Small Wars Journal

Cyber Threat or Cyber Threat Inflation? - Assessing the Risk to U.S. National Security

Mon, 08/07/2017 - 7:37am

Cyber Threat or Cyber Threat Inflation? - Assessing the Risk to U.S. National Security

Kenneth Mok

Introduction  

In response to increasing cyber intrusions, the United States government has exponentially strengthened its investment in cyber defense capabilities over the past decade. In just two years, Congress introduced over 90 bills related to cybersecurity through four different Committees and former President Obama directed five executive orders,1 supplementing his proposal to raise the fiscal year 2017 budget for cyber defense by 35% to $19 billion.2

There are two competing arguments regarding the gravity of the threat that cyber-attacks pose to the nation’s security. On one hand, cyber-attacks present a serious national security threat that can cause as much harm as conventional military attacks, warranting a robust cybersecurity policy (cyber threat theory). Alternatively, cyber-attacks present a nuisance primarily to businesses and do not pose an imminent threat to the survival of the United States, causing the U.S. to overinvest in this area (cyber threat inflation theory).

An inquiry into the plausibility of future cyber war underlies this debate. In the Journal of Strategic Studies, dozens of experts have engaged in this discussion with articles that argue whether “Cyber War Will Take Place,”3 or whether “Cyber War Will Not Take Place.”4 Examining arguments on both sides of the debate provides policymakers and practitioners a basic framework for analyzing this increasingly salient national security issue. Such analysis necessitates an acknowledgement that sophisticated cyber operations are being orchestrated by individuals and groups who do not fit the stereotypical narrative of the 400-pound hacker, as President Donald Trump once suggested.5

Cyber threat theory contends that cyber-attacks are emerging national security threats that may cause as much harm as conventional military tactics. U.S. policy tends to reflect this threat assessment.

By nature of cyberspace, efforts to attribute responsibility for cyber-attacks to states, rather than criminals or terrorists, often prove fruitless.6 This accountability problem hinders states’ ability to deter enemies who directly or indirectly perpetrate cyber-attacks without fear of legal liability or military response.7 Despite recent efforts by scholars to form international cyber norms through the creation of the Tallinn Manual, major geopolitical powers lack consensus on cyber norms which increases the likelihood for miscommunication, escalation, and potential crises.8 For example, one country can hack into another state’s system as benign “standard operating procedure,” but mistakenly leave an implant in a system marginally connected with critical infrastructure, prompting a disproportionate response.9 The increase of cyber offensive capabilities in China, Russia, and the U.S. have induced characterizations of a “quasi-arms race.”10 Three notable incidents in the last decade demonstrate different methods through which cyber-attacks can pose a substantial threat to a nation’s security.

Weakening Government Capabilities: The Bronze Statue incident in Estonia

In 2007, distributed denial of service (DDoS) attacks targeted Estonia’s infrastructure and shut down the websites of all government ministries, two major banks, and several political parties. Most have attributed blame to digital activists (also known as hacktivists). Although authorities arrested one individual, they never uncovered the primary culprits. This incident demonstrates that sophisticated political hacktivists may possess the ability to disrupt or destroy government operations.11 They can hide behind layers of software by manipulating globally dispersed and virtually untraceable computers (i.e. botnets) to execute the attacks.

Augmenting Traditional Warfare: The Russo-Georgian War

Prior to and during the Russo-Georgian War of 2008, Russia deployed decentralized cyber mobs to attack Georgia’s infrastructure. These attacks blocked the ability of Georgian citizens to obtain information, disrupted access to banking for 10 days, and hindered Georgia’s ability to mobilize an effective domestic and international response. This incident depicts how the digitization of government and military systems revolutionizes conventional warfare, particularly in the air and sea domains. Cyber warfare impacts engagement systems at the tactical level, the adversary’s ability to mass and synchronize forces at the operational level, and the ability of senior leadership to maintain clear situational awareness of the national security environment at the strategic level.12 While cyber weapons do not have a direct kinetic effect, they can indirectly render defense systems, command and control (C2) systems, tanks, and aircraft useless.13 For example, Israeli cyber-attacks in 2007 spoofed Syrian air defense systems, enabling F-15 and F-16s to penetrate the airspace and destroy a suspected nuclear site.14 Similarly, Iranian cyber engineers, in conjunction with Russian assistance, brought down a valuable U.S. drone in 2011 by hacking global tracking systems.15

