GMU Debate [File Name]

***PRO SIDE***

GMU Debate [File Name]

Congressional Solutions Solve

GMU Debate [File Name]

Agency Cooperation
Interagency cooperation and deliberate planning key to cyber DoD needs authority and cooperation Carter et al. 12
[Colonel Rosemary M. Carter, USA, is a Communications Officer on the Army Staff. Colonel Brent Feick, USAF, is a Senior Policy Advisor for the Office of the Deputy Assistant Secretary of Defense for Homeland Defense and Americas Security Affairs, Inte gration, and Defense Support of Civil Authorities. Captain Roy C. Undersander, USN, is the Executive Officer of Naval Air Station Jacksonville, Florida. The authors collaborated on this article while attending the Joint and Combined Warfighting School at the Joint Forces Staff College. http://www.ndu.edu/press/offensive-cyber.html ]jap Operational Planning Larger than the targeting process is overall planning for an operation. Today, a limited understanding of the cyber domain artificially constrains military planners. Many planners perceive that DOD does not have authority to do offensive operations in the cyber domain. However, the real issue is that the authorities are not understood or delegated down. Joint force commanders need to develop integrated plans with offensive cyber operations to help shape policy and build a norm of authorities and rules of engagement for military cyber attack, but their planners do not know the domain well enough to develop these plans. The discussion becomes circular. Civilian policymakers want to know exactly what DOD intends to do and commanders perceive that they cannot do anything because they do not have the authority. With this, the value of the J5 Planning Directorate and deliberate plans come into play. The more fidelity joint force commanders can put into offensive cyber planning, the easier it will be to articulate potential new authorities with sufficient time to integrate them into the plan. Often, intelligence agencies will not be supportive of specific targets, citing a concern over loss of intelligence. However, this is a moot point at the planning stage, and planners should not let this, or the lack of authorities, defer their planning if the target will help meet an objective. It is better to have a plan available in times of crisis from which to have the intelligence gain/loss and legal discussions than to be caught with no options when the government is prepared to take action. Unique features of the cyber domain have encumbered deliberate cyber planning in the past. The following generic scenario demonstrates the methodology and the unique features. A planner determines that Effect A can be met either by dropping a joint direct attack munition on Target 1, a building, or by conducting a cyber attack on Target 2, a router. In both cases, the planner uses intelligence to link the target to the effect, determine access, pick the appropriate capability, and maintain the target in the joint target list. However, it typically takes much more intelligence preparation to develop Target 2 because our culture is so focused on geographic targets that it takes an extra level of intellectual energy to broaden the aperture. If the planner can obtain imagery of Target 1, then it is simply easier for a weaponeer to plan for a kinetic solution and hold that target at risk. In determining access, we see the second difference. Access to Target 1 may constitute a bomber flying through or avoiding a surface-toair missile threat. This is a well-understood problem and is addressed by the tactical force. In the case of Target 2, access must be established through the cyber domain by cyber operators, who are limited. To do this, the command requires cyber OPE or exploitation authorities as discussed. This is often where targeting in the cyber domain stops due to limited NSA resources and competition with national priorities. If Service cyber components were conducting cyber preparation of the environment under Title 10 at the joint force commander's direction, many of these issues would be resolved. As it is, these differences add up to a longer time-line to develop the target. The third difference is the capability itself. The United States has a finite number of types of kinetic weapons to attack physical targets. Using the right combination and number of weapons, and based on experience, it is easy to quantify the level of damage that these weapons inflict, which aids in the decisionmaking process. By contrast, cyber weapons are customized for each target, which makes it difficult for decisionmakers to use experience to visualize the mode of attack and its effects. Many cyber weapons are also based on specific software versions, so if the version changes, the weapon may no longer be effective. The fourth and most significant difference is maintaining the target, the process in which the intelligence and planning teams routinely review the intelligence and endstates to ensure that the target still meets the desired effects and nothing has changed that requires new weaponeering. This is a common task for any target on the joint target list; the difference is the volatility of the cyber target. In the case of Target 1, a planner may go 1 or 2 years between conducting maintenance. The structure of the building rarely changes and it will not move. However, Target 2 may receive a software upgrade 3 months after identification that makes the weapon developed for it obsolete. As a result, if the planner is serious about holding this target at risk, the maintenance cycle must speed up significantly. In a Joint Force Quarterly article, Major General Brett Williams, USAF, stated that "our understanding of nonkinetic effects in cyberspace is immature." (16) This is a fair statement and frankly one of the biggest barriers for decisionmakers who grew up waging kinetic war. Our country is currently more willing to drop a bomb on an adversary than break his computer, which stems from two issues. First, as discussed earlier, the Nation is concerned about escalation without set standards. Second, decisionmakers are not likely to experiment with a cyber attack when lives are on the line and collateral damage is not well known. Until DOD makes the cyber attack option as

GMU Debate [File Name] tangible for a decisionmaker as dropping munitions, and can prove it will meet or exceed the effect of a kinetic option without catastrophic collateral effects, the decisionmaker will choose the kinetic option every time. To remedy this, planners must develop highfidelity cyber attack options that are part of an integrated solution and can be tested on ranges prior to execution. This will allow the cyber community to establish a historical database to provide the confidence and statistical data required for decisionmakers to choose the nonkinetic options. To summarize deliberate planning, the primary reason that some organizations push back on cyber planning to this level of detail is the increased level of effort to develop the target and the volatility of the target. However, if joint force commanders want to normalize cyber attack and have a reasonable expectation of successfully executing it as a part of combined fires, deliberate planning is a must. Likewise, cyber operators need to embrace this concept as well lest they become irrelevant, especially when effects cannot be brought to bear where and when they are needed for the commander. (17) Finally, if a computer network attack is not planned for standalone delivery, the capabilities must be synchronized with the other capabilities brought to bear by the joint force commander. U.S. Strategic Command (USSTRATCOM) is responsible for or is assigned many of the nonkinetic capabilities in DOD, and its planners must work alongside joint force planners to provide the commander the most successful attack options and courses of action. This effort must include USCYBERCOM, a subunified command under USSTRATCOM that is assigned DOD cyber forces. During the integration process, joint force planners must develop an appreciation for the synergies between USCYBERCOM and the other components of USSTRATCOM. Additionally, because cyber attacks may have global implications as well as the intended regional effects, it is imperative that these options also be vetted collectively through the DOD and interagency communities. This is a coordinating task that must be completed by U.S. Strategic Command. USSTRATCOM's Joint Functional Component Command-Global Strike started a model for this, but it is immature and requires refinement and expansion. As military professionals, we have recognized the need to work closely with interagency partners to fully achieve desired endstates and ultimately the national strategy. Cyber warfare is no different and may be one of the most compelling reasons for interagency cooperation because agencies outside of DOD have authorities in the cyber domain and may have interest or even cyber attack options developed for a particular target. These tasks must be normalized into the joint interagency coordination group process to become a force multiplier for DOD.

Integrating OCO into military frameworks is key to effective use OCO inevitable, its just a question of whether we are doing it right Carter et al. 12
[Colonel Rosemary M. Carter, USA, is a Communications Officer on the Army Staff. Colonel Brent Feick, USAF, is a Senior Policy Advisor for the Office of the Deputy Assistant Secretary of Defense for Homeland Defense and Americas Security Affairs, Inte gration, and Defense Support of Civil Authorities. Captain Roy C. Undersander, USN, is the Executive Officer of Naval Air Station Jacksonville, Florida. The authors collaborated on this article while attending the Joint and Combined Warfighting School at the Joint Forces Staff College. http://www.ndu.edu/press/offensive-cyber.html ]jap All future U.S. military operations will include the cyber domain. Cyber is where we coordinate joint functions and control weapons systems. We must operate securely across the cyber domain and commanders must protect it. Of equal importance is our ability to operate offensively within this domain to ensure dominance, restrict the offensive cyber capabilities of the adversary, and leverage cyber as a force multiplier. With new fiscal constraints on the horizon, our ability to adapt and make the best use of these cyber capabilities is even more important. Offensive cyber operations must be integrated into the joint force commander's plan, and his planning and executing staffs must understand the desired effects. As cyber domain doctrine matures, there is an opportunity to correct current deficiencies in an integrated approach through deliberate planning and the targeting cycle. This will inform U.S. policymakers and allow for new language in key policies, laws, and treaties. The United States must act quickly because the clock is ticking and the adversary is learning. Offensive cyber--it's not that different.

Agency oversight key to cybersecurity Nielson 2012

[Army Lieutenant Colonel SUZANNE C. NIELSEN is an associate professor in the Department of Social Sciences at the U.S. Military Academy at West Point. She is responsible for the International Relations Program and teaches courses in international relations and national security. Pursuing Security in Cyberspace: Strategic and Organizational Challenges, Foreign Policy Research Ins, Elsevier Ltd, Summer 2012, Epsco ]jap When thinking about what the U.S. government should do to enhance cybersecurity, it is important to acknowledge that many central issues remain unsettled. For example, it is reasonable to assume that Americans expect their privacy rights and civil liberties to be protected. However, it is less clear what Americans expect in terms of protection from their government. In Cyber War, Clarke and Knake recount conversations with corporate leaders in which these corporate leaders share their view that it is their responsibility to invest sufficiently in security to prevent cyber crime, but that if the attackers are foreign states, they expect protection from the United States government.40 If these expectations are reasonable, than some entity or agency in the U.S. government must have this role and must also have the capabilities and capacity needed to play it successfully.

GMU Debate [File Name]

Interagency cooperation key to cyber operations keeps Presidential action in check and allows for more effective cyber actions Nielson 2012
[Army Lieutenant Colonel SUZANNE C. NIELSEN is an associate professor in the Department of Social Sciences at the U.S. Military Academy at West Point. She is responsible for the International Relations Program and teaches courses in international relations and national security. Pursuing Security in Cyberspace: Strategic and Organizational Challenges, Foreign Policy Research Ins , Elsevier Ltd, Summer 2012, Epsco ]jap In addition to these strategic challenges, there are also significant organizational challenges. First and foremost, there is the question of how to execute a whole-of-government approach to cybersecurity in the absence of centralized direction and control. As summarized by the CSIS Commission on Cybersecurity for the 44th Presidency, a voluntary disaggregated approach based on information sharing and public-private partnership remains the center of cybersecurity policy.54 While the position of Cyber Security Coordinator and Special Assistant to the President exists, this office does not have formal levers of either budgetary or personnel authorities that extend across or into executive branch departments and agencies to enable the coherent and timely implementation of the Presidents priorities. While the responsibilities of this office are great, the authorities are very limited. In the absence of strong, centralized direction, the challenge becomes one of interagency cooperation and the alignment of capabilities and responsibilities. It is to be expected that this will be a difficult and slow process and it is not clear whether a decentralized process will even be able to produce an acceptable level of security. As James Q. Wilson pointed out in his classic work Bureaucracy, the executives of government departments and agencies have incentives to preserve their autonomy, stake out and protect turf, and avoid cooperative action.55 However, cybersecurity is a challenge that intrinsically requires interagency cooperation as well as public-private partnerships. Shared situational awareness, dynamic defense, and acting rapidly will require robust working relationships among the DHS, DoD, FBI, Department of Treasury, and others. In addition to interagency challenges, there are also challenges associated with achieving robust cooperation across the public-private divide. A July 2010 Government Accountability Office report found that public-private partnerships in the cyber realm have consistently failed to meet the expectations of either party.56 As an added complication, most of the governments cyber capability is currently in the DoD but DHS has significant responsibilities. There has been progress in building cooperation between these two executive departments, to include a memorandum of agreement signed by the secretaries. However, given the relatively recent nature of this accord, it is likely that efforts to realize its potential are still ongoing.57

Should have Congressional oversight Brecher 2012

[Aaron P. Brecher received the Howard B. Coblentz Prize An award presented for outstanding contributions by members of the senior editorial staff of the Michigan Law Review. Cyberattacks and the covert action statute: toward a domestic legal framework for offensive cyberoperations, Michigan Law Review 111.3 (Dec 2012): 423 -452, Proquest ]jap Cyberattacks are capable of penetrating and disabling vital national infrastructure, causing catastrophic economic harms, and approximating the effects of war, all from remote locations and without the use of conventional weapons. They can be nearly impossible to attribute definitively to their sources and require relatively few resources to launch. The United States is vulnerable to cyberattacks but also uniquely capable of carrying out cyberattacks of its own. To do so effectively, the United States requires a legal regime that is well suited to cyberattacks' unique attributes and that preserves executive discretion while inducing the executive branch to coordinate with Congress. The trouble is that it is unclear which domestic legal framework should govern these attacks. The military and intelligence communities have disputed which of their respective legal regimes should control. The choice between these frameworks raises important issues about the policy benefits of the executive branch keeping Congress informed regarding cyberattacks that it conducts. It also raises constitutional questions about the branches' respective roles in warmaking when the chosen course of conduct blurs the line between an intelligence operation and an act of war. This Note argues that, in the absence of an independent congressional authorization to use force against a target, the covert action statute, which demands written reports from the president to the congressional intelligence committees in advance of operations, should presumptively govern, and that the president should issue an executive order to that effect.

GMU Debate [File Name]

Legal framework
Declared policy for cyber operations framework is key to effective US cyber need legislative statutes in place Carter et al. 12
[Colonel Rosemary M. Carter, USA, is a Communications Officer on the Army Staff. Colonel Brent Feick, USAF, is a Senior Policy Advisor for the Office of the Deputy Assistant Secretary of Defense for Homeland Defense and Americas Security Affairs, Inte gration, and Defense Support of Civil Authorities. Captain Roy C. Undersander, USN, is the Executive Officer of Naval Air Station Jacksonville, Florida. The authors collaborated on this article while attending the Joint and Combined Warfighting School at the Joint Forces Staff College. http://www.ndu.edu/press/offensive-cyber.html ]jap U.S. policy, authorities, and doctrine for military operations in the cyber domain are not mature. The International Strategy for Cyberspace (6) (May 2011) and the Department of Defense (DOD) Strategy for Operating in Cyberspace (7) (July 2011) are a start, but both documents focus almost entirely on cyber defense. While this is an important aspect, it leaves the Armed Forces in a state of flux with regard to integrating offensive capability. As is to be expected, conduct of cyber attacks is a sensitive issue. International organizations such as North Atlantic Treaty Organization (NATO) Watch advocate for a ban on offensive cyber operations altogether because the domain is so pervasive that offensive operations could quickly escalate beyond the intended virtual boundaries with devastating global impact. (8) Cyber activity is also being addressed through international anticrime channels, (9) but care must be given to provide separate and distinct definitions for acts of crime as opposed to acts of war. Without international rules, some countries have started to set precedent by their actions, demonstrating ethics that differ from ours. Standards of conduct for cyber warfare similar to those for other aspects of war are required. The United States should draft a declaratory policy that establishes lines we do not intend to cross in the cyber domain and that we expect an adversary to adhere to as well. The U.S. Code is another source of guidance for DOD. The authorities of Title 10, The Armed Forces, and Title 50, War and National Defense, were established prior to the existence of the concept of cyberspace, so translating them to the cyber domain is extremely complex and not yet fully deconflicted. For example, under Title 10, a joint force commander is authorized to collect intelligence on an adversary for operational preparation of the environment (OPE). In the cyber domain, this task becomes mired in law because the same capability used to exploit is also used to attack, and there is no way to demonstrate intent within the effects of the task. (10) Because of the legal concerns, collection to date is done under Title 50 authorities, which severely limit military capacity and compel a centralized approach to these types of intelligence. If Service cyber components were allowed to conduct OPE on behalf of the joint force command for targeting, offensive cyber options could be much more integrated and timely. As it is, joint force planning staffs routinely lose national-level support due to higher priority tasking from the National Intelligence Priority Framework. Agencies supporting national tasking are highly skilled but have limited resources; hence, they do not have excess capacity to meet DOD requirements. Section 954 of the National Defense Authorization Act for Fiscal Year 2012 (11) starts to address DOD authorities for offensive cyber operations, but it is vague enough that debates over Titles 10 and 50 will still occur. Its lack of clarity indicates that the thinking of policy-makers and lawmakers is still too traditional for this newest domain.

Definitive legal framework is key to effective and coherent cyber operations policy potential for war without boundaries places the US at too much risk Brust 2012
[Richard Brust, an assistant managing editor, joined the ABA Journal staff in 1997. He had worked as an editor at The Legal Intelligencer, The National Law Journal, The Morning Call, The Times Herald, and as a copy editor at the Philadelphia Daily News. He is a LL.M. candidate at The John Marshall Law School and holds a J.D. from Temple University School of Law. He earned a B.S. in biology at Brown University. Computer warfare looms as the next big conflict in international law, American Bar Association Journal, May 2012, lexis ]jap
And, as with earlier developments of powerful and unimagined weaponry, experts are debating how best to master digital domination and defense, and how to make cyberwar accord with international law. One debate focuses on whether the U.S. should learn the practicalities of winning a cyberwar--and then ask lawyers for their input--or, instead, set the legal ground rules before conducting cyberwarfare . The debate is among several featured in the upcoming book Patriots Debate: Contemporary Issues in National Security Law, sponsored by the American Bar Association's Standing Committee on Law and National Security. The book, featuring essays from experts in various fields of national security, is expected to be published this spring. The committee invited Washington, D.C., attorney Stewart A. Baker, who argues that policymakers and military planners should develop a strategy for dealing with cyberwar before allowing lawyers to set up guidelines and restrictions. "Once we have a strategy for winning a cyberwar, we can ask the lawyers for their thoughts. We can't do it the other way," writes Baker, a partner at Steptoe & Johnson in D.C. and former assistant secretary for policy and technology at the Department of Homeland Security. "The lesson for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed." But Charles J. Dunlap Jr., a former U.S. Air Force judge advocate general, argues that "military commanders have seen the no-legal-limits movie before, and they do not like it." Dunlap, a retired major general who teaches at Duke University School of Law, was also invited by the committee to pose his argument: That laws can both guide military operations effectively and help them avoid disaster. "Experience shows that following the law is actually what works in war , not ignoring its limits," Dunlap says. "It is a very practical, pragmatic way to avoid catastrophes like Abu Ghraib and other incidents that are so tremendously destructive to mission success. Illegalities, such as the recent murders in Afghanistan, carry the potential to unravel the entire effort there." To Baker, however,

GMU Debate [File Name]

lawyers have become so involved in military planning that it's hard to know where legal ideas end and war strategy begins. "Lawyers across the government have raised so many showstopping legal questions about cyberwar that they've left our military unable to fight, or even plan for, a war in cyberspace." Over the last 60 years, the U.S. has fought "relatively low-stakes limited wars to win the hearts and minds" of our allies, Baker says in a telephone interview. The government has embedded lawyers deep within the military and intelligence system, overseeing every strategic move and weapon purchase. What have emerged are turf fights among government lawyers over which branch oversees which action and how involved the U.S. should become. "There are a whole bunch of people who want to create limits on fighting because they want a different outcome," he says. "So there's an ideological battle within the war itself." The resulting documents are overly broad, with vague wording and little policy direction. For example, last year the federal government published at least three statements: the White House's International Strategy for Cyberspace, issued in May; the Department of Defense'sStrategy for Operating in Cyberspace in July; and the DOD's Cyberspace Policy Report to Congress in November. The latter document deals generally with maintaining a deterrent policy, the difficulty of finding the digital attacker, managing escalation, engaging allies, transporting cyberweapons, and assessing how the War Powers Act complies with a counterattack to a digital confrontation. But, Baker says, it lacks a plan of action. "If you don't have a single person like the president demanding a plausible plan, what you tend to get is everyone coming around the table protecting their roles," Baker says. "They end up with a bunch of abstract papers, none of which produces a workable plan." Lawyer control abounds in the Legal Reviews of Weapons and Cyber Capabilities, issued in July by the U.S. Air Force JAG office. Among its stipulations is that the office will ensure that each weapon or "cybercapability" is reviewed under the law of armed conflict, domestic law and other international laws. Baker writes in his Patriots Debate essay that the Air Force "surrendered to its own lawyers, allowing them to order that all cyberweapons be reviewed for 'legality' ... before cyberwar capabilities are even acquired." The U.S. has responded to cyberwarfare, Baker adds, "with an outpouring, not of technology or strategy, but of law review articles, legal opinions and legal restrictions." REALITY CHECK IT ISN'T LIKE THE U.S. HAS NEVER BEEN THERE before. The development of airpower in the 1930s presaged a future of massive bombing and tactical dogfights. While the British were "realists about air war," Baker says, the "American tool of choice was international law." President Franklin D. Roosevelt at first pressed the legal response. He had a good case, says Baker. The Hague Conventions, among other early 20th century treaties, cautioned against harm to civilians as well as to "edifices devoted to religion, art, science and charity." "It began to look like a great victory for the international law of war," Baker says. We know what happened: the Nazi blitzkrieg of Europe, the Luftwaffe's bombing of London, the Japanese attack on Pearl Harbor. Instead of legalisms, Baker says, we need an offensive strategy that may deter cyberspace adversaries, and a defense that imposes a "resilience and redundancy into our infrastructure." Cyberwar is a reality, Baker says in his essay: "Cyberweapons went mainstream when the developers of Stuxnet sabotaged [Iran], proving that computer network attacks can be more effective than 500-pound bombs. In war, weapons that work get used again." But adherence to the law isn't some extravagant notion, Dunlap replies. The law adds legitimacy, "a practical, hard-nosed necessity for success in contemporary military operations." To do otherwise "would deprive the U.S. of the international cooperation that countering a cyberthreat ( especially) absolutely requires." One issue lawyers face, Dunlap says, is communicating to technology experts--educated in the exact sciences of math and physics--about the subjective nature of decision-making. "Too often," he writes, "it seems as if cyberstrategists, schooled in the explicit verities of science, expect a level of assurance in legal matters rivaling mathematical equations. All law, but especially [the law of armed conflict], necessarily involves subjectivity in human reasoning that may be troubling to those of a technical mindset accustomed to the precision that their academic discipline so often grants ." While Dunlap stands up for legal guidance, he stresses that deciding whether to go to war is not an issue for lawyers. Instead, it is for policy- and decision-makers to discern. An act of war "is a political phrase, not a legal term," he says in a 2011 law review article, "Perspectives for Cyber Strategists on Law for Cyberwar." "The real difficulty with respect to the law and cyberwar is not any lack of 'law,' per se," Dunlap writes in the article, "but rather in the complexities that arise in determining the necessary facts which must be applied to the law to render legal judgments ." Nevertheless, Dunlap notes, "many observers believe the need for a new legal regime designed for cyberwar is urgent." For example, technology expert Bruce Schneier suggests a "cybertreaty" that would "stipulate a no-first-use policy, outlaw unaimed weapons or mandate weapons that self-destruct at the end of hostilities." Some experts, Dunlap writes, prefer an "effects-based" decision on a cyberincident to determine whether it "equates to" an armed attack . The more damage that a digital attack can cause, the closer the nation gets to declaring legitimate war. Use of force can be considered as part of a continuum, says U.S. Navy JAG Cmdr. Todd Huntley, with armed attacks leading to a right to self-defense on one end, and "coercive but permissible acts," such as disruption of transportation and communications, on the other. "Modern warfare," he writes in a 2010 law review article, "Controlling the Use of Force in Cyber Space: The Application of the Law of Armed Conflict During a Time of Fundamental Change in the Nature of Warfare," "... is beginning to move away from this 20th century paradigm and is becoming more 'effects-based.' That is, military thinking is beginning to move away from the focus on tools/weapons and [toward] thinking about consequences and how to achieve those which are desired." In his 2011 article, former JAG Dunlap also cites Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College. Schmitt writes that the "essence of an 'armed' operation is the causation, or risk thereof, of

death or injury to persons, or damage or destruction of property and other tangible objects."

Legal frameworks key to effective cyber engagement Nielsen 2012

[Army Lieutenant Colonel SUZANNE C. NIELSEN is an associate professor in the Department of Social Sciences at the U.S. Military Academy at West Point. She is responsible for the International Relations Program and teaches courses in international relations and national security. Pursuing Security in Cyberspace: Strategic and Organizational Challenges, Foreign Policy Research Ins, Elsevier Ltd, Summer 2012, Epsco ]jap A third and related requirement, tied to the speed at which activities occur in cyberspace, is for rapid action. As former Deputy Secretary of Defense Lynn explained, ideally a defender wants to block an attack or somehow frustrate it before it even arrives.45 To illuminate the challenge, it was mentioned above that the Slammer worm spread so rapidly in January 2003 that there was no time for human intervention to significantly impede its progress. To counter malware of this nature may require new rules of engagement. As explained by General Alexander, You need autonomous decision logic that's based on the rule of law, the legal framework, to let network defenders know what they are allowed to do in the networks defense.46 As argued by former DNI Blair, We cannot afford to discover successful cyber intrusions after-the-fact, accept disastrous losses, and then seek merely to contain them.47

International legal frameworks are key to cyber space norm building Nielson 2012
[Army Lieutenant Colonel SUZANNE C. NIELSEN is an associate professor in the Department of Social Sciences at the U.S. Military Academy at West Point. She is responsible for the International Relations Program and teaches courses in international relations and

GMU Debate [File Name] national security. Pursuing Security in Cyberspace: Strategic and Organizational Challenges, Foreign Policy Research Ins, Elsevier Ltd, Summer 2012, Epsco ]jap Having laid out the characteristics of an effective approach to cybersecurity, there are certainly technical challenges to be addressed. However, an underlying premise of the discussion here is that the technical challengesas significant as they may bewill probably not be as difficult to overcome as those that are nontechnical in nature. There are significant challenges, for example, to realizing a security posture with the characteristics articulated in the previous section in the realms of U.S. policy and U.S. law. In addition, there are strategic and organizational challenges. This section will focus on the latter. Though far from comprehensive, the discussion here will help to illuminate some of the central issues that must be addressed if Americas interests are to be protected better in cyberspace. Turning first to strategic challenges, it has become commonplace for national security specialists to note that important security challenges in the current era should be met with a whole of government approach that brings to bear all instruments of power: diplomatic, informational, military, and economic. Since 2001 and the rise of terrorism as a significant U.S. national security challenge, financial, intelligence, and law enforcement means have sometimes been added to this list. In the cyber realm, much remains to be done in thinking through how the various instruments of national power can be employed together to achieve national goals. Some of the strategic challenges that lie ahead can be illuminated through an examination of diplomacy. Under Secretary of State Hillary Clintons leadership, the U.S. State Department has been active in the cyber realm. In February of 2011, Secretary Clinton announced the creation of an Office of the Coordinator for Cyber issues, which has since been stood up. In addition, the United States has already enjoyed some diplomatic successes. These include the U.S. decision to become a party to the Council of Europe Convention on Cybercrime and the U.S. partnership with NATO in the alliances decision to put cybersecurity at the forefront of its emerging security agenda. Despite these steps forward, many fundamental questions still remain regarding the use of diplomacy to enhance cybersecurity. One question is whether arms control negotiations and treaties will be useful in enhancing cybersecurity. The challenges involved would be complex, to say the least, with key issues being incentives to cheat and the difficulties in identifying violators given the frequent lack of ability to attribute actions to their perpetrators in cyberspace.51 However, there are also many who believe that it would be useful now to at least begin an international dialogue on international norms to provide some framework for guiding state behavior in cyberspace. From the perspective of the U.S. government, participation in such talks would need to be preceded by interagency discussions within the United States to agree on the norms that the country would like to see hold sway internationally.

