could diminishing water supply push these nuclear-armed neighbours
towards a new war? Red Sea A plant is seen on the parched shore of the Dead Sea. The Dead Sea is slowly but surely drying up, and could be gone
completely in 50 years if no action is taken. The water level is dropping at close to one metre (three feet) per year due to a sharp decrease in inflow from
the Jordan and other rivers whose waters now irrigate fields. BAZ RATNER/ REUTERS 7. ISRAEL V PALESTINE Finally, there is Israel
and Palestine, arguably the [precursor] grand-daddy of all water conflicts. Israel, a state founded on Ben-Gurion's
dream of making the desert bloom, diverted the River Jordan half a century ago, east and southwards towards the Negev desert, via a canal called the
National Water Carrier. The Dead Sea has lost a third of its surface area as a direct consequence, and the River Jordan of biblical antiquity has become a
muddy trickle in a ditch. The reason Israel still occupies the Golan Heights, captured from Syria in the Six-Day War of 1967, is because that is where the
Jordan rises. All this has come at the expense of the Palestinians, who accuse Israel of manipulating water supply to suppress them.
OCOS ADVANTAGE
to espionage, to destruction of data, IT systems and physical entities. Lower level attacks will be tolerated, depending on the
consequences, but there is a point after which the consequences will demand action from government, he says, but it is
difficult to say where the shift occurs. "What constitutes cyber war, depends on scale and genesis," he told delegates at the RSA Conference 2011 in San
Francisco. But destruction alone cannot be used as a criterion for cyber war, says Bruce Schneier, chief security technology officer at BT. "In some
instances, attacks that cause destruction may simply be some form of cyber criminal activity. Classifying an attack as being an act of cyber war depends
on who is carrying out the attack and why," he told the RSA Conference. Mutual destruction deterrent Despite the ambiguity of the term cyber
war, Chertoff says it helps to emphasise the risk by reflecting the severity of the consequences. Cyber attacks are not only about IT
systems, but can result in loss of life. The good news is that, while state actors are best equipped to carry out devastating cyber attacks, they are
the least likely to do so because of the power of other nation states to retaliate in kind. But while there is a potential cold war situation of
mutual assured destruction acting as a deterrent, the concern voiced by many security experts is the potential of non-state actors to acquire such capabilities. "The world is used to the model where, except for criminal matters, force is dealt with by the state,
but in cyber space there are no bystanders because attacks take place on the networks and computers of individuals. The
familiar categories no longer fit," said Chertoff. There is no single fix, he said, because threats to supply chains, insider threats and network
attacks require different remedies. For this reason, there has to be an appropriate legislative framework, says Mike McConnell, executive
vice-president at consultancy firm Booz Allen Hamilton. "We need to understand the vulnerabilities to business and the global
economy and ensure we have measures in place to mitigate the risk," he said. Government Intervention Schneier suggests the inflexion
point may be the point at which the market will not mitigate the risk. Business will secure against risk up to the value of the
business but no further, he says, and that is the point at which government will have to take over to fill the gap. But history
shows governments typically wait for a catastrophic event before taking action, said McConnell. Lessons can be learned
from the cyber attacks in Estonia in 2007, says Chertoff. Governments considering smart grids should use architectures
conducive to security and enable compartmentalisation akin to the watertight compartments in warships. "It would be foolish not to
recognise that we could get into a cyber war, because there is no doubt cyber will be a domain of conflict in any act of war that will be capable of
destroying systems and will not be dealt with by market forces," he said. Rules of engagement It is important governments consider what they are
capable of doing - and what they are authorised to do - in such a situation, said Chertoff. McConnell agreed a cyber element will be a part of any future
kinetic war, as demonstrated during Russia's incursion into Georgia in 2008. Schneier said that, in future conflicts, cyber attacks may be the first
wave of aggression that ground. Chertoff said governments need to decide policies on what would be a reasonable response to cyber attack. McConnell
believes informed dialogue and debate should be directed at encouraging governments to address these issues before it is too late, but
Schneier says the concern is that this debate is taking place too far down the command chain. There is also a risk that experimental cyber
weapons may be unleashed on the internet by accident, said Schneier. That is why there is a need for international
agreements and treaties. At the least there should be obligations on the creators of such weapons to warn of the threats and attempt to disable
them, said Chertoff. If there is any consensus around cyber war, it is this: although the term is over-used and over-hyped, the threat
is real - Stuxnet has proved that physical damage can be caused by cyber attack - and governments ought to be
preparing an appropriate defence capability. Enterprise Involvement But, according to the US government and military, while the public sector
is doing everything it can to secure cyber space, the private sector has an important role to play as well. "We need industry because
cyber security is a team sport that brings together government, industry and international allies," said General Keith
Alexander, commander of US Cyber Command. US deputy secretary of defence, William Lynn, also called for
greater collaboration between government and the private sector in tackling cyber threats. He appealed to the information
security industry for help in developing technology to ensure government and business stay ahead in the cyber arms race.
technology on people, business and culture for more than a decade. Inside the Secret Digital Arms
Race: Facing the Threat of a Global Cyberwar, http://www.techrepublic.com/article/inside-thesecret-digital-arms-race/, April 24, 2014)//CLi
The military has been involved with the internet since the start. It emerged from a US Department of Defense-funded project, so it's no surprise that
the armed forces have kept a close eye on its potential. And politicians and military leaders of all nations are naturally attracted to digital warfare as it
offers the opportunity to neutralise an enemy without putting troops at risk. As such,
what governments and the military have dubbed "cyberwar" - sometimes shortened to just "cyber." Yes, it sounds like a cheaply sensational term
borrowed from an airport thriller, (and to some the use of such an outmoded term reflects the limited level of understanding of the issues involved by
those in charge) but the intent behind the investment is deadly serious. The UK's defence secretary Philip Hammond has made no secret of the country's
interest in the field, telling a newspaper late last year, "We will build in Britain a cyber strike capability so we can strike back in cyberspace against
enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity." One of the participants in the UK
cybersecurity wargame scenario analyzes the situation. Image: Steve Ranger The UK is thought to be spending as much as 500m on the project over the
next few years. On an even larger scale, last year General Alexander revealed the NSA was building 13 teams to strike back in the event of an attack on the
US. "I would like to be clear that this team, this defend-the-nation team, is not a defensive team," he told the Senate Armed Services Committee last
year. And of course, it's not just the UK and US that are building up a digital army. In a time of declining budgets, it's a way for defence ministries and
defence companies to see growth, leading some to warn of the emergence of a twenty-first century cyber-industrial complex. And the shift from
investment in cyber-defence initiatives to cyber-offensives is a recent and, for some, worrying trend. Peter W. Singer,
director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said 100 nations are building cyber military
commands - of that, there are about 20 that are serious players, and a smaller number could carry out a whole cyberwar campaign. And the fear is that
by emphasising their offensive capabilities, governments will up the ante for everyone else. "We are seeing
some of the same manifestations of a classic arms race that we saw in the Cold War or prior to World War One. The
essence of an arms race is where the sides spend more and more on building up and advancing military capabilities but feel less and less secure and
that definitely characterises this space today," he said. It's taken less than a decade for digital warfare to go from theoretical to the worryingly possible.
Politicians may argue that building up these skills is a deterrent to others, and emphasise such weapons would only be used to counter an attack, never to
launch one. But for some, far from scaring off any would-be threats, these investments in offensive cyber capabilities risk creating
more instability. "In international stability terms, arms races are never a positive thing: the problem is
it's incredibly hard to get out of them because they are both illogical [and] make perfect sense," Singer said. Similarly Richard Clarke, a former
presidential advisor on cybersecurity told a conference in 2012, "We turn an awful lot of people off in this country and around the world when we have
generals and admirals running around talking about 'dominating the cyber domain'. We need cooperation from a lot of people around the world
and in this country to achieve cybersecurity and militarising the issue and talking about how the US military have to dominate the cyber domain
is not helpful." Thomas Rid, a reader in War Studies at King's College London said that many countries now feel that to be taken seriously they need to
have a cyber command too. "What you see is an escalation of preparation. All sorts of countries are preparing and because these targets are intelligence
intensive - you need that intel to develop attack tools - you see a lot of probing, scanning systems for vulnerabilities, having a look inside if you can without
doing anything, just seeing what's possible," Rid said. As a result, in the shadows, various nations building up their digital military
presence are mapping out what could be future digital battlegrounds and seeking out potential targets, even leaving behind code to be
activated later in any conflict that might arise.
about social networking, financial systems, communications systems, journalism, data storage, industrial
control, or even government security -- it is all part of the Internet. That makes the world a very, very
dangerous place. Historically, wars are fought over territory or ideology, treasure or tradition, access or anger. When a war begins, the initial
aggressor wants something, whether to own a critical path to the sea or strategic oil fields, or "merely" to cause damage and build support among certain
constituencies. At first, the defender defends, protecting whatever has been attacked. Over time, however, the defender also seeks strategic benefit, to not
only cause damage in return, but to gain footholds that will lead to an end to hostilities, a point of leverage for negotiation, or outright conquest.