Threatening Critical Infrastructure: Stuxnet worm attack against Iran

In 2009, Stuxnet – an alleged Israeli-American created virus – rendered Iranian nuclear centrifuges useless by making them rotate more rapidly in a suicidal-mechanical fashion. The type of malware associated with Stuxnet, now called Duqu, uses a coding platform that puts together different pieces of modules to create entirely different malware, surpassing the air-gap that exists between the internet and the system. This instance shows that cyber-attacks can pose debilitating physical effects by taking advantage of zero-day vulnerabilities and self-replicating itself among systems. A single cyber weapon can steal information from civilian institutions to create additional cyber weapons in a “cascading effect” that harms aircraft, air defense systems, and critical infrastructure.16 Industry leaders and congressional representatives frequently warn that the supervisory control and data acquisition (SCADA) systems underlying the nation’s critical infrastructure possess potentially catastrophic vulnerabilities.17

In sum, cyber threat theory contends that cyber-attacks pose a dangerous threat to national security by infiltrating government systems, complicating warfare, and attacking critical infrastructure.

In contrast, cyber threat inflation theory argues that cyber-attacks pose a nuisance primarily to contractors, enabling them to profit from inflated perceptions of cyber vulnerability.

Critics of cyber threat theory argue that most cyber-attacks fall below the threshold of armed conflict and do not threaten the defense capabilities of the U.S. Instead, they believe most so-called cyber-attacks are better characterized as criminal acts and cyber thefts. In a comprehensive study of 111 cyber incidents from 2001-2011 between rival states, scholars Brandon Valeriano and Ryan Maness found that only 20 out of 126 rival pairs of states engaged in government targeted conflicts and most of them tend to be mild nuisances and disruptions.87 According to the U.S. Government Accountability Office, only 18% of 44,562 cyber incidents directed at federal agencies resulted from malicious code, 17% from unauthorized access and the rest from improper usage, probes, and other benign intrusions.19 Rather than agitating geopolitical balance, the scholar, Thomas Rid, proposes that cyber-attacks will “diminish rather than accentuate political violence” by offering states and other actors a new mechanism to engage in aggression below the threshold of war.20

If most cyber incidents comprise espionage cases that do not threaten the nation’s security, it follows that public and private leaders hold an alternative reason for exaggerating cyber threats: lucrative government contracts. A strong qualitative and quantitative relationship between cyber defense investment and companies’ revenue streams supports this cyber threat inflation theory.

Defense budget cuts, accompanied by an exponential growth in the international cybersecurity market, has spurred private contractors to provide government cyber services.

The global cybersecurity market has grown roughly 35 times in the last 13 years.21 Private sector firms own 85% of U.S. critical infrastructure assets and serve as the “de facto providers of software used by everyone,” especially the federal government.22 During this period, traditional defense contractors, who are normally known for developing military weapon systems, have begun to create and expand their own cybersecurity centers. BAE Systems has purchased at least 9 cyber-related firms since 2005 and Boeing has spent over $1 billion doing the same since 2010.23 In May 2016, the United States Cyber Command (USCYBERCOM) awarded spots on a massive $460 million operations contract to 6 traditional contractors.24 The nature of this relationship has led several scholars to suspect excessive, unaccountable spending by the government. Like the “military-industrial complex,” this relationship can otherwise be known as the “cybersecurity-industrial complex,” the close nexus between the Pentagon, defense contractors, and elected officials that could lead to the unnecessary expansion of cybersecurity spending and a breakdown of checks and balances.25 Prior to a 2007 House oversight bill, the Office of the Director of National Intelligence allocated billions of dollars in classified intelligence work to contractors without having to inform Congress.26

In the cyber-intelligence industry, strong relationships between contractors and government agencies create a revolving door that gives companies disproportionate lobbying influence in Congress.