GMU Debate [File Name]

Modeling
US cyber policy creates norms will be modeled Belk and Noyes 12
[Robert and Matthew, Robert is, studying international and global affairs at the Harvard Kennedy School.. Following graduation, he is scheduled to report to the Naval Operations staff in the Pentagon to develop and execute Navy network and cybersecurity policy, Matthew studies international security policy and is a senior associate with the cybersecurity practice at Good Harbor Consulting.. He has a degree in Computer Science and Applied Computational Mathematics from the University of Washington. On the Use of Offensive Cyber Capabilities A Policy Analysis on Offensive US Cyber Policy, http://belfercenter.ksg.harvard.edu/files/cybersecurity-pae-belk-noyes.pdf, Accessed 9-1-13]jap-lkm

The NRC report rightly observes that U.S. cyber operations have the potential to interfere with similar operations of our allied nations. 136 When considering the damaging effects of cyber force, the U.S. should liaise with allied nations to discuss possible conflict with their cyber operations. There are myriad ways in which U.S. cyber operations could affect those of our allies, but what is critical here is the recognition that, particularly with cyber force, the U.S. should deconflict with friendly nations operating on the systems the U.S. plans to exploit. Also, because cyberspace is a rapidly developing domain, there is great potential for norm-setting. Psychologically, there are various reasons for conforming to a particular conduct, and unanimity of action is one of the more potent methods of strengthening conformity. 137 Thus, it would benefit the U.S. to support the conduct it would wish to become the norm. That is, if the U.S. has an interest, as it likely does, in restricting the use of cyber force internationally, then it should seek to adhere to this standard.

U.S. defense department plan boosts relations; other nations to follow exchange between government and industry Adhikari 11
(Richard Adhikari is a staff writer at TechNewsWorld, DoD Talks Up Plans to Deploy Cybercommandos, February 16, 2011, http://www.technewsworld.com/story/71872.html, Last Accessed 8/30/13) ELJ

The United States will leverage IT know-how among members of the National Guard and the nation's military reserves by increasing the number of units that have dedicated cybermissions, U.S. Deputy Defense Secretary William Lynn announced Tuesday. Government efforts alone can't fend off cyberattackers, and stronger cooperation with the private sector is crucial, said Lynn, who was speaking at the RSA 2011 security conference in San Francisco. To that end, the Department of Defense is strengthening ties with the private sector. This includes extending cybersecurity to selected networks, closer cooperation with telecommunications carriers and expansion of a program in which cybersecurity personnel are swapped between the government and the cybersecurity industry. Lynn also announced that the DoD will spend US$500 million on research into encryption and other high-tech areas. Chronicling the Cyberthreat "In the cyber domain, soldiers are not the only ones on the front lines; scientists and innovators are there, too," Lynn told his audience. Cyberthreats continues to mature, beginning with exploitation of networks, then moving on to degradation of networks in attacks like the DDoS attacks against Estonia and Georgia in 2007 and 2008, respectively, as well as the hacker group Anonymous' attacks against eBay and PayPal last December, Lynn stated. The next phase in the evolution of cyberthreats is destruction, where online tools are used to cause actual physical damage, Lynn said. "When you look at the cybertools already available, it's clear this threat already exists," he added. While it's possible that destructive cyberattacks will never be launched, "few weapons in the history of warfare, once created, have gone unused," he remarked. The U.S. Defense Department has therefore adopted a new strategy that recognizes "we're in the midst of this strategic shift in cyberthreat, moving up from exploitation to disruption and eventually destruction," Lynn said. The greatest danger comes from terrorist groups, which can create their own tools or purchase them. "With few tangible assets to lose in a confrontation, terrorist groups are difficult to deter," Lynn said. "We have to assume that, if they have the means to strike, they will do so."The Defense Department has adopted a strategy dubbed "Cyber 3.0." It has five pillars. First, the military recognizes cyberspace as a sphere of operations. This means it needs to organize, train and equip forces to perform cybermissions -- think of them as cybercommandos. Second, the military has equipped its networks with active defenses. Third, the Department of Homeland Security is working to ensure that the United States' critical infrastructure is protected. Military cybercapabilities will be made available to the civilian authorities to protect civilian infrastructure. Fourth, the U.S. is building cooperative defenses with its allies. Fifth, it's marshaling the nation's technological and human resources to ensure it maintains its preeminence in cyberspace . In addition, Lynn announced a program to increase the number of National Guard and armed forces reserve units that have a dedicated cybermission. The DoD and Department

of Homeland

Security are also working with telecommunications providers, who have "unparalleled visibility into global networks," Lynn said. Lynn also announced the DoD's plans to expand the information technology exchange program, under which cybersecurity personnel are exchanged between the government and industry. Overkill Is a Myth. If anything, Lynn may be understating the problem the United States faces. "We have wasted almost three decades with little thought given to secure computing," Randy Abrams, director of technical education at ESET, told TechNewsWorld. "Functionality has always trumped security, and so a plethora of insecure products was created. We're still repeating mistakes with things like smart meters lacking basic security protections," he said, referring to electrical meters with advanced recording and reporting capabilities. "We're dealing with an infrastructure that wasn't intended to support the level and complexity of traffic it serves today," Charles King, principal at Pund-IT, told TechNewsWorld. "Security professionals will continue to play catch-up until the infrastructure is replaced," King added. However, the infrastructure is only part of the problem; another part is that

GMU Debate [File Name] "creative individuals and groups will always be able to move more quickly than governmental agencies," King said. "It's in the nature of the beast." That lack of speed is one of the problems the government seeks to tackle with the establishment of cybercommandos and with stronger cooperation between the private and public structures. "It takes the Pentagon 81 months to introduce a new system; the iPhone was developed in 24 months," Lynn said. "That's the same amount of time it takes for us to prepare and approve a new budget. We have to close this gap, and Silicon Valley can help us," he added.

GMU Debate [File Name]

Signal
NFU sends signal that nuclear weapons are not necessary Laird 09[Burgess Laird, a national security analyst in the Washington, D.C. area ,JULY 21, 2009, A Guide to the Challenges Facing
President Obama's Nuclear Abolition Agenda, Carnegie Council, http://www.carnegiecouncil.org/publications/articles_papers_reports/0025.html assessed August 30, 13 LMM] Advocates of no first use maintain that the U.S. adoption of a no first use policy would improve global security and stability here and now, not in some distant time by further reducing the salience of nuclear weapons in U.S. security policy, and further underscoring our commitment to our Article VI disarmament pledge. In so doing, a no first use policy would positively influence the nuclear doctrines and postures of other nuclear weapons states and strengthen international nuclear norms against the acquisition, production, and use of nuclear weapons, and thereby, bolster non-proliferation efforts. At the very least, there would appear to be more than sufficient grounds for the Obama Administration to undertake a careful net assessment of the costs and benefits of adopting a no first use declaratory policy. The Administration's Nuclear Posture Review, now underway in the Pentagon, provides an ideal setting for such an analysis.

NFU helps prevent cyber attacks Caplan 2013[Nathalie Caplan, Conflict Management and Resolution Graduate Program University of North Carolina Wilmington,
2013, Cyber War: the Challenge to National Security, Global Security Studies, Volume 4, Issue 1, http://globalsecuritystudies.com/Caplan%20Cyber.pdf assessed August 30, 13 LMM] Another vital element to the U.S. cyber security strategy is the Defense Advanced Research Projects Agencys (DARPAs) National Cyber Range Project.83 Fulghum illustrates, The Cyber Range is an air-gapped network, with no physical connections to the outside world, with servers that can simulate corporate and government networks. The idea is to insert malware into representative networks without the risk of contaminating real systems. The malware could be found on the Internet or developed by the Pentagon's or industry's own white hat operators, who would probe network weaknesses in order to fix them.84 This program is expected to be operational in late- 2012. Despite recent efforts to bolster the U.S. cyber security strategy, experts argue more actions need to be taken to effectively protect the United States from cyber attack. Richard Clarke offers a defensive strategy known as the Defensive Triad. He argues the Triad stops malware on the Internet at the backbone ISPs, hardens the controls of the electric grid, and increases the security of the Defense Departments networks and the integrity of its weapons.85 Moreover, he offers some additional suggestions, including instituting a no-first-use agreement, aimed at preventing cyber attacks from starting wars, while not limiting their use within existing conflicts.86 Another option is to issue a unilateral declaration that precludes the use of cyber weapons against civilian targets. A third possibility suggested by the author is to sign international accords preventing cyber attacks on the international financial system. However, Clarke notes that the value of international agreements depends on the ability to detect violations and assign blame.

NFU solves confrontation between US and China Ramo 2013[Joshua Cooper Ramo ,vice chairman of an international consulting firm in New York and the author of The Age of the
Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It., July 9, 2013, Talking Cybe rthreat With China, The New York Times, http://www.nytimes.com/2013/07/10/opinion/global/talking-cyberthreat-with-china.html assessed August 30, 13 LMM] Finally, the two sides could examine what concepts such as no first use could mean in a cyberenvironment . In particular, the United States should lead an effort to create a framework that, like the Nuclear Nonproliferation Treaty, would offer benefits to countries that sign up. In any event, this should be a part of Americas new strategy for a network age. China is a good place to start. The best hope for avoiding a confrontation between rising and established powers is to be creative in developing fresh institutions. We live, after all, in a revolutionary age. The challenge the United States and China face together is not only the interoperability of two great nations. It is the future interoperability of man and machine.

NFU could prohibit cyber attacks against civilian infrastructure Schneier 2012[Bruce Schneier , is an internationally renowned security technologist and author. His latest book is Liars and Outliers:
Enabling the Trust that Society Needs to, June 8, 2012,An International Cyberwar Treaty Is the Only Way to Stem the Threat, U.S. News http://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/an-international-cyberwar-treaty-isthe-only-way-to-stem-the-threat assessed August 30, 13 LMM] Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar. The cyberwar arms race is destabilizing. International cooperation and treaties are the only way to reverse this. Banning cyberweapons entirely is a good goal, but almost certainly unachievable. More likely are treaties that stipulate a no-first-use policy, outlaw unaimed or broadly targeted weapons, and mandate

GMU Debate [File Name] weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. We could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits.

SQ deterrence doctrine does nothing to stop cyber threats and leaves us wide open NFU needed Brecht 09 [Lyle A Brecht, National Cyber Systems Infrastructure Security Review, September 24, 2011,The Strategic Elements of
Cyber Warfare, Scribd.com, http://www.scribd.com/doc/57767711/The-Strategic-Elements-of-Cyber-Warfare assessed August 30, 13 LMM] With cyber weapons, there presently is no countervailing strategic game doctrine for Deterrence Doc- trine, like MAD (mutual assured destruction), that has the potential to actually deter First Use. The notion that the doctrine of nuclear deterrence can be retrofitted and used to deter cyber attacks is absurd. Because Deterrence Doctrine threats can be initiated easily by privatized transnational groups, without the knowledge of national governments by rogue elements within the state, and the originating location of the attack readily masked and even transposed to a predetermined DNS, the threat of nuclear armageddon in response appears both unwarranted and unproductive.

More diplomacy between US and China solves possible cyber - attacks Global Security Newswire 2013[Global Security Newswire, produced by National Journal Group, offers daily news updates about
nuclear, biological and chemical weapons, terrorism and related issues ,June 17, 2013,Ex-White House Advisers Discourage Nuke Threats Against Cyber Attacks, NTI, http://www.nti.org/gsn/article/two-former-white-house-advisers-discourage-nuke-threats-againstcyber-attacks/ assessed August 30, 13 LMM] Its more likely to lead to a new focus by Pentagon planners on generating an expanding list of cyber -related targets and the operational deployment of nuclear forces to strike those targets in minutes, they wrote. U.S. cyber-vulnerabilities are serious, but equating the impact of nuclear war and cyberwar to justify a new nuclear deterrence policy and excessive Cold War-era nuclear capabilities goes too far. Clarke, who now chairs Good Harbor Security Risk Management, and Andreasen, a consultant to the Nuclear Threat Initiative, urged Obama to use a speech on nuclear policy initiatives this Wednesday in Berlin to make good on his first -term commitments to end outdated Cold War nuclear policies. The two panned a recent Defense Science Board recommendation to threaten atomic retaliation for any existential dangers to the United States posed by cyber attacks. Gen. Robert Kehler, the top U.S. commander for strategic nuclear operations, said he supported the thrust of the boards advice. Concern has been mounting about the possibility that China, in particular, might wield a capability to attack huge swaths of the U.S. power grid or other critical systems. To prevent a digital strike so devastating that the government itself might lose control, the former government advisers recommended more diplomacy in the form of multinational cooperation centers [that] could ultimately lead t o shared approaches to cybersecurity, including agreements related to limiting cyberwar.

Non-proliferation agreements would solve potential impacts of cyber attacks Brecht 09 [Lyle A Brecht, National Cyber Systems Infrastructure Security Review, September 24, 2011,The Strategic Elements of
Cyber Warfare, Scribd.com, http://www.scribd.com/doc/57767711/The-Strategic-Elements-of-Cyber-Warfare assessed August 30, 13 LMM] The use of cyberspace for intelligence gathering and war ghting should be limited by thoughtful multi-lateral non-proliferation agreements. For example, with offensive cyber weaponry, the potential for a serious problem is the capture of a digital agent by a hostile force and the alteration of the code to infect domestic data stores. With the potential for self- replication, and modication of basic code sets, once these sophisticated agents are released in the wild, it may not either be affordable or feasible to turn them off easily. Friends and foes will suffer.

Agreements reduces possibility of misinterpretation or escalation from cyber attacks Lewis 2011[James Andrew Lewis , is a senior fellow and Program Director at the Center for Strategic and International Studies
(CSIS). Before joining CSIS, he worked at the US Departments of State and Commerce as a Foreign Service Officer and as a member of the Senior Executive Service. He was the Rapporteur for the 2010 United Nations Group of Governmental Experts on information Security. His current research examines strategic competition and technological innovation. Lewis received his PhD from the University of Chicago., 2011, Confidence-building and international agreement in cybersecurity, http://citizenlab.org/cybernorms2012/Lewis2011.pdf assessed August 30, 13 LMM] Agreements to reduce the possibility of misinterpretation, escalation or unintended consequences in cyberconflict are a legitimate subject for international agreement and would improve international security. Just as states feel a degree of constraint from norms and agreements on non-proliferation, establishing explicit international norms for behaviour in cyberspace would affect political decisions on the potential risks and costs of cyber attack. The effect of globalizationthe deep economic interconnection among stateshas if anything increased the need for cooperation among states. The creation of norms for responsible state behaviour in cyberspace, the

GMU Debate [File Name] expansion of common understandings on the application of international law to cyberconflict, and the development of assurances on the use of cyber attacks would increase stability and reduce the risks of miscalculation or escalation. The single most important norm for multilateral agreement might be a norm that establishes state responsibility for the actions of its private citizenssuch a norm could make it more difficult for states to tacitly encourage proxies by ignoring them or denying involvement with their actions.

GMU Debate [File Name]

Preemptive Cyber Strikes

The US has a first use preemptive strike policy concerning cyber warfare. Sanger and Shanker 2013 (David E. Sanger, Chief Washington Correspondent for The New York Times, and Thom Shanker,
Pentagon correspondent for The New York Times, February 3, 2013, Broad Powers Seen for Obama in Cyberstrikes, New York Time s, http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-obama-in-cyberstrikes.html?pagewanted=all&_r=0)

A secret legal review on the use of Americas growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from
abroad, according to officials involved in the review. That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nations first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code even if there is no declared war. The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Mr. Obamas chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administrations policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the American arsenal. Cyberweaponry

is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts
of the military budget that is expected to grow. Officials said that the new cyberpolicies had been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyberweapons. Officials spoke on condition of anonymity because they were not authorized to talk on the record. Under current rules, the military can openly carry out counterterrorism missions in nations where the United States operates under the rules of war, like Afghanistan. But the intelligence agencies have the authorhity to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones. The results have provoked wide protests. Mr. Obama

is known to have approved the use of cyberweapons only once,

early in his presidency, when he ordered an escalating series of cyberattacks against Irans nuclear enrichment facilities. The operation was code-named Olympic Games, and while it began inside the Pentagon under President George W. Bush, it was quickly taken over by the National Security Agency, the largest of the intelligence agencies, under the presidents authority to conduct covert action. As the process of defining the rules of engagement began more than a year ago, one senior administration official emphasized that the United States had restrained its use of cyberweapons. There are levels of cyberwarfa re that are far more aggressive than

attacks on Iran illustrated that a nations infrastructure can be destroyed without bombing it or sending in saboteurs. While many potential targets are military, a countrys power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups,
anything that has been used or recommended to be done, the official said. The can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings. One senior American official said that officials quickly determined that the cyberweapons were so powerful that like nuclear weapons they should be unleashed only on the direct orders of the commander in chief. A possible exception would be in cases of narrowly targeted tactical strikes by the military, like turning off an air defense system during a conventional strike against an adversary. There are very, very few instances in cyberoperations in which the decision will be made at a level below the president, the official said. That means the administration has ruled out the use of automatic retaliation if a cyberattack on Americas infrastructure is detected, even if the virus is traveling at network speeds. While the

rules have been in development for more than two years, they are coming out at a time of greatly increased cyberattacks on American companies and critical infrastructure. The Department of
Homeland Security recently announced that an American power station, which it did not name, was crippled for weeks by cyberattacks. The New York Times reported last week that it had been struck, for more than four months, by a cyberattack emanating from China. The Wall Street Journal and The Washington Post have reported similar

The U.S. has a policy of preemptive strikes and is focused on offensive cyber capabilities preemptive strikes cause a cyber arms race and escalates to international war Schneir 13
(Bruce Schneir is an CNN Specialist, "Has U.S. Started An Internet War? CNN, June 18, 2013, http://www.cnn.com/2013/06/18/opinion/schneier-cyberwarpolicy/index.html) ELJ

(CNN) -- Today, the U nited S tates is conducting offensive cyberwar actions around the world. More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pre-targeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice. This is much worse than what we're accusing China of doing to us. We're pursuing policies that are both expensive and destabilizing and aren't making the Internet any
safer. We're reacting from fear, and causing other countries to counter-react from fear. We're ignoring resilience in favor of offense. Welcome to the cyberwar arms race , an arms race that will define the Internet in the 21st century. Presidential Policy Directive 20, issued last October and released by Edward Snowden, outlines U.S. cyberwar policy. Most of it isn't very interesting, but there are two paragraphs about "Offensive Cyber Effect Operations," or OCEO, that are intriguing: "OECO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist. "The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other U.S. offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive." These two paragraphs, and another paragraph

Cyberattacks have the potential to be both immediate and devastating. They can disrupt communications systems, disable national infrastructure, or, as in the case of Stuxnet, destroy nuclear reactors; but only if they've been
about OCEO, are the only parts of the document classified "top secret." And that's because what they're saying is very dangerous. created and targeted beforehand. Before launching cyberattacks against another country, we have to go through several steps. We have to study the details of the computer systems they're running and determine the vulnerabilities of those systems. If we can't find exploitable vulnerabilities, we need to create them: leaving "back doors" in hacker speak. Then we have to build new cyberweapons designed specifically to attack those systems. Sometimes we have to embed the hostile code in those networks, these are called "logic bombs," to be unleashed in the future. And we have to keep penetrating those foreign networks, because computer systems always change and we need to ensure that the cyberweapons are still effective. Like our nuclear arsenal during the Cold War, our cyberweapons arsenal must be pretargeted and ready to launch . That's what Obama directed the U.S. Cyber Command to do. We can see glimpses in how effective we are in Snowden's allegations that the NSA is currently penetrating foreign networks around the world: "We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one." The NSA and the U.S. Cyber Command are basically the same thing. They're both at Fort Meade in Maryland, and they're both led by Gen. Keith Alexander. The same people who hack network backbones are also building weapons to destroy those backbones. At a March Senate briefing, Alexander boasted of creating more than a dozen offensive cyber units. Longtime NSA watcher James Bamford reached the same conclusion in his recent profile of Alexander and the U.S. Cyber Command (written before the Snowden revelations). He discussed some of the many cyberweapons the U.S. purchases: "According to Defense News' C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients -- agencies like Cyber Command, the NSA, the CIA, and British intelligence -- a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what's called network situational awareness. The client locates a region on the password-protected web-based map, then picks a country and city -- say, Beijing, China. Next the client types in the name of the target organization, such as the Ministry of Public Security's No. 3 Research Institute, which is responsible for computer security -- or simply enters its address, 6 Zhengyi Road. The map will then display what software is running on the computers inside the facility, what types of malware some may contain, and a menu of custom-designed exploits that can be used to secretly gain entry. It can also pinpoint those devices infected with malware , such as the Conficker worm, as well as networks turned into botnets and zombies -- the equivalent of a back door left open... "The buying and using of such a subscription by nation-states could be seen as an act of war. 'If you are engaged in reconnaissance on an adversary's systems, you are laying the electronic battlefield and preparing to use it' wrote Mike Jacobs, a former NSA director for information assurance, in a McAfee report on cyberwarfare. 'In my opinion, these activities constitute acts of war, or at least a prelude to future acts of war .' The question is, who else is on the secretive company's client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish. "It should be illegal,' said the former senior intelligence official involved in cyberwarfare. 'I knew about Endgame when I was in intelligence. The intelligence community didn't like it, but they're the largest consumer of that business.'" That's the key question: How much of what the United States is currently doing is an act of war by international definitions? Already we're accusing China of penetrating our systems in order to map "military capabilities that could be exploited during a crisis." What PPD-20 and Snowden describe is much worse, and certainly China, and other countries, are doing the same. All of this mapping of vulnerabilities and keeping them secret for offensive use makes the Internet less secure, and these pre-targeted, ready-to-unleash cyberweapons are destabalizing forces on international relationships. Rooting around other countries'

GMU Debate [File Name]

networks, analyzing vulnerabilities, creating back doors, and leaving logic bombs could easily be construed as an act of war. And

all it takes is one over-achieving national leader for this all to

tumble into actual war. It's time to stop the madness. Yes, our military needs to invest in cyberwar capabilities, but we also need international rules of cyberwar, more transparency from our own government on what we are
and are not doing , international cooperation between governments and viable cyberweapons treaties. Yes, these are difficult. Yes, it's a long slow process. Yes, there won't be international consensus, certainly not in the beginning. But even with all of those problems, it's a better path to go down than the one we're on now. We can start by taking most of the money we're investing in offensive cyberwar capabilities and spend them on national cyberspace resilience. MAD, mutually assured destruction, made sense because there were two superpowers opposing each other. On the Internet there are all sorts of different powers, from nation-states to much less organized groups. An arsenal of cyberweapons begs to be used, and, as we learned from Stuxnet, there's always collateral damage to innocents when they are. We're much safer with a strong defense than with a counterbalancing offense.

GMU Debate [File Name]

Defensive Cyber Operations

Current focus on offensive cyber operations trades off with defensive cyber security Gjelten 2013
[Tom Gjelten is a correspondent for NPR. Jan/Feb 2013, First Strike: US Cyber Warriors Seize the Offensive, http://www.worldaffairsjournal.org/article/first-strike-us-cyber-warriors-seize-offensive ]jap

The growing interest in offensive operations is bringing changes in the cybersecurity industry. Expertise in patching security flaws in ones own computer network is out; expertise in finding those flaws in the other guys network is in. Among the hot jobs listed on the career page at the National Security Agency are openings for computer scientists who specialize in vulnerability discovery. Demand is growing in both government and industry circles for technologists with the skills to develop ever more sophisticated cyber tools, including malicious softwaremalware with such destructive potential as to qualify as cyberweapons when implanted in an enemys network. Offense is the biggest growth sector in the cyber industry right now, says Jeffrey Carr, a cybersecurity analyst and author of Inside Cyber Warfare. But have we given sufficient thought to what we are doing? Offensive operations in the cyber domain raise a host of legal, ethical, and political issues, and governments, courts, and business groups have barely begun to consider them. The move to offensive operations in cyberspace was actually under way even as Pentagon officials were still insisting their strategy was defensive. We just didnt know it. Extensive use of cyber space for offensive military attacks destroys global internet capabilities greater defensive focus key Belk and Noyes 12
[Robert and Matthew, Robert is, studying international and global affairs at the Harvard Kennedy School.. Following graduation, he is scheduled to report to the Naval Operations staff in the Pentagon to develop and execute Navy network and cybersecurity policy, Matthew studies international security policy and is a senior associate with the cybersecurity practice at Good Harbor Consulting.. He has a degree in Computer Science and Applied Computational Mathematics from the University of Washington. On the Use of Offensive Cyber Capabilities A Policy Analysis on Offensive US Cyber Policy, http://belfercenter.ksg.harvard.edu/files/cybersecurity-pae-belk-noyes.pdf, Accessed 9-1-13]jap-lkm

Cyberspace is a unique domain where, unlike the domains of land, sea, air, and space, the very geography and laws of physics can change by disconnecting systems or changing the protocol or code that operates cyberspace. 40 Potential changes to the laws of code in response to external cyber action may fundamentally alter the nature of cyberspace and render a large set of existing cyber capabilities obsolete . Cyber policy makers must carefully consider the systemic effects of their policies. How will civil society organizations, such as the Internet Engineering Task Force (IETF), react to a
cyber action? How will the political economy of cybersecurity change if organizations are free to conduct cyber attacks? Can the Internet survive as an interconnected and global commons if it becomes a domain used to conduct frequent military strikes? Currently the incentive structure in cyberspace systematically favors attackers over defenders. Correcting this misaligned incentive should be a key consideration of cyber policy makers in order to mitigate the risks of external cyber actions producing undesirable systemic effects . We believe it could be accomplished through the application of deterrence and mitigative counter-attacks to stop cyber attackers. Improving security in a manner that does not diminish the tremendous openness and generativity of the Internet, but instead increases it, is the essential goal of cybersecurity policy. 63

GMU Debate [File Name]

China Cyber War

China will attack - Cyber war with China impossible to win Clarke and Knake 2010
[Richard, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, and Robert, Cybersecurity and homeland security expert. Cyber War: The next threat to national security and what to do about it, 2010. https://www.bit9.com/download/eBook/eBook_Richard_Clarke_Cyber_War_Chapter.pdf]jap
In this situation, the team playing Cyber Command in the table top exercise faces a dilemma. They do not want to expose all of the cyber attack techniques, or exploits, that they have developed. Once an exploit is used, cyber defenders will devote the time and energy necessary to figure out how to block it in the future. While the defenders will not fix all of the systems that could be exploited, they will patch enough of the important systems that the attack technique will have lost much of its potency. Thus, Cyber Command will want to withhold its most clever attacks. If they wait, however, the Chinese may have done things that make it far more difficult for the U.S. to execute cyber attacks. As tensions begin to mount, China will reduce the flow of packets into China and will scan and filter for possible U.S. attacks the ones it permits in. Then it may drop connectivity to the outside world altogether.