Shooting wars are very expensive and very risky. Tremendous amounts of material must be produced and
transported, soldiers and sailors must be put into harm's way, and incredible logistics and supply chain operations must be set up and managed on a
nationwide (or multi-national) level. Cyberwar is cheap. The weapons are often co-opted computers run by the victims
being targeted. Startup costs are minimal. Individual personnel risk is minimal. It's even possible to conduct a
cyberwar without the victims knowing (or at least being able to prove) who their attackers are. Cyberwar can be
brutal, anonymous -- and profitable. But the damage done by a cyberwar can be huge, especially economically.
Let's follow that idea for a moment. One of the big reasons the U.S. won the Cold War (and scored highly in many of its other conflicts) is
because it had the economic power to produce goods for war, whether capital ships or food for troops. An economically
strong nation can invest in weapons R&D, creating a technological generation gap in terms of leverage and per-capita effectiveness compared to weaker nations. But cyberwar can lay economic waste to a nation. Worse, the
more technologically powerful a nation is, the more technologically dependent that nation becomes. Cyberwar
can level the playing field, forcing highly connected nations to thrash, to jump at every digital shadow while
attackers can co-opt the very resources of the defending nation to force-multiply their attacks. Sony is still cleaning up
after the hack that exposed many confidential aspects of its relationship with stars and producers. Target and Home Depot lost millions of credit cards.
The Snowden theft, while not the result of an outside hack, shows the economic cost of a national security breach: nearly $47 billion. Cyberwar can
also cause damage to physical systems, ranging from electric power stations to smart automobiles. And when a
breach can steal deeply confidential information of a government's most trusted employees, nothing remains safe or secret. The U.S. Office of Personnel
Management was unwittingly funneling America's personnel data to its hackers for more than a year. Can you imagine? We think China was responsible
for the OPM hack. Despite the gargantuan nation's equally gargantuan investments in America (or, perhaps, because of them), China has been accused of
many of the most effective and persistent penetrations perpetrated by any nation. Providing additional reason to worry, Russia and China have recently
inked an agreement where they agreed to not launch cyberattacks against each other. They have also agreed to share cyberwarfare and
cyberdefense technology, creating an Asian axis of power that can split the world in half. On the other side of the
geopolitical spectrum are the American NSA and British GCHQ, two organizations who share signals intelligence and -- if the screaming is to be believed
-- spy as much upon their own citizens as enemies of the state. It is important to note that the destabilization of Allied intelligence can be traced to
Edward Snowden, who ran to and is currently living in Russia after stealing a vast trove of American state secrets. Ask yourself who gained from the
Snowden affair. Was it America? No. Was it Snowden? Not really. Was it Russia? You betcha. China, of course, supplies us with most of our
computer gear. Every iPhone and every Android phone, nearly all our servers, laptop computers, routers -- heck, the entire technological core of
American communications -- has come from China. The same China that has been actively involved in breaching American
interests at all levels. Russia and China. Again and again and again. In the center of all this is the main body of Europe, where
the last two incendiary world wars were fostered and fought. Nations fall when they are economically unstable. Greece is seeing the
writing on the wall right now. It is but one of many weak European Union members. Other EU members are former Soviet states who
look eastward towards Putin's Russia with a mixture of fear and inevitability. This time, Germany isn't the instigator of unrest, but instead
finds itself caught in the middle -- subject to spying by and active in spying on its allies -- the only nearly-super power of the EU. An enemy (or even a
supposed "friendly" nation) decides it needs the strategic upper hand. After years of breaches, it has deep access to nearly every powerful
government and business figure in the United States. Blackmail provides access into command and control and financial
systems. Financial systems are hit and we suffer a recession worse than the Great Recession of 2008-2009. Our
budget for just about everything (as well as our will) craters. Industrial systems (especially those that might pose a physical or economic
threat to our attacker) are hit next. They are shut down or damaged in the way Stuxnet took out centrifuges in Iran.
Every step America takes to respond is anticipated by the enemy -- because the enemy has a direct pipeline to every important piece
of communication America produces, and that's because the enemy has stolen enough information to corrupt
an army of Snowdens. While this is all going on, the American public is blissfully in the dark. Citizens just get angrier and angrier at the
leadership for allowing a recession to take hold, and for allowing more and more foreigners to take American jobs. Europe, which has always relied on
be on its own. Russia will press in from the north east. ISIS will
continue to explode in the Middle East. China will keep up its careful dance as it grows into the world's leading
economic power. India, second in size only to China and a technological hotbed itself, remains a wild card, physically
surrounded by Europe, the Middle East, China, and Russia. India continues to live in conflict with Pakistan, and
with Pakistan both unstable and nuclear-tipped, Indo-Pak, too, is on the precipice. A world war is about huge
nations spanning huge geographic territories fighting to rewrite the map of world power. Russia, China, ISIS (which calls itself the Islamic State),
India, Pakistan, the US, the UK, and all of the strong and weak members of the EU: we certainly have the cast of characters for
another global conflict. I could keep going (and, heck, one day I might game the full scenario). But you can see how this works. If enemy
nations can diminish our economic power, can spy on our strategic discussions, and can turn some of our key
workers, they can take us out of the battle -- without firing a single shot. We are heading down this path now. I
worry that we do not have the national or political will to turn the tide back in our favor. This is what keeps me up at night.
in
nature. In addition, the decision makers who have to manage nuclear forces during a crisis should ideally have the best
possible information about the status of their own nuclear and cyber forces and command systems, about the forces and
C4ISR of possible attackers, and about the probable intentions and risk acceptance of possible opponents. In short, the task of managing a
nuclear crisis demands clear thinking and good information. But the employment of cyber weapons in the early stages of a
crisis could impede clear assessment by creating confusion in networks and the action channels that depend
upon those networks.6 The temptation for early cyber preemption might "succeed" to the point at which nuclear
crisis management becomes weaker instead of stronger. Ironically, the downsizing of US and post-Soviet Russian strategic
nuclear arsenals since the end of the Cold War, while a positive development from the perspectives of nuclear arms control and nonproliferation,
makes the concurrence of cyber and nuclear attack capabilities more alarming. The supersized deployments of missiles and bombers and expansive
numbers of weapons deployed by the Cold War Americans and Soviets had at least one virtue. Those arsenals provided so much redundancy against
first-strike vulnerability that relatively linear systems for nuclear attack warning, command and control, and responsive launch under-or after-attack
sufficed. At the same time, Cold War tools for military cyber mischief were primitive compared to those available now. In addition, countries and their
armed forces were less dependent on the fidelity of their information systems for national security. Thus the reduction of US, Russian, and possibly other
forces to the size of "minimum deterrents" might compromise nuclear flexibility and resilience in the face of kinetic attacks preceded or accompanied by
cyber war.7 Offensive and defensive information warfare as well as other cyber-related activities is obviously very much on the minds of US military
leaders and others in the American and allied national security establishments.8 Russia has also been explicit about its cyber-related concerns.
President Vladimir Putin urged the Russian Security Council in early July 2013 to improve state security against cyber attacks.9 Russian security
expert Vladimir Batyuk, commenting favorably on a June 2013 US-Russian agreement for protection, control, and accounting of nuclear materials
(a successor to the recently expired Nunn-Lugar agreement on nuclear risk reduction), warned that pledges by Presidents Putin and Barack Obama for
cooperation on cybersecurity were even more important: "Nuclear weapons are a legacy of the 20th century. The challenge of
the 21st century is cybersecurity."10 On the other hand, arms control for cyber is apt to run into daunting security and
technical issues, even assuming a successful navigation of political trust for matters as sensitive as these. Of special significance is
whether cyber arms-control negotiators can certify that hackers within their own states are sufficiently under
control for cyber verification and transparency. The cyber domain cuts across the other geostrategic domains for warfare as well: land,
sea, air, and space. However, the cyber domain, compared to the others, suffers from the lack of a historical perspective. One author argues that the cyber
domain "has been created in a short time and has not had the same level of scrutiny as other battle domains."11 What this might mean for the cyber-nuclear intersection is far from obvious. Table 1 summarizes some of the major attributes that distinguish nuclear deterrence from cyber war, according
to experts, but the differences between nuclear and cyber listed here do not contradict the prior observation that cyber and
nuclear domains inevitably interact in practice. According to research professors Panayotis A. Yannakogeorgos and Adam B. Lowther at
the US Air Force Research Institute, "As airmen move toward the future, the force structure--and, consequently, force-development
programs--must change to emphasize the integration of manned and remotely piloted aircraft, space, and cyber-power
projection capabilities."12
global cybersecurity. The seriousness and widespread nature of the consequences of the zero-day trade have generated a growing policy
debate about regulating the zero-day trade. This thesis contributes to this debate by exploring what is known about the market and analyzing domestic
and international options for controlling the zero-day trade. Domestically, it analyzed criminalization, unilateral export controls, and increased oversight
of U.S. government executive branch actions. It concludes that increased executive branch oversight is the best national strategy to address the problems
of existing U.S. zero-day policy. Internationally, this thesis investigated international legal approaches, voluntary collective action through export
controls, and cooperation through collective defense organizations. Voluntary collective action to harmonize export controls on zero days through the
Wassenaar Arrangement emerges as the most feasible international option. However, the obstacles confronting effective regulation of
the zero-day trade are daunting, raising the real possibility that this trade will continue to contribute to the
cyber security dilemma that is emerging in contemporary international relations.