Parallel to general trends in the defense industry, budget constraints resulting from the end of the Cold War increased the pressure on the National Security Agency (NSA) to outsource their capabilities. Hiring close to 20 companies in the mid 1990’s, the agency exponentially increased hiring to about 1,000 in 2000, 2,690 in 2004 and over 5,400 in 2008.27 Former high-ranking government and military officials have left their posts and accepted senior positions with military contractors, consultancies, and private-equity firms, often replicating the services they provided while in government.28 This revolving door of cyber-intelligence leaders gives them disproportionate influence in Congress and possibly taints the contracting decisions they made while serving. Today, approximately 1,500 companies lobby for Congress on cybersecurity issues, compared to just four in 2006.29 Historically, legislators tend to reject cybersecurity proposals that industry lobbyists do not approve of. As a major donor to both political parties since 1998, Microsoft has exercised such influence by convincing government agencies to use their software to reduce costs.30 After weaknesses were repeatedly exploited, the government considered a shift to cheaper, open-source software like Linux, but Microsoft successfully "went on the warpath" to retain their contracts.31

Heighted perceptions of cyber threats closely correlate with substantial increases in contractors' revenue, which indicates overriding economic interests.

The post 9/11 consensus on countering global terrorism accelerated the government's initially modest investment in the cyber industry. Created shortly after the attacks, the Bush administration created the Department of Homeland Security (DHS) in 2002 and shortly increased its "information analysis and infrastructure protection" spending by 370% in 2004.32 Meanwhile, total federal government spending in the informational technology sector increased by 9.7% to $53.1 billion in 2003, amounting to one-third of the entire industry’s business.33 Following this money trail has led some scholars to conclude that threat inflation, similar to that witnessed during the build-up to the Iraq War, has driven the recent cyber defense splurge.34 The most widely cited literature in support of cyber investment, the 2008 Center for Strategic and International Studies Commission report and the best-selling book, Cyber War, predominantly utilizes unverifiable claims and anecdotal evidence.35 Speculative science is hardly the sort of information that should justify billions of American tax dollars. At congressional hearings, advocates who warn politicians of potentially catastrophic cyber threats often represent companies such as McAfee Corporation with decades-old government contracts.36

Conclusion

The cyber threat theory and cyber threat inflation theory present two opposing viewpoints of a prominent national debate. Like most complex subjects, the truth often falls in the middle of two extremes. Cyber-attacks potentially pose debilitating effects on critical infrastructure and the government’s ability to wage war; their sophistication and potency outpace the development of cyber defense. Yet, the Estonian and Georgian examples demonstrate that cyber war will likely not occur unless it stems from an existing conflict escalated through conventional means.

While recognizing that cyber intrusions falling the below threshold of warfare can “snowball” into a bigger conflict and give the aggressor a conventional warfare edge, policymakers should not dictate cybersecurity policy based principally on doomsday scenarios. Such threat inflations, driven by the cybersecurity-industrial complex, causes the government and military to overspend on cyber systems. Instead, a nuanced knowledge of cybersecurity that properly accounts for political and financial incentives should drive the nation’s investment decisions in cyber defense. Moving beyond the 400-pound hacker narrative, policymakers should focus on deep and intricate networks of state and non-state sponsored hackers who engage in cyber criminality, espionage, and other intrusions that degrade the ability of the military to operate in all of the combat domains.

End Notes

1. From January 2015 to February 2017, the 114th Congress introduced H.R.53, H.R.85, H.R.234, H.R.240, H.R.451, H.R.719, H.R.456, H.R.1017, H.R.1073, H.R.754, H.R.1560, H.R.1731, H.R.1765, H.R.1764, S.1008, H.R.1898, H.R. 1998, H.R.2029, H.R.1158, S.1241, S.1243, S.1356, S.1376, H.R.2534, H.R.2596, H.R.2577, H.R.1735, H.R.1738, S.1635, H.R.2977, S.1869, H.R.3305, H.R.3313, S.754, S.2007, H.R.3490, H.R. 3510, H.R.8, H.R.3578, H.R.3572, H.R.3664, H.R.3869, H.R.3873, H.R.3878, H.R.4350, S.2410, S.4206, S.2665, H.R.4743, H.R.4860, S.2756, S.2764, H.R.4897, H.R.4909, H.R.5069, S.2943, H.R.5312, H.R.5390, H.R.5459, H.R.5537, H.R.5843, S.3295, H.R.6004, H.R.6066, H.R.6073 and H.R.6227. The 115th Congress introduced H.R.54, S.27, H.R.584, H.R.404, H.R.244, H.R.612, H.R.600, H.R.1907, H.R.1981, S.770, S.754, S.719, H.R.1616, H.R.1609, S. 679, S.594, S.592, H.R.1465, S.536, S.516, H.R.1344, H.R.1340, H.R.1335, H.R.1324, H.R.1224, S.412, H.R.950, H.R.923, H.R.935, H.R.945 and H.R.950. Library of Congress. U.S. Govt. Web. Accessed 24 June 2017. https://www.congress.gov/search?searchResultViewType=expanded&q={%22source%22:%22legislation%22,%22search%22:%22cybersecurity%22,%22congress%22:[%22115%22,%22114%22]}&pageSort=dateOfIntroduction:asc. In the same time period, Obama passed EO 13757, 13718, 13719, 13691 and 13694. “Barack Obama Executive Orders Subjects." National Archives and Records Administration. National Archives and Records Administration. Accessed 11 June 2016. http://www.archives.gov/federal-register/executive-orders/obama-subjects.html.