If the U.S. has not already launched its cyber attack, it will be much harder to

get around the Great Firewall of China. Cyber Command will have to have created, in advance, tunnels into Chinese cyberspace, perhaps by hiding satellite telephones in China to download attacks and insert them
into the Internet behind the Wall. Or perhaps Cyber Command will, working with CIA, have placed agents inside China with the attack tools already on their laptops. If the U.S. waits to use its best weapons, China may make it difficult to launch an attack from U.S. cyberspace by confusing or crashing our cyberspace and Internet backbone . Scrambling data on the highest echelon servers of the Domain Name System, which provides the Internet addresses of websites, or doing so on the routing tables (the Border Gateway Protocol lists) of the Tier 1 backbone providers will disrupt U.S. cyberspace for days. The effect would be to send traffic more or less randomly to the wrong place on the Internet. As noted in chapter 3, very little prevents this from happening now since these software programs that make the Internet run do not require that there be any checking to see if the commands issued are authentic. If the Chinese could get agents into the big windowless buildings where all the Tier 1 ISPs link to each other, the so called peering points, or into any place on the Tier 1 ISP networks, they could possibly issue commands directly to the routers that do the switching and directing of traffic on the Internet and in the rest of cyberspace. Even though DoD and U.S. intelligence agencies have their own channels in cyberspace separate from the public Internet, their traffic is likely to be carried on the same fiber optic cable pipes as the public Internet. The public Internet may just be a different color on the same fiber or maybe a different fiber in the same pipe. Chances are that there are many places where the

DoD and intelligence agency traffic is running through the same routers as the public Internet. As discussed earlier, China is very familiar with the routers. Most of them are made by the U.S. firm Cisco, but made in China. All of that Chinese potential to disrupt the Internet and stop the U.S. from being able to send cyber attacks out means that the Cyber Command team has an incentive in the early stages of a crisis to store their attacks on networks outside of the U.S. Of
course, doing so broadens the global involvement in the pending cyber war.

The use of cyber weapons will provoke East Asian war and economic collapse in 2013 Solana and Bremmer 13
(Javier Solana and Ian Bremmer, 2013 Foreign Minister of Spain, Secretary-General of NATO. Ian Bremmer is President of Eurasia Group), January 25, A New Year of Global Conflict, The New Times,)

Conflicts are much more likely to arise or persist when those with the means to prevent or end them cannot or will not do so. Unfortunately, this will be borne out in 2013. In the United States, barring a foreign-policy crisis that
directly threatens national security, President Barack Obama's administration will focus most of its time, energy, and political capital on debt reduction and other domestic priorities. In Europe, officials will continue their struggle to restore confidence in the eurozone. And, in China, though the demands of economic growth and job creation will force the country's new leaders to develop new ties to other regions, they are far too preoccupied with the complexities of economic reform to assume unnecessary costs and risks outside Asia. That is why the world's fires will burn longer and hotter this year. This does not mean that the world's powers will not inflict damage of their own. Today, these governments are more likely to use drones and special forces to strike at their perceived enemies. The world has grown used to US drone strikes in Afghanistan, Pakistan, and Yemen, but recent news reports suggest that China and Japan are also investing in unmanned aircraft - in part to enhance their leverage in disputes over islands in the East China Sea. By lowering the costs and risks of attack, these technological innovations make military action more likely. Perhaps the lowest-cost way to undermine rivals and attack enemies is to launch attacks in cyberspace. That is why so many deep-pocketed governments - and some that are not so rich - are investing heavily in the technology and skills needed to enhance this capability. This form of warfare is especially worrisome for two reasons. First, unlike the structure of Cold War-era "mutually assured destruction," cyber weapons offer those who use them an opportunity to strike anonymously. Second, constant changes in technology ensure that no government can know how much damage its cyber-weapons can do or how well its deterrence will work until they use them. As a result,

governments

now 's defenses every day, the accidental If John Kerry and Chuck Hagel are confirmed as US secretaries of state and defense, respectively, the Obama administration will feature two prominent skeptics of military intervention. But high levels of US investment in drones, cyber-tools, and other unconventional weaponry will most likely be maintained. These technological advances create the backdrop for the competition and rivalries roiling the two most important geopolitical hotspots. In the Middle East, US and European officials will continue to resist deeper involvement in regional turmoil this year, leaving local powers - Turkey, Iran, and Saudi Arabia - to vie for influence. Confrontations between moderates and militants, and between Sunni and Shia factions, are playing out in several North African and Middle Eastern countries. US officials have reason to believe that, over time, they will be able to worry less about the region and its problems. According to current projections, technological innovations in unconventional energy will allow the US to meet more than 80% of its oil demand from sources in North and South America by 2020. China, on the other hand, is set to become more dependent on Middle Eastern output. Meanwhile, East Asia will remain a potential trouble spot in 2013. Many of

probe one another

increasing

risk of

hostilities.

China's neighbors fear that its ongoing economic and military expansion poses a growing

threat to their interests and independence, and are reaching out to the US to diversify their security partnerships and hedge their bets on China's benign intentions. The US, eager to boost its economy's longer-term prospects by engaging new trade partners in the world's fastest-growing region, is shifting resources to Asia - though US (and European) policymakers would be wise to move forward with a transatlantic free-trade agreement as well. There is a growing risk that the new Chinese leadership will interpret a heavier US presence in the region as an attempt to contain China's rise and stunt its growth. We have already seen a series of worrisome confrontations in the region, pitting China against Vietnam and the Philippines in the South China Sea, and against Japan in the East China Sea. While these disputes are unlikely to provoke military hostilities this year, the use of drones and cyber weapons remains a real threat. The greatest risk for 2013 is large-scale economic conflict in Asia, which would not only harm the countries directly involved, but would also undermine global recovery. The first shots in this battle have already been fired. Last summer, disputes over a string of contested islands in the
East China Sea led to a furious exchange of charges between China and Japan, the world's second- and third-largest economies, respectively. The two sides were never in danger of going to war, but Chinese officials allowed nationalist protests to develop into boycotts of Japanese products and acts of vandalism against Japanese companies. Japan's automobile exports to China fell 44.5%, and China's imports from Japan fell nearly 10% - all in just one month. That was a tough hit for a struggling Japanese economy. It is also a clear warning to the rest of us that a fight need not involve troops, tanks, and rockets to exact a heavy price.

GMU Debate [File Name]

Cyber Terrorism
Critical infrastructure is weak and vulnerable to cyber attack by terrorist or state actors risks are high Goodman 2007
[S.E., Science, Technology, and Countering Terrorism: The Search for a Sustainable Strategy, http://www.nap.edu/openbook.php?record_id=11848&page=43 ]jap Cyberspace is the set of all computer-communications networks. It is a major technology-enabled medium providing means of passage, the locus of objects of value, and parts of the control and management systems for critical processes and infrastructures. The Internet and critical infrastructures rely on cyberspace for basic functioning. Richard Clarke, former White House counterterrorism advisor, observed that the United States has become a robust economic and military power as a result of building, implementing, and relying upon domestic systems [3]. Many of these systems are based in cyberspace, which could introduce weakness in the country's ability to operate, should terrorists find and exploit extant vulnerabilities. The U.S. is one hundred percent dependent on information systems and computer systems to run [the] nation, according to Ron Dick, former director of the FBI's National Infrastructure Protection Center [ 4]. Originally based on a strong brick foundation, the U.S. has gradually been converting to a foundation of fragile bits and bytes, one that is potentially more penetrable by terrorists [3]. It is interesting to note that very few of the cyber aspects of infrastructures were initially designed or implemented with embedded security measures. When the Department of Defense Advanced Research Projects Agency created the ARPANET, the precursor of the Internet, for example, security was not an initial design consideration and was therefore largely excluded [5]. Security inherently involves tradeoffs. Since almost all cyber systems were not originally designed with security in mind, there is an enormous legacy of insecure systems in use today. Improving security for such systems is therefore largely a matter of afterthoughts and patchwork. The problem is compounded by the fact that security is often in conflict with design criteria that best promotes the primary intents and needs of the organization, e.g., access and throughput. Added security not only costs more money, but may also result in reduced efficiency and functionality. Furthermore, there seems to be little incentive for people to design or redesign systems to be more secured. Rather, there has been much speculation that prioritizing security will have to await the trauma tic shock of a digital Pearl Harbor or the forces of legal liability or insurance necessities and standards. The Internet is the largest single component of cyberspace, with a presence in over 200 countries and something approaching a billion users. For the most part, the Internet is built upon national and international telecommunications infrastructure, including the landlines of most public phone systems, wireless, and satellite communications. Beyond the Internet, these telecommunications infrastructures are more generally highly dependent on computing technology and, thus, part of cyberspace by our definition. Other critical infrastructures, in the United States and increasingly elsewhere in the world as well, depend on computer-communications systems for direct control and other functions. Critical infrastructures include major forms of transportation, banking and finance, energy distribution, emergency preparedness and response, public health, water, and others. Most systems that rely on cyberspace, however, are riddled with vulnerabilities, which we define as weaknesses that can be exploited through either hostile attack or accident. Many of these systems were designed to provide cheap and extensive network access, which unfortunately greatly increases the ability of malicious people to find and exploit vulnerabilities.

Cyberterrorism inevitable coming soon Goodman 2007

[S.E., Science, Technology, and Countering Terrorism: The Search for a Sustainable Strategy, http://www.nap.edu/openbook.php?record_id=11848&page=43 ]jap One area of concern that extends broadly across all of the stages of defense is the problem of insiders, who still probably account for a majority of successful penetrations for criminal purposes. Insiders are people who have authorized access with the potential for abuse that can cause great harm. Insiders may have the ability, for example, to change critical settings that could compromise the integrity of a system's security. These changes could be made covertly, thus resulting in a false sense of system security. Insiders are motivated by financial gain, recruitment, or coercion; their access, however, is the most dangerous aspect of insider threat [28]. The problem is complicated by changes in organizational relations and technical architectures that make inside and outside more difficul t to even define. The possibility that a terrorist or sympathizer may gain employment that puts him in a sensitive position to conduct a devastating attack or to provide critical information or access to others cannot be discounted or ignored. The two most general ways of dealing with this are through deep pre-employment investigations, something that most non-government entities are neither capable of doing nor permitted to do in many countries, and through stronger forms of containment and compartmentalization of access in an organization. It thus seems prudent to expect that cyberattacks will be launched sooner or later, which leads to the matter of how to deal with such terrorist activity. We start to answer this question by distinguishing between two forms of defense [29]: (1) active and (2) passive. It is then necessary to consider three stages of defense: (1) prevention, (2) incident management, attack mitigation, damage limitation; and (3) consequence management. Consideration of each of these elements of defense is vital for deterring or preventing cyberattacks. Deterrence mechanisms dont phase cyberterrorists different calculations 3.2.1. Prevention Terrorists prepared to perish during a spectacular attack may not be as sensitive to preventive measures such as deterrence as are criminals, industrial spies, hate mongers, or agents of nation states who engage in other forms of cyber conflict. From a risk perspective, individual terrorists and terrorist organizations (even those supported by nation states) thus differ from nation state actors. Explicitly or implicitly under the alternate forms of prevention is the need to identify the attackers or potential attackers and to convince them that there is a high probability that they will be punished. Plausible denial is not important, since terrorists have few assets and no sovereign territory to protect from physical or other forms of counterattack

GMU Debate [File Name] or embargo. Unlike nation states, terrorists are insensitive to most of the possible consequences that negative attention and identification might entail. On the other hand, given the possibilities of catastrophic terrorism, it is particularly important for the defense to try to prevent attacks and identify and apprehend or otherwise punish potential attackers.

Hackers will attack the water supply with lethal chemical weapons Waterman 13 (Shaun August 28, Reporter for The Washington Times, http://www.washingtontimes.com/news/2013/aug/28/syriairan-capable-of-launching-a-cyberwar/?page=all. 8/31/13 RK)
But the

kind of cyberattack that most alarms national security specialists took place a year ago and was aimed at the Saudi Arabian state oil company, Aramco. A virus called Shamoon infected the companys computer network and wiped data from more than 30,000 computers, effectively destroying all the information on the system. A similar attack on a bank could destroy digital records of customer accounts. Hackers also have demonstrated that they could take over computer control systems that operate chemical, electrical and water and sewage treatment plants. They also can hack into transportation networks. An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals, Leon E. Panetta, then CIA director, warned in a speech in New York last year. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country . Specialists doubt that
the Syrian Electronic Army has that kind of advanced capability, but it is always hard to tell, said Timothy Sample, who is a vice president at technology contractor Battelle Inc., which does cybersecurity work for U.S. intelligence and defense agencies and civilian clients. The barriers to entry for these kinds of capabilities are very low, he said, adding that it is easy to buy cyberattack tools and hire hackers on the black market. It would be dangerous to rely on the proposition that any given attacker lacks a particular skill, Mr. Sample added. Cyberforensic specialists have documented the Syrian Electronic Armys historic links to a computer society founded years ago by Syrian President Bashar Assad. The British Guardian newspaper has reported that the group is funded by Rami Makhlouf, a cousin of Mr. Assads and the owner of SyriaTel, a telecommunications and Internet service provider.

GMU Debate [File Name]

Economy
Cyber attacks threaten national security, the economy & public health infrastructures Sharp 2010 (Walter Gary, Sr. - Sr. Ass. Deputy General Counsel for Intelligence, Office of the General Counsel, U.S. DOD, "The Past, Present, and Future of
Cybersecurity", Journal of National Security Law & Policy", vol. 4:13) kc

The cyber threat is the most pervasive and pernicious threat facing the United States today. Its mention does not immediately conjure visions of the
catastrophic horrors that would result from an attack using a weapon of mass destruction, but todays cyber threat is a very real and present danger. As of September 14, 2009, more than 10,450,000 U.S. residents had been victimized by identity theft in 2009 alone, and that number increases by one victim each second.2 Fifteen million victims will lose more than fifty billion dollars each year.3 Specific threats such as identity and consumer fraud allow us to quantify and understand part of the cyber threat in terms that allow the U.S. government,4 corporate America,5 consumer groups, and individuals6 to take preventive action. However, the growing number of victims would clearly suggest we have not effectively solved the problem, even if we are starting to comprehend its scope. The cyber threat to U.S. national security, economic security, and public health and safety is far more amorphous and less susceptible of comprehension than its kinetic analogs. Popular media productions such as 247 and Live Free or Die Hard8 have depicted sophisticated cyber intrusions that intentionally caused aircraft collisions, a nuclear power plant meltdown, a compromise of White House security and communications, and a U.S. stock market crash. Recognizing the extent of abuse of the Internet for terrorist purposes, including through radicalization, recruitment, training, operational planning, fundraising and other means, the United Nations established a Working Group on Countering the Use of the Internet for Terrorist Purposes.9 The Cyberspace Policy Review (the Review) directed by President Obama reports that a growing array of state and non -state actors such as terrorists and international criminal groups are targeting U.S. citizens, commerce, critical infrastructure, and government.10 It is only a matter of time before terrorists attempt to use the Internet to cause acts of terrorism like those already described in popular media.

Cyber intrusions on banking would kill the global economy transaction disruptions Nielson 2012
[Army Lieutenant Colonel SUZANNE C. NIELSEN is an associate professor in the Department of Social Sciences at the U.S. Military Academy at West Point. She is responsible for the International Relations Program and teaches courses in international relations and national security. Pursuing Security in Cyberspace: Strategic and Organizational Challenges, Foreign Policy Research Ins, Elsevier Ltd, Summer 2012, Epsco ]jap Though some incidents garner press attention, espionage in cyberspace seems to maintain a lower profile than espionage in other realms. For example, the Center for Strategic and International Studies (CSIS) notes that in May 2006, The Department of States networks were hacked, and unknown foreign intruders downloaded terabytes of information. If Chinese or Russian spies backed a truck up to the State Department, smashed the glass doors, tied up the guards and spent the night carting off file cabinets it would be an act of war, but when it happens in cyberspace we barely notice.20 Increasingly deep and sophisticated intrusions may threaten even more, however, than the compromise or loss of specific data. At a debate in 2010, former National Security Agency Director and DNI Mike McConnell explained it in this way: The United States economy is $14 trillion a year. Two banks in New York City move $7 trillion a day. On a good day, they do eight trillion. Now think about that. Our economy is $14 trillion. Two banks are moving $7 trillion to $8 trillion a day. There is no gold; there are not even printed dollar bills. All of those transactions [. . .] are massive reconciliation and accounting. If those who wish us ill [. . .] [were] successful in attacking that information and destroying the data, it could have a devastating impact, not only on the nation, but the globe.21 Beyond discrete acts of espionage or cybercrime, an even more dangerous attack would be one that called into question the integrity of the data and information networks underpinning the financial system as a whole. It is difficult to estimate fully the effects of such activity, but the consequences could be catastrophic. The world may have had a preview on a small scale when, on May 6, 2010, a simple data entry error caused the Dow to drop nearly a thousand points in less than an hour.22 Fortunately, in this instance the market recovered fairly quickly. While intrusion, data compromise, and theft of intellectual property may remain the greatest long-term cyber threats to U.S. economic well-being, threats have continued to evolve so that additional concerns have become disruption and even destruction. A famous example of disruption was the loss of government, financial sector, and other services to a large portion of Estonias population for a period of several days during a cyber riot led by Russian nationalists in 2007. In 2008, disruption to government Internet services in Georgia was part of the prelude to the intervention in physical space of Russian armed forces. The involvement of the Russian government, or at least its encouragement of these activities, is suspected in both of these cases. Other states and firms, in the United States and abroad, have been the victims of distributed denial-of-service attacks since 2008. As one example, a group calling itself Anonymous attacked companies that pulled their support from Wikileaks after Wikileaks released hundreds of thousands of U.S. classified documents in November 2010.23 Though the effects of attacks such as these have been temporary, the losses incurred while they are in progress are not.

Cyber attacks kill US economic competitiveness cause major losses in system stability Nielson 2012
[Army Lieutenant Colonel SUZANNE C. NIELSEN is an associate professor in the Department of Social Sciences at the U.S. Military Academy at West Point. She is responsible for the International Relations Program and teaches courses in international relations and national security. Pursuing Security in Cyberspace: Strategic and Organizational Challenges, Foreign Policy Research Ins, Elsevier Ltd, Summer 2012, Epsco ]jap

GMU Debate [File Name] Economic prosperity. A second set of consequences that could result from inadequate U.S. cybersecurity measures relates to economic prosperity. Significant costs include the large-scale losses in intellectual property discussed above, which are likely to have difficult-tocalculate but significant consequences for U.S. future economic competitiveness. At the level of individual enterprises, one 2010 study of 45 companies found that the median annualized cost of cyber crime [. . .] is $3.8 million per year, but can range from $1 million to $52 million per year per company.36 Costs include lost data, as well as the costs of recovery and system clean up. Cyber attacks may also have significant ramifications for individuals who have sensitive personal information compromised through security breaches. By one estimate, over 345 million records were compromised between 2005 and 2010.37 Despite the scale of this figure, many more losses probably go unreported either because they are not detected or because firms and organizations want to avoid revealing vulnerabilities. As argued above, the ultimate economic consequences of inadequate cybersecurity could include loss of confidence in the system of finance itself with difficult-to-calculate implications for the American way of life.

GMU Debate [File Name]

Infrastructure
Grid vulnerable to attacks now smart grids raise the risk Giani & Bent 2012
[Annarita Giani has her Ph.D. in Engineering from the Thayer School of Engineering, Dartmouth College, and her Laurea in Mathematics from the Universita' di Pisa, Italy. She is a Postdoctoral Research Associate, EECS, at the University of California at Berkeley, 2007-2013 and was a researcher at the Consiglio Nazionale delle Ricerche (CNR) Pisa, Italy, 1996-2001. Russell Bent has his PhD in Comp. Sci from Brown, his Masters in Comp. Sci from Brown, his B.S. in comp. sci from Rochester, and a B.A. in history from Rochester. He is a Technical Staff Member at the Los Alamos National Laboratory, and has been a Research and Teaching Assistant at Brown University, and a Software Developer and Researcher at the University of Rochester. Addressing Smart Grid Cyber Security, CSIIRW 12 10/30 11/1/12, Ebsco ]jap
Protecting the country's critical infrastructure from dan- gerous attacks is crucial. The electric power a the critical It pro- vides the power permitting all other systems to operate. The grid has changed over recent years, and is character- ized by increasingly sophisticated devices, higher levels of interconnection, and the exibility necessary to ac- commodate new products and services. CSIIRW 12 Oct 30 - Nov 01 2012, Oak Ridge, TN, USA ACM 978-1-4503-1687-3/12/10. A clear example is the grid's accommodation of vari- able storage and generation options, such as electric ve- hicles and renewable energy. Moreover, technological developments which have increased the means of gen- erating power have,

grid is backbone of

nation's

infrastructure.

developments also signal a growing concern about vulnerability to cyber attacks. While the Advanced Metering Infrastructure (AMI) is an important component of the smart grid and it brings new security challenges, attacks on AMI and on the dis- tribution level in general are not considered in this ex- tended abstract. Instead we concentrate on cyber at- tacks at the generation, transmission and control levels. Smart grid cyber security presents new challenges
consequently, permitted a degree of decentralization of power generation (and to a much more limited extent, storage), that has fostered direct consumer participation in the power generation process. But these welcomed due to the interconnection between human, digital and physi- cal worlds. Research and solutions often concentrate on one of these three worlds. Thus, we have conducted investigations that attempt to account for the human factor, as well as physical security and network security. all three of levels in a coherent and overarching fash- ion. For example it is important to understand how grid operators react in contingency situations and to develop tools to guide decision-making. This requires sophisti- cated modeling that examines simultaneously interac- tively human (cognition and behavior) and technolog- ical performance. Such modeling requires the elabora- tion and exploration of hypotheticals where a variety of stressors are applied to both human and technological aspects in order to assess overall system performance and resiliance.

It is crucial to develop methodologies that address

these

And, if the US were attacked on the grid, not only would the military be vulnerable, it would wipe out all of the American society Kessler 9
[Ronald, EMP Attack Would Send America into a Dark Age, http://www.newsmax.com/RonaldKessler/emp -electromagneticpulse/2009/09/23/id/335160]jap In a matter of seconds, an electromagnetic pulse (EMP) attack or a geomagnetic storm would set America back to the 14th century, Gale Nordling, president of a
company that protects against such a catastrophe, tells Newsmax. An EMP attack occurs when a nuclear bomb explodes in the atmosphere. The electromagnetic pulse generated by the blast fries all electronics in line of sight. EMP was first detected after the detonation of the Starfish Prime nuclear test on July 9, 1962. While the explosion occurred near Johnston Island in the Pacific Ocean and was not designed to be an EMP blast, it blew out street lamps, television sets, and telephone communications in Hawaii nearly 1,000 miles

A single nuclear bomb exploded over the Midwest would generate an electromagnetic pulse would destroy the chips that are at the heart of every electronic device. While military and intelligence networks may be shielded against EMP, the rest of the countrys technological infrastructure is not. Geomagnetic storms emanating from the sun could cause a similar catastrophe. Such a storm occurred in 1859, but because a
away.
that

system for distributing electric power had not yet been invented, it did not do any appreciable damage. On March 13, 1989, a minor geomagnetic storm left six million people without power in eastern Canada and the U.S. for 12 hours. If a nuclear device designed to emit

the entire electric grid. It would disable communications, it would disable fuel manufacturing and production, it would disable hospitals and medicines, it would disable 911 call centers. Everything else would be shut down, Nordling says. Water treatment facilities, food storage facilities, everything would be gone, Nordling says. Financial records would be wiped out. Your investments would be gone. Your medical records and prescriptions would be zapped. Forget about your computer and the Internet, heating and air conditioning,
EMP were exploded 250 to 300 miles up over the middle of the country, it would disable the electronics in the entire United States, s ays Nordling, president and CEO of Minneapolis-based Emprimus. That would disable supermarkets, telephones, and radio and television. Banks and ATMs would shut down, credit cards would become useless, and hospital operating rooms would close. While vehicles made before 1970 might still work, they would be useless. Thats because gasoline could not be obtained, and newer cars and trucks, disabled by the pulse, would block the roads and highways. In most cases, the damage to chips would be permanent. Because tow trucks would not operate, cars would never be cleared from roads. The vast majority of or according to William Graham, who was chairman of the bipartisan congressional Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack . Yet at a hearing of the House Committee on Homeland Security on July 21, Graham testified that the government has done virtually nothing to address the effects of such an attack on the civil sector. People say it would bring us back to the 1800s, but its worse than that because in the 1800s there was a much larger sector that did farming and produced food, and there werent so many people living in inner core cities, Nordling says. All that has changed. Nordling cites a prediction by William R. Forstchen, author of One Second After, that an EMP strike would take the U.S. back to the 14th century. That is because whe n Thomas A. Edison invented the light bulb in 1879, the country had established police and fire departments, hospitals, and food and water distribution systems. Since an EMP strike would render those entities inoperative,

Americans would die from starvation disease or would freeze to death,

the country would be in chaos, and

disease, starvation, and lawlessness would prevail. The book is a fictional account of a town struggling to survive after an EMP weapon is used against the
United States.