AT: NO CYBERWAR
Cyber war can end the Internet -- US vulnerabilities
May 10 -- president of the Foundation for the Defense of Democracies, a policy institute focusing on terrorism
(Clifford D., U. S. is too vulnerable to cyber war, cyber crime 3/8/10, p.A8, Access World News)
If a top intelligence expert said America was not prepared for war, and indeed that if we went to war "we would lose," that would worry you, wouldn't it?
Start worrying. The expert is Mike McConnell, who served as director of the National Security Agency under President Bill
Clinton and as director of national intelligence under President George Bush. He was referring not to a conventional war or a
guerrilla war. He was referring to a cyber war. But understand: Cyber war does not mean fun and video games. McConnell told a Senate
committee last week that the risk we face from cyber attacks "rivals nuclear weapons in terms of seriousness."
Cyber combatants could cause massive blackouts lasting for months. They could destroy the electronic processes
on which our banking, commerce and financial systems have been built, stealing-- or simply wiping out--vast
amounts of wealth. They could put our air transportation system in jeopardy. They might even be able to cripple our defense
and national security infrastructure. It is possible to defend against such threats. But we are not doing it adequately. A year ago Jim Lewis,
director of the Center for Strategic and International Studies, told Steve Kroft of "60 Minutes" that in 2007 America suffered "an espionage Pearl Harbor.
Some unknown foreign power, and honestly, we don't know who it is, broke into the Department of Defense, to the Department of State, the Department
of Commerce, probably the Department of Energy, probably NASA." After that, you would think a serious and comprehensive cyber-defense program
would have been initiated. But in an op-ed published recently, McConnell warned that the U.S. government has "yet to address the most basic questions about
cyber-conflicts. ... we lack a cohesive strategy to meet this challenge." Add to that the growing
menace of cyber crime, which Joseph Menn, in his brilliant and disturbing book, "Fatal System Error," reports is already a "shadow
economy that is worth several times more than the illegal drug trade, that has already disrupted national
governments, and that has the potential to undermine Western affluence and security." If cyber crime is not
curbed, Menn predicts, it is likely to get "far worse -- potentially wiping out faith in electronic transactions and rendering the
Internet unfit for more than entertainment and informal, quasi-public communication." What about the nightmare scenario of
cyber criminals and cyber combatants joining forces? That's already happening. "The full truth," Menn writes, "is that a number of enormously powerful
national governments, especially those of Russia and China, have picked up the blossoming of the Internet age as the
time to ally with organized crime. The Russian government, and possibly the Chinese government, has access to minds capable not only of
stealing millions upon millions of dollars, but potentially disrupting the Western economy. Why wouldn't they encourage additional research to nurture
such a weapon?" Terrorists are penetrating cyberspace as well. Menn reports that "three British jihadists convicted in 2007 for inciting
murder used access to a database with 37,000 stolen credit cards to buy 250 airline tickets, night-vision goggles, hundreds of pre-paid cell phones, GPS
devices and more--$3.5 million in total purchases--to assist others in the movement." Could Iranian linked or al Qaeda jihadists do the same--on their
own or by making common cause with either cyber criminals or cyber combatants from countries ruled by regimes that would like to see harm done to
the United States? All too easily. The good news is that there are solutions. "The problem is not one of resources," McConnell says. "Even in our current
fiscal straits, we can afford to upgrade our defenses." But he also predicts that the United States may have to suffer a catastrophic cyber attack before the
public demands that its leaders make this threat a top priority. America has built an incredible high-tech society. But it is flying on
gossamer wings. Our enemies know how fragile it is. So do we. The difference is they will do everything they can to destroy it. And we're not doing
everything we can to defend ourselves and to defeat them.
full-scale cyber war means that there is a credible possibility that such conflict may have the potential to change the world
military balance and thereby fundamentally alter political and economic relations. And it will suggest ways to reduce that
unpredictability.
emergency services call centers, electricity, nuclear power plants, communications, dams, air traffic control and
transportation, commercial databases and information systems for financial institutions and health care providers, and
military applications are vulnerable to attacks by cyberterrorists or hostile state actors (Ronfeldt & Arquilla, 2003, p. 314; Shackelford,
2009; The Economist, 2008). For many years, technology and policy analysts have been talking about the possibility of a
"digital Pearl Harbour" -- an unexpected cyberattack on a nation's infrastructure. Some reports have indicated US
electricity grid infrastructures and F-35 fighter jet programs had been the target of cyberattacks (Beatty, 2009). The
US President Obama noted: "We know that cyber-intruders have probed our electrical grid and that in other countries, cyberattackers have plunged
entire cities into darkness" (cf. Harris, 2009). The FBI has ranked cybercrime as the third-biggest threat to US national
security after nuclear war and weapons of mass destruction (Sloane, 2009). In a 2007 testimony to the US Congress, an analyst
working on cyber defense systems for the Pentagon told that a mass cyberattack could leave up to 70% of the United States
without electrical power for 6 months (Reid, 2007). Another estimate suggested that a loss of 4% of the North American power grid will
disconnect almost two-thirds of the entire grid in the region (Cetron & Davies, 2009). Likewise, a study of US Cyber Consequences Unit indicated that
the costs of a single wave of cyberattacks on US infrastructures could exceed US $700 billion, which is about the same
as the costs associated with 50 major hurricanes (Sloane, 2009). In a discussion of the Internet's national security impacts, cyberattacks against Estonia
in April-May 2007 and those against Georgia in 2008 deserve special attention. The cyberattacks against Georgia by civilians were
coordinated with physical attacks by a military force (Claburn, 2009b). Likewise, in a high-profile Distributed Denial of Service (DDOS)
attacks in 2007, a botnet of up to 1 million computers attacked Estonian computer networks, which shut down the country's
government ministries, parliament, and major banks (Grant, 2008). The attacks against Estonia were launched after the Estonian
government moved the Soviet memorial to the "Great Patriotic War" (1941-1945) (as well as the soldiers buried there) from downtown Tallinn to a
suburb location. Obviously, Russia was unhappy with this decision. Some cyberattack experts noted that they saw the involvement of the Russian
government in the attacks (Economist.com, 2007). Some analysts observed that the effects of the 2007 cyberattacks in Estonia "were
AT: NO MISCALC
That escalates and is uniquely dangerous -- miscalculation and misattribution
Clarke 9 -- former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the
United States (Richard A., The National Interest, War from Cyberspace p. 32-3, Nov/Dec 2009,
http://users.clas.ufl.edu/zselden/coursereading2011/Clarkecyber.pdf) | js
We sit at a similar historical moment. War fighting is forever changed. Though it will never produce the kind of death toll of nuclear
weapons, we can see echoes of these same risks and challenges in today's newest cyber-war battlefield. We've developed a plethora of gee-whiz
technological capabilities in the past few years, but cyber war is a wholly new form of combat, the implications of which we do
not yet fully understand. Its inherent nature rewards countries that act swiftly and encourages escalation. As in the 1960s, the
speed of war is rapidly accelerating. Then, long-range missiles could launch from the prairie of Wyoming and hit Moscow in only thirty-five minutes.
Strikes in cyber war move at a rate approaching the speed of light. And this speed favors a strategy of preemption, which
means the chances that people can become trigger-happy are high. This, in turn, makes cyber war all the more likely. If a
cyber-war commander does not attack quickly, his network may be destroyed first. If a commander does not
preempt an enemy, he may find that the target nation has suddenly raised new defenses or even disconnected from the
worldwide Internet. There seems to be a premium in cyber war to making the first move. And much as in the nuclear era, there is a real risk of
escalation with cyber war. Nuclear war was generally believed to be something that might quickly grow out of conventional combat, perhaps initiated
with tanks firing at each other in a divided Berlin. The speed of new technologies created enormous risks for crisis instability and miscalculation.
Today, the risks of miscalculation are even higher, enhancing the chances that what begins as a battle of
computer programs ends in a shooting war. Cyber war, with its low risks to the cyber warriors, may be seen by a
decision maker as a way of sending a signal, making a point without actually shooting. An attacker would likely think of a cyber-offensive that knocked out an electric-power grid and even destroyed some of the grid's key components (keeping the system down for weeks), as a
somewhat antiseptic move; a way to keep tensions as low as possible. But for the millions of people thrown into the dark and perhaps
the cold, unable to get food, without access to cash and dealing with social disorder, it would be in many ways the same as
if bombs had been dropped on their cities. Thus, the nation attacked might well respond with kinetic activity. Responding, however, assumes
that you know who attacked you. And, one of the major differences between cyber war and conventional war -- one that
makes the battlefield more perilous -- is what cyber warriors call the attribution problem. Put more simply, it is a matter of
whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame
on others by spoofing the source. In 2007, the Russian government denied that it had engaged in primitive cyber war against Estonia that took out
such things as the financial-services sector, and in 2009 claimed it was not responsible for largely identical activity against Georgia; though Russia did
concede that some of its citizens, outraged over the conflict in Abkhazia, might have launched the denial-of-service attacks.