2. The White House. "FACT Sheet: Cybersecurity National Action Plan." Press Release. The White House. 9 Feb. 2016, accessed 6 June 2016. https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.

3. John Stone, "Cyber War Will Take Place!" Journal of Strategic Studies 36.1 (2013): 101-08.

4. Thomas Rid, "Cyber War Will Not Take Place." Journal of Strategic Studies 35.1 (2012): 5-32.

5. Trump, Donald. Debate. 1st Debate of the 2016 U.S. Presidential Election. Hofstra University. Hempstead, NY. 26 Sept. 2016.

6. Several studies point to this conclusion. See Paul Rosenzweig, Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World. Santa Barbara, CA: Praeger, 2013. 78-80; Clorinda Trujillo, "The limits of cyberspace deterrence." Joint Force Quarterly (Oct. 2014): 43-47, Aaron Brantly, The Decision to Attack: Military and Intelligence Cyber Decision-making. Athens: U of Georgia, 2016. 83-88; Scott J. Shackelford and Richard B. Andres, "State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem." Georgetown Journal of International Law (Summer 2011): 981-982.

7. Several studies point to this same conclusion. See Shackelford and Andres, "State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem,” 975; Kenneth Geers, "The Challenge of Cyber Attack Deterrence." Computer Law and Security Review: The International Journal of Technology and Practice 26.3 (2010): 298-303; Daniel Creekman, "Helpless America--An Examination of the Legal Options Available to the United States in Response to Varying Types of Cyber-Attacks from China." American University International Law Review 17.3 (2001-2002): 641-682; Jessica M. Smith, "Twilight Zone Conflicts: Employing Gray Tactics in Cyber Operations." Small Wars Journal. 27 Oct. 2016, accessed 3 March 2017. http://smallwarsjournal.com/jrnl/art/twilight-zone-conflicts-employing-gray-tactics-in-cyber-operations; Daniel Ventre, Cyberwar and Information Warfare. London: Wiley, 2012. 252.

8. Timothy Junio, "How Probable Is Cyber War? Bringing IR Theory Back into the Cyber Conflict Debate." Journal of Strategic Studies 36.1 (2013): 126.

9. Brian M. Mazanec, The Evolution of Cyber War: International Norms for Emerging-technology Weapons. Lincoln, NE: U of Nebraska, 2015. 177-189.

10. Martin C. Libicki, Crisis and Escalation in Cyberspace. Project Air Force: Rand Corporation, 2012. 135-138.

11. Stephen Herzog, "Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses." Journal of Strategic Security 4.2 (2011): 49-60.

12. United States Department of Defense, Joint Publications 3-13.1: Electronic Warfare, Jan. 2007, accessed 15 Feb. 2017. www.dtic.mil/doctrine/jel/new_pubs/jp3_13.1.pdf.

13. Robert M. Lee, "The Interim Years of Cyberspace (Cyber Focus: Feature)." Air & Space Power Journal 27.1 (2013): 62-63; Aaron F. Brantly, "Strategic Cyber Maneuver." Small Wars Journal. 17 Oct. 2015, accessed 22 April 2017. http://smallwarsjournal.com/jrnl/art/strategic-cyber-maneuver.