GMU Debate [File Name]

Plan X
DoD developing Plan X to make cyber offensives easier Wait 2012
(DARPA Seeks 'Plan X' Cyber Warfare Tools by Patience Wait Staff writer for Information Week specializing in Government on August 23, 2012 http://www.informationweek.com/government/security/darpa-seeks-plan-x-cyber-warfare-tools/240006066 09/1/2013)SPH The Department of Defense is looking to develop new technologies, including hardened operating systems and other platforms, for managing cyber warfare in real time on a large scale. The Defense Advanced Research Projects Agency has scheduled a workshop for September 27 where it will lay out requirements for the envisioned system and invite technology vendors to demonstrate capabilities that might be part of it. Plan X, as the program is known, aims to help the Pentagon understand, plan, and manage cyber warfare "in real-time, large-scale, and dynamic network environments," according to DARPA. The program also encompasses cyber warfare strategies and tactics . DARPA also wants to identify a system architecture team,
which would oversee development of application programming interfaces, specifications for data formats, and acquisition of the required computer hardware and other infrastructure. Plan X entails research in four primary areas. First, DARPA is looking to develop analytics capabilities to help the military understand the "cyber battlespace" through analysis of large scale networks . Second, DARPA wants the ability to create a mission plan

and "script" that can be used by cyber personnel. That would include quantifying potential damages associated with those plans. The agency compares the sought-after capability to the auto-pilot function on an airplane. DARPA also seeks operating systems and platforms that can operate in "dynamic, contested, and hostile network environments." It describes those components as hardened "battle units" that perform functions such as damage monitoring, communications, and weapon deployment. Finally, the agency wants the ability to visualize what's happening in a virtual battlefield for use in planning, operations, and war gaming.

Plan X will lead to the proliferation of malicious viruses and worms like Stuxnet and development of new wave of destructive cyberweapons Basulto 2012
(X Marks the Spot of the First Cyber War by DOMINIC BASULTO Contributor to the Washington Post and Staff Writer for Big Think on JUNE 18, 2012 http://bigthink.com/endless-innovation/x-marks-the-spot-of-the-first-cyber-war 09/1/2013)SPH

Plan X, DARPA's plan reflects a disturbing tendency these days the willingness of governments including your very own U.S. government - to weaponize and militarize the Internet. The best known example of the militarization of cyberspace was Stuxnet, a computer virus engineered by America to bring Irans nuclear program to a halt. There have been countless others, the latest being Flame, a Stuxnet cousin that was recently discovered in the wilds of the Middle East. If anything, Plan X would accelerate the promulgation of similar types of viruses as well as develop an entirely new class of (gulp) cyber weapon. When DARPA knows what it wants, it gets it. The phenomenal success of DARPA in pushing forward the innovation agenda of the military is certainly nothing to ignore. Consider DARPA's "Grand Challenge" robotic vehicle competition, which pushed the nation's foremost artificial intelligence experts to develop an all-terrain vehicle capable of driving across the Mojave desert. In the private
DARPA the government organization that brought you the Internet is back, this time with an audacious five-year, $110 million research initiative to militarize cyberspace. Called sector, this inevitably led to the Google Driverless Car. In the military sector, it will inevitably inspire a new generation of unmanned vehicles for rough terrain war zones like Iraq and Afghanistan. And thats not all by some accounts, DARPA is working on a whole host of game-changing innovations - harnessing the properties of lightning as the next GPS, creating metals that are light enough to rest on a dandelion, and usi ng "green goo" from tobacco plants as a new type of vaccine. No wonder DARPAs former head, Regina Dugan, was invited

its just a matter of time before DARPA gets the types of offensive capabilities it wants to wage the first cyber war. Its a push that senior leaders within the military have been agitating for, concerned that our potential rivals in places like China have already
to speak at TED 2012 to the nation's leading thinkers and visionaries. So, if we are to believe the earlier success of DARPA, stolen a march on us. The sheer size of Chinas cyber -hacking initiatives are truly breathtaking by some estimates, Chinas cyber sleuths have hacked into a majority of America's largest corporations and have been found lurking around inside Americas utilities grid. Thats a disturbing thought, indeed that as we sleep, weaponized viruses and other pieces of malware are hunting for entry points into our electric utilities and nuclear power plants. The centerpiece of Plan X, according to The Washington Post, would be the creation of a digital battlefield map that would plot tens of billions of nodes on the Internet and give the government a broad overview of where viruses and other malware may be massing for a potential attack, as well as identify potential soft targets and the optimal delivery paths. The ideal map

, we are now creating a whole new class of cyber weapon that will deliver a payload to its target almost instantaneously. Forget the metpahors and images of the Cold War, the brave new world of the first Cyber War is
would show network connections, analyze how much capacity a particular route has for carrying a cyberweapon and suggest alternative routes according to traffic flow." Instead of developing long-range B-52 bombers armed with nukes almost here. Google has already proclaimed that it will be manning the front lines, looking for signs of any state-sponsored Cyber War intrusions, while the nations best universities have been given the go-ahead to start producing a talent pipeline of hackers and other cyberwarriors to support the mission of Plan X. Just as George F. Kennans famous "X" article in Foreign Affairs magazine in 1947 unofficially outlined America's strategy for winning the Cold War, DARPAs Plan X may outline America's strategy for winning the first Cyber War.

And, Plan X will lead to destructive cyber war Basulto 2013

(Has the Global Cyberwar Already Started? by DOMINIC BASULTO Contributor to the Washington Post and Staff Writer for Big Think on JULY 31, 2013 http://bigthink.com/endless-innovation/has-the-global-cyberwar-already-started 09/1/2013)SPH

. Already, there have been five cyberattacks of unprecedented size and scope in just the first six months of the year. Of even these cyberattacks appear to have emanated from state-sponsored actors coordinating cyberespionage campaigns lasting years, not days or weeks. These cyberweapons which involve everything from malicious bits of code hidden within PDF documents to viruses that infect the software used to operate the infrastructure of nuclear power plants represent a growing threat to the national security of the world's leading powers. In his roundup of the Five Most Dangerous Cyberweapons of 2013, Igor Rozin suggests that the newest cyberweapons are already more sophisticated and lethal than those from just six months ago. If the
Mark 2013 down as the year that the global cyberweapons arms race started greater concern, many of earliest versions of cyberweapons were pieces of malicious code that infected your computer and caused it to crash, the newest cyberweapons enable users to take over your computer and use it to steal sensitive trade, research, or diplomatic secrets. In one operation known as "MiniDuke," a group of hackers targeted a range of government and non-government institutions across Europe by using malicious PDF documents that exploited Adobe Reader. In another operation known as "Red October,"hackers conducted a global cyberespionage campaign against politicians and diplomats that involved servers, proxy servers and hosting services housed across multiple countries. What's all the more disconcerting about a potential cyberweapons arms race is that the line between state and non-state actors is no longer clear. As Mandiant discovered earlier this year, it's possible to have shadowy state actors loosely affiliated with a countrys military, as in the case of Chinas APT1. What do you do with these Chinese hackers who appear to be systematically tapping into our nation's research organizations, corporations and governmental organizations and then siphoning away trade secrets and sensitive diplomatic communications? Send a few armed drone strikes into the heart of Shanghai to take out the hackers camped out in a single building? If the previous rounds of cyberattacks were organized by cybercriminals and shadowy cyber-terrorist cabals, then future round of cyberattacks will be organized by the wealthiest nation-states. That means that the single, one-off attacks of disgruntled hackers will be replaced by sustained, multi-year campaigns made possible by billion-dollar budgets and the involvement of a nation's top leaders. The phishing scams of Syrian hackers (which have gone so far as to infiltrate the emails of the White House) and the ongoing cyberespionage schemes of the Chinese

cybersecurity has been ratcheted up in national strategic importance, the generals are getting involved. If before, these generals counted the number of tanks, stealth bombers and nuclear warheads they had at their disposal, they now have a brand new way to measure their relative power:
Army (which are thought to have tapped into every important organization in New York and Washington) are just the start. Now that the number of computers capable of delivering lethal payloads. Already, you can see the impact of a global cyberweapons arms race at the highest diplomatic levels. Russia, growing ever more concerned about the new geopolitical balance of power made possible by the development of the Internet as a delivery mechanism for cyberattacks, just elevated cybersecurity to a major strategic concern. Russia is now partnering with the United States on a bilateral cybersecurity commission, even going so far as to install a Cold War-style telephone hotline between the two nations to avert a cyberwar. (This appears to be the suggestion of a Cold War general eager to get back into the game.) The upshot of the new global concern about cybersecurity is that the Kremlin just like the White House - is now working on a comprehensive cyber plan to outline exactly when and where it can attack enemy hacker combatants. Both countries are working on new Cyber Commands and appointing new Cyber Czars. From now on, its no longer about defense, its now all about going on t he offensive

GMU Debate [File Name]

against cybercombatants. And thats where things get dicey. At what point do these cyberattacks represent a military attack against a country? Vincent Manzo of The Atlantics Defense One recently analyzed the blurring line between what consti tues a cyberattack and a

As more of these high-tech cyberweapons begin to target a nations power grid, physical infrastructure, or telecommunications networks, things could get out of control, real fast. And dont say that we havent been warned. There have already been warnings of a digital Pearl Harbor
military attack. scenario in which an enemy state (or rogue non-state actor) could get its hands on the equivalent of computerized nukes and target the infrastructure, telecom networks or power grids in cities like New York or Washington. At that point, all the conventions of

international law likely go out the window, as the U.S. Army Cyber Command grapples with the reality of responding to a threat that it cant see from an Internet destination that may or may not be real from an enemy that may or may not be a rival nation-state. As Stanley Kubrick would

GMU Debate [File Name]

Separation of Powers
Unchecked presidential use of Offensive Cyber Operations undermines separation of powers Lorber 13
(Eric, J.D. Candidate, University of Pennsylvania Law School, Ph.D Candidate, Duke University Department of Political Science , EXECUTIVE WARMAKING AUTHORITY AND OFFENSIVE CYBER OPERATIONS: CAN EXISTING LEGISLATION SUCCESSFULLY CONSTRAIN PRESIDENTIAL POWER?, https://www.law.upenn.edu/live/files/1773-lorber15upajconstl9612013, Accessed 9-7-13)

legal strictures governing their use would provide policymakers and military planners a better sense of how to operate in cyberspace. 12 Second, the possible employment of these tools adds yet another wrinkle to the battle between the executive and legislative branches over war-making authority. 13 In particular, if neither the War Powers Resolution nor the Intelligence Authorization Act governs OCOs, the executive may be allowed to employ U.S. military power in a manner largely unchecked by congressional authority. 14 As a result, the employment of these tools implicatesand perhaps problematically shiftsthe balance between the executives commander-inchief power 15 and Congresss war-making authority.
Yet addressing these questions is increasingly important for two reasons. First, as states such as China, Israel, Russia, and the United States use these weapons now and likely will do so more in future conflicts, determining the domestic

GMU Debate [File Name]

***CON SIDE***

GMU Debate [File Name]

Congressional Solutions Fail

GMU Debate [File Name]

Interagency
Oversight fails- doesnt foster cooperation between the military and intelligence communities- causes interagency fights that undermine plan enforcement- thats Wall- a former legal adviser to special ops Interagency conflict undermines oversight Wall 11 (Andru E. Senior Associate for Alston & Bird LLP; former senior legal advisor for U.S. Special Operations Command Central
(2007-2009). Article: Demystifying the Title 10-Title 50 Debate: Distinguishing Military Operations, Intelligence Activities & Covert Action. Harvard National Security Journal, Vol 3. Pp. 105 -107, http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Wall1.pdf)
While the jurisdictions of the Senate and House intelligence committees are nearly identical, HPSCI exercises broader jurisdiction in two significant respects: HPSCI uses a much broader definition of intelligence activities and adds oversight of sources and methods.68 SSCI exercises jurisdiction over intelligence activities, while HPSCI exercises jurisdiction more broadly over intelligence and intelligence-related activities . . . including the tactical intelligence and intelligence-related activities of the Department of Defense.69 The House gives intelligence and intelligence-related activities this all-encompassing definition: [The] collection, analysis, production, dissemination, or use of information that relates to a foreign country, or a government, political group, party, military force, movement, or other association in a foreign country, and that relates to the defense, foreign policy, national security, or related policies of the United States and other activity in support of the collection, analysis, production, dissemination, or use of such information. 70 Thus, the House of Representatives via a rule change gave HPSCI oversight of intelligence-related activities including tactical intelligence and other military information collection activities for which congressional notification is not statutorily mandated. This would be understandable if HPSCI controlled authorizations for those military activities, but it does not. All authorizations

for these military activities originate in the House Armed Services Committee and House rules do not provide for their review by the intelligence committee . In fact, just the opposite occurs as all intelligence authorization bills passed by the intelligence committees must then clear the armed services committees before being considered by the full House. Intelligence committee oversight is weakened by the bifurcated authorization and appropriations processes. . Because most appropriations for intelligence activities are included as a classified section of the annual defense appropriations bill, the real control over the intelligence purse lies with the defense subcommittees of the House and Senate Appropriatio ns Committees. 71 The 9/11 Commission recognized how dysfunctional this arrangement is in practice and recommended the establishment of a single joint intelligence committee with authorizing and appropriating authorities.72 Congress, to its detriment, has not adopted this recommendation. Intelligence committee oversight is further weakened by the failure to enact an intelligence authorization bill for five of the past six years.
Title 50 prohibits the expenditure or obligation of appropriated funds on intelligence or intelligence-related activities unless these funds were specifically authorized by Congress for such activities. 73 Congress meets this specifically authorized provision through the use of a catch -all provision inserted into the defense appropriations acts. 74 Over the past 30 years, Congress enacted an intelligence authorization bill prior to the start of the fiscal year on just two occasions 1983 and 1989.

Congressional oversight fails- lack of interagency support Wall 11 (Andru E. Senior Associate for Alston & Bird LLP; former senior legal advisor for U.S. Special Operations Command Central
(2007-2009). Article: Demystifying the Title 10-Title 50 Debate: Distinguishing Military Operations, Intelligence Activities & Covert Action. Harvard National Security Journal, Vol 3. Pp. 141, http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Wall1.pdf) Congresss failure to provide necessary interagency authorities and budget authorizations threatens our ability to prevent and wage warfare. Congresss stubborn insistence that military and intelligence activities inhabit separate worlds casts a pall of illegitimacy over interagency support, as well as unconventional and cyber warfare. The U.S. military and intelligence agencies work together more closely than perhaps at any time in American history, yet Congressional oversight and statutory authorities sadly remain mired in an obsolete paradigm. After ten years of war, Congress still has not adopted critical recommendations made by the 9/11 Commission regarding congressional oversight of intelligence activities . Congresss stovepiped oversight sows confusion over statutory authorities and causes Executive Branch attorneys to waste countless hours distinguishing distinct lines of authority and funding. Our military and intelligence operatives work tirelessly to coordinate, synchronize, and integrate their efforts; they deserve interagency authorities and Congressional oversight that encourages and supports such integration.

GMU Debate [File Name]

Rollback
Oversight fails- congress provide guidance in urgent circumstances- also the person in charge with implementation might make mistakes such as misinterpreting attacs- statutory policy cant get compliance from the executive- thats Dycus President can circumvent reforms- empirics Lorber 13 [Eric, Upenn Law School; Duke University - Department of Political Science Executive Warmaking Authority and
Offensive Cyber Operations: Can Existing Legislation Successfully Constrain Presidential Power? http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2017036&download=yes Accessed 8/29/2013 DMW] Pg.1001
The lack

of congressional oversight of offensive cyber operations under the Intelligence Authorization Act also likely does not seriously shift the balance between congressional and executive war-making powers. The reason is inherent in the limitations of the legislation itself: the Intelligence Authorization Act specifies reporting requirements, but does not require the non-use or withdrawal of forces.234 Further, these reports must be made in a timely fashion (the definition of which is undefined) and only to a small number of Congressmen (at most eight ).235 Thus even if the President had to report offensive cyber operations to Congress, it is unclear he would have to do so in a way that gave Congress an effective check , as these reports would be made only to a small group of Congressmen (who would not be able to share the information, because of its classified nature, with other members of the legislature) and could be done well after the employment of these capabilities. The resulting picture is one of increased presidential flexibility ; the W ar P owers R esolution and the Intelligence Authorization Actwhile arguably ineffective in many circumstances provide increased congressional oversight of presidential war-making actions such as troop deployments and covert actions. Yet these statutes do not cover offensive cyber operations, giving the President an increasingly powerful foreign policy tool outside congressional reach.

Low threshold for circumvention Lorber 13 [Eric, Upenn Law School; Duke University - Department of Political Science Executive Warmaking Authority and
Offensive Cyber Operations: Can Existing Legislation Successfully Constrain Presidential Power? http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2017036&download=yes Accessed 8/29/2013 DMW] 999-1000 Despite falling into this category, however, such an offensive operation, for the reasons discussed above, likely satisfies the congressional test for a traditional military activity. First, because General Alexander is the commander of both CYBERCOM and the head of the N ational S ecurity A gency and because many of the personnel are dual-hatted at the respective organizations, any offensive cyber operation conducted independently of a kinetic assault will be commanded and executed by military personnel .230 Second, because the President can launch offensive cyber operations without congressional notification if they are in anticipation of hostilities,231 he also has great flexibility in deciding whether to report his activities. For example, if the President were to order the launch of a Stuxnet-style attack against Iran to degrade its
nuclear enrichment capability, such an activity wouldassuming it was done with the Secretary of Defenses consent necessarily constitute approval by the National Command Authority. In

the definition of operational planninganother element required in fulfilling the TMA exception to the definition of covert action is so broad , such an attack would likely fall within its purview . The President would simply argue that approval has been given for operational planning of future combat operations with Iran (which it almost certainly has in the U.S. military)232 and therefore the activity was taking place in the context where overt hostilities are anticipated. Indeed, only in a situation where no contingency planning has occurredsuch as with an ally or a country that the United States takes little interestwould this exception not apply. As a result, it becomes evident that even a Stuxnet-type of attack likely will not trigger the requirements set forth in the Intelligence Authorization Act. Given the dual-hatted nature of many NSA and CYBERCOM personnel, as well as the fact that action
addition, because approved by the President and the Secretary of Defense necessarily constitutes approval by the National Command Authority, all the executive branch must realistically show is that it undertook the

This hurdle is very low and the executive should have little problem clearing it. These limited requirements suggest that the executive can easily argue that offensive cyber operations conducted both as independent actions and in conjunction with kinetic operations likely fall under the Traditional Military Activity exception to the definition of covert action as provided by the Intelligence Authorization Act. As a result, the President is likely not statutorily required to report any offensive cyberattacks under the Act.
operation in a context where operational planning had occurred for potential hostilities at some undefined point in the future.

Congress doesnt have capabilities to ensure compliance or success Dycus 10 [Stephen, Professor, Vermont Law School. Congresss Role in Cyber Warfare JOURNAL OF NATIONAL SECURITY
LAW & POLICY [Vol. 4:155 2010] http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDUQFjAB&url=http%3A%2F%2Fjnslp.com%2Fwpcontent%2Fuploads%2F2010%2F08%2F11_Dycus.pdf&ei=-r8fUouoMizsQTGvIGoCw&usg=AFQjCNFeTSdaF_RrGhCVMDeCrO02XeCzGw&sig2=aXj04Yn_CPE493NHErRmOw&bvm=bv.51495398,d.c Wc&cad=rja Accessed 8/29/2013 DMW

GMU Debate [File Name] Congresss active role in the development and implementation of cyber warfare policy is no guarantee of national security . The policy might be flawed in various ways. There is also a risk that whatever policy is adopted will not be properly executed or that its execution will have unintended results. The policy might be misunderstood or might not provide clear or appropriate guidance in the urgent circumstances facing its interpreter. The person charged with implementing the policy might make a mistake for example, by interpreting a potential enemys electronic espionage as an attack. Available cyber weaponry might not work as planned. Or a purely defensive move by U.S. operators might be construed by another nation as offensive, and provoke an attack . Nor can the clearest policy, statutory or executive, guarantee compliance by an Executive determined to ignore it .71 The rules might be construed by the President in a way that reduces the importance of Congresss role. Or they might be challenged in court.

GMU Debate [File Name]

Capability Gap
Lack of skilled operators undermines cyber warfare- its a key driver of effectiveness- without resrouces operational changes will not be effective- thats GAO We dont have the personnel to adequately perform cyber operations. CSM - September 15, 2013 ("Cyber security: The new arms race for a new front line", Anna Mulrine, http://www.csmonitor.com/USA/Military/2013/0915/Cybersecurity-The-new-arms-race-for-a-new-front-line) kc

the plan to expand the cyber cadre has quickly raised concerns about how the services will find enough cyberwarriors to do the job and keep them from decamping for the high-paying private sector firms eager to recruit well-trained specialists with topsecret security clearances. Maj. Gen. Suzanne "Zan" Vautrinot, commander of Air Forces Cyber and of Air Force Network Operations at Lackland Air Force Base, Texas, offers a glimpse of the wide scope of Pentagon designs for cybersecurity. She cites congressional figures that indicate the military has 1,000 cyberwarriors who can operate at the highest level. But , she adds, "what we need is on the order of 20,000 or 30,000.... Cyber is foundational to everything we do, because everything you do in your mission is dependent on it."
These are complex talents, and

Demand of workers outpaces supply National Journal 13

(May 30, "You Call This an Army? The Terrifying Shortage of U.S. Cyberwarriors", http://www.nationaljournal.com/tech/you-call-thisan-army-the-terrifying-shortage-of-u-s-cyberwarriors-20130225, accessed 9/18/13) kc The U nited S tates doesn't have nearly enough people who can defend the country from digital intrusions . We know this, because cybersecurity professionals are part of a larger class of workers in science, technology, engineering, and math--and we don't have nearly enough of them, either. We're just two years into President Obama's decade-long plan to develop an army of STEM teachers. We're little more than one year from his request to Congress for money to retrain 2 million Americans for high-tech work (a request Republicans blocked). And it has been less than a month since the Pentagon said it needed to increase the U.S. Cyber Command's workforce by 300 percent--a tall order by any measure, but one that's grown even more urgent since the public learned of massive and sustained Chinese attempts at cyberespionage last month. Where are Cyber Command's new hires going to come from? Even with so many Americans out of work, it isn't as though there's a giant pool of cyber professionals tapping their feet, waiting to be plucked up by federal agencies and CEOs who've suddenly realized they're naked in cyberspace. In fact, over the next couple of years, the manpower deficit is only going to get worse as more companies come to grips with the scale of the danger. Demand for cyber labor is still far outstripping supply , Ron Sanders, a vice president at Booz
Allen Hamilton, told National Journal in a phone interview. "With each headline we read," he said, "the demand for skilled cyber professionals just increases."

Loosing war for talent USA Today 13 Sept. 18 (Report: Shortage of cyber experts may hinder government",
http://abcnews.go.com/Technology/story?id=8147774&page=1, accessed 9/18/13) kc U.S. federal government agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found. The study describes a fragmented federal cyber force, where no one is in charge of overall planning and government agencies are "on their own and sometimes working at cross purposes or in competition with one another." The report, scheduled to be released Wednesday, arrives in the wake of a series of cyberattacks this month that shut down some U.S. and South Korean government and financial websites. The recruiting and retention of cyber workers is hampered by a cumbersome hiring process , the failure to devise governmentwide certification standards, insufficient training and salaries, and a lack of an overall strategy for recruiting and retaining cyber workers , the study said. " You can't win the cyber war if you don't win the war for talent," said Max Stier, president of the Partnership for Public Service, a Washingtonbased advocacy group that works to improve government service. "If we don't have a federal work force capable of meeting the cyber challenge, all of the cyber czars and organizational efforts will be for naught."

Experts agree Reuters 12 (June 13, "Experts warn of shortage of U.S. cyber pros", by Jim Finkle & Noel Randewich,
http://www.reuters.com/article/2012/06/13/us-media-tech-summit-symantec-idUSBRE85B1E220120613, accessed 9/18/13) kc Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it difficult to protect corporate and government networks at a time when attacks are on the rise . Symantec Corp Chief Executive Enrique Salem told the Reuters Media and
(Reuters) Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals. "We

don't have enough security professionals and that's a big issue. What I would tell you is it's going to be a bigger issue from a national security perspective than people a prominent hacking expert who sits on the U.S. Department of Homeland Security Advisory Council, said that it was difficult to persuade talented people with technical skills to enter the field because it can be a thankless task. "If you really look at security, it's like trying to prove a negative. If you do security well, nobody comes and says 'good job.' You only get called when things go wrong." The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and
realize," he said on Tuesday. Jeff Moss,

GMU Debate [File Name]

espionage and failing to prevent the theft of valuable data. Moss, who goes by the hacker name "Dark Tangent," said that he

sees no end to the labor shortage. "None of the projections look positive," said Moss, who serves as chief security officer for ICANN, a group that helps run some of the Internet's infrastructure. "The numbers I've seen look like shortages in the 20,000s to 40,000s for years to come."

Government & private sector compete for labor. National Journal 13

(May 30, "You Call This an Army? The Terrifying Shortage of U.S. Cyberwarriors", http://www.nationaljournal.com/tech/you-call-thisan-army-the-terrifying-shortage-of-u-s-cyberwarriors-20130225, accessed 9/18/13) kc
In the (very) long run, those institutions will pay off. But right now? We

don't have enough cybersecurity professionals to make up for the deficits of the last five years, let alone meet the growing demands of the next five. At the pace we're training our digital soldiers, government and the private sector won't be working together to secure the country--they will be too busy fighting each other for what little manpower's coming out of the university system. And that's just as scary.