DISADVANTAGES
2AC CYBER-DETERRENCE DA
Deterrence doesn't apply to cyberspace
Weiner 12 [Sarah, research intern for the Project on Nuclear Issues, boss, internally cites Dr. Lewis who is the
director of the Center for Homeland Security and Defense, https://www.hsdl.org/hslog/?q=node/9216]
Others vehemently disagree with this presupposition. Jim Lewis, for example, argued earlier this month at an event at the Stimson Center that
deterrence will not work in the cyber domain. He emphasized that difficulties in attributing attacks, holding
hostage adversaries' cyber and physical assets, and achieving a proportional response all decrease the
credibility of US threats and reduce the costs of an adversary's hostile cyber operations. And Dr. Lewis has
considerable evidence on his side: public and private entities in the US experience cyber-attacks on a daily
basis. If these attacks are deterrable, we are doing a terrible job of leveraging our capabilities. For a number of
reasons, trying to apply nuclear deterrence logic to cyber warfare feels a bit too much like trying to fit a square
peg into a round hole. That does not mean, however, that we should abandon all attempts to draw analogies between cyber and nuclear strategy.
Despite a few close calls, the basic principles of nuclear deterrence and mutually assured destruction have prevented the use of nuclear weapons for over
60 years. Understanding the reason why this largely effective and stable model of deterrence cannot map cleanly onto the cyber world may help us better
conceptualize strategies for cyber-deterrence. The first difficulty is establishing an analogue between a nuclear attack and a cyber-attack. We know
when a nuclear bomb explodes, and we know it is unacceptable. The spectrum of cyber-attacks, however, spans
far, far below the destructiveness of a nuclear strike. Denial-of-service attacks, such as Iran's recent shutdown
of several banks' websites, are a world away from the detonation of any weapon, not to mention a nuclear
weapon. This creates the problem of credibility and proportionality Dr. Lewis spoke about: responding to such
low-level attacks with a military use of force is so disproportionate that it is not a credible threat. If the US instead
decides to use cyber capabilities to deter cyber-attacks, it runs into a second problem. Cyber weapons cannot be used in the same
way we use nuclear weapons because, unlike nuclear weapons, the demonstration of a cyber-capability quickly
renders that capability useless. If the US were to release the details of a cyber-weapon, intended to signal a
retaliatory capability, potential adversaries could attempt to steal the technology and/or harden their cyber
defenses against the US weapon's specific attributes. This is the opposite of nuclear deterrence, in which the US pursues the most credible and
reliable force so that other nations know precisely how damaging a US counterstrike would be. Demonstrating that a nation could effectively mount a
second-strike in response to a nuclear attack creates a stabilizing dynamic of mutually assured destruction in which no nation believes it could gain
militarily by launching a nuclear attack. The trouble with cyber weapons, however, is that they cannot be so transparently deployed.
The only effective cyber-attack is an unexpected attack, and that does nothing for signaling or deterrence.
Maintaining zero-days causes more vulnerabilities
Comninos and Seneque 14 [Alex, Justus-Liebig University Giessen, and Gareth, Geist Consulting, Cyber
security, civil society and vulnerability in an age of communications surveillance, GIS Watch, 2014,
http://giswatch.org/en/communications-surveillance/cyber-security-civil-society-and-vulnerability-agecommunications-sur] //khirn
Cyber security and vulnerability Cyber
the net
number of vulnerabilities is increasing.19 Viruses and botnets, including Stuxnet and other state-sponsored malware,
require vulnerabilities to work. Finding and fixing vulnerabilities contributes to a safer and secure
internet, counters surveillance and can even save lives. For example, a vulnerability in Adobe's Flash software was recently used against dissidents in
Syria.20 There are two categories of vulnerabilities, each requiring different user and policy responses: zero-days and forever-days. Zero-days are
vulnerabilities for which there is no available fix yet, and may be unknown to developers. Forever-days are
vulnerabilities which are known of, and either do not have a fix, or do have a fix in the form of a patch or an update, but they are for the most part not
applied by users. Zero-day vulnerabilities When a zero-day is found, the original software developer should be notified so
that they may find a fix for the vulnerability and package it as a patch or update sent out to users. Furthermore, at
some stage, users of the affected software that are rendered vulnerable should also be informed, so they can understand if they are or have been
vulnerable and take measures to recover and mitigate for the vulnerability. Throughout the history of computers, hackers21 have sought
to use technology in ways that it was not originally intended. This has been a large source of technological innovation. Hackers have
applied this logic to computer systems and have bypassed security and found vulnerabilities for fun, fame, money, or in the interests of a more secure
internet. It is because of people that break security by finding vulnerabilities that we can become more secure. A problem for cyber security is that
good (or white hat) hackers or security researchers may not be incentivised to find zero-days and use this
knowledge for good. Rather than inform the software vendor, the project involved, or the general public of a vulnerability, hackers may
decide not to disclose it and instead to sell information about a vulnerability, or package it as an exploit and sell
it. These exploits have a dual use: They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be
weaponised and deployed aggressively for everything from government spying and corporate
espionage to flat-out fraud.22 There is a growing market for zero-days that operates in a grey and
unregulated manner. Companies sell exploits to governments and law enforcement agencies around the world;
however, there are concerns that these companies are also supplying the same software to repressive regimes and to intelligence agencies. There is
also a growing black market where these exploits are sold for criminal purposes.23
Black markets bad --- causes massive IP theft
Goldsmith 10 [Jack, teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at
Stanford University, The New Vulnerability, New Republic, June 7, 2010,
http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability] //khirn
Today powerful criminal organizations operate in flourishing online black markets to buy and sell information
about software vulnerabilities and an endless variety of sophisticated malware weapons that can be used to
exploit these vulnerabilities. They infect, gather, and rent huge clusters of compromised zombie computers
known as botnets that can be used for denial-of-service attacks or phishing expeditions (feigned trustworthy
messages of the general sort that tricked the Google administrators). They buy and sell criminal services ranging from phishing-for-hire to money laundering. And they trade in stolen goods such as credit card and Social Security numbers
and identification and login credentials. According to the computer security firm Symantec, a stolen credit card number fetches between
eighty-five cents and thirty dollars on the black market. For twenty bucks you can buy someone's essential identity information: name, address, birth
date, and Social Security number. President Obama noted last year that cyber criminals stole an estimated $1 trillion in intellectual
property from businesses worldwide in 2008. In truth, we lack both the reliable data and the metrics needed to know for
certain the amount of losses from online criminal activities. Most security experts believe that the already massive online
criminal industry is growing in size, sophistication, and success at a faster rate than companies, individuals,
and law enforcement authorities are improving computer defenses. And the losses are surely much greater
than have been made public, for most companies that are targets of cyber attacks and cyber exploitations have
a powerful incentive not to report their losses, which might lead to stock-price drops, lawsuits, and
consumer anger.
Overconcentration on offense is uniquely destabilizing- makes cyberwar inevitable
McGraw 13 [Gary, PhD, Chief Technology Officer of Cigital, and author of Software Security (AWL 2006)
along with ten other software security books. He also produces the monthly Silver Bullet Security Podcast
for IEEE Security & Privacy Magazine (syndicated by SearchSecurity), Cyber War is Inevitable (Unless We Build
Security In), Journal of Strategic Studies - Volume 36, Issue 1, 2013, pages 109-119] //khirn
Also of note is the balancing effect that extreme cyber vulnerability has on power when it comes to cyber war. In
the case of the Stuxnet attack, the balance of power was clearly stacked high against Iran. Subsequently, however, Iran responded with the (alleged)
hijacking of a US drone being used for surveillance in Iranian airspace.10 Ironically, it may be that the most highly developed
countries are more vulnerable to cyber warfare because they are more dependent on modern high-tech
systems. In any case, failure to build security into the modern systems we depend on can backlash, lowering the
already low barrier to entry for geopolitically motivated cyber conflict. Defending against cyberattack (by
building security in) is just as important as developing offensive measures. Indeed it is more so. War has both
defensive and offensive aspects, and understanding this is central to understanding cyber war. Over-concentrating on offense can
be very dangerous and destabilizing because it encourages actors to attack first and
ferociously, before an adversary can. Conversely, when defenses are equal or even superior to offensive
forces, actors have less incentive to strike first because the expected advantages of doing so are far lower.