14. David Fulghum, Robert Wall, and Amy Butler. "Cyber-Combat's First Shot: Israel Shows Electronic Prowess." Aviation Week & Space Technology 167.21 (2007): 28-31.

15. Daniel P. Shepard, Jahshan A. Bhatti, and Todd E. Humphreys, "Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle. (AVIATION)." GPS World 23.8 (2012): 30-33.

16. Lech Janczewski and Andrew M. Colarik, Cyber Warfare and Cyber Terrorism. Hershey: Information Science Reference, 2008. 218-220; Robert M. Lee, "The Interim Years of Cyberspace (Cyber Focus: Feature)." Air & Space Power Journal 27.1 (2013): 58-70.

17. In a speech to New York business leaders in 2012, Secretary of Defense Leon E. Panetta warned of a “cyber-Pearl Harbor.” See also T. G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. Hoboken, NJ: Wiley-Interscience, 2006. 230-235; Securing the Modern Electric Grid from Physical and Cyber Attacks: Hearing before the Comm. on Homeland Security, Subcomm. on Emerging Threats Cybersecurity, and Science and Technology. 111th Cong. 1 (2009) (statement of Chairwoman Yvette D. Clarke, Chairwoman, Subcomm.).

18. For a comprehensive chart of these findings, see page 88 of Brandon Valeriano and Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System. New York: Oxford UP, 2015. Also, WIRED’s Ryan Singel reports in "White House Cyber Czar: ‘There Is No Cyberwar.’” that Howard Schmidt, a cybersecurity adviser to former President Obama, said “there is no cyberwar” and that the government needs to focus its effects on online espionage.

19.The Cybersecurity Partnership between the Private Sector and Our Government: Protecting Our National and Economic Security: Joint Hearing before the Comm. on Commerce, Science, and Transportation and the Comm. on Homeland Security and Governmental Affairs. 113th Cong. 1 (2013) (statement of Gregory C. Wilshusen, Director, Information Security Issues, U.S. Gov. Accountability Office).

20. See also Financial Management and Intergovernmental Relations: Cyber Terrorism and Critical Infrastructure Protection: Hearing before the Subcomm. on Gov. Efficiency. Comm. on Gov. Reform. 107th Cong. 2 (2002) (statement of Douglas Thomas, Associate Professor, University of Southern California).

21. Steve Morgan, “The Cybersecurity Market Report: Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to 2021.” Cybersecurity Ventures. 17 Feb. 2017, accessed 5 June 2017. http://cybersecurityventures.com/cybersecurity-market-report/.

22. Audrey Guinchard, "Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy." Journal of Strategic Security 4.2 (2011): 84.

23. Peter W. Singer, Cybersecurity and Cyberwar: What Everybody Needs to Know. New York: Oxford U, 2013. 164.

24. Aaron Boyd, “CYBERCOM Awards Spot on New $460M Cyber Operations Contract.” Federal Times. 23 May 2016, accessed 31 May 2017. http://www.federaltimes.com/story/government/cybersecurity/2016/05/23/cybercom-operations-contract/84787066/.

25. Brito, Jerry, and Tate Watkins. "The Cybersecurity-Industrial Complex: The Feds Erect a Bureaucracy to Combat a Questionable Threat." Reason 43.4 (2011): 28. For further proponents of the cybersecurity-industrial complex, see Mary O’Connell, "Cyber Security without Cyber War." Journal of Conflict and Security Law 17.2 (2012): 197-198; Peter Singer and Noah Shachtman, "The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive." Brookings Institution. 15 Aug. 2011, accessed 6 June 2016. https://www.brookings.edu/articles/the-wrong-war-the-insistence-on-applying-cold-war-metaphors-to-cybersecurity-is-misplaced-and-counterproductive/; Jeff Stone, "Meet the Cyber-Industrial Complex: Private Contractors May Get $7B Windfall from Pentagon's Cyberwar on ISIS." International Business Times. Newsweek Media Group, 30 Mar. 2016, accessed 18 June 2017. http://www.ibtimes.com/meet-cyber-industrial-complex-private-contractors-may-get-7b-windfall-pentagons-2329652; Timothy Carney, "Carney: The rise of the cybersecurity-industrial complex." Washington Examiner. Washington Examiner, 27 Apr. 2011, accessed 15 May 2017. http://www.washingtonexaminer.com/carney-the-rise-of-the-cybersecurity-industrial-complex/article/113362; David Talbot, "The Cyber Security Industrial Complex." MIT Technology Review. MIT Technology Review, 22 Oct. 2012, accessed 18 June 2017. https://www.technologyreview.com/s/426285/the-cyber-security-industrial-complex/.