US has a skills gap. Hacksurfer - September 14, 2013 ("Cybersecurity Skills Shortage Across the Globe - And Everyone's Trying to Fix It",
http://www.hacksurfer.com/amplifications/279-cybersecurity-skills-shortage-across-the-globe-8212-and-everyone-8217-s-trying-to-fix-it, accessed 9/18/13) kc

Established players such as the U.S. are facing a massive skills gap as well, despite offering cybersecurity training programs that reward high achievers with key positions in the CIA and NSA for battling cybercrime. Although cybersecurity education will help in the long run, government and private organizations will also have to come up with short-term solutions to cybersecurity. And the race to fill that gap is
happening across the globe. - See more at: http://www.hacksurfer.com/amplifications/279-cybersecurity-skills-shortage-across-the-globe-8212-and-everyone-8217-s-trying-to-fixit#sthash.Dd79EsCC.dpuf

US cyber security experts lack skill due to labor shortage. Smart Brief 13 (June 13, "Is the cybersecurity talent shortage putting the U.S. at risk?", http://www.smartbrief.com/06/13/13/cybersecurity-talent-shortage-puttingus-risk-1#.UjpxL8ZJOAg, accessed 9/18/13) kc

The U.S. government is aggressively seeking to bolster its cyberdefenses, but experts warn that a severe talent shortage means hiring standards are much lower than they should be. Jeffrey Carr, founder of consultancy Taia Global, says the talent shortage helps explain how National Security Agency leaker Edward Snowden managed to get an intelligence job making six figures despite being a high-school dropout and failed Army Special Forces recruit. "They're competing heavily for anyone who can get a clearance and has computer skills," Carr said.

DOD Incapable of maintaining cyber ops GAO 11

(United States Government Accountability Office, July 2011, "DEFENSE DEPARTMENT CYBER EFFORTS DOD Faces Challenges In Its Cyber Activities", www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-049.pdf, Date Accessed: 8/28/13, MSN)
According to the 2006 National Military Strategy for Cyberspace Operations, military departments and certain agencies and commands should develop the capabilities necessary to conduct cyberspace operations, including consistently trained personnel, infrastructure, and organization structures. U.S. Strategic Commands Operational Concept for Cyberspace reported in 2008 that national security vulnerabilities inherent in cyberspace make it imperative that the United States develop the requisite capabilities, policy, and tactics, techniques, and procedures for employing offensive, defensive, and supporting operations to ensure freedom of action in cyberspace. In addition, a study commissioned by the Joint Staff and conducted by the Institute for Defense Analyses states that the key underlying drivers of effectiveness

in cyberspace are developing and deploying the right tools and building and sustaining an adequate cyber force of trained and certified people.55 Institute for Defense Analyses officials stated that unless DOD has adequate resources for cyber operations, organizational changes within the cyber domain will not be effective . DOD commands have identified capability gaps that hinder their ability to marshal resources to operate in the cyberspace domain. U.S. Strategic Command and other combatant commands highlighted their cyber capability gaps in their Integrated Priority Lists for fiscal years 2011- 2015.56 U.S. Strategic Command, which is
tasked with being the global synchronizer for cyber operations within DOD, identified in its Integrated Priority List for fiscal years 2011-2015 gaps and associated priorities in such areas as the need to be able to defend against known threats, detect or characterize evolving threats, and conduct exploitation and counter operations, as desired. U.S. Strategic Command listed cyberrelated gaps as its highest priority, emphasizing the need for and importance of resources to increase cyber capabilities. U.S. Pacific Command, U.S. Special Operations Command, and U.S. Joint

Forces Command have also reported cyber capability gaps involving lack of sufficient numbers of trained personnel to support their cyber operations and a need for additional cyber intelligence capabilities. U.S. Strategic Command has reported that the lack of cyber resources it identified has affected the commands ability to respond to requests for cyber capabilities from other combatant commands, particularly for fullspectrum cyberspace operations. It remains to be seen what effect the newly proposed U.S. Cyber
Command will have on this process, particularly with Joint Functional Component Command for Network Warfare and Joint Task ForceGlobal Network Operations being merged into one organization within the new U.S. Cyber Command. A need for more cyber planners and cyber-focused intelligence analysts

was a common theme during our meetings with officials at the combatant commands. Officials at several of the geographic combatant commands stated that without the proper planners and cyber-focused intelligence analysts, they lacked situational awareness of their networks and the ability to both plan cyber operations for their respective commands and request applicable

GMU Debate [File Name] support from U.S. Strategic Command. For example, cyber planners play a key part in the developmental process of a computer network attack operation.
U.S. Central Command officials stated that although most computer network attack operations are being conducted in its area of responsibility, it does not have a single full-time dedicated cyber planner to assist in the development of such operations. Because it lacks the appropriate trained personnel and dedicated career path, U.S. Central Command has redirected personnel with cyber expertise to act as temporary planners. This greatly affected the commands ability to match resources to, and plan for, all cyber-related functions. For example, a cyber planner within U.S. Central Command was borrowed from another career field, worked as a planner for a time, and then was reassigned to help resolve information technology issues at a help desk. Without a sufficient number of cyber planners in-theater,

combatant commands will continue to struggle with being able to plan cyber activities to assist in accomplishing the commanders mission objectives, and communicating their need for assistance to U.S. Strategic Command. The lack of skilled and highly trained cyber personnel presents challenges for many DOD components, and the lack of sufficient personnel prevents DOD components from fulfilling essential computer network operation activities

GMU Debate [File Name]

Flux
Regulating OCOs is impossible- infinitely changing field, other actors creates major problems for regulation since they are always chasing a moving target- thats Deibert Regulating OCOs is impossible- infinitely changing field, other actors Deibert and Rohozinzki 10 Ronald and Rafal are both professors in Political Science at the University of Toronto. Risking
Security: Policies and Paradoxes of Cyberspace Security International Political Sociology 2010 Pg 16 Wiley Second, and closely related, cyberspace is operated as a mix of public and private networks . Governance of cyberspace, like its architecture, is distributed, and does not take place within a singular forum or point of control (Dutton and Peltu 2007). Even the Internet Corporation for Assigned Names and Numbers (ICANN), that is most often associated with Internet governance issues, is only narrowly concerned with domain and routing management and not with the full panoply of cyberspace governance issues (Mueller 2002). There are instead numerous sites of cyberspace governance, from spectrum allocation to copyright and intellectual property regulation to content ltering and cyber-crime (among many others). Each of these sites involves numerous stakeholders, including governments, businesses, and civil society networks. In addition, private sector actors from multiple countries operate most of the core infrastructural components of cyberspace. What James Der Derian (2003) calls heteropolarity perhaps best characterizes the state of cyberspace governance. Third, unlike other domains, such as the sea, land, air, or space, cyberspace is a human-made domain in constant ux based on the ingenuity and participation of users themselves. One of the core design features of cyberspace is the end-toend principle, which allows for generative technologies to be introduced into cyberspace by end users as long as they conform to the basic protocols of interconnectivity (Saltzer, Reed, and Clark 1984). The latter introduces not only great variation and constant innovation, but also new and unforeseen security risks (Zittrain 2007). It also creates major problems for regulation, insofar as regulators are always chasing a moving target . In other words, cyberspace is a domain of constant transformation and a high degree of complexity. Fourth, cyberspace is comprised of both a material and a virtual realm a space of things and ideas, structure and content. Theorists and observers of cyberspace often focus on one of these elements to the exclusion or diminution of the other, but both are important and interdependent. Cyberspace is indeed a consensual hallucination as Gibson (1984) famously dened it, but one that could not exist without the
physical infrastructure that supports it. Attempts to control and monitor the virtual realm of cyberspace often begin with interventions in the physical infrastructure, at key Internet chokepoints (Deibert, Palfrey, Rohozinski, and Zittrain 2008). However, these efforts are never entirely comprehensive; once released into cyberspace, the distributed properties of the network help ideas

GMU Debate [File Name]

Info-sharing
Without info sharing between industry and government we are unprepared for an attack- its key- thats Ridge- the first secretary to Homeland security Regulation fails- info sharing is key Ridge - September 11, 2013 (Tom - Pres & CEO of Ridge Global & First Secretary to Dept of Homeland Security, Senate Homeland
Security & Governmental Affairs Committee: The Department of Homeland Security at 10 Years: Examining Challenges and Achievements and Addressing Emerging Threats - Testimony) kc But if we know that NationStates and terrorist groups are probing and attacking the systems of our critical infrastructure operators, doesnt government have a responsibility to work with the private sector owners? And if government and private sector owner-operators are not collaborating, how will we determine the source of an attack or determine the proper course of action to take in a timely manner? The game has changed. A 20th Century regulatory model simply will not work to combat this 21st Century threat. It requires both government and industry leaders to think anew. We need to support agile paradigms based on information sharing and public-private partnership.
I know that some members favor a prescriptive approach to cyber security because of the legitimate concern that critical infrastructure will be impacted.

Plan doesnt prepare us for attack info sharing key. Ridge - September 11, 2013 (Tom - Pres & CEO of Ridge Global & First Secretary to Dept of Homeland Security, Senate Homeland
Security & Governmental Affairs Committee: The Department of Homeland Security at 10 Years: Examining Challenges and Achievements and Addressing Emerging Threats - Testimony) kc
At the end of the day, if

we are not prepared to enable government and critical industries to share information and coordinate to prevent major cyber attacks and incursions, we will also be unprepared to respond together and to be resilient if and when attacks occur. In this sense, we are just as vulnerable to experience a Cyber Katrinathat is, experience a disaster on top of a disasteras we are to realize a Cyber Pearl Harbor. Information sharing and public-private partnerships must be foundational to our national cyber security and resilience efforts. I applaud the President for issuing his Executive Order on Cybersecurity and for pursuing, through NIST, a public-private framework. This is a positive and important step.
But I would caution against leveraging this process as merely a path toward prescriptive mandates.

GMU Debate [File Name]

No First Use
NFU fails- not enough to change countries actions in the near term to deter them from actions they deem vital- thats Lewis- senior fellow of Technology and public policy at CSIS Opponents dont follow international law LEWIS 13 [JAMES ANDREW is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining
CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago. a report of the technology and public policy program Conflict and Negotiation in Cyberspace, Accessed 9/2/2013 DMW
Perhaps more important, some of the new classes of opponents

that America faces do not seem greatly interested in observing any restriction on civilian targets. The logic of jihadis allows them to strike targets that would, under Western practice, be considered prohibited. They would justify these actions on the grounds that Western military actions cause indiscriminate civilian casualties among Muslim populations or that or that there is a religious sanction for attacking unbelievers. Other potential opponents, such as Iran and North Korea, have never shown any hesitation in attacking civilian targets once they have concluded that it serves their self-interest to do so. It is not even clear that some classes of opponents accept the validity of international law on the use of force or are aware of its existence. In these circumstances, a policy of identifying certain classes of targets as sanctuaries is an invitation to cheat. A review of Soviet planning in the Cold War show that it targeted Western European power grids, telecommunications services, transportation hubs, fuel pipelines, and government centers for strikes Including the use of WMD) on the opening day of any conflict . Publicly available docu- ments on current Russian military doctrine suggest this has not changed. Chinese military doc- trine is similar in considering civilian targets as legitimate. Whether either country (or any other nation possessing such capabilities) would choose to attack infrastructure is a different question whose answer would depend on circumstances
and the course of military action, no opponent is likely to renounce the possibility of such attacks.

Makes no sense- not extreme weapon LEWIS 13 [JAMES ANDREW is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining
CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago. a report of the technology and public policy program Conflict and Negotiation in Cyberspace, Accessed 9/2/2013 DMW No first use makes little sense when it is taken out of the nuclear context. Nuclear weapons are so devastating that they justify additional constraints on their use that go beyond those found in international law. The central existing constraint is that the use of for force is justified only in self-defense (to preserve territorial integrity or political independence) or when authorized by the UN Security Council in the interest of international peace. If cyberattack is really a conven- tional weapon not much different from artillery or aircraft, if its use does not produce horror and devastation, it is reasonable to reject the idea that a special constraint like no first use goes beyond existing international law is necessary or helpful . Existing international law on armed conflict governs and restricts the use of military force against civilian targets. It does not provide for sanctuaries where force is banned. This is a pragmatic acknowledgment of the realities of combat. Civilian targets can be attacked if there is an overriding military necessity (in the judgment of commanders) and if due concern is taken to minimize harm to civilians (through proportionality and discrimination). Identification of a particular target set as a sanctuary faces the risk that an opponent will exploit this for military advantage.

NFU Fails- no trust LEWIS 13 [JAMES ANDREW is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining
CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago. a report of the technology and public policy program Conflict and Negotiation in Cyberspace, Accessed 9/2/2013 DMW Comparisons between cyberattack and nuclear strategy are too imprecise to be of much use cyberattacks and nuclear weapons are not the same.37 But parallels between nuclear and cyber exist in narrow circumstances. One similarity involves the growing discussion of disarmament. No first use, for example, is an inheritance from the nuclear debates. The intent of no first use is to increase stability by reducing the risk that an opponent may misinterpret actions as a first strike and react in what they think is a preemptive fas hion. No first use depends on the ability to trust an opponents pledge, reinforced by the international opprobrium that violating such a pledge would bring. Unfortunately, while Americas likely opponents do not enjoy international opprobrium, it is not enough to change their actions in the near term or deter them from a course of action they deem vital. When a nation routinely engages in violations of human rights or support for oppres- sive regimes, this does not signal a great concern for the opinion of the international community. Nor does an unwillingness to accept national responsibilities in accordance with law and practice to control criminals resident on a national territory (because they are in fact proxy forces) build confidence in observance of a no-first-use pledge. No first use is also a diplomatic ploy used in the past to constrain perceived areas of U.S.

GMU Debate [File Name] mili- tary advantage . China and Russia both used this ploy during the Cold War. Countries calculate that a no first use p ledge costs them less in terms of military advantage than it costs the United States, particularly if they do not intend to abide by that pledge.

GMU Debate [File Name]

Cyber Proliferation

GMU Debate [File Name]

Markets
Preventing cyber prolif is impossible- commercial availability and easily acquired skills- thats Lewis- senior fellow and director of tech and public policy at CSIS Plan cant check private market Gjelten 13 [Tom is a correspondent for NPR. First Strike: US Cyber Warriors Seize the Offensive
http://www.worldaffairsjournal.org/article/first-strike-us-cyber-warriors-seize-offensive Accessed 8/27/2013 DMW] market for back-door exploits has been boosted in large part by the burgeoning demand from militaries eager to develop their cyber warfighting capabilities. The designers of the Stuxnet code cleared a path into Iranian computers through the use of four or five separate zero-day vulnerabilities, an achievement that impressed security researchers around the world. The next Stuxnet would require the use of additional vulnerabilities. If the president asks the US military to launch a cyber operation in Iran tomorrow, its not the time to start looking for exploits, says Christopher Soghoian, a Washington-based
In most cases, these are governments. The cybersecurity researcher. They need to have the exploits ready to go. And you may not know what kind of computer your target uses until you get there. You need a whole arsenal [of

National Security Agencybuying through defense contractorsmay well be the biggest customer in the vulnerability market, largely because it pays handsomely. The US militarys dominant presence in the market means that other possible purchasers cannot match the militarys price . Instead of telling Google or Mozilla about a flaw and getting a bounty for two thousand dollars, researchers will sell it to a defense contractor like Raytheon or SAIC and get a hundred thousand for it, says Soghoian, now the principal technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union and a prominent critic of the zero-day market. Those companies will then turn around and sell the vulnerability upstream to the NSA or another defense agency. They will outbid Google every time. The government customers may be intelligence or law enforcement agencies who need to know about software vulnerabilities in order to hack into the computers and phones of suspected criminals or intelligence targets. Private companies who have been repeatedly penetrated and are looking to retaliate may also be customers . The vulnerability market has developed to such a point that entire security companies are now devoting themselves exclusively to the discovery and sale of these exploits. Some deal strictly with US government agencies or the defense contractors that act on their behalf, but other companies (and individuals) deal with foreign buyers as well. Perhaps the most prominent is Vupen, a French security firm that sells exploits to a variety of governments. According to the Vupen website, the company sees itself as the leading source of advanced vulnerability research . It describes its role as providing government-grade exploits specifically
vulnerabilities] ready to go in order to cover every possible configuration you may meet. Not surprisingly, the designed for the intelligence community and national security agencies to help them achieve their offensive cyber security an d lawful intercept missions....Our offensive and exclusive exploits take advantage of undisclosed zero-day vulnerabilities discovered by Vupen researchers and bypass all modern security protections. Vupen executives note that they do business only with government agencies, not private buyers, and that the company has chosen to comply with European and international regulations restricting technology exports (emphasis added). They say they will not do business in countries subject to US or international sanctions. But the idea of a private company openly boasting of its business record selling hacker secrets and bypassing security protections seems odd at a time when so much of the cybersecurity community is focused on defending computer networks and boosting security protections. And the

companys hint that its compliance with international standards is voluntary, not required, underscores the possibility that other dealers in the shadowy vulnerability market may be willing to sell to more questionable clients.

Private trade can trigger arms race Gjelten 13 [Tom is a correspondent for NPR. First Strike: US Cyber Warriors Seize the Offensive
http://www.worldaffairsjournal.org/article/first-strike-us-cyber-warriors-seize-offensive Accessed 8/27/2013 DMW] O ffensive o perations in cyberspace have expanded so rapidly in recent years that legal, regulatory, and ethical analyses have not kept up. The development of the zero-day market, the inclination of some private companies to mimic the Pentagon by going on the offense rather than continuing to depend on defensive measures to protect data, the design and development of cyberweapons, and the governmental use of such weapons against unsuspecting targets all raise serious and interesting questions, and the answers are far from obvious. Given the destructive use to which they could be put, the lack of transparency in the buying and selling of zero-days may be problematic. The consequence could be the development of a global cyber arms bazaar , where criminals or terrorist groups could potentially find tools to use. The US government regulates the export of sensitive technologies out of a fear that adversaries could use them in a way hostile to US interests, but whether such restrictions apply to the sale of zero-day vulnerabilities is not entirely clear . Current law restricts the export of encryption commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting, or otherwise impairing the use of cyber infrastructure or networks. Does that language cover the possibility that some researcher or broker may try to sell a back-door exploit, or even a cyberweapon, to a foreign agent who could put it to destructive use? I think it does cover the export of some kinds of cyberweapons, says Washington lawyer Roszel Thomsen, who helped write the regulations and specializes in export control law. But other specialists are not convinced . There is also the legal question of whether private firms who have been subject to cyber attacks can legally strike back against attackers who penetrate their networks and steal their data. Steven Chabinsky, formerly the top cyber lawyer at the FBI, argues that if a company can identify the server from which a cyber attack originated, it should be able to hack into that server to delete or retrieve its stolen data. It is universally accepted that in the physical world you have the right to protect your property without first going to law enfo rcement, Chabinsky
argued at a recent cyber symposium. Other computer consultants have a different view. I get asked this all the time, said Richard Bejtlich, chief security officer at Mandiant, a prominent cybersecurity firm, speaking at the Air Forces CyberFutures conference. People in hacked companies want to hit back. We want to go get these guys, they tell us. But almost always, our lawyers say, Absolutely not.

Federal government has no control over private sector Spade 12 (Colonel Jayson M. Spade- United States Army, "CHINAS CYBER POWER AND AMERICAS NATIONAL SECURITY"
US Army War College, May 2012, www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-072.pdf date accessed: 8/16/13) TM

GMU Debate [File Name] The federal government works with defense industries to implement additional safeguards, as part of contracted work, but has not mandated requirements for private sector cyber defense.163 In a speech announcing the updated CNCI, President Obama stated that the government would not attempt to regulate cyber security for private companies, opting instead to work through public and private sector partnerships. 164 Nascent
partnerships such as the Enduring Security Framework, where executive officers and technology officers for information technology and defense companies meet with DHS and DOD, are the governments primary method for encouraging better national cyber defense.165

Prolif inevitable- market access LEWIS 13 [JAMES ANDREW is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining
CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago. a report of the technology and public policy program Conflict and Negotiation in Cyberspace, Accessed 9/2/2013 DMW the proliferation of cyber weapons a useful strategy to reduce risk. Widespread commercial availability undercuts any effort at control . Cyberattacks use widely available commercial productsroughly 400 million desktops and notebook computers were produced in 2001, for example, and estimates place the number of such machines produced since 2004 at over 2.3 billion.38 Software coding skills are ubiquitous and easily acquired, and many of the tools available for legitimate network analysis and administration can be used for attack pur- poses. While it might be possible to close down the flourishing back market in cyber exploits and criminal software, these are not the source of the most advanced techniques. Cyber exploitation techniques are also widely and routinely used in criminal and espionage activities, and the line between a penetration for the purposes of exfiltrating information and a penetration for disruption network services and data is very thin. The notion of calling for an end to espionage is laughable, and since espionage will continue, nations will have access to the tools needed for certain kinds of cyberattack. The widespread availability of commercial products and software makes the idea of banning cyber weapons suspect and impossible to define in a mean- ingful way. Specific code like that used in Stuxnet could be called a weapon, but the components and precursors for the weapon are so widely available in legitimate markets around the globe that any ban could
Nor is the idea of preventing be easily circumvented.

GMU Debate [File Name]

No Model
No modeling- doesnt apply to cyber space in which duplication is instantaneous- if the international community could enforce such norms its could have done a great many other- this world does not existthats Libicki- a senior management scientist at RAND Cyberweapons are inev- norm setting is utopian James Lewis 12, Director of the Technology and Public Policy Program at the Center for Strategic and International Studies, Benefits
Are Great, and the Risks Exist Anyway, Oct 17, NYT, http://www.nytimes.com/roomfordebate/2012/06/04/do -cyberattacks-on-iranmake-us-vulnerable-12/benefits-are-great-and-the-risks-exist-anyway Nor do cyberattacks against Iran increase the risk of damaging cyberattacks against the U nited States. It is true that we are defenseless; efforts to make us safer are hamstrung by self-interest, ideology and the gridlock of American politics. But we are no more vulnerable today than we were the day before the news. If someone decides to attack us, they may cite Iran as precedent, but it will only be to justify a decision they had already made. We could ask whether the United States creates more problems for itself when it makes public a new weapon while potential opponents keep it secret. Four other countries can launch sophisticated and damaging cyber attacks -- including China and Russia -- and plan to use them in warfare. Another 30 nations are acquiring cyber weapons, including Iran and North Korea. There is a very old argument for disarmament that holds that if the U nited States were to renounce some weapons -- usually nuclear weapons -- the world would be a better place. This utopianism has a revered place in American political thinking, but when humans invent weapons they rarely give them up, especially useful weapons whose components are easy to acquire. Cyberattack is now part of warfare , no different from
any other weapon. The publicity around Stuxnet may complicate U.S. efforts to get international rules for the use of cyberattack, but the White House decided that tampering with Irans nuclear program was more important than possible risk to slow-moving negotiations.

Pandoras box has already been opened- cyber-war inevitable Mikko Hypponen 12, an authority on cybercrime and one of Foreign Policys Top 100 Global Thinkers, is the chief research officer
at F-Secure Corporation, A Pandoras Box We Will Regret Opening, June 5, NYT, http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12/a-pandoras-box-we-will-regretopening
If somebody would have told me five years ago that by 2012 it would be commonplace for countries to launch cyberattacks against each other, I would not have believed it. If somebody would have told me that a Western government would be using cybersabotage to attack the nuclear program of another government, I would have thought that's a Hollywood movie plot. Yet, that's exactly what's happening, for real. Cyberattacks have several advantages over traditional espionage or sabotage. Cyber attacks are

effective, cheap and deniable . This is why governments like them. In fact, if Obama administration officials would not have leaked the confirmation that the U.S. government (together with the Israelis) was behind Stuxnet, we probably would have never known for sure. In that sense, it's a bit surprising that the U.S. government seems to have taken the credit - and the blame - for Stuxnet. Why did they do it? The most obvious answer seems to be that it's an election year and the voters like to see the president as taking on adversaries like Iran. But we don't really know. The downside for owning up to cyberattacks is that other governments can now feel free to do the same. And the United States has the most to lose from attacks like these. No other country has so much of its economy linked to the online world. Other
governments are already on the move. The

game is on, and I don't think there's anything we could do to stop it any more. International espionage has already gone digital. Any future real-world crisis will have cyberelements in play as well. So will any future war. The cyberarms race has now officially started. And nobody seems to know where it will take us. By launching Stuxnet, American officials opened Pandora's box. T hey will most likely end up regretting this decision.