The United States is supposedly very good at cyber offense today, but from a cyberdefense perspective it lives in
the same glasshouses as everyone else. The root of the problem is that the systems we depend on -- the lifeblood of the modern world -- are
not built to be secure.11 This notion of offense and defense in cyber security is worth teasing out. Offense involves exploiting systems, penetrating systems
with cyberattacks and generally leveraging broken software to compromise entire systems and systems of systems.12 Conversely, defense means building
secure software, designing and engineering systems to be secure in the first place, and creating incentives and rewards for systems that are built to be
secure.13 What sometimes passes for cyber defense today -- actively watching for intrusions, blocking attacks with network technologies such as
firewalls, law enforcement activities, and protecting against malicious software with anti-virus technology -- is little more than a cardboard shield.14 If
we do not focus more attention on real cyber defense by building security in, cyber war will be inevitable.
Cyberdefense outweighs any offensive capabilities --- deliberately weakening the internet
guarantees successful attacks
Masnick 13 [Mike, founder and CEO of Floor64 and editor of the Techdirt blog, Oct 7th 2013, National
Insecurity: How The NSA Has Put The Internet And Our Security At Risk, Techdirt,
https://www.techdirt.com/articles/20131005/02231624762/national-insecurity-how-nsa-has-put-internetour-security-risk.shtml] //khirn
But, really, the issue is that the NSA's actions aren't actually helping national security, but they're doing the exact
opposite. They're making us significantly less safe. Bruce Schneier made this point succinctly in a recent interview: The NSA's
actions are making us all less safe. They're not just spying on the bad guys, they're
it much easier for others to attack us. For all this talk of national security,
In trying to defend this situation, former NSA boss Michael Hayden recently argued that
the NSA,
a judgment call on whether or not it's worth fixing or exploiting itself. He
discussed how the NSA thinks about whether or not it's a "NOBUS" (nobody but us) situation, where only the US could
exploit the hole: You look at a vulnerability through a different lens if even with the vulnerability it requires
substantial computational power or substantial other attributes and you have to make the judgment who else
can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it
you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch -- it's one that ethically and legally we could
try to exploit in order to keep Americans safe from others. Of course, that ignores just how sophisticated and powerful certain other groups and
governments are these days. As that article notes, the NSA is known as a major buyer of exploits sold on the market -- but that
also means that every single one of those exploits is known by non-NSA employees, and the idea that only the NSA is
exploiting those is laughable. If the NSA were truly interested in "national security" it would be helping to close
those vulnerabilities, not using them to their own advantage. This leads to two more troubling issues -- the fact that the "US Cyber
Command" is under the control of the NSA is inherently problematic. Basically, the NSA has too much overlap between its offensive and defensive
mandates in terms of computer security. Given what we've seen now, it's pretty damn clear that the
efforts to break into computers, rather than defensive efforts to protect Americans' computers. The second issue is
CISPA. The NSA and its defenders pushed CISPA heavily, claiming that it was necessary for "national security" in
protecting against attacks. But a key part of CISPA was that it was designed to grant immunity to tech companies from
sharing information with... the NSA, which was effectively put in control over "cybersecurity" under CISPA. It seems clear, at this
point, that the worst fears about CISPA are almost certainly true. It was never about improving defensive cybersecurity, but a
cover story to enable greater offensive efforts by the NSA which, in turn, makes us all a lot less secure.
Squo cyber-offense is a bad framework
Iasiello 14 (Emilio Iasiello has been a cyber-threat analyst for the past twelve years supporting the US
Departments of State and Defense, as well as a private sector security firm. Hacking Back: Not the Right
Solution.
http://www.strategicstudiesinstitute.army.mil/pubs/Parameters/issues/Autumn_2014/13_IasielloEmilio_Hacking%20Back%20Not%20the%20Right%20Solution.pdf)//CLi
Abstract: In cyberspace attackers enjoy an advantage over defenders, which has popularized the concept of active cyber defense -- offensive
actions intended to punish or deter the adversary. This article argues active cyber defense is not a practical
course of action to obtain tactical and strategic objectives. Instead, aggressive cyber defense, a proactive
security solution, is a more appropriate option. Cyber Strategies Hacking Back: Not the Right Solution The ability to
retaliate against cyber attackers -- irrespective of the legalities of such actions -- appears to have gained traction in
the United States government, but is it a practical response for achieving tactical and strategic objectives in cyberspace?
Attribution limitations, collateral damage considerations, the Internet's global architecture, and
potential event escalation make the challenges of engaging in active cyber defense an ineffective
course of action destined to achieve limited tactical successes at best; and
conflict. Too many variables prevent active cyber defense deterring or punishing adversaries in cyberspace. For that reason, this article advocates
a more productive solution -- aggressive cyber defense -- to frustrate attackers via nondestructive or damaging activities.
We have initiated a virtual Cold War -- only a defensive model can deter escalation
Iasiello 14 (Emilio Iasiello has been a cyber-threat analyst for the past twelve years supporting the US
Departments of State and Defense, as well as a private sector security firm. Is Cyber Deterrence an Illusory
Course of Action?, Journal of Strategic Security, http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1337&context=jss, 2014)//CLi
With the U.S. government (USG) acknowledgement of the seriousness of cyber threats, particularly against its critical infrastructures, as
well as the Department of Defense (DoD) officially
policymakers, and think tank researchers have resurrected a potential Cold War strategy to implement
against the new threats fermenting in cyberspace.1 It is argued that the same principles that successfully contributed to
nuclear deterrence with the Soviet Union can be applied to cyberspace and the hostile actors that operate
within. However compelling, similar strategies are not transferrable and the key factors that made nuclear deterrence a viable solution does not carry
the same value in cyberspace. While only a handful of states have demonstrated the capability to develop nuclear weapons, more than 140
nations have or are developing cyber weapons, and more than thirty countries are creating military
cyber units, according to some estimates. Moreover, this threat actor landscape does not consist of nation states alone. Included are cyber criminals,
hackers, and hacktivists of varying levels of sophistication and resources willing to use their capabilities to support nefarious objectives.2 There are
advocates favoring the implementation of a cyber deterrence strategy to mitigate the volume of hostile cyber
activity against public and private sector interests. However, too many factors -- including attribution challenges and
sustainability against this vast threat actor landscape -- inhibit cyber deterrence options from achieving their desired outcome
in the near term. What's more, other deterrent strategies such as those employed against nuclear weapon use,
terrorism, and rogue state behavior is not suitable models for the cyber realm. Despite some commonalities, the cyber domain lacks
the transparency and actor visibility required to develop deterrence measures. Despite these hindrances, nation states should seek to
develop, refine, and implement national level cyber security strategies that focus on cyber
defense improvements and enforce accountability to measure their successes. While there will always be sophisticated actors able to thwart the
most robust cyber security defenses, the success of hostile activity against networks are the result of poor cyber security practices such as unpatched
systems and users not well trained in information assurance principles. Cyber security is an ongoing effort that needs to be relentlessly monitored and
adapted to a constantly changing threat environment.
Squo policies make companies and citizens vulnerable to hackers; we need to switch to
defense
Clarke and Swire 14 (Richard Clarke was a National Security official in the Bush, Clinton, and Bush
Administrations. Peter Swire was a White House official under Presidents Clinton and Obama, and now is a
professor at the Scheller College of Business of the Georgia Institute of Technology. The NSA Shouldn't
Stockpile Web Glitches, 4/18/2014, http://www.thedailybeast.com/articles/2014/04/18/the-nsa-shouldn-tstockpile-web-glitches.html)//CLi
When word spread last week about the greatest cyberspace vulnerability in years, the aptly named Heartbleed vulnerability, the first question that many
asked was Did NSA know? Because of the prior revelations about NSA activity, there is now a natural suspicion among many citizens that the NSA
would be using such a weakness in the fabric of cyberspace to collect information. Bloomberg even reported that the NSA did know and had been
exploiting the mistake in encryption. But actually no U.S. government agency was aware of the problem; they learned about it along with the rest of us.