26. Tim Shorrock, Spies for Hire: The Secret World of Intelligence Outsourcing. New York: Simon & Schuster, 2008. 366-368, 371.

27. Shorrock, Spies for Hire: The Secret World of Intelligence Outsourcing, 201-202.  

28. ibid.

29. Alec Ross, "Want Job Security? Try Online Security." WIRED UK. WIRED UK, 22 May 2016, accessed 20 May 2017. http://www.wired.co.uk/article/job-security-cybersecurity-alec-ross.

30. Amitai Etzioni, "Cybersecurity in the private sector: the nations businesses manage a significant share of online activity related to national security and must play a larger role in ensuring the overall integrity of the system." Issues in Science and Technology 28.1 (2011): 60-61.

31. ibid.

32. Budget in Brief Fiscal Year 2004, Department of Homeland Security, available at https://www.dhs.gov/sites/default/files/publications/FY_2004_BUDGET_IN_BRIEF.pdf.

33. Shawn M. Powers and Michael Jablonski, The Real Cyber War: The Political Economy of Internet Freedom. Urbana: U of Illinois, 2015. 71.

34. For tactics used to inflate the threat of the Iraq War, see Chaim Kaufmann, “Threat Inflation and the Failure of the Marketplace of Ideas: The Selling of the Iraq War.” Quarterly Journal: International Security, Vol. 29. No. 1. (Summer 2004): 5-48; Jane K. Cramer, “Sounding the Tocsin Redux: Persistent Patterns of Threat Inflation,” paper presented at the annual meeting of the International Studies Association, Montreal, Canada, March 2004; The Iraq War: Regime Change. Dir. Charlie Smith. 2013. BBC Documentary, available at http://www.dailymotion.com/video/x1ih8sc_the-iraq-war-regime-change-documentary-2013-bbc-saddam-s-weapons-of-mass-destruction-240p_news.

35. Jerry Brito and Tate Watkins, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." Harvard Law School National Security Journal 3 (2011): 39-84.

36. SFGate’s Alejandro Martínez-Cabrera reports in "McAfee Warns of Cold War-style Computer Attack” that McAfee Vice President of Threat Research, Dmitri Alperovitch, said “We believe we're seeing something a little like a cyber-Cold War.” See also Examining the Cyber Threat to Critical Infrastructure and the American Economy: Hearing before the Subcomm. on Cybersecurity, Infrastructure Protection, and Security Technologies of the Comm. on Homeland Security, 112th Cong. 1 (2011) (statement of Phyllis Schneck, Vice President and CTO, McAfee Corporation). For proof of contracting relationship, see Department of Homeland Security Awards McAfee With Enterprise Level Agreement Contract with Potential Value of $12 Million. 7 Aug. 2012. https://secure.mcafee.com/in/about/news/2012/q3/20120807-01.aspx.

Works Cited

Boyd, Aaron. “CYBERCOM Awards Spot on New $460M Cyber Operations Contract.” Federal Times. 23 May 2016. Web.

Brantly, Aaron F. The Decision to Attack: Military and Intelligence Cyber Decision-making. Athens: U of Georgia, 2016. Print.

Brantly, Aaron F. "Strategic Cyber Maneuver." Small Wars Journal. 17 Oct. 2015. Web.

Brito, Jerry, and Tate Watkins. "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." Harvard Law School National Security Journal 3 (2011): 39-84. Web.

Brito, Jerry, and Tate Watkins. "The Cybersecurity-Industrial Complex: The Feds Erect a Bureaucracy to Combat a Questionable Threat." Reason 43.4 (2011): 28. Web.

Budget in Brief Fiscal Year 2004, Department of Homeland Security. <https://www.dhs.gov/dhs-budget-brief-fiscal-year-2004>.

Carney, Timothy P. "Carney: The rise of the cybersecurity-industrial complex." Washington Examiner. Washington Examiner, 27 Apr. 2011. Web.