Cant stop cyberweapons- incentives to use are too high Dr. Paul Kaminski 13, Chairman of the Defense Science Board Task Force on Resilient Military Systems & PhD from Stanford,
Department of Defense Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, January, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf There is no single silver bullet to solve the threat posed by cyber-attack or warfare. Solving this problem is analogous to previous complex national security and military strategy
developments including counter U-boat strategy in WWII, nuclear deterrence in the Cold War , commercial air travel safety and countering IEDs in the Global War on terrorism . The risks involved with these challenges were never driven to zero, but through broad systems engineering of a spectrum of techniques, the challenges were successfully contained and managed. There are several characteristics of the cyber challenge that collectively thwart our

DoDs comprehensive dependence on this vulnerable technology is a magnet to U.S. opponents. DoDs dependency is not going to be reduced and will continue to grow. Thus, the adversary is not going away and their attraction to this weakness will increase. This adversarial persistence yields a never-ending challenge. Secondly, there are no technical approaches that will comprehensively protect DoD against a
attempts to discover a closed-form solution to this national security issue. First, determined adversary. DoDs diligent work over decades attempting to drive inherent vulnerability out of these systems and co mponents has resulted in some progress, although DoD has barely begun to address the daunting problem of operationally introduced vulnerabilities into systems which is compounded by the large dependence on the global supply chain. In the face of the evolving cyber threat, DoD must recognize the limits to vulnerability reduction and the effectiveness of protection mechanisms and move to employ the threshold of good enough and work to reduc e overall risk by managing all three risk parameters from a systems perspective. Third, while there are many tests to demonstrate the vulnerability or weakness in a system, there will never be a test that demonstrates or prov es the security of a system. This fact reinforces the need to seek good enough and the enduring existence

, because the opponents advantage in exploiting/compromising /attacking DoDs information technology is substantial (game they will be highly motivated in their pursuit, innovative in their approach, and adaptive to U.S. strategy. The adversary gets a vote and this brings us back to the never-ending challenge. (However, they have many of the same risks to their systems).
of residual uncertainty. Finally changing),

GMU Debate [File Name]

US cant solve modeling- no norms are followed Libicki 9 (Martin, Senior Management Scientist at the RAND Corporation, "Cyberdeterrence and Cyberwar",
http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf)
Historically, arms

control has always gone hand in hand with deter- rence and crisis stability, but it would be difficult to be optimistic about its prospects in cyberspace. A good deal depends on what one means by arms control. If the model were to be something like the treaties signed between the United StatesNATO and the
Soviet Union Warsaw Pact, which limited certain classes of weapons and banned others, there is little basis for hope. 1 If, instead, the goal were a framework of international agreements and norms that could raise the diffi- culty of certain types of cyberattacks, some progress can be made. Why is it nearly impossible to limit or ban cyberweapons? First, although

the purpose of limiting arms is to put an inventory-based lid on how much damage they can do in a crisis, such a consideration is irrelevant in a medium in which duplication is instantaneous . 2 Second, banning attack methods is akin to banishing how-to information, which is inherently impossible (like making advanced mathematics illegal). The same holds for banning knowledge about vulnerabilities. Third, banning attack code is next to impossible . Such code has many legitimate purposes, not least of which is in building defenses against attack from others. These others include individuals and nonstate actors, so the argument that one does not need defenses because offenses have been outlawed is unconvincing . In many, per- haps most cases, such attack code is useful for espionage, an activity that has yet to be banned by treaty. Furthermore, finding such code is a hopeless quest . The worlds information storage capacity is immense; much of it is legitimately encrypted; and besides, bad code does not emi t telltale odors. If an enforcement entity could search out, read, and decrypt the entire database of the world, it would doubtless find far more interesting material than malware. Exhuming digital informa- tion from everyone elses systems is hard enough when the authorities with arrest powers try it; it may be virtually impossible when ou tsiders try.
The only barely feasible approach is to ban the activity of writing attack code, then hope that the fear of being betrayed by an insider who goes running to international authorities prevents governments from organizing small groups of elite hackers from engaging in such nefarious activities. If

the international community had the manpower and access to enforce such norms, it could probably enforce a great many other, and more immediately practical, norms (e.g., against cor- ruption). Such a world does not exist.

GMU Debate [File Name]

Cyberwar

GMU Debate [File Name]

No Risk
No impact to cyber attacks- they overestimate the risks- years after Stutnex we have seen no similar attacksalso the only countries that can have no incentive to attack due to interdependence and well as the threat of retaliation- thats Birch Impact would be small and temporary Gartzke 12 (Erik, Associate Professor in Political Science at UC-San Diego. The Myth of Cyberwar Page 15-16 12-7-12
http://dss.ucsd.edu/~egartzke/papers/cyberwar_12062012.pdf
Beyond questions of means and motive, two basic features make cyber warfare di erent from other types of con ict.

First, the bulk of damage contemplated by cyberwar is in all likelihood temporary . The assumption among many cyber-pessimists that the potential for creating harm is sufficient to make cyber space a suitable substitute for, or at least an alternative to, terrestrial conflict is simply incorrect . Shutting down the power grid, or preventing communication could be tremendously costly, but most such damage can be corrected quickly and with comparatively modest investment of tangible resources. Regardless, damage of this type is sunk. Losses experienced over a given time interval cannot be recovered whatever one's reactions and so should not have much direct impact on subsequent policy behavior. Harm inflicted over the internet or through any other medium will matter politically when it involves changes to the subsequent balance of power, or when it indicates enemy capabilities that must be taken into account in future plans. Precisely because cyberwar does not involve bombing cities or devastating armored columns, the damage inflicted will have a short-term impact on targets.10 To accomplish meaningful objectives, cyber attacks must contribute
to other aspects of a more conventional war e ort. In order to a ect the long-term balance-of-power, for instance, cyberwar must be joined to other, more traditional, forms of war.

Countries wont use them Thomas P.M. Barnett 13, special assistant for strategic futures in the U.S. Defense Department's Office of Force Transformation from
2001 to 2003, is chief analyst for Wikistrat, March/April 2013, Think Again: The Pentagon, Foreign Policy, http://www.foreignpolicy.com/articles/2013/03/04/the_pentagon?page=full As for cyber serving as a stand-alone war-fifighting domain, there you'll find the debates no less theological in their intensity. After serving as senior managing director for half a dozen years at a software firm that specializes in securing supply chains, I'm deeply skeptical . Given the uncontrollable nature of cyberweapons (see: Stuxnet's many permutations), I view them as the 21st century's version of chemical weapons -- nice to have, but hard to use . Another way to look at it is to simply call a spade a spade: Cyberwarfare is nothing more than espionage and sabotage updated for the digital era. Whatever cyberwar turns out to be in the national security realm, it will always be dwarfed by the industrial variants -- think cyberthieves, not cyberwarriors. But you wouldn't know it from the panicky warnings from former Defense Secretary Leon Panetta and the generals about the imminent threat of a "cyber Pearl Harbor." Please remember amid all this frenetic scaremongering that the Pentagon is never
more frightened about our collective future than when it's desperately uncertain about its own. Given the rising health-care costs associated with America's aging population and the never-ending dysfunction in Washington, we should expect to be bombarded with frightening scenarios of planetary doom for the next decade or two. None lethality. But you won't hear that from the next-warriors on the Potomac.

of this bureaucratic chattering will bear any resemblance to global trends, which demonstrate that wars have grown increasingly infrequent , shorter in duration, and diminished in

Best evidence says no impact Colin S. Gray 13, Prof. of International Politics and Strategic Studies @ the University of Reading and External Researcher @ the
Strategic Studies Institute @ the U.S. Army War College, April, Making Strategic Sense of Cyber Power: Why the Sky Is Not Falling, U.S. Army War College Press, http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1147.pdf
CONCLUSIONS AND RECOMMENDATIONS: THE SKY IS NOT FALLING This analysis has sought to explore, identify, and explain the strategic meaning of cyber power. The organizing and thematic question that has shaped and driven the inquiry has been So what? Today we all do cyber, but th is behavior usually has not been much informed by an understanding that reaches beyond the tactical and technical. I have endeavored to analyze in strategic terms what is on offer from the largely technical and tactical literature on cyber. What can or might be done and how to go about doing it are vitally important bodies of knowledge. But at least as important is understanding what cyber, as a fifth domain of warfare, brings to national security when it is considered strategically. Military history is stocked abundantly with examples of tactical behavior un - guided by any credible semblance of strategy. This inquiry has not been a campaign to reveal what cy ber can and might do; a large literature already exists that claims fairly convincingly to explain how to . . . But what does cyber power mean, and how does it fit strategically, if it does? These Conclusions and Rec ommendations offer some understanding of this fifth geography of war in terms that make sense to this strategist, at least. 1. Cyber can only be an enabler of physical effort. Stand-alone (popularly misnamed as strategic) cyber action is inherently grossly limited by its immateriality . The physicality of conflict with cybers human participants and mechanical artifacts has not been a passing phase in our species strategic history. Cyber action, quite independent of action on land, at sea, in the air, and in orbital space,

strategic logic of such behavior, keyed to anticipated success in tactical achievement, is not promising. To date, What if . . . speculation about strategic cyber attack usually is either contextually too light, or, more often, contextually unpersuasive . 49 However, this is not a great strategic truth,
certainly is possible. But the though it is a judgment advanced with considerable confidence. Although societies could, of cour se, be hurt by cyber action, it is important not to lose touch with the fact, in Libickis apposite words, that [i]n

the absence of physical combat, cyber war cannot lead to the occupation of territory. It is almost inconceivable that a sufficiently vigorous cyber war can overthrow the adversarys government and replace it with a more pliable one. 50 In the same way that the
concepts of sea war, air war, and space war are fundamentally unsound, so also the idea of cyber war is unpersuasive. It is not impossible, but then, neither is war conducted only at sea, or in the air, or in space. On the one hand, cyber war may seem more probable than like environmentally independent action at sea or in the air. After all, cyber

warfare would be very unlikely to harm human beings directly, let alone damage physically the machines on which they depend. These near-facts (cyber attack might cause
socially critical machines to behave in a rogue manner with damaging physical consequences) might seem to ren - der cyber a safer zone of belligerent engagement than would physically violent

GMU Debate [File Name]

action in other domains. But most likely there

would be serious uncertainties pertaining to the consequences of cyber action, which must include the possibility of escalation into other domains of conflict. Despite popular assertions to the contrary, cyber is not likely to prove a precision weapon anytime soon. 51 In addition, assuming that the political and strategic contexts for cyber war were as serious as surely they would need to be to trigger events warranting plausible labeling as cyber war, the distinctly limited harm likely to follow from cyber assault would hardly appeal as prospectively effective coercive moves. On
balance, it is most probable that cybers strategic future in war will be as a contribut - ing enabler of effectiveness of physical efforts in the other four geographies of conflict. Speculation about cyber war, defined strictly as hostile action by net - worked computers against networked computers, is hugely unconvincing. 2. Cyber

defense is difficult, but should be sufficiently effective. The structural advantages of the offense in cyber conflict are as obvious as they are easy to overstate . Penetration and exploitation, or even attack, would need to be by surprise. It can be swift almost beyond the imagination of those encultured by the traditional demands of physical combat. Cyber attack may be so
stealthy that it escapes notice for a long while, or it might wreak digital havoc by com - plete surprise. And need one emphasize, that at least for a while, hostile cyber action is likely to be hard (though not quite impossible) to attribute with a cy - berized equivalent to a smoking gun. Once one is in the realm of the catastrophic What if . . . , the world is indeed a f rightening place. On a personal note, this defense analyst was for some years exposed to highly speculative briefings that hypothesized how unques - tionably cunning plans for nuclear attack could so promptly disable the United States as a functioning state that our nuclear retaliation would likely be still - born. I should hardly need to add that the briefers of these Scary Scenarios were obliged to make a series of Heroic Assumptions. The

literature of cyber scare is more than mildly reminiscent of the nuclear attack stories with which I was assailed in the 1970s and 1980s. As one may observe regarding what Winston Churchill wrote of the disaster that was the Gallipoli campaign of 1915, [t]he terrible Ifs accumulate. 52 Of course, there
are dangers in the cyber domain. Not only are there cyber-competent competitors and enemies abroad; there are also Americans who make mistakes in cyber operation. Furthermore, there are the manufacturers and constructors of the physical artifacts behind (or in, depending upon the preferred definition) cyber - space who assuredly err in this and that detail. The

more sophisticatedusually meaning complexthe code for cyber, the more certain must it be that mistakes both lurk in the program and will be made in digital communication. What I have just outlined minimally is not a reluc - tant admission of the fallibility of cyber, but rather a statement of what is obvious and should
be anticipat - ed about people and material in a domain of war. All human activities are more or less harassed by friction and carry with them some risk of failure, great or small. A strategist who has read Clausewitz, especially Book One of On War , 53 will know this. Alternatively, anyone who skims my summary version of the general theory of strategy will note that Dictum 14 states explicitly that Strategy is more difficult to devise and execute than are policy, operations, and tactics: friction of all k inds comprise phenomena inseparable from the mak - ing and execution of strategies. 54 Because of its often widely distributed character, the physical infrastruc - ture of an enemys cyber power is typically, though not invariably, an impracticable target set for physical assault. Happily, this probable fact should have only annoying consequences. The discretionary nature and therefore the variable possible characters feasible for friendly cyberspace(s), mean that the more danger - ous potential vulnerabilities that in theory could be the condition of our cyber-dependency ought to be avoidable at best, or bearable and survivable at worst. Libicki offers forthright advice on this aspect of the subject that deserves to be taken at face value: [T]here is no inherent reason that improving informa - tion technologies should lead to a rise in the amount of critical information in existence (for example, the names of every secret agent). Really critical information should never see a computer; if it sees a computer, it should not be one that is networked; and if the computer is networked, it should be air-gapped. Cyber

defense admittedly is difficult to do, but so is cyber offense. To quote Libicki yet again, [i]n this medium

[cyberspace] the best defense is not necessarily a good offense; it is usually a good defense. 56 Unlike the geostrategic co ntext for nuclear-framed competition in U.S.Soviet/Russian rivalry, the

geographical domain of cyberspace definitely is defensible. Even when the enemy is both clever and lucky, it will be our own design and operating fault if he is able to do
more than disrupt and irritate us temporarily. When cyber is contextually regarded properly which means first, in particular, when it is viewed as but the latest military domain for defense planningit should be plain to see that cyber performance needs to be good enough rather than perfect. 57 Our Landpower, systems also will have

sea power, air power, and prospectively our space to be capable of accepting combat damage and loss, then recovering and carrying on. There is no fundamental reason that less should be demanded of our cyber power. Second, given that cyber is not of a nature or potential character at all likely to parallel nuclear dangers in the menace it could
con - tain, we should anticipate international cyber rivalry to follow the competitive dynamic path already fol - lowed in the other domains in the past. Because the digital age is so young, the pace of technical change and tactical invention can be startling. However, the mechanization RMA of the 1920s and 1930s recorded reaction to the new science and technology of the time that is reminiscent of the cyber alarmism that has flour - ished of recent years. 58 We

can be confident that cyber defense should be able to function well enough , given the strength of political, military, and commercial motivation for it to do so. The technical context here is a medium that is a constructed one, which
provides air-gapping options for choice regarding the extent of networking. Naturally, a price is paid in convenience for some closing off of possible cyberspace(s), but all important defense decisions involve choice, so what is novel about that? There is nothing new about accepting some limitations on utility as a price worth paying for security. 3. Intelligence is critically important, but informa - tion should not be overvalued. The strategic history of cyber over the past decade confirms what we could know already from the science and technology of this new domain for conflict. Specifically,

cyber power is not technically forgiving of user error. Cyber warriors seeking criminal or military benefit require precise information if their intended exploits are to succeed. Lucky guesses should not stumble upon passwords, while efforts to disrupt electronic Supervisory Con - trol and Data Acquisition (SCADA) systems ought to be unable to achieve widespread harmful effects. But obviously there are practical limits to the air-gap op - tion, given that control (and command) systems need to be networks for communication. However, Internet connection needs to be treated as a potential source of serious danger. It is one thing to be able to be an electronic nuisance, to annoy, disrupt, and perhaps delay. But it is quite another to be capable of inflicting real persisting harm on the fighting power of an enemy. Critically important military computer networks are, of course, accessible neither to the inspired amateur outsider, nor to the malignant political enemy. Easy passing reference to a hypothetical cyber Pearl Harbor reflects both poor history and ignorance of contemporary military common sense. Critical potential military (and other) targets for cyber attack are extremely hard to access and influence (I believe and certainly hope), and the technical knowledge, skills, and effort required to do serious harm to national security is forbiddingly high. This is not to claim, foolishly, that cyber means absolutely could not secure near-catastrophic results. However, it is to say that such a scenario is extremely improbable . Cyber defense is advancing all the time, as is cyber offense, of course. But so discretionary in vital detail can one be in the making of cyberspace, that
confidencereal confidencein cyber attack could not plausibly be high. It should be noted that I am confining this particular discussion to what rather idly tends to be called cyber war. In political and strategic practice, it is unlikely that war would or, more importantly, ever could be restricted to the EMS. Somewhat rhetorically, one should pose the question: Is it likely (almost anything, strictly, is possible) that cyber war with the potential to inflict catastrophic damage would be allowed to stand unsupported in and by action in the other four geographical domains of war? I believe not. Because we have told ourselves that ours uniquely is the Information Age, we have become unduly respectful of the potency of this rather slippery catch-all term. As usual, it is helpful to contextualize the al - legedly magical ingredient, information, by locating it properly in strategic history as just one important element contributing to net strategic effectiveness. This mild caveat is supported usefully by recognizing the general contemporary rule that information per se harms nothing and nobody. The electrons in cyber - ized conflict have to be interpreted and acted upon by physical forces (including agency by physical human beings). As one might say, intelligence (alone) sinks no ship; only men and machines can sink ships! That said, there is no doubt that if friendly cyber action can infiltrate and misinform the electronic informa - tion on which advisory weaponry and other machines depend, considerable warfighting advantage could be gained. I do not intend to join Clausewitz in his dis - dain for intelligence, but I will argue that in strategic affairs, intelligence usually is somewhat uncertain. 59 Detailed up-to-date intelligence literally is essential for successful cyber offense, but it can be healthily sobering to appreciate that the strategic rewards of intelligence often are considerably exaggerated. The basic reason is not hard to recognize. Strategic success is a complex endeavor that requires adequate perfor - mances by many necessary contributors at every level of conflict (from the political to the tactical). When thoroughly reliable intelligence on the en - emy is in short supply, which usually is the case, the strategist finds ways to compensate as best he or she can. The IT-led RMA of the past 2 decades was fueled in part by the prospect of a quality of military effec - tiveness that was believed to flow from dominant battle space knowledge, to deploy a familiar con - cept. 60 While there is much to be said in praise of this idea, it is not unreasonable to ask why it has been that our ever-improving battle space knowledge has been compatible with so troubled a course of events in the 2000s in Iraq and Afghanistan. What we might have misunderstood is not the value of knowledge, or of the information from which knowledge is quarried, or even the merit in the IT that passed information and knowledge around. Instead, we may well have failed to grasp and grip understanding of the whole context of war and strategy for which battle space knowledge unquestionably is vital. One must say vital rather than strictly essential, because relatively ignorant armies can and have fo ught and won despite their ig - norance. History requires only that ones net strategic performance is superior to that of the enemy. One is not required to be deeply well informed about the en - emy. It is historically quite commonplace for armies to fight in a condition of more-than-marginal reciprocal and strategic cultural ignorance. Intelligence is king in electronic warfare, but such warfare is unlikely to be solely, or even close to solely, sovereign in war and its warfare, considered overall as they should be. 4. Why the sky will not fall. More accurately, one should say that the sky will not fall because of hostile action against us in cyberspace unless we are improb - ably careless and foolish. David J. Betz and Tim Ste vens strike the right note when they conclude that [i]f cyberspace is not quite the hoped -for Garden of Eden, it is also not quite the pestilential swamp of the imagination of the cyber-alarmists. 61 Our understanding of cyber is high at the technical and tactical level, but re - mains distinctly rudimentary as one

GMU Debate [File Name] Nonetheless, our scientific, technological, and tactical knowledge and understanding clearly indicates that the sky is not falling and is unlikely to fall in the future as a result of hostile cyber action. This analysis has weighed the more technical and tactical literature on cyber and concludes , not simply on balance, that cyber alarmism has little basis save in the imagination of the alarmists. There is military and civil peril in the hostile use of cyber, which is why we must take cyber security seriously, even to the point of buying
ascends through operations to the more rarified altitudes of strategy and policy. redundant capabilities for a range of command and control systems. 62 So seriously should we regard cyber danger that it is only prudent to as - sume that we will be the target for hostile cyber action in future conflicts, and that some of that action will promote disruption and uncertainty in the damage it will cause. That granted, this analysis recommends strongly that the U.S. Army, and indeed the whole of the U.S. Government, should strive to comprehend cyber in context. Approached in isolation as a new technol - ogy, it is not unduly hard to be over impressed with its potential both for good and harm. But if we see networked computing as just the latest RMA in an episodic succession of revolutionary changes in the way information is packaged and communicated, the computer-led IT revolution is set where it belongs, in historical context. In modern strategic history, there has been only one truly game-changing basket of tech - nologies, those pertaining to the creation and deliv - ery of nuclear weapons. Everything else has altered the tools with which conflict has been supported and waged, but has not changed the game. The nuclear revolution alone raised still-unanswered questions about the viability of interstate armed conflict. How - ever, it would be accurate to claim that since 1945, methods have been found to pursue fairly traditional political ends in ways that accommodate nonuse of nuclear means, notwithstanding the permanent pres - ence of those means. The light cast by general strategic theory reveals what requires revealing strategically about networked computers. Once one sheds some of the sheer wonder at the seeming miracle of cybers ubiquity, instanta - neity, and (near) anonymity, one realizes that cyber is just another operational domain, though certainly one very different from the others in its nonphysi - cality in direct agency. Having placed cyber where it belongs, as a domain of war, next it is essential to recognize that its nonphysicality compels that cyber should be treated as an enabler of joint action, rather than as an agent of military action capable of behav - ing independently for useful coercive strategic effect. There

are stand-alone possibilities for cyber action, but they are not convincing as attractive options either for or in opposition to a great power, let alone a superpower. No matter how intriguing the scenario design for cyber war strictly or for cyber warfare, the logic of grand and military strategy and a common sense fueled by understanding of the course of strategic history, require one so to contextualize cyber war that its independence is seen as too close to absurd to merit much concern.

No motive Gartzke 12 (Erik, Associate Professor in Political Science at UC-San Diego. The Myth of Cyberwar Page 1 12-7-12
http://dss.ucsd.edu/~egartzke/papers/cyberwar_12062012.pdf A blitz of media, punditry and public pronouncements inform interested observers and policy makers that the next war is likely to be won or lost on the internet. Indeed, events such as the coordinated cyber attacks on Estonia and the Stuxnet worm seem to indicate that cyberwar has already begun. The sense of urgency surrounding cyberwar appears to be tied to perceptions that internet
con ict is the newest phase in the ongoing revolution in military a airs, only this time the threat is directed at the sophisticated technological civilizations of the West, rather than at poor developing states or the recipients of inferior second-world military hardware.1 To believe a growing number of pundits and practitioners, cyberwar threatens to render existing military advantages impotent, exposing those nations most dependent on comprehensive information infrastructures to devastating and unpredictable attacks. If powerful states largely immune to terrestrial invasion can have their military might blunted and their factories and cities idled by foreign hackers, then perhaps this latest technological revolution really does presage a \Pearl Harbor" in which the United States and other great powers will be

There is a problem with the growing consensus of impending cyber apocalypse, however: it is far from clear that con ict over the internet can actually function as war. Discussions of cyberwar commit a common fallacy of arguing from opportunity to outcome, rather than considering whether something that could happen is at all likely, given the motives of those who are able to act. Cyber pessimism rests heavily on capabilities (means), with little thought to a companion logic of consequences (ends). Much that could happen in the world fails to occur , largely because those capable of initiating action discern no benefit from doing so. Put another way, advocates have yet to work out how cyberwar actually accomplishes the objectives that typically sponsor terrestrial military violence. Absent a logic of consequences, it is di cult to believe that cyberwar will proveas devastating for world a airs and for developed nations in particular as many seem to believe.
targets, rather than perpetrators, of shock and awe.

Diminishing marginal returns means theres no impact Martin C. Libicki 9, Senior Management Scientist @ RAND and adjunct fellow @ Georgetowns Center for Security Studies,
Cyberdeterrence and Cyberwar, RAND, http://www.rand.org/pubs/monographs/MG877.html Strategic Cyberwar Is Unlikely to Be Decisive
No one knows how destructive any one strategic cyberwar attack would be. Estimates of the damage from todays cyberattacks within the United States range from hundreds

cyberwarmay be rationalized as a way to assist military efforts or as a way to coerce the other side to yield to prevent further suffering. But can strategic cyberwar induce political compliance the way, say, strategic airpower would? Airpower tends to succeed when societies are convinced that matters will only get worse. With cyberattacks, the opposite is more likely. As systems are attacked, vulnerabilities are revealed and repaired or routed around. As systems become more hardened, societies become less vulnerable and are likely to become more, rather than less, resistant to further coercion.
of billions of dollars to just a few billion dollars per year. The higher dollar figures suggest that cyberattacks on enemy civilian infrastructuresstrategic

Cyberattacks wont result in nuclear war- safeguards Green 2 editor of The Washington Monthly (Joshua, 11/11, The Myth of Cyberterrorism,
http://www.washingtonmonthly.com/features/2001/0211.green.html) There is no such thing as cyberterrorism--no instance of anyone ever having been killed by a terrorist (or anyone else) using a computer. Nor is there compelling evidence that al Qaeda or any other terrorist organization has resorted to computers for any sort of serious destructive activity. What's more, outside of a Tom Clancy novel, computer security specialists believe it is virtually impossible to use the Internet to inflict death on a large scale, and many scoff at the notion that terrorists would bother trying. "I don't lie awake at night worrying about cyberattacks ruining my life," says Dorothy Denning, a computer science professor at Georgetown University and one of the country's foremost cybersecurity experts. "Not only does [cyberterrorism] not rank alongside chemical, biological, or nuclear weapons, but it is not anywhere near as serious as other potential physical threats like car bombs or suicide bombers." Which is not to say that cybersecurity isn't a serious problem--it's just
There's just one problem: not one that involves terrorists. Interviews with terrorism and computer security experts, and current and former government and military officials, yielded near unanimous agreement that the real danger is from the criminals and other hackers who did $15 billion in damage to the global economy last year using viruses, worms, and other readily available tools. That figure is sure to balloon if more isn't done to protect vulnerable computer systems, the vast majority of which are in the private sector. Yet when it comes to imposing the tough measures on business necessary to protect against the real cyberthreats, the Bush administration has balked. Crushing BlackBerrys When ordinary

people imagine cyberterrorism,

they , airliners, or military computers from halfway around the world. Given the colorful history of federal boondoggles--billion-dollar weapons systems that misfire, $600 toilet seats--that's an understandable concern. But, with few exceptions, it's not one that applies to preparedness for a cyberattack. "

tend to think along Hollywood plot lines, doomsday scenarios in which terrorists hijack nuclear weapons

The government is miles ahead of the private sector when it comes to cybersecurity," says Michael Cheek, director of intelligence for

GMU Debate [File Name] iDefense, a Virginia-based computer security company with government and private-sector clients. "Particularly the most sensitive military systems." Serious effort and plain
good fortune have combined to bring this about. Take nuclear weapons. The biggest fallacy about their vulnerability, promoted in action thrillers like WarGames, is that they're designed for remote operation. "[The movie] is premised on the

nuclear weapons and other they're " air-gapped ," meaning that they're not physically connected to the Internet and are therefore inaccessible to outside hackers. (Nuclear weapons also contain " p ermissive a ction l ink s ," mechanisms to prevent weapons from being armed without inputting codes carried by the president.) A retired military official was somewhat indignant at the mere suggestion: "As a general principle, we've been looking at this thing for 20 years. What cave have you been living in if you haven't considered this [threat]?" When it comes to cyberthreats, the Defense Department has been particularly vigilant to protect key systems by isolating them from the Net and even from the Pentagon's internal network. All new software must be submitted to the National Security Agency for security testing. "Terrorists could not gain control of our spacecraft, nuclear weapons, or any other type of high-consequence asset," says Air Force Chief Information Officer John Gilligan. For more than a year, Pentagon CIO John Stenbit has enforced a moratorium on new wireless networks, which are often easy to hack into, as well as common wireless devices such as
assumption that there's a modem bank hanging on the side of the computer that controls the missiles," says Martin Libicki, a defense analyst at the RAND Corporation. "I assure you, there isn't." Rather, sensitive military systems enjoy the most basic form of Internet security: PDAs, BlackBerrys, and even wireless or infrared copiers and faxes. The September 11 hijackings led to an outcry that airliners are particularly susceptible to cyberterrorism. Earlier this year, for instance, Sen. Charles Schumer (D-N.Y.) described "the absolute havoc and devastation that would result if cyberterrorists suddenly shut down our air traffic control system, with thousands of planes in mid-flight." In fact, cybersecurity experts give some of their highest marks to the FAA, which

It's impossible to hijack a plane remotely, which eliminates the possibility of a high-tech 9/11 scenario in which planes are used as weapons. Another source of concern is terrorist infiltration of our intelligence agencies. But here, too, the risk is slim. The CIA's classified computers are also air-gapped, as is the FBI's entire computer system. " They've been paranoid about this forever," says Libicki, adding that paranoia is a sound governing principle when it comes to cybersecurity. Such concerns are manifesting themselves in broader policy terms as well. One notable characteristic of last year's
reasonably separates its administrative and air traffic control systems and strictly air-gaps the latter. And there's a reason the 9/11 hijackers used box-cutters instead of keyboards: Quadrennial Defense Review was how strongly it focused on protecting information systems.