That is both reassuring and troubling. The question remains, however, what if, in a similar case in the future, the NSA or some other government agency
did learn about such a flaw in software? Should it be the NSA's decision to tell us about the problem? Should the
government lean to offense, and use the vulnerability to create an exploit and collect information, or, instead, lean
toward defense, alerting citizens and companies so that they can protect themselves from malicious actors who
may also learn about the flaw? Although for some, the answer comes easily, it is in our minds a difficult decision. The temptation to stockpile
vulnerabilities for offense is easy to understand. After all, what if you could use a software glitch to destroy machines that Iran is using to make nuclear
bomb material? Or perhaps we can use a mistake in coding to get inside al Qaeda's communications and learn about their next attack before it happens,
perhaps in time to stop it. In those hypothetical cases, what is the U.S. Government's chief responsibility? To protect us from nuclear proliferation or
terrorism? Or, to patch up software that might be running critical infrastructure such as our banks, stock markets, electric power grid, or transportation
systems? The President's Intelligence Review Group recommended earlier this year that the default decision, the assumption, should be to lean toward
defense. (Disclosure: We were two of the group's five members.) The government, upon learning of a software vulnerability, should alert us and act
quickly with the IT industry to fix the error. We reasoned that if the U.S. government learns about a software glitch, others will
too, and it would be wrong to knowingly let U.S. citizens, companies and critical infrastructure be vulnerable to
hackers and foreign intelligence cyber spies. Usually, it is the U.S. who has the most to lose when there is
a hole in the fabric of cyberspace. We rely upon information technology systems and control networks more than any other
economy or society, and the potential damage that could be done to our country from malicious hacking could be
devastating. We also recommended that there be the opportunity for rare exceptions to the rule. If the government learns about a vulnerability in
some obscure piece of software, not widely present on U.S. critical networks but running on the systems of some real threat (such as al Qaeda or Iran's
nuclear program), the president ought to be able to authorize for a limited time the use of that knowledge to collect intelligence or even to cause
destruction of threatening hardware. That decision, however, should not be the NSA's to make alone. Balancing the offense/defense equities should be a
White House call, made after having heard from all sides of the issue. Those in the government who worry about defending critical, private sector
networks (the departments of Treasury, Homeland Security, Energy, Transportation) should have the opportunity to make their case that it would be
better to defend ourselves than to hoard our knowledge of a cyber problem to attack other nations' networks. The reality is that there will be very
few cases where a strong argument could be made for keeping a software vulnerability secret. Even then, the issue
would be not whether to tell the American people about the cyberspace flaw, but how soon to tell. The president, according to a White House statement
last week, has decided to accept our recommendation. The Obama administration announced that, with very rare exceptions, when the U.S. government
learns of a software vulnerability, it will work with the software companies involved and with users to patch the mistake as quickly as possible. That
AT: CHINA/TAIWAN
Won't go nuclear
Pike 11 last modified 5/7/2011 (John, manager, Global Security, China's Options in the Taiwan
Confrontation, http://www.globalsecurity.org/military/ops/taiwan-prc.htm)
China would almost certainly not contemplate a nuclear strike against Taiwan, nor would Beijing embark on a
course of action that posed significant risks of the use of nuclear weapons. The mainland's long term goal is to
liberate Taiwan, not to obliterate it, and any use of nuclear weapons by China would run a substantial risk of
the use of nuclear weapons by the United States. An inability to control escalation beyond "demonstrative" detonations would cause
utterly disproportionate destruction.
No miscalc
Cliff et al 11 senior political scientist at the RAND Corporation [Cliff with Phillip C. Saunders Senior Research Professor at the National Defense
University's Institute for National Strategic Studies and Scott Harold, March 30, 2011 New Opportunities and Challenges for Taiwan's Security
http://www.rand.org/content/dam/rand/pubs/conf_proceedings/2011/RAND_CF279.pdf Accessed July 12, 2011]
Moreover, other than pursuing the largely political goals of reunification and weakening the security relationship between Taiwan and the United States,
there doesn't seem to be any compelling military need for such measures (which is, after all, the essence of CBMs). To be sure, there is always a risk of
conflict when two militaries face each other, and more, rather than less, certainty never hurts. However, there seems to be little reason to
be concerned over accidental conflict or misperception. There are informal understandings (the centerline being
the prime example): There is already some cooperation in rescue at sea, many (probably too many) channels of
communication exist, and even some unilateral statements of intent have been made . Moreover, and very importantly,
viewing the question from the mainland's side, the frequent statements cited above regarding Taiwan's desire to use CBMs to freeze the status quo
suggest that it is questionable whether Beijing really wants to reinforce certainty regarding its intent and thus weaken its deterrent to the
independence forces, which is still considered to be so essential
Chinese President Hu Jintao prudently concluded that the character of current cross-Strait relations should be
fixed on anti-independence rather than a push for unification, suggesting that the policy of cross-Strait peaceful development should remain intact. Last but not
least was Washington's policy. The United States, as the most important player in the region, has been trying to maintain the
status quo. So, a stable framework was constructed through a vague saddle point to keep the current cross-Strait situation from descending into chaos: Taipei acted to maintain cross-Strait stability; Beijing promoted cross-Strait peaceful development; and Washington sought
to maintain the status quo. The stability is no longer abstract but has a distinct structure, though that framework is still fragile and each side still has to
learn how to trust the others. Almost all the subsequent policies that can help bring about greater stabilization are based on this fragile structure. There is the potential for a
diplomatic truce, Taiwan's participation in the World Health Organization, and, most importantly, Taipei's involvement in the Economic
Cooperation Framework Agreement (ECFA), a trade agreement between China and Taiwan that came into effect in September 2010. The effects of ECFA have been greatly distorted. Those
development.
who criticize the agreement believe that it will only make Taiwan more dependent on the Chinese Mainland. They argue that Beijing also sees the agreement as a way to increase Taiwan's dependence on
China, but that the Chinese use a different phrase: deepening the interaction of the two sides. But
for Taipei, the ECFA represents something different. First, it tells Beijing
that Taiwan did not shut down all the possibilities of a common future, and this will definitely make Beijing
consider similar future policies more reasonably and rationally. Second, the ECFA is a gateway for Taiwan's
economy. For the first decade of the twenty-first century, there were approximately 60 meaningful free trade agreements around the pan-Pacific region. Two countries were excluded from those
agreements: North Korea and Taiwan. The result is that Taiwan has been gradually marginalized. The previous Taiwanese administration tried to push Beijing on this matter. But under the leadership of
can easily defend itself. South Korea's GDP is $1.13 trillion, versus North Korea's paltry $40 billion,
with similar disparities in the sizes of their respective defense budgets. The brutal authoritarian regime of North Korea is
made out to be a major threat to its neighbors, but it is comparatively weak, lacking the kind of advanced industrial
and technological military capacity of its southern neighbor and, certainly, the U.S. Experts consider Pyongyang unfit to
fight an extended modern battle.
Conflict will be limited and short-lived
Yong 11 -- Washington-based analyst of international affairs at Asia Times (Yong Kwon, 2011,
Misunderstandings may prove fatal, http://www.atimes.com/atimes/Korea/MA08Dg02.html, RBatra)
The economic and military prowess of the DPRK in
relation to South Korea has diminished to such an extent that it makes any large-scale military action
implausible.
Radio Free Asia reported that the shelling of the Yeonpyeong Island caused widespread panic throughout North Korea because
of the belief that the United States would retaliate militarily. According to the same report, the panic caused a rush on foreign currency and forced the price of food
to rise, initiating a crisis similar to the one created by the currency revaluation in December 2009. [4]
Nonetheless, there are several elements that make this analogy a dubious one when it comes to North Korea.
Had the North Koreans feared the loss of their relative advantage, a large-scale invasion would have
commenced in the 1960s or 1970s, before the South Korean economy lifted off under the Park Chung-hee administration. With the mounting cost of
coercive bargaining, the North Koreans are not playing a zero-sum strategy game like the Japanese Empire in 1941, but a post-famine negative-sum survival game.
North Korea currently has two major military assets: its capacity to obliterate Seoul with its forward artillery, and its nuclear arsenal. A Pearl Harbor-like attack by North Korea will involve one and or both
of these assets. However,
there are questions as to whether North Korea has either the technological know-how or the
desire to actually utilize these military advantages.
There have been doubts on whether or not the two sensational nuclear tests have actually been successful. Several
observers of the North Korean nuclear crisis from both the United States and Russia have commented on the possibility that both tests may have merely
"fizzled". Furthermore, Pyongyang is a long ways from actually producing an inter-continental ballistic missile that can
This leaves
the direct artillery strike on Seoul as the only strategically advantageous military asset for North Korea. However, this would be an
inappropriate use of force for Pyongyang's foreign policy objectives. North Korea more or less gave up on their
initial objective of unifying the peninsula in the 1970s, when the DPRK leadership recognized their country's relative economic backwardness compared to
Since then, Pyongyang's policies have been geared towards coercive bargaining that will bring either legitimacy
or much-needed economic assistance to the regime. Any attack on Seoul would jeopardize the fine line between much-needed subsidies and all-out war.
In terms of recent clashes, the scuttling of the Cheonan and the shelling of Yeonpyeong Island revealed fatal weaknesses in the South Korean defenses;
however, it did not reduce the deterrence against all-out war because North Korea cannot afford to take any physical
blows in its fragile state.
AT: POLITICS
Bipartisan support for NSA restrictions: recent votes prove
Coca 6/12 (Onan Coca is a graduate of Liberty University (2003) and earned his M.Ed. at Western Governors
University in 2012. Freedom Force: Bipartisan House Votes for Further Restrictions on Surveillance on
Americans! Published June 12th, 2015. Accessed June 29th, 2015. http://freedomforce.com/4275/bipartisanhouse-votes-for-further-restrictions-on-surveillance-on-americans/) KalM
In another win for freedom, the
several key provisions of the broad, post-9/11 surveillance law known as the Patriot Act
were up for renewal five years ago, the Senate debated for just 20 seconds before reauthorizing the
sweeping powers by a voice vote. The following day, the House followed the upper chamber's lead, voting
315-97 to extend the act's most controversial elements.