Cramer, Jane Kellet. “Sounding the Tocsin Redux: Persistent Patterns of Threat Inflation.” University of Oregon, March 2004.

Creekman, Daniel M. "Helpless America: An Examination of the Legal Options Available to the United States in Response to Varying Types of Cyber-Attacks from China." American University International Law Review 17.3 (2001-2002): 641-682.

"The Cybersecurity Market Report." Cybersecurity Ventures. 02 Dec. 2014. Web.

Department of Homeland Security Awards McAfee With Enterprise Level Agreement Contract with Potential Value of $12 Million. 7 Aug. 2012.

Etzioni, Amitai. "Cybersecurity in the private sector: the nations businesses manage a significant share of online activity related to national security and must play a larger role in ensuring the overall integrity of the system." Issues in Science and Technology 28.1 (2011): 58+. Academic OneFile.

Fulghum, David, Robert Wall, and Amy Butler. "Cyber-Combat's First Shot: Israel Shows Electronic Prowess." Aviation Week & Space Technology 167.21 (2007): 28-31. Web.

Geers, Kenneth. "The Challenge of Cyber Attack Deterrence." Computer Law and Security Review: The International Journal of Technology and Practice 26.3 (2010): 298-303.

Guinchard, Audrey. "Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy." Journal of Strategic Security 4.2 (2011): 84. Web.

Herzog, Stephen. "Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses." Journal of Strategic Security 4.2 (2011): 49-60.

The Iraq War: Regime Change. Dir. Charlie Smith. 2013. BBC Documentary, available at http://www.dailymotion.com/video/x1ih8sc_the-iraq-war-regime-change-documentary-2013-bbc-saddam-s-weapons-of-mass-destruction-240p_news.

Janczewski, Lech, and Andrew M. Colarik. Cyber Warfare and Cyber Terrorism. Hershey: Information Science Reference, 2008.

Junio, Timothy. "How Probable Is Cyber War? Bringing IR Theory Back In to the Cyber Conflict Debate." Journal of Strategic Studies 36.1 (2013): 125-33. Web.

Kaufmann, Chaim. “Threat Inflation and the Failure of the Marketplace of Ideas: The Selling of the Iraq War.” Quarterly Journal: International Security, Vol. 29. No. 1. (Summer 2004): 5-48.

Lee, Robert M. "The Interim Years of Cyberspace (Cyber Focus: Feature)." Air & Space Power Journal 27.1 (2013): 58-70.

Lewis, T. G. Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. Hoboken, NJ: Wiley-Interscience, 2006. Print.

Libicki, Martin C. Crisis and Escalation in Cyberspace. Project Air Force: Rand Corporation, 2012. Print.

Library of Congress. U.S. Govt. Web. Accessed 24 June 2017. https://www.congress.gov/search?searchResultViewType=expanded&q={%22source%22:%22legislation%22,%22search%22:%22cybersecurity%22,%22congress%22:[%22115%22,%22114%22]}&pageSort=dateOfIntroduction:asc.

Martínez-Cabrera, Alejandro. "McAfee Warns of Cold War-style Computer Attack." SFGate. Hearst Communications, 18 Nov. 2009. Web.

Mazanec, Brian M. The Evolution of Cyber War: International Norms for Emerging-technology Weapons. Lincoln, NE: U of Nebraska, 2015. Print.

McAfee. Department of Homeland Security Awards McAfee With Enterprise Level Agreement Contract with Potential Value of $12 Million. 7 Aug. 2012. Web.

Morgan, Steve. “The Cybersecurity Market Report: Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to 2021.” Cybersecurity Ventures. 17 Feb. 2017. Web.

Obama, Barack. “Barack Obama Executive Orders Subjects." National Archives and Records Administration. National Archives and Records Administration. Web. 07 June 2016. http://www.archives.gov/federal-register/executive-orders/obama-subjects.html.

O’Connell, Mary Ellen. "Cyber Security without Cyber War." Journal of Conflict and Security Law 17.2 (2012): 187-209. Web.

Panetta, Leon E. “Defending the Nation from Cyber Attack” (Business Executives for National Security. New York, NY. 11 October 2012.