Countries with capability wont use them Lewis 11 [James A. Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies
(CSIS) Statement before the House Oversight and Government Reform Committee, Subcommittee on National Security, Homeland Defense, and Foreign Operations CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES Accessed 9/1/2013 DMW]
Most people know about the Stuxnet worm, when a cyber attack destroyed equipment at an Iranian nuclear facility. Stuxnet confirmed what a test at the Idaho National Labs in 2007 had already shown that an attacker could remotely interfere with the software controlling critical infrastructure and damage or destroy machine ry and equipment. This kind of military

grade cyber attack is best seen as a new capability for long range, very rapid strikes against critical infrastructure, information and networks . Cyber attacks
are faster than a missile and have a global reach, but their payload is much less destructive. This military aspect of the cyber problem is like other military threats to U.S. security, deterred in part by our capability for response. At this time, only

a few nations with advanced military or intelligence agencies have the ability to launch Stuxnet-like cyber attacks that could disrupt critical infrastructure. There are perhaps five or six such nations. Our most advanced cyber opponents have carried out network reconnaissance against America's critical infrastructure. None of the countries with advanced cyber attack capabilities are likely to use them frivolously against the U nited S tates, but they are certain to use cyber attacks if we enter into a military conflict with them.

No risk of attack- tech expertise Clapper 13 (James R. Clapper- Director of National Intelligence, "Statement for the Record Worldwide Threat Assessment of the US
Intelligence Community, Senate Select Committee on Intelligence, March 12, 2013 www.intelligence.senate.gov/130312/clapper.pdf date accessed: 8/16/13) TM
We judge that there

is a remote chance of a major cyber attack against US critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage. The level of technical expertise and operational sophistication required for such an attackincluding the ability to create physical damage or overcome mitigation factors like manual overrideswill be out of reach for most actors during this time frame. Advanced cyber actors such as Russia and Chinaare unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.

Their evidence is just hype CSM - September 15, 2013 ("Cyber security: The new arms race for a new front line", Anna Mulrine,
http://www.csmonitor.com/USA/Military/2013/0915/Cyber-security-The-new-arms-race-for-a-new-front-line) kc Alexander acknowledges, too, that the attacks hitting Wall Street, for example, are mainly "distributed denial-of-service attacks," which tend to be "at the nuisance level." The vast majority of cyberthreats to US networks today are intellectual property theft and other forms of corporate espionage, rather than the dire sorts of attacks decried by top US officials. "Any teenager can do a distributed denial-of-service attack. It's finite; when it's done, there's no permanent damage," says George Mason University's Brito. In other words, "it's very easy, and not very harmful." On the other hand, a "kinetic" attack, in which a hacker is able to, say, open a dam and flood a community, "is incredibly difficult we've never seen it happen." Such an attack would be "incredibly harmful, but if you look at the realm of possibility, really unlikely ," Brito adds. "When you hear all the rhetoric from politicians and defense contractors, it's a cyber Pearl Harbor where planes fall out of the sky, trains derail, and thousands are killed but they provide no evidence to back up serious threats, and a lot of it is easily debunked. "The lesson," he argues, "is to be more critical."
Yet

GMU Debate [File Name]

No impact to cyber attack Birch 12 (Douglas Birth is the former foreign correspondent for the Associated Press and the Baltimore Sun who has written
extensively on technology and public policy, Forget Revolution. 10/1/12 http://www.foreignpolicy.com/articles/2012/10/01/forget_revolution?page=full DATE ACCESSED: 11/4/12) TM
"That's a good example of what some kind of attacks would be like," he said. "

which is the situation now. " The question of how seriously to take the threat of a cyber attack on critical infrastructure surfaced recently, after Congress rejected a White House measure to require businesses to adopt stringent- new regulations to protect their computer networks from intrusions. The bill would have required industries to report cyber security breaches, toughen criminal penalties

You don't want to overestimate the risks . You don't want somebody to be able to do this whenever they felt like it, But this is not the end of the world.

But the potential cost to industry also seems to be a major factor in the bill's rejection. A January study by Bloomberg reported that banks, utilities, and phone carriers would have to increase their spending on cyber security by a factor of nine, to $45.3 billion a year, in order to protect themselves against 95 percent of cyber intrusions. Likewise, some of the bill's advocates suspect that in the aftermath of a truly successful cyber attack, the government would have to bail the utilities out anyway. Joe Weiss, a cyber security professional and an authority on industrial control systems like those used in the electric grid, argued that a
against hacking and granted legal immunity to companies cooperating with government investigations. Critics worried about regulatory overreach. well-prepared, sophisticated cyber attack could have far more serious consequences than this summer's blackouts. "The reason we are so concerned is that cyber could take out the grid for nine to 18 months," he said. "This isn't a

pulling off a cyber assault on that scale is no easy feat . Weiss agreed that hackers intent on inflicting this kind of long-term interruption of power would need to use a tool capable of inflicting physical damage. And so far, the world has seen only one such weapon: Stuxnet, which is believed to have been a joint military project of Israel and the United States. Ralph Langner, a German expert on industrial-control
one to five day outage. We're prepared for that. We can handle that." But system security, was among the first to discover that Stuxnet was specifically designed to attack the Supervisory Control and Data Acquisition system (SCADA) at a single site: Iran's Natanz uranium-enrichment plant. The computer worm's sophisticated programs, which infected the plant in 2009, caused about 1,000 of Natanz's 5,000 uranium-enrichment centrifuges to self-destruct by accelerating their precision rotors beyond the speeds at which

Professionals like Weiss and others warned that Stuxnet was opening a Pandora's Box: Once it was unleashed on the world, they feared, it would become available to hostile states, criminals, and terrorists who could adapt the code for their own nefarious purposes. But two years after the discovery of Stuxnet, there are no reports of similar attacks against the United States. What has prevented the emergence of such copycat viruses? A 2009 paper published by the University of California, Berkeley, may offer the answer. The report, which was released a year before Stuxnet surfaced, found that in order to create a cyber weapon capable of crippling a specific control system ---- like the ones operating the U.S. electric grid -- six coders might have to work for up to six months to reverse engineer the targeted center's SCADA system. Even then , the report says, hackers likely would need the help of someone with inside knowledge of how the network's machines were wired together to plan an effective attack. "Every SCADA control center is configured differently, with different devices, running different software/protocols, " wrote Rose Tsang, the report's author. Professional hackers are in it for the money -- and it's a lot more cost-efficient to search out vulnerabilities in widely-used computer programs like the Windows operating system, used by banks and other affluent targets, than in one-of-a-kind SCADA systems linked to generators and switches. According to Pollard, only the world's industrial nations have the means to use the Internet to attack utilities and major industries. But given the integrated global economy, there is little incentive , short of armed conflict, for them to do so. "If you're a state that has a number of U.S. T-bills in your treasury, you have an economic interest in the United States," he said. "You're not going to have an interest in mucking about with our infrastructure." There is also the threat of retaliation . Last year, the U.S. government reportedly issued a classified report on cyber strategy that said it could respond to a devastating digital assault with traditional military force. The idea was that if a cyber attack caused death and destruction on the scale of a military assault, the United States would reserve the right to respond with what the Pentagon likes to call "kinetic" weapons: missiles, bombs, and bullets. An unnamed Pentagon official, speaking to the Wall Street Journal, summed up the policy in less diplomatic terms: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks." Deterrence is sometimes dismissed as a toothless strategy against cyber attacks because hackers have such an easy time hiding in the anonymity of the Web. But investigators typically come up with key suspects, if not smoking guns, following cyber intrusions and assaults -- the way suspicions quickly focused on the United States and Israel after Stuxnet was discovered. And with the U.S. military's global reach, even terror groups have to factor in potential retaliation when planning their operations.
they were designed to operate.

GMU Debate [File Name]

Status Quo Solves Deterrence

US deters cyber attacks- conventional forces Weiner 12 [Sarah is a research intern for the Project on Nuclear Issues Searching for Cyber-Deterrence http://csis.org/blog/searchingcyber-deterrence Accessed 9/1/2013 DMW]
If defense

strategists develop an understanding of cyber-security that differentiates between cyber-nuisances and higher-level cyberattacks, however, countries can begin to more credibly establish deterrence doctrines and red lines. Hacking into a commercial bank is one thing, but taking down the electric grid, causing the release of toxic chemicals, or damaging essential infrastructure is quite another. The US could credibly threaten to retaliate against such devastating cyber-attacks with conventional force. But to do so, it must clearly distinguish nondeterrable, low-impact cyber-nuisances from high-impact attacks so Washington can establish a credible pattern of response and non-response. The US has begun to develop such policies, but significantly more definitional and doctrinal clarity will be necessary before it has a cyber-doctrine capable of signaling clear red lines . The most devastating cyber-attacks the kind that would accompany or precede offensive military operations are almost certainly deterrable. If an adversary believes their actions are likely to begin a war with the US, then the heft of the USs substantial conventional capabilities will weigh against their decision to strike . That said, the stability of cyber-deterrence is unlikely to ever reach the levels we currently experience in the nuclear domain, where the offensive use of such weapons is
almost unthinkable. But that may not necessarily be a bad thing. Nuclear deterrence works so well because the costs are so high; mutually assured destruction really does mean total destruction if deterrence fails. Most cyber-attacks could never come close to such levels of damage. And although that means we may be unable to deter low-level cyber-nuisances, it also means that the threat

posed by cyber-weapons is much lower than the risk created by other historical revolutions in military technology. On the whole, that seems like a bargain worth accepting.

GMU Debate [File Name]

Deterrence Fails
Cyber deterrence fails- hacking into an enemies system is too difficult- doing so requires acknowledgment of the action, and high value targets a isolated- thats Libicki Deterrence fails- no fear of retaliation Riley & Vance 11 [Michael, reporter for Bloomberg News Ashlee technology writer for Bloomberg Businessweek Cyber Weapons:
The New Arms Race http://www.businessweek.com/magazine/cyber-weapons-the-new-arms-race-07212011.html#p5 Accessed 912013 DMW
Theres another reason for the silence. Traditional military

logic falls apart in the Code War. Deterrence and arms treaties are but philosophical concepts when invisible weapons are involved. Assigning certain blame for an attack may be impossible when its conducted through computers in dozens of countries. The fear of retaliationwhich kept the Cold War from becoming hot may not apply . The U.S. government has spent the past
couple of years formalizing its operations and thinking around computer warfare. In 2009 the Obama Administration announced the creation of the U.S. Cyber Command, headquartered at Fort Meade, Md. President Barack Obama recently signed executive orders that gave the military the all-clear to use weapons that can perform tasks ranging from espionage to the crippling of an enemys electrical grid. (The latter would require a Presidential directive.) Its a moment of rapid and frightening change. Its

like the early days of the American-Soviet

nuclear balance, says Clarke. We dont know the rules of the road.

Nuclear logic doesnt apply Weiner 12 [Sarah is a research intern for the Project on Nuclear Issues Searching for Cyber-Deterrence http://csis.org/blog/searchingcyber-deterrence Accessed 9/1/2013 DMW]
Others vehemently disagree with this presupposition.

Jim Lewis, for example, argued earlier this month at an event at the Stimson Center that deterrence will not work in the cyber domain. He emphasized that difficulties in attributing attacks, holding hostage adversaries cyber and physical assets, and achieving a proportional response all decrease the credibility of US threats and reduce the costs of an adversaries hostile cyber operations. And Dr. Lewis has considerable evidence on his side: public and private entities in the US experience cyber-attacks on a daily basis. If these attacks are deterrable, we are doing a terrible job of leveraging our capabilities. For a number of reasons, trying to apply nuclear deterrence logic to cyber warfare feels a bit too much like trying to fit a square peg into a round hole . That does not mean, however, that we should
abandon all attempts to draw analogies between cyber and nuclear strategy. Despite a few close calls, the basic principles of nuclear deterrence and mutually assured destruction have prevented the use of nuclear weapons for over 60 years. Understanding the reason why this largely effective and stable model of deterrence cannot map cleanly onto the cyber world may help us better conceptualize strategies for cyber-deterrence. The first difficulty is establishing

an analogue between a nuclear attack and a cyber-attack. We know when a nuclear bomb explodes, and we know it is unacceptable. The spectrum of cyber-attacks, however, spans far, far below the destructiveness of a nuclear strike . Denial-of-service attacks, such as Irans recent shutdown of several banks websites, are a world away from the detonation of any weapon, not to mention a nuclear weapon. This creates the problem of credibility and proportionality Dr. Lewis spoke about: responding to such low-level attacks with a military use of force is so disproportionate that it is not a credible threat. If the US instead decides to use cyber capabilities to deter cyber-attacks, it runs into a second problem. Cyber weapons cannot be used in the same way we use nuclear weapons because, unlike nuclear weapons, the demonstration of a cyber-capability quickly renders that capability useless. If the US were to release the details of a cyber-weapon, intended to signal a retaliatory capability, potential adversaries could attempt to steal the technology and/or harden their cyber defenses against the US weapons specific attributes. This is the opposite of nuclear deterrence, in which the US pursues the most cre dible and reliable force so that other nations know precisely how damaging a US counterstrike would be. Demonstrating that a nation could effectively mount a second-strike in response to a nuclear attack creates a stabilizing dynamic of mutually assured destruction in which no nation believes it could gain militarily by launching a nuclear attack. The trouble with cyber weapons, however, is that they cannot be so transparently deployed . The only effective cyber-attack is an unexpected attack, and that does nothing for signaling or deterrence. What do these differences tell us about developing a cyber-deterrent? First, planners must stop treating cyber as a discrete and
homogenous category. Most of the cyber-attacks government and private enterprises experience on a daily basis are more like cyber-nuisances. Electronic espionage, intellectual property theft, and even denial-of-service attacks may hurt economic productivity, but they come nowhere close to threatening physical assets or human life .

The US cannot credibly deter cybernuisances with cyber counterattacks because it cannot signal an ability to respond or find appropriate targets that make the cost of cyberattacks unacceptably high. Similarly, the US cannot deter cyber-nuisances with threats of military force because such a disproportionate response is simply not credible. If the US cannot
raise the cost of attacks it must instead focus on reducing the benefits, and that requires improving cyber defenses in the public and private sectors.

Threat is not credible LEWIS 13 [JAMES ANDREW is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining
CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago. a report of the technology and public policy program Conflict and Negotiation in Cyberspace, Accessed 9/2/2013 DMW few opponents find it credible that the United States will use military force against espionage or crime, particularly when these actions are sponsored by another sovereign state. A military response to espionage would be unprecedented in
The central flaw in cyber deterrence is that

GMU Debate [File Name] international affairs. We can effectively deter the use of force against the United States, but little else . In this, as in anything else, the use of force would involve actions threatening the territorial integrity, political independence or sovereignty of the United States. It could involve the use of force or threat to use force (e.g. , coercion). The use of force involves physical harmdamage or destruction. Espionage and cybercrime do not produce physical harm and do not qualify as the use of force. This makes threats to use military force against them not credible , leaving the United States in the position of having one of the most powerful cyberattack capabilities in the world and finding it of little use in deterring cyber exploits (how it could be used for defense is another
matter). One suggestion that has been made to fix the lack of credibility is to lower the threshold for the use of force for cyberspace, so that we could consider espionage or cybercrime as actions that justify a military response. This would be exceptionally shortsighted. The United States itself has an immense espionage effort, including the use of cyber espionage. We

do not wish to constrain our own ability, nor do we wish to justify other nations using military force against us. Deterrence is less effective in an environment where the
United States has more to lose than its opponents. Another suggestion has been that the United States adopt new procedures to justify the use of force. When we discovered an exfiltration program or a computer penetration, we would first warn the government with jurisdiction that we were going to take action against the offending computer located in their country if they did not themselves take action against it themselves. If no action were taken, the United States would be justified in reprisal. Under this approach, if we found a computer in China responsible for espionage, we would go to the Chinese government and tell them that if they did not take action we would damage or disable the computer. There would be benefits from confronting a nation we believe is tolerating if not directing cyber espionage (although the risk to future collection from disclosing persuasive evidence would have to be considered). The problem with this warn before shooting idea is what if the other government says no? Nations

are far more protective of their sovereignty than is generally recog- nized, and warning a nation that you intend to violate its sovereignty in a way you consider to be justified may not produce the expected results. The international community is very slow to
sanc- tion the use of force against a sovereign state, even in much more compelling circumstances (e.g., Libya or Somalia). One way to make this linkage would be to warn an opponent that if malicious cyber actions continued unchecked, this would trigger a cyberattack in response. The dilemma would be in preventing this from escalating to a broader military conflict using kinetic weapons. An astute opponent would imply that a cyberattack in response to espionage would trigger a kinetic conflict, to complicate planning and deter use. Threatening

a large-scale SIOP-style attack in response to espionage would likely not be perceived as credible. Even precise, targeted attacks that damaged or destroyed a single server in another country could, however, be regarded as the use of force and as an illegal act. To put this in a physical context, if pirate vessels operate out of Hainan Island, the United States could not assert the right to sink them in harbor. A long series of
diplomatic steps would be required first and, absent Chinese cooperation, would lead ultimately to an ultimatum stop the pirates, or we will use force. This is a very-high-stakes game that would certainly escalate tensions and could easily trigger unexpected retaliation.

Attacking undermines deterrence- causes defenses of vulnerabilities Libicki 13 [Martin C. research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research
was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community under Contract W74V8H-06-C-0002. Brandishing Cyberattack Capabilities http://www.rand.org Accessed 8/29/2013 DMW Can brandishing help dissuade other states from pursuing a network-centric high- technology force to counter U.S. military capabilities? The best way to demonstrate the risk of network-centricity is to hack into military systems to show their fragility (claiming responsibil- ity is unnecessary; the point is to emphasize not U.S. power but the vulnerability of the ene- mys network-centric systems). In other circumstances, making what is vulnerable clear may be unnecessary, perhaps unwise . Every hack leads to fixes that make the next exploitation much harder. But the hint of an attack that leaves no specific trace leaves nothing specific to fix. The point is to convince others that they cannot protect their systems even after paying close atten- tion to their security. The vulnerability of less sophisticated states to unseen manipulation may be higher when the target does not really understand the technology behind its own weapon systems. Often, the targets lack of access to others source code and not having built any of its own complicates fig uring out what went wrong and how to fix it.

Not all states would be deterred Libicki 13 [Martin C. research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research
was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community under Contract W74V8H-06-C-0002. Brandishing Cyberattack Capabilities http://www.rand.org Accessed 8/29/2013 DMW Not all states will throw up their hands, though. Some may reason that, because the effects of cyberattacks are temporary and difficult , their systems can survive the initial exchange and recover for subsequent rounds. So, they pursue high technology and ignore the demonstrated possibility that high-technology military campaigns might last days rather than months or years. A subtler counterstrategy is to network warfighting machines
(configured not to touch the Internet) and forget about networking people; isolation avoids some of the pesky vulner- abilities arising from human error (notably those associated with authentication, such as pass- words and tokens). Or they simply renounce network-centric warfare and conclude that they avoided the pitfalls of depending on technology. It

is unclear whether brandishing cyberattack capabilities can curb the enthusiasm of potential foes for war. Some states may feel they have little choice. Others may feel that they can succeed even if their high-technology systems fail. Yet others may discount the possibil- ity entirely, believing their systemswhen called on for warwould be disconnected from the rest of the world. Last, the target may simply not believe its own vulnerability, not during peacetime and certainly not when the war drums sound. Going to war requires surmounting a great many fears; digital ghosts may simply be another. The unwanted effects of making even some third parties believe that we have invaded their systems warrants note. All other militaries may
also shy away from foreign sources for logic- processing devices (whether software or hardware) and may redouble their efforts to increase their indigenous production capability or, alternatively,

The problem does not go away if the threat turns out not to work. Countries certain that their military systems have been invaded may blame the United States for any military failures even with no evidence of U.S. involvement. Conversely, the United States may be accused of complicity with a rogue state whenever its equipment does not fail because this could only
pressure their suppliers to hand over source code with their systems, a negative if their supplier is a U.S. corporation. mean that the United States condoned the rogues actions.

GMU Debate [File Name]

Using cyber as a deterrent fails- would motivate defense Libicki, 2013 [Martin C. research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research
was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community under Contract W74V8H-06-C-0002. Brandishing Cyberattack Capabilities http://www.rand.org Accessed 8/29/2013 DMW
The purpose of brandishing a cyberwar

weapon is to threaten the other sides ability use its nuclear capability in a crisis. This purpose is less to make the other side doubt its own nuclear capabilityalthough that can helpbut to project a belief that the United States will press on either because the rogue states weapons will not work or because the rogue state will respond to the brandishers confidence (underwritten, of course, by its deterrence capability) and back down. Note that the logic works even if the target state believes that the brandishers confidence has no basis in reality (i.e., its own nuclear command and control is rock solid). The rogue state needs only to believe that the brandisher believes it can act with impunity to conclude that the choice is between disaster and backing down . To be sure, because a cyber- war capability cannot be tested in the same way that an antimissile capability can be tested, the rogue state may conclude that the brandishers confidence is unwarranted and therefore that such confidence should not exist and hence does not exist. But that could also be wishful thinking on the rogue states part . If brandishing a cyberthreat created a use-it-or-lose-it dilemma for the rogue state
lead- ing to nuclear use, brandishing could backfire on the United States. But it should not, largely because it is not a threat of what will happen but what has already happened: The flaw has already been exploited. However, brandishing

a cyberwar capability, particularly if specific, makes it harder to use such a capability because brandishing is likely to persuade the target to redouble its efforts either to find or route around the exploited flaw (the one that enabled the United States to neutralize its nuclear threat). Brandishing capabilities sacrifices the ability to manage a war in exchange for the ability to manage a crisis.

Cyber-Deterrence fails- to difficult Libicki 13 [Martin C. research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research
was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community under Contract W74V8H-06-C-0002. Brandishing Cyberattack Capabilities http://www.rand.org Accessed 8/29/2013 DMW challenge is how to demonstrate cyberwar capabilities. The most obvious way to demonstrate the ability to hack into an enemys system is to actually do it, leave a calling card, and hope it is passed forward to national decisionmakers. If the attack can be repeated at will or if the penetration can
A bigger be made persistent, the target will be forced to believe in the attackers ability to pop into his system at any time. This s hould force the target to recalculate its correla- tion of forces against the

with many things in cyberspace, it sounds simpler than it is . Hinting at outright success is difficult without conceding ones participation in mischief in the first place and hence cyberwars legitimacy as a tool of statecraft, something countries only started acknowl- edging in mid2012. Targets of little value tend to be easy, but penetrating them is unimpres- sive. Targets of some value are, for that reason, much harder , often because they are electroni- cally isolated . Finally, the ability to penetrate a system does not necessarily prove the ability to break a system. The latter requires not only breaking into sufficiently privileged levels but also figuring out how to induce a system to fail and keep on failing. But penetration may be suf- ficiently scary in itself if the target leadership cannot discern the difference between breaking into and breaking. Breaking a system is more hostile and more difficult than breaking into one. It requires an understanding of what makes the system fail. Getting the desired results also requires shap- ing the
attacker. But as attack so that those who administer the system cannot detect the attack and repair the damage quickly. Conveying to others the ability to bring their systems down and keep them down is not easy.

If so, for brandishing to work, cyberattack capabilities may require repeated demonstration. Alternatively, a less hostile demonstration could be to manipulate the system but not to the point of harming it, a fine line.
Intended audiences of such demonstrations may subsequently identify the flaw that would allow such an attack and fix it.