Domestic surveillance is congressionally approved
Saletan 13 (Will Saletan is a journalist for Slate. He writes about politics, science, technology, and other stuff
for Slate. He's the author of Bearing Right. Slate: Stop Freaking Out About the NSA published June 6th,
2013. Accessed June 29th, 2015.
http://www.slate.com/articles/news_and_politics/frame_game/2013/06/stop_the_nsa_surveillance_hysteria_the_government_s_scrutiny_of_verizon.html) KalM
3. It's congressionally supervised. Any senator who's expressing shock about the program is a liar or
a fool. The Senate Intelligence and Judiciary Committees have been briefed on it many times.
Committee members have had access to the relevant FISA court orders and opinions. The intelligence
committee has also informed all senators in writing about the program, twice, with invitations to review classified
documents about it prior to reauthorization. If they didn't know about it, they weren't paying attention.
NSA hires outside companies to help it do the work it's supposed to do. But an analysis of the intelligence
community's black budget reveals that unlike most of its peers, the
agency's top hackers are also funneling money to firms of
dubious origin in exchange for computer malware that's used to spy on foreign governments. This year alone,
the NSA secretly spent more than $25 million to procure "'software vulnerabilities' from private malware vendors,"
according to a wide-ranging report on the NSA's offensive work by the Post's Barton Gellman and Ellen Nakashima. Companies such as Microsoft
already tell the government about gaps in their product security before issuing software updates, reportedly to give the NSA a chance to exploit those
bugs first. But the NSA is also reaching into the Web's shadier crevices to procure bugs the big software vendors don't even know about, vulnerabilities
that are known as "zero-days." Just who might the NSA be paying in this covert marketplace? One of the most famous players in the arena is Vupen, a
French company that specializes in selling zero-day exploits. A 2011 brochure made public on WikiLeaks showed Vupen boasting that it could "deliver
exclusive exploit codes for undisclosed vulnerabilities discovered in-house by Vupen security researchers." "This is a reliable and secure approach to help
[law enforcement agencies] and investigators in covertly attacking and gaining access to remote computer systems," the brochure continued. To take
advantage of the service, governments can purchase an annual subscription. The subscription comes with a number of "credits" that are spent on buying
zero-day exploits; more sophisticated bugs require more credits. In 2012, Vupen researchers who discovered a bug in Google Chrome turned down the
chance to win a $60,000 bounty from the search giant, presumably in order to sell the vulnerability to a higher bidder. The company announced earlier
this month that it would be opening an office in the same state as the NSA's headquarters in Fort Meade, Md. WikiLeaks identified a total of nearly 100
companies participating in the electronic surveillance industry worldwide, though not all of them are involved in the sale of software vulnerabilities.
Zero-days are particularly effective weapons that can sell for up to hundreds of thousands of dollars
each.
AT: TERRORISM DA
They've magnified the risk of the internal link: little chance that terrorists can access the zero-day market
Mueller 13 (Milton Mueller, Professor at the Syracuse University School of Information Studies. His research
and teaching explore the political economy of communication and information. For the past 15 years his
research, teaching and public service have concentrated on problems related to global Internet governance.
REGULATING THE MARKET FOR ZERO-DAY EXPLOITS: LOOK TO THE DEMAND SIDE,
http://www.internetgovernance.org/2013/03/15/regulating-the-market-for-zero-day-exploits-look-to-thedemand-side/, March 18, 2013)
We suggest focusing policy responses on the demand side rather than the supply side. The
Government itself, we should have a civilian agency such as DHS compile information about the scope and scale of our participation in the
exploits market. We should also ask friendly nations to assess and quantify their own efforts as buyers, and share information about the scope of their
purchases with us. If U.S. agencies and allies are key drivers of this market, we may have the leverage
we need to bring the situation under control. One idea that should be explored is a new federal program to purchase zero-day
exploits at remunerative prices and then publicly disclose the vulnerabilities (using responsible disclosure procedures that permit directly affected
parties to patch them first). The program could systematically assess the nature and danger of the vulnerability and pay commensurate prices. It would
need to be coupled with strong laws barring all government agencies including military and intelligence agencies from failing to disclose exploits with
the potential to undermine the security of public infrastructure. If other, friendly governments joined the program, the costs could be shared along with
the information. In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to
create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose
program could replace current funding for exploit purchases. Obviously, terrorists, criminals or hostile states bent on destruction or break-ins would not
be turned away from developing zero-days by the prospect of getting well-paid for their exploits. But most of the known supply side of
the market does not seem to be composed of terrorists or criminals, but rather profit-motivated
security specialists. And it's likely that legitimate, well-paid talent will discover more flaws than the dark side in the long run. Obviously the
details regarding the design, procedures and oversight of this program would need to be developed. But on its
face, a demand-side approach seems much more promising than railing against the morality of so-called cyber arms dealers.
Qaeda, Algeria's Armed Islamic Group, Hezbollah, and the Egyptian Islamic Group are known to
be versed in information technology. However, the type of attacks that are possible with low-cost tools do
not yet rise anywhere near the level of breaking things and killing people. It is very unlikely that any
terrorist organization such as al-Qaeda will be able to deploy a cyberattack with the sophistication of Stuxnet.
Stuxnet was developed by military expert programmers with detailed knowledge about their 16 targets. It would take enormous time and human
resources to develop that level of sophisticated skills. Although terrorists might turn to the underground to hire hackers with
sufficient skills, Giampiero Giacomello has argued that this approach is unlikely, because it would be far more costly than traditional
physical attacks that terrorists have used more or less successfully in the past.28 In addition to IT skills, an important element of major cyberattacks is
zero-day exploits (as used in Stuxnet), because no patch is available to defend against them.
day exploits, and it might be assumed that terrorists might be able to buy them easily as needed. However, there
is also competition. At the recent Black Hat conference, representatives from the U.S. military and intelligence community were among the thousands of
attendees to learn about vulnerabilities and buy exploits and software tools, among other things. Many of the companies involved in
discovering vulnerabilities and creating exploits are in Western countries unfriendly to terrorists, so
terrorists may find it very difficult to acquire zero-day exploits.
Current zero-day vulnerabilities put us at risk of terrorists
Arce 2014 (Nicole Arce, staff reporter at Tech Times, Operation Auroragold allows NSA to spy on Carriers
criminals and terrorists the NSA claims to target will also be able to exploit these
holes. "If there are vulnerabilities on those systems known to the NSA that are not being patched on purpose, it's quite likely they are being misused
by completely other kinds of attackers," Hypponen says. "When they start to introduce new vulnerabilities, it affects everybody who uses that technology;
it makes all of us less secure." Auroragold is in direct conflict with the results of a surveillance review called by President Obama in December after
Snowden's revelations elicited public furor when it first came to light. The panel concluded that the NSA should not "in any way subvert,
undermine, weaken or make vulnerable generally available commercial software." It also said the NSA must
inform companies of newly discovered zero-day exploits, or exploits that developers had zero
days to fix. The White House confirmed these results but not without throwing in an escape clause that says the NSA is allowed not to disclose
security holes if in the presence of "a clear national security or law enforcement" threat. The NSA clearly sees this loophole to its advantage. NSA
spokesperson Vanee' Vines says the agency operates within the bounds of law and only spies on terrorists, weapons distributors and "valid foreign
targets," not "ordinary people." "NSA collects only those communications that is authorized by law to collect in response to valid foreign intelligence and
counterintelligence requirements - regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their
communication," Vines says.