Powers, Shawn M., and Michael Jablonski. The Real Cyber War: The Political Economy of Internet Freedom. Urbana: U of Illinois, 2015. Print.

Rid, Thomas. "Cyber War Will Not Take Place." Journal of Strategic Studies 35.1 (2012): 5-32.

Rosenzweig, Paul. Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World. Santa Barbara, CA: Praeger, 2013. Print.

Ross, Alec. "Want Job Security? Try Online Security." WIRED UK. WIRED UK, 22 May 2016. Web. 20 May 2017.

Shackelford, Scott J., and Richard B. Andres. "State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem." Georgetown Journal of International Law (Summer 2011): 971-1016. Academic OneFile.

Shepard, Daniel P., Jahshan A. Bhatti, and Todd E. Humphreys, "Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle. (AVIATION)." GPS World 23.8 (2012): 30-33.

Shorrock, Tim. Spies for Hire: The Secret World of Intelligence Outsourcing. New York: Simon & Schuster, 2008. Print.

Singel, Ryan. "White House Cyber Czar: ‘There Is No Cyberwar.’" WIRED. Conde Nast, 04 Mar. 2010. Web.

Singer, Peter W. Cybersecurity and Cyberwar: What Everybody Needs to Know. New York: Oxford U, 2013. Print.

Singer, Peter, and Noah Schachtman. "The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive." Brookings Institution. 15 Aug. 2011. Web.

Smith, Jessica Malekos. "Twilight Zone Conflicts: Employing Gray Tactics in Cyber Operations." Small Wars Journal. 27 Oct. 2016. Web.

Stone, Jeff. "Meet the Cyber-Industrial Complex: Private Contractors May Get $7B Windfall from Pentagon's Cyberwar on ISIS." International Business Times. Newsweek Media Group, 30 Mar. 2016. Web.

Stone, John. "Cyber War Will Take Place!" Journal of Strategic Studies 36.1 (2013): 101-08.

Talbot, David. "The Cyber Security Industrial Complex." MIT Technology Review. MIT Technology Review, 22 Oct. 2012. Web.

Trujillo, Clorinda. "The limits of cyberspace deterrence." Joint Force Quarterly (Oct. 2014): 43-52. Academic OneFile.

Trump, Donald. Debate. 1st Debate of the 2016 U.S. Presidential Election. Hofstra University. Hempstead, NY. 26 Sept. 2016.

United States. Congress. Senate. The Cybersecurity Partnership between the Private Sector and Our Government: Protecting Our National and Economic Security: Joint Hearing before the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs, United States Senate, One Hundred Thirteenth Congress, First Session, March 7, 2013. Washington: U.S. G.P.O., 2009. 53-54. Web.

United States. Congress. House. Examining the Cyber Threat to Critical Infrastructure and the American Economy: Hearing before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Twelfth Congress, First Session, March 16, 2011. Washington: U.S. G.P.O., 2012. 49-50. Web.

United States. Congress. House. Financial Management and Intergovernmental Relations: Cyber Terrorism and Critical Infrastructure Protection: Hearing before the Subcommittee on Government Efficiency, Committee on Government Reform, United States House of Representatives, One Hundred Seventh Congress, Second Session, July 24, 2002. https://www.gpo.gov/fdsys/pkg/CHRG-107hhrg87387/html/CHRG-107hhrg87387.htm.

United States. Congress. House. Securing the Modern Electric Grid from Physical and Cyber Attacks: Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Committee on Homeland Security, House of Representatives, One Hundred Eleventh Congress, First Session, July 21, 2009. Washington: U.S. G.P.O., 2009. 1-4. Web.

Valeriano, Brandon, and Ryan C. Maness. Cyber War versus Cyber Realities: Cyber Conflict in the International System. New York: Oxford UP, 2015. Print.

Ventre, Daniel. Cyberwar and Information Warfare. London: Wiley, 2012. Print.

The White House. "FACT Sheet: Cybersecurity National Action Plan." Press Release. The White House. 9 Feb. 2016, accessed 6 June 2016. https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.

About the Author(s)

Kenneth Mok currently works at the New York County District Attorney's Office. He earned a B.A. in Political Science and Economics from Northwestern University, and will be attending law school in 2018. He would like to thank Major (USAF) Jahara "FRANKY" Matisek for his guidance on this article.