GMU Debate [File Name]

SOP

GMU Debate [File Name]

No violation
Lack of oversight of OCO doesnt disrupt SOP- its empirically denied- the president has always had such authority thus you should have a low threshold for their impact- thats Lorber Lack of OCO oversight doesnt disrupt SOP Lorber 13 Eric, J.D. Candidate, University of Pennsylvania Law School, Ph.D Candidate, Duke University
Department of Political Science. Journal Of Constitutional Law 15.3 https://www.law.upenn.edu/live/files/1773lorber15upajconstl9612013.
This Comment provides an initial answer to the question of whether current U.S. law can effectively govern the Executives use of OCOs.17 It explores the interaction between this new tool and the current statutory limits on presidential war-making authority, with a particular focus on whether the two current federal laws meant to restrict executive power in this fieldthe War Powers Resolution18 and the Intelligence Authorization Act19apply to a wide range of potential offensive cyber operations undertaken by the executive branch. Beyond suggesting that neither the War Powers Resolution nor the Intelligence Authorization Act can effectively regulate most types of offensive cyber operations, this Comment suggests that while marginally problematic for a proper balance of war-making power

between the executive and legislative branches, this lack of oversight does not fundamentally shift the current alignment. It does argue, however, thatgiven this lack of regulatory oversightthe President now has another powerful war-making tool to use at his discretion. Finally, the Comment suggests that this lack of limitation may be positive in some ways, as laying down clear legal markers before having a developed understanding of these capabilities may problematically limit their effective use.

GMU Debate [File Name]

No China Threat
China isnt a cyber threat- the networks are unprotected, U.S. actors are exaggerating Chinas capabilities to justify increased budgets- thats Hjortdal Chinese capabilities are weak Ball 11 [Desmond, Professor in the Strategic and Defence Studies Centre at the Australian National University, Canberra. He was Head
of the Centre from 1984 to 1991. Chinas Cyber Warfare Capabilities Security Challenges, Vol. 7, No. 2 (Winter 2011), pp. 81-103. Accessed 8/29/2013 DMW] Chinese strategists are quite aware of their own deficiencies and vulnerabilities with respect to cyber-warfare. In June 2000, a series of high- technology combat exercises being conducted by the PLA had to be suspended when they were attacked by a computer hacker.92 Chinas telecommunications technicians were impotent against the intermittent hijacking of the Sinosat -1 national communications satellite by Falun Gong practitioners in the early 2000s. Chinas demonstrated offensive cyber- warfare capabilities are fairly rudimentary . Chinese hackers have been able to easily orchestrate sufficient simultaneous pings to crash selected Web servers (i.e., Denial-of-Service attacks). They have been able to penetrate Web-sites and deface them, erase data from them, and post different information on them (such as propaganda slogans). And they have developed various fairly simple viruses for spreading by e-mails to disable targeted computer systems, as well as Trojan Horse programs insertible by e-mails to steal information from them. However, they have evinced little proficiency with more sophisticated hacking techniques. The viruses and Trojan Horses they have used have been fairly easy to detect and remove before any damage has been done or data stolen. There is no evidence that Chinas cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data. They would be unable to systematically cripple selected command and control, air defence and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks . The gap between the sophistication of the anti-virus and network security
programs available to Chinas cyber-warriors as compared to those of their counterparts in the more open, advanced IT societies, is immense. Chinas cyber -warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries. China is condemned to inferiority in IW capabilities for probably several decades. At best, it can employ asymmetric strategies designed to exploit the (perhaps relatively greater) dependence on IT by their potential adversariesboth the C3ISREW elements of adversary military forces and the vital telecommunications and computer systems in the adversary's homelands. In particular, attacks on US information systems relating to military command and control, transportation and logistics could possibly degrade or delay U.S. force mobilisation in a time-dependent scenario, such as US intervention in a military conflict in the Taiwan Straits.93 Chinas cyber-warfare capabilities

are very destructive, but could not compete in extended scenarios of sophisticated IW operations. In other words, they function best when used pre-emptively, as the PLA now practices in its exercises.94 In sum, the extensive Chinese IW capabilities, and the possibilities for asymmetric strategies, are only potent if employed first.

Not a threat- easy to hack Lewis 7/23/2013 [James A. Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International
Studies (CSIS) Statement before the House Foreign Affairs Committee, Subcommittee on Asia and the Pacific ASIA: THE CYBERSECURITY BATTLEGROUND Accessed 9/1/2013 DMW
The Chinese

would portray things somewhat differently. They are still deeply marked by the Century of Humiliation, where Europe an powers and Japan carved their country into colonial fiefdoms. The Chinese are suspicious of the United States, particularly in the PLA, which has not shed enough of its
Maoist heritage. The Chinese are convinced that we have a Grand Strategy to preserve our global political, military and eco nomic hegemony and that part of this strategy is to contain a rising China. They

see the discussion of an Air-Sea Battle and a Pivot to Asia as confirmation of U.S. hostile intentions. Chinas own cybersecurity efforts are hampered by the use of pirated software , which is almost unsecurable, making China one of the easiest countries in the world to hack. Chinese official know how vulnerable they are and this reinforces their suspicions and fears.

Chinas cyber threat is exaggerated Hjortdal 11 [Magnus is a researcher associated with CHINA-SEC, Centre for Military Studies at the University of Copenhagen. He
holds an M.Sc. in Political Science from the University of Copenhagen and is owner of MH International Relations, which advises private and public institutions. Former Research Fellow at the Royal Danish Defense College, where he drew assessments and advised Danish authorities. Frequently featured in Danish television, radio, and print media. Expertise: China; East Asia; the U.S.; foreign, defense, and security policy; cyber warfare; intelligence; and espionage. China's Use of Cyber Warfare: Espionage Meets Strategic Deterrence Journal of Strategic Security Volume 4 Number 2 Summer 2011: Strategic Security in Article 2 the Cyber Age Accessed 8/28/2013 DMW] Who actually attacks whom? China's own network appears to be unprotected , and other countries can launch attacks through China, which makes it appear the primary suspect.84 IT expert Steve Arm- strong furthermore states that "[i]t's too easy to blame China [...] In fact, legitimate countries are bouncing their attacks through China. It's very easy to do, so why not? [...] My evil opinion is that some western governments are already doing this."85 2. Actors in the U nited S tates have an interest in exaggerating China's capabilities. In order to justify their existence and obtain increased budgets, several actors in the United States may have an interest in presenting China as a threat to U.S. security . The Pentagon, specific politicians, and the
intelligence services are often accused of acting as they did during the Cold War, thus contributing to conflict-like rela- tions between China and the United States.86 3.

China proposes global cooperation against hacking.87 This might sound like a sound proposal, but as described throughout this article, certain states have much to gain by carrying out cyber attacks, which makes cooperation difficult. Besides, it is extremely hard to see how such cooperation could be enforced and by whom. 4. It is also possible to imagine that in China, CNO has an anarchic lead- ership structure, meaning that the

GMU Debate [File Name] central leadership cannot control who carries out attacks. Some American reports indicate this very fact.88 Critical voices say, however, that this is just due to the way the Chinese use hackers from outside the military and the government to carry out attacks.89 5. China denies having any military hackers in the country.90 Other countries would most likely deny the same, but to what extent soldiers in the PLA w ith high-level IT knowledge are being used
to carry out cyber attacks is another question. Based on the references cited in this article, it is likely that the PLA uses hackers for espionage. 6. Some think that focusing on China's

capabilities does not deal with the fact that Beijing itself is very dependent on cyberspace for military and civilian purposes. This means that at the same time as China is devel- oping cyber warfare techniques, its own vulnerability is often over- looked .91 I would
argue that China can still deter the U.S., even though the U.S. is more powerful in all spheres. This is due to the dynamics of the asymmetrical techniques that China pursues, e.g., in cyberspace, which are changing the dynamics of the balance of power that we knew during the Cold War.

OCO contains China- asking nicely wont solve- thats Junio Weak Obama on cybersecurity emboldens Chinese attacks Davis 13 Matthew Davis, March 08, 2013, Matthew Davis: Obama's weak response to Chinese cyber attacks puts America at risk,
http://www.mlive.com/politics/index.ssf/2013/03/matthew_davis_obamas_weak_resp.html American foreign policy is usually the sole province of the executive branch - treaty ratification and Congressional resolutions authorizing the use of force notwithstanding. In a world that is still decades -- and in some cases centuries -- behind Western civilization with respect to openness, tolerance, and human rights, American foreign policy works best when we have a president who grasps Theodore Roosevelt's "big stick" doctrine. Moreover, the president must, in the words of John F. Kennedy, "Let every nation know, whether it wishes us well or ill, that we shall pay any price, bear any burden, meet any hardship, support any friend, oppose any foe to assure the survival and the success of liberty. " President Barack Obama is failing miserably on both accounts when it comes to Chinese cyber security. Last month, the security firm Mandiant released a report that concluded the Chinese military "has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously." Moreover, the report notes that the observed thefts are but a fraction of what has likely been stolen since at least 2006. In other words, Obama is fiddling while our technology is being pilfered . Michigan's own U.S. Rep.
Mike Rogers, R-Brighton, said in a statement the same day the report was released: "The Chinese government's direct role in cyber theft is rampant and the problems have grown exponentially. The Mandiant report provides vital insights into the Chinese governme nts economic cyber espionage campaign against American companies. It

is crucial that the Administration begin bilateral discussions to ensure that Beijing understands that there are consequences for state sponsored economic espionage." Rogers is a tough,
no-nonsense former FBI agent. He's an expert on international security. He and C.A. "Dutch" Ruppersberger, D-Maryland, have introduced legislation to help, but that doesn't make China -- or its ambitions with respect to American technology -- disappear. Rather, the

main person who needs to act -- and with a clear demonstration that Chinese predation of American technology will be punished severely -- is the president. It is his reaction to this crisis (another one that has been all but ignored by the mainstream media, for the sake of the usual twaddle) that will either thwart or encourage the Chinese.

OCO Development Can Check China Junio 13 Tim Junio, Cybersecurity Fellow At Stanford Center For International Security And Cooperation, More Shots Fired on the
Cyber Front: Key Takeaways From Operation Troy, Huffinton Post, 7/11/13, http://www.huffingtonpost.com/tim-junio/operation-troycybersecurity_b_3582308.html How can the U.S. and its allies cope with these threats? An answer is to incorporate law enforcement responses and the efforts of private companies into a whole-of-government approach that stresses reducing adversaries' incentives to conduct attacks . A diplomatic priority should be to link cyber conflict to other issues during negotiations. Getting North Korea (and China and Russia and Iran) to stop highly lucrative cyber operations just by asking nicely has no hope of success . Military and intelligence agencies can help that bargaining process by aggressively developing new capabilities , and by pursuing
new human intelligence leads to best exploit the bureaucratic errors detailed in the Mandiant and McAfee reports.

Takes decades for china to use tech they steal effectively Lewis 7/9/2013 [James A. Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International
Studies (CSIS) Statement before the House Energy and Commerce Committee, Subcommittee on Oversight and Investigations CYBER ESPIONAGE AND THE THEFT OF U.S. INTELLECTUAL PROPERTY AND TECHNOLOGY
Second, to utilize stolen technology an opponent must accurately translate complex engineering terms from English to Chinese and then give it to someone with the necessary skills and access to a sufficiently sophisticated industrial base to make use of it. For China,

there has been a lag of several years, perhaps as many as ten, between successful acquisition through espionage and the ability to produce competing products (be they military or civil). For simple technologies, it may only take a few months for the Chinese copy to appear; for complex technologies it can take up to a decade . One troubling trend is that this lag time
between acquisition and the appearance of a competing product based on stolen technology is decreasing, as Chinas ability to absorb and utilize technology has increased.

GMU Debate [File Name]

Economy

GMU Debate [File Name]

Small Impact
Small economic impact- cyber war empirically has only led to recoverable and negligible economic impactsthats Libicki No overall economic impact Lewis 7/9/2013 [James A. Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International
Studies (CSIS) Statement before the House Energy and Commerce Committee, Subcommittee on Oversight and Investigations CYBER ESPIONAGE AND THE THEFT OF U.S. INTELLECTUAL PROPERTY AND TECHNOLOGY
First, it

is difficult to estimate the value of intellectual property in the abstract, making it hard to come up with a precise estimate of the dollar value of the loss. Published estimates of the cost to the U nited S tates range from a few billion to hundreds of billion of dollars annually. CSIS and McAfee are undertaking a study on how to estimate the cost of all malicious cyber activity, including the theft of IP. Our current estimate is that the cost to the U.S. for all malicious cyber activity, including trade effects, job losses, insurance and recovery costs, fraud, and lost exports is less than 1% of Americas GDP .

Even if, no global impact Lewis & Baker 13 [James Director and Senior Fellow, Technology and Public Policy Program, CSIS, Stewart CSIS and Partner,
Steptoe & Johnson LLP. THE ECONOMIC IMPACT OF CYBERCRIME AND CYBER ESPIONAGE Center for Strategic and International Studies July 2013, McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe Accessed 9/1/2013 DMW
In this initial report we start by asking what we should count in estimating losses from cybercrime and cyber espionage. We can break malicious cyber activity i nto six parts: The loss

of intellectual property and business confidential information Cybercrime, which costs the world hundr eds of millions of dollars every year The loss of sensitive business information, including possible stock market manipulation Opportunity costs, including ser vice and employment disruptions, and reduced trust for online activities The additional cost of securing networks, insurance, and recovery from cyber attacks Reputational damage to the hacked company Put these together and the cost of cybercrime and cyber espionage to the global economy is probably measured in the hundreds of billions of dollars. To put this in perspective, the World Bank says that global GDP was about $70 trillion in 2011. A $400 billion lossthe high end of the range of probable costswould be a fraction of a percent of global income. But this begs several important
questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of cybercrime and cyber espionage.

Its tiny Lewis & Baker 13 [James Director and Senior Fellow, Technology and Public Policy Program, CSIS, Stewart CSIS and Partner,
Steptoe & Johnson LLP. THE ECONOMIC IMPACT OF CYBERCRIME AND CYBER ESPIONAGE Center for Strategic and International Studies July 2013, McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe Accessed 9/1/2013 DMW Cyber crimes against banks and other financial institutions probably cost many hundreds of millions of dollars every year. Cyber theft of intellectual property and business-confidential information probably costs developed economies billions of dollars how many billions is an open
question. These losses could just be the cost of doing business or they could be a major new risk for companies and nations as these illicit acquisitions damage global economic competitiveness and undermine technological advantage. Previous estimates

of the annual losses to businesses from cyber espionage show a startling variation , ranging from few billion dollars to hundreds of billions. The wide range of estimates reflects the difficulty of collecting data. Companies conceal their losses and some are not aware of
what has been taken. Intellectual property is hard to value in the abstract. Estimates are often based on anecdotes or surveys. These problems combine to leave some previous estimates open to question. The cost

of malicious cyber activity involves more than the loss of financial assets or intellectual property. There are opportunity costs, damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions cleaning up after cyber incidents, and the cost of increased spending on cybersecurity. Each of these categories must be approached carefully, but in combination, they help us gauge the cost to societies. In many cases we have used the United States as an example. This reflects, more than anything else, the fact that data is more readily available from US sources. In an ideal world, aggregating the various factors would be straightforward. This is not possible. In all of the categories of malicious cyber activity, the data is incomplete. Data collection is com- plicated by definitional difficulties. Should cyber crime, for example, include all crimes committed using cyber means or only those crimes that could
only be committed with cyber tools, leaving out crimes that would have otherwise been commit- ted via traditional criminal means. One way to think about this is to ask, if there was no internet,

estimate net loss, which is particularly important for estimating the effect of a temporary disruption of service. A store knocked offline for a day may lose $10,000, but if customers wait or go
would this crime have occurred? Two important caveats shape this comprehensive view. First, we will try to

GMU Debate [File Name] to another store, the net loss to the economy is much smaller . Second, we will try to use market values rather than a value assigned by the victim. A company may spend
a billion on research, but it is the expected return on this research that determines its worth, not the expenditure.

Interdependence checks economic impact Lewis 11 [James A. Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies
(CSIS) Statement before the House Oversight and Government Reform Committee, Subcommittee on National Security, Homeland Defense, and Foreign Operations CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES Accessed 9/1/2013 DMW]
These black

markets support cybercrime. In the cyber black market you can buy the latest hacking tools, learn of recently discovered vulnerabilities, rent botnets (thousands of remotely controlled computers), or purchase personally identifiable information. Credit card numbers, social security numbers, and bank
accounts, can be bought in lots of five or ten thousand. Buyers can choose between raw information or data that has been te sted for accuracy. These black markets amplify the threat of cybercrime and help make it a professional activity. There is increasing

concern about the vulnerability of the American financial system to cyber disruption. How much of this concern is justified is difficult to say, but there are some disquieting signs. Last years flash crash, where automated trading systems briefly crashed the stock market shows the potential for cyber disruption. This years penetration of NASDAQ, while it did not lead to any noticeable losses , shows the potential vulnerabilities of the system. While it is very unlikely that the nations with advanced cyber capabilities would crash the American financial system they simply have too much invested in it they could try to do so in the
event of a war. It is more likely is that cybercriminals, in an attempt to manipulate stock prices or gain insider information, could inadvertently cause some kind of crash. Federal agencies,

financial institutions and the major exchanges are all working to reduce the chances of this kind of damaging event, but it remains a possibility.

Banks are real secure Libicki 2011 [Martin C PhD, is a senior management scientist at RAND Corporation, focusing on the impacts of information
technology on domestic and national security. He has published Conquest in Cyberspace: National Security and Information Warfare and Information Technology Standards: Quest for the Common Byte, as well as numerous monographs. Prior employment includes the National Defense University, the Navy Staff, and the GAOs Energy and Minerals Division. He holds a masters degree and PhD f rom the University of CaliforniaBerkeley.. Cyberwar as a Confidence Game Strategic Studies Quar terly Spring 2011 Online, Accessed 8/29/2013 DMW]
The depletion

dynamic noted above would work in roughly the same way in the civilian world as it does in the military world. These days, networks and systems are established with some degree of security adequate only to deal with the day-to-day threats such institutions face. Banks, for instance, give a great deal of thought to security in large part because the motive to rob them is ever present. Bank security is fairly good; bankers can reduce the damage to acceptable levels, which also puts a top bound on the dam- age a state-sponsored bank thief could carry out. Electric power compa- nies, by contrast, are rarely attackedwhat would be the point? Thus, unless they have been prodded to isolate themselves by the deluge of threat scenarios over the last few years, the difference between a state-level threat and todays threat could be quite substantial, and they may not necessarily be so
well prepared. But, should state hackers appear, many such institu- tions would learn quickly that the threat environment had changed and, with more time, how to survive and cope with such

the most primitive response (sever all Internet connections) would return the US net- working became so ubiquitous. Being cyber-bombed back to the 1990s has its downside, but it hardly compares to being bombed back to the Stone Age (pace LeMay) by conventional weaponry.
change. Coping with the worst attacks might be expensive and disruptive. But, at the very worst, economy to the state that it had in the mid-1990s, before

In context of overall economy its a negligible impact Lewis 11 [James A. Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies
(CSIS) Statement before the House Oversight and Government Reform Committee, Subcommittee on National Security, Homeland Defense, and Foreign Operations CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES Accessed 9/1/2013 DMW] It is hard to estimate the losses from cyber espionage and cyber crime. Companies conceal their losses and some may not even be aware of what has been taken. Crime against banks and other financial institutions probably costs a few hundred million dollars every year. In contrast, the theft of intellectual property and business confidential information economic espionage cost developed economies much more. One estimate put U.S. losses of intellectual property and technology through cyber espionage at $240 billion . Another put them at $1 trillion. An estimate of German losses of
intellectual property due to cyber espionage puts them at perhaps $20 billion. Since the U.S. GDP is roughly five times the size of Germany, a very simple extrapolation would put U.S. losses from intellectual property theft at $100 billion. These are very crude estimates, but they give some idea of the scope of the problem. In the context

of a $14 trillion economy, these losses appear small and perhaps this is why they do not attract much attention. Still it is baffling why a cyber- bank robbery that stole $11 million, such as occurred
in the last year, attracted little attention. If gunmen walked into a local bank and stole a million dollars, it would be on every front page. Robberies of this size probably happen almost every month in cyberspace, yet they rarely attract notice. The theft of credit card data gets more attention. It remains a lucrative field for cyber criminals. A recent example the theft of credit card data from the Play Station network - affected as many as 99 million people. Some say that so much was stolen that the price of credit card data in cybercrime black markets actually fell because of the glut.

Actual use of product takes years Lewis & Baker 13 [James Director and Senior Fellow, Technology and Public Policy Program, CSIS, Stewart CSIS and Partner,
Steptoe & Johnson LLP. THE ECONOMIC IMPACT OF CYBERCRIME AND CYBER ESPIONAGE

GMU Debate [File Name] Center for Strategic and International Studies July 2013, McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe Accessed 9/1/2013 DMW Extracting information from a computer network does not always mean there is immediate benefit to the acquirers. They may lack the advanced manufacturing capacity or skill needed to produce military or high tech products . For some advanced technologies, there may be a lag of five to ten years between the theft of the IP and when it appears as a competing product . This lag in the use of pilfered intellectual property complicates the estimation of loss from malicious cyber activity. The rate at which a competing product based on stolen intellectual property appears varies from sector to sector. Some take years. Others, such as high speed trains or wind power generators, appear rapidly. In some cases, acquirer of the technology has been able to put a product on the market before the victim can introduce their own, legitimate version. One way to put these possible losses in context is to consider a US company with $1 billion in intellectual property, all of which is extracted by foreign hackers and given to a
competitor. This competitor now has the advantage of access to valuable intellectual property for which it did not have to pay. However, if the competitor that ille- gally acquired the intellectual property is unable to develop a competing product, the theft does not create additional risk for the victim. To suffer loss, the acquiring company would have to use the IP in a way that harms the victim, by offering a competing product or by improving their

high tech products requires know-how as much as blockbuster IPknowing how to run a manufacturing process, where to buy the cheapest inputs, which customers are most interested, what designs actually move product, etc. All of those things hold back
bottom line through reduced R&D costs.9 Making companies that rely on cyber espionage. But if the company can ask each time they hit a roadblock, How did the victim get over this barrier? and then go back find the answer in the victims files, then they can quickly acquire

state sponsored commercial espionage has focused on areas of great interest to govern- ments, such as military and advanced technologies. More recently, some countries seem to use cyber espionage as a normal part of business. Cyber espionage by nation states to benefit their compa- nies is a kind of state
the practical know how to use the stolen IP. Historically, aid to those companies that is cheaper than traditional subsidies. This priva- tized espionage can be deployed against a much broader swath of companies. One interview with intelligence officials told of a US furniture company being hacked and losing its IP, only to see furni- ture made from its designs being offered online to wholesalers. There are similar stories involving efforts to use cyber techniques in attempts to acquire breakfast cereal recipes,

victim company still has access to the intellectual property. It has not lost the ability to make the product; what has in fact happened is that it now faces a new competitor. The risk of this competition is increased if the new foreign competitor has access to other government subsidies that allow it to sell at a lower price or if it is supported in its domestic market by barriers that
running shoe designs, automobile part technologies, and soft drink formulas. These are not strategic industries, but their losses from cyber espionage can still be significant. The hamper outside companies from competing. We need, in our assessment of the cost of cyber espionage, to put it in the larger context of national economic and trade policy to understand the possible consequences.

Job loss in tiny Lewis & Baker 2013 [James Director and Senior Fellow, Technology and Public Policy Program, CSIS, Stewart CSIS and Partner,
Steptoe & Johnson LLP. THE ECONOMIC IMPACT OF CYBERCRIME AND CYBER ESPIONAGE Center for Strategic and International Studies July 2013, McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe Accessed 9/1/2013 DMW The effect of malicious cyber activities on jobs needs further work. The Commerce Department estimated in 2011 that $1 billion in exports equaled 5,080 jobs.3 This means that the high end estimate of $100 billion in losses from cyber espionage would translate into 508,000 lost jobs. While this translates into a third of a percent decrease in employment, this is not the net loss as many workers will find other jobs. The real concern might be if the lost jobs are in manufacturing or other high paying sectors. If workers displaced by cyber espionage do not find jobs that pay as well or better, the victim country would be worse off. The effect of cyber espionage may be to move workers from high paying blue-collar jobs into lower paying work or unemployment.

No large economic impact to cyber attacks Libicki 11 [Martin C PhD, is a senior management scientist at RAND Corporation, focusing on the impacts of information technology
on domestic and national security. He has published Conquest in Cyberspace: National Security and Information Warfare and Information Technology Standards: Quest for the Common Byte, as well as numerous monographs. Prior employment includes the National Defense University, the Navy Staff, and the GAOs Energy and Minerals Division. He holds a masters degree and PhD from the University of CaliforniaBerkeley.. Cyberwar as a Confidence Game Strategic Studies Quar terly Spring 2011 Online, Accessed 8/29/2013 DMW]
There is a wide range of opinion on that score. People

have worried about cyberwar for most of the last 20 years, and in all that time, not one person is known to have been killed by a cyber attack.5 As for damage, estimates vary widely from several hundred million dollars a year to several hundred billion dollars a year. The most costly single attack was probably the I Love You virus in 2000, whose costs have been estimated at as much as $15 billion but which may be
more realistically estimated at several hundred million dollars, if that.6 Only one power plant is known to have been disabled by hackers a system in southern Brazil in 2007and even there, the

The only two examples of a states using cyber attacks against another were Russias attacks against Estonia in 2007 and Georgia in 2008 (and Russias responsibility is questionable in the first case); both caused disruption that can be measured at no more than the low millions of dollars, and both pulled their victims closer to rather than pushing them farther from NATO. The Stuxnet
power outage has been disputed by local authorities as soot buildup. worm, if it worked, did serious damage, but it was closer in form to a onetime act of sabotage.

GMU Debate [File Name]

Terrorism

GMU Debate [File Name]

No technology
No cyber tech Lewis 11 [James A. Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies
(CSIS) Statement before the House Oversight and Government Reform Committee, Subcommittee on National Security, Homeland Defense, and Foreign Operations CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES Accessed 9/1/2013 DMW] Terrorists currently lack the capability to launch cyber attacks. If they had it, they would have already used it. The day a terrorist group can launch a cyber attack, it will do so. A few terrorist groups have expressed interest in acquiring cyber attack capabilities. They have said one of their goals is to disrupt the American economy this was the alleged motive for the effort by al Qaeda in the Arabian Peninsula to tamper with printer cartridges sent via in air cargo. We have a few years before terrorist groups or irresponsible nations like Iran or North Korea become sufficiently advanced in their cyber attack capabilities to launch strikes against the United States.

GMU Debate [File Name]