COUNTERPLANS
AT: I-LAW CP
I-Law enforcement for cybercrime has failed: empirics
Fidler 14 Masters in International Relations (MAILYN FIDLER, May 2014, ANARCHY OR
REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES,
https://direct.decryptedmatrix.com/wp-content/uploads/2014/06/Fidler-Zero-Day-VulnerabilityThesis.pdf) /AMarb
The Convention on Cybercrime created by the Council of Europe seeks to harmonize substantive national
criminal law on cybercrime and strengthen mechanisms for international law enforcement cooperation on
cybercrime. The Convention entered into force in 2004 and was sponsored by the Council of Europe.463 The impetus for this treaty was
the need to harmonize national cybercrime laws to increase the chances of successful prosecution of cyber crimes across
borders.464 At the time, many states had yet to enact statutes criminalizing computer crimes, meaning cyber
criminals could find havens in these states.465 Countries with computer crime laws suffered from cyber crime, but some responsible
criminals went unpunished because they were located in other states without an adequate domestic legal framework or international legal agreement
with the affected country.466 Thus, the Convention on Cybercrime represents a direct use of treaty law to address a cybersecurity problem. Ten years
after the drafting of the Convention, the Obama administration stated that the Convention was effective in breaking down barriers to transnational
cooperation and communication and that the United States is able to respond to potential threats more quickly and effectively than ever as a result of
this collaboration.467 Still, the Convention exhibits several problems. Particularly, the treaty attempted to achieve consensus by adopting
overly broad definitions and including a plethora of requested items instead of only the core items that achieved consensus.468,469 The
Convention also provides fairly broad grounds for states to shirk obligations, leaving the door open for
significant reneging.470
representatives revealed few details about the depth of information on zero-day vulnerabilities the
agency holds, its internal process for deciding when to disclose a vulnerability, and whether or how that process
interacts with the interagency process.297 Meanwhile, the White House has stated that a review of the interagency process is currently
underway in response to the recommendations of the President's NSA Review Group. Michael Daniel, a Special Assistant to the President and
Cybersecurity Coordinator, asserted that the Intelligence Community should not abandon the use of vulnerabilities as a tactic for intelligence collection,
but did acknowledge that building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people
unprotected would not be in our national security interest.298 The White House purports to maintain a bias in the Vulnerabilities Equities Process
toward public disclosure in the absence of a clear national security or law enforcement need,299 but the scope of the NSA's vulnerabilities
stockpile calls into question how effective this mysterious disclosure process really is. Furthermore, the
government's repeated assertions that it has reinvigorated the interagency process in response to the
President's NSA Review Group report suggests that it has not previously been strongly implemented or
consistently followed.300 The President's Review Group report recommended that US policy should generally move to
ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US
Government and other networks.301 The authors went on to explain that eliminating the vulnerabilities, patching them,
strengthens the security of US Government, critical infrastructure, and other computer
systems. The group did carve out a narrow exception for a brief authorization for the delay of notification or patching of a zero-day vulnerability,
but only for high priority intelligence collection, following senior, interagency review involving all appropriate departments.302 Security experts like
Bellovin et al. also highlight that
itself may create a national security risk , such as affecting network routers and switches.303
AT: NATO CP
CP can't solve: members don't want to share alliances and don't trust the US
Fidler 15 -- 1NC Author Marshall Scholar, Department of Politics and International Relations, University of
Oxford (Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY
ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-ChangesMade.pdf, pg. 72-74) /AMarb
NATO members, however, are extraordinarily sensitive to the alliance having any offensive cyber capabilities
or even discussing the need to think about the value of cyber capabilities and operations in missions NATO
might undertake, as NATO has done with previous technological developments affecting its mission.318 Some
of this hesitancy stems from NATO members with cyber capabilities not wanting to share with less cyber-capable alliance partners. Additionally, the Snowden disclosures adversely affected prospects for advancing
NATO discussions about offensive cyber capabilities because of increased mistrust toward the United States,
particularly after revelations of U.S. spying on NATO allies.319
NATO can't just focus on Russia: hybrid warfare and new countries will emerge
Lewis, PhD 15 -- internationally recognized expert on cyber security (James, 2015, The Role of
Offensive Cyber Operations in NATO's Collective Defence, NATO Cooperative Cyber Defence,
https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf) /AMarb
Beyond deterrence, two other factors point to the need for additional consideration of NATO's public posture
on offensive cyber operations. The first is that cyber techniques are essential for the kinds of combat operations
that NATO forces may carry out in the future. No modern air force would enter into combat without electronic
warfare (EW) capabilities; as cyber and EW merge into a single activity, air operations will require cyber
support. The same is true for special forces operations. Offensive cyber capabilities will shape the battlefields of
the future. Second, NATO's potential opponents will use cyber techniques in new ways, in what some have
called hybrid warfare.6 These include countries traditionally of concern to NATO, but cyber threats could
also come from new actors, such as Iran or North Korea, and proxy or non-state actors such as the Syrian
Electronic Army. These nations and groups, using cyber techniques, now have new ways to strike NATO
countries
No net benefit: cooperation will cause conflicts and they won't be able to respond
Lewis, PhD 15 -- internationally recognized expert on cyber security (James, 2015, The Role of
Offensive Cyber Operations in NATO's Collective Defence, NATO Cooperative Cyber Defence,
https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf) /AMarb
The emphasis is on political action and opinion shaping, seeking to portray the other side as fascists and
human rights violators against whom an oppressed population has risen in defiance. The US, NATO, and the
West are characterised as interlopers, seeking only to extend their hegemony and weaken the sovereign rights
of other nations. Such charges are intended to support the aggressor narrative and create
dissension among Western nations. Western military forces and governments are ill-equipped to
respond to this.9 Cyber operations used for coercive effect create uncertainty and concern within the target
government. The knowledge that an attacker may have infiltrated their networks, is monitoring
communications, and perhaps considering even more damaging actions, can have a paralysing effect. The
vast majority of these cyber operations are likely to fall below the level of an armed attack,
even under the new NATO guidelines, complicating any response. The effort to gain information
superiority falls in good measure outside of NATO's purview, but the Alliance must take these into account in
planning for the role of cyber activities in conflict.10
administration adopted a new policy on whether the NSA can exploit zero-days,
vulnerabilities that haven't been discovered by anyone else yet. According to the White House, there is a bias toward publicly
disclosing flaws in security unless there is a clear national security or law enforcement need. In a blog post Monday, Michael Daniel, the White House's
cybersecurity coordinator, said that disclosing security flaws usually makes sense. Building up a huge stockpile of undisclosed vulnerabilities while
leaving the Internet vulnerable and the American people unprotected would not be in our national security interest, he said. But Daniel added that, in
some cases, disclosing a vulnerability means that the U.S. would forego an opportunity to collect crucial intelligence that could thwart a terrorist attack,
stop the theft of our nations intellectual property, or even discover more dangerous vulnerabilities. He said that the government weighs a variety of
factors, such as the risk of leaving the vulnerability un-patched, the likelihood that anyone else would discover it, and how important the potential
intelligence is.
But privacy advocates and many business groups are still uncomfortable with the U.S.
keeping security flaws secret. And many don't trust that the NSA will only exploit the
vulnerabilities with the most potential for intelligence and least opportunity for other hackers. "The
surveillance bureaucracy really doesn't have a lot of self-imposed limits. They want to get everything," said Ed
Black, the CEO of the Computer & Communications Industry Association, which represents companies including Google, Microsoft, Yahoo, and Sprint.
"Now I think people dealing with that bureaucracy have to understand they can't take anything for granted." Most computer networks are
run by private companies, and the government must work closely with the private sector to improve cybersecurity. But companies have
become reluctant to share security information with the U.S. government, fearing the NSA could use any
information to hack into their systems. "When you want to go into partnership with somebody and
work on serious issues -- such as cybersecurity -- you want to know you're being told the truth," Black said.
Google and one other cybersecurity firm discovered Heartbleed -- a critical flaw in a widely used Internet encryption tool -- in
March. The companies notified a few other private-sector groups about the problem, but no one told the U.S.
government until April. "Information you share with the NSA might be used to hurt you as a company,"
warned Ashkan Soltani, a technical consultant who has worked with tech companies and helped The Washington Post with its coverage of the Snowden
documents.
AT: REGULATIONS CP
Strong legal framework is key --- reporting regulations fail
Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate
professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer
science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc.,
April, 2014, Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern
Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn
P167 However, this
does not mean that a law enforcement exploitation laboratory will be naturally inclined to
report the fruits of its labor to vendors. From the perspective of an organization charged with developing
exploits, reporting might seem an anathema to the mission, since it means that the tools it
develops will become obsolete more quickly. Discovering and developing exploits costs money, and an
activity that requires more output would need a larger budget. n249 P168 An obligation mandating that
law enforcement agencies report any zero-day vulnerabilities they intend to exploit should thus be supported
by a strong legal framework. Such a framework should create bright lines for what constitutes a
vulnerability that must be reported, when the reporting must occur, to whom the report should be
made, and which parts of the government are required to do the reporting. There are many grey areas.
AT: OVERSIGHT CP
Guidelines/oversight fail
Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate
professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer
science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc.,
April, 2014, Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern
Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn
P175 The simplest way to implement a default reporting policy would be guidelines that mandate reporting under certain circumstances promulgated by
the administration, likely the Department of Justice. n256 However,
weaknesses. First, the guidelines would be formulated, implemented, and enforced by the very department with
the most interest in creating exceptions to the rule, and that most "pays the cost" when the tools it develops and
uses are neutralized. Such conflicts of interest rarely end up with the strongest possible protections for the
public. P176 Therefore, a legislative approach may be more appropriate. Perhaps as part of the appropriations bill that
funds the exploit discovery effort, Congress could mandate that any vulnerabilities the unit discovers be
reported; alternatively, a reporting mandate could be added to the wiretap statute. This second approach has the
advantage that it is more permanent; however, amending the Wiretap Act has proven to be a long and contentious process. Regardless, and
as noted above, such legislation would need to be carefully drafted to capture a range of different circumstances.
national security need exempting the vulnerability from disclosure continues to validate
keeping the vulnerability undisclosed. Scott Charney reflected on the prospect of a post-use or post-stockpiling review process,
and commented that, indeed, after Stuxnet, it might be interesting to see what would happen if there was a review, if the government did a good job
balancing competing equities.439 Moreover, if purchased vulnerabilities are really not currently subject to the same initial review process as in-house
discovered vulnerabilities, this post-use or post-stockpiling review process would extend the equities process to this important category of vulnerabilities.