1. Models of Escalation and De-escalation in Cyber Conflict
John C. Mallery
Computer Science & Artificial Intelligence Laboratory
Massachusetts Institute of Technology
Presentation at the 2011 Workshop on Cyber Security and Global Affairs, Budapest, Hungary, May 31 – June 2, 2011.
Version: 3/29/2012 11:04 AM
2. Escalation And De-escalation Models For State-state Cyber Conflict & Cooperation
- A step towards a US-Russia-China workshop on escalatory models of cyber conflict
- Intended to develop shared perspectives and analytical frameworks across countries
- Appendices include a draft set of topics for consideration in a longer workshop
  - Dynamics of cyber-fueled conflict
  - Approaches to managing cyber-fueled conflict
  - Lessons from history or other conflictual domains
- Today we will discuss a few selected topics
- Background: Topic area selected as the top priority by the MSU IISI team from 10 workshop topics presented last year
John C. Mallery 2 MIT CSAIL
3. Possible International Workshops On Critical Cyber Policy Issues
Workshop Topics (as presented):
1. Cyber Definitions
2. Cyber Crime
3. Cyber Terrorism
4. Escalatory Models
5. Civilian Infrastructures
6. Industrial Espionage
7. Technical Cooperation
8. Codes of Conduct
9. Cyber Law
10. Protection of the Commons
MSU IISI prioritization:
1. Escalation Models
2. Civil infrastructures
3. Cyber Definitions
4. Cyber Law
5. Codes of Conduct
6. Cyber Terrorism
7. Cyber Crime
8. Technical Cooperation
9. Protection of the Commons (termed "Protection of World Community")
10. Industrial Espionage
4. Overview
- Defining cyberspace
- Threat actors and capabilities
- Entropy-based model of conflict and cooperation
- Global cyber conflict mess
- Illustrative Conflictual Actions
- Illustrative Cooperative Actions
- Phase-structured Cyber Events Data
- Utility of cyber actions
- Managing Strategic Technology Competition
- Cross Domain Responses
- Proportionality Judgments
- Institutions and Mechanisms for Cyber De-escalation
- Cyber Conflict Characteristics
5. What is cyberspace?
- Interdependent network of information technology infrastructures (NSPD54/HSPD23)
  - Internet
  - Telecommunications networks
  - Computer systems
  - Embedded processors
  - Controllers in critical industries
- Also the virtual environment of information and interactions between people (NSPD54/HSPD23)
- Activities riding on cyberspace
- US Military
  - Electro-magnetic spectrum
  - Information operations
  - C4ISR, space
- Supply chains for IT
  - Computers, networks, software, sensors, crypto, identity management, etc.
- Knowledge, information, data
6. Domains of Cyberspace
(Layered diagram on the original slide; the layers and their elements are listed here in the order they appear in the extracted layout.)
Governance: Diplomacy, Treaties, Agreements, Norms, Alliances, IGOs, NGOs, Industry
Technological level: Network, Computer, Crypto, ID Mgt. Standards; Universal Principles
Cyberspace (knowledge formation): Value System Dynamics, Political Discourse, Information Processes, Social Networking, Economic & Business Activity, International Dialogues, Military and Intelligence Systems
Physical network connectivity: Critical Infrastructures, Enterprise IT, Consumer IT; Network Infrastructure Administration; Application Software and Administration; Routers, Switches, Fiber, Wireless, Other; PCs, Servers, Laptops, Cell Phones, PDAs
Supply chain: IC Fabrication, IC Design, Operating Systems, Information Assurance, Cryptography, Research Communities, IA Certification and Accreditation, International Standards
7. Threat Actors And Capabilities
| Threat Actor | Motive | Targets | Means | Resources |
| Nation states during wartime | Political | Military, intelligence, infrastructure, broad private sector | Intelligence, military, espionage, reconnaissance, influence operations, world orders | Fully mobilized, multi-spectrum |
| Nation states during peacetime | Political | Intelligence, military, espionage, reconnaissance, influence operations, world orders | Leverages criminal enterprises or black markets | High, multi-spectrum, variable skill sets below major cyber powers |
| Terrorists, insurgents | Political | Infrastructure, extortion | Leverage black markets? | Limited, low expertise |
| Political activists or parties | Political | Political outcomes | Outsourcing? | Limited, low expertise |
| Black markets for cyber crime | Financial | Tools, exploits, platforms, data, expertise, planning | Mobilizes cyber crime networks | Professional, low end |
| Criminal enterprises | Financial | Hijacked resources, fraud, theft, IP theft, illicit content, scams, crime for hire | Reconnaissance, planning, leverage of black markets | Multi-spectrum, diverse expertise |
| Small scale criminals | Financial | (not given) | Leverages black markets | Low, mostly reliant on black markets |
| Rogue enterprises | Financial | IP theft, influence on sectoral issues | Outsourcing to criminal enterprises? | Sectoral expertise, funding, organization |
8. Conflict and Cooperation within a Living Social Systems Framework
- Goal: a continuous function from conflict to cooperation
- Countries are autopoietic systems
  - Prigogine, non-equilibrium thermodynamics
  - Self-recreating living systems
  - Network of component-producing processes
  - Recreate the socio-economic and political system over time
- Key functional areas:
  - Physical Security: Military, intelligence, terrorism
  - Economic Security: Business, technology, science, policy
  - Political Security: Ideation, legitimacy, diplomacy
- State-state interactions
  - Conflictual action: increases autopoietic entropy
  - Cooperative action: decreases autopoietic entropy
- Mesh of state-state interactions
  - Reciprocity dimensions: economic, political, military, cultural
  - Relationships: parasitic or mutualistic
9. Global Cyber Conflict Mess*
Cyber Capability Levels
| Cyber Power | No. | IW | Espionage | Attack | Integration |
| Major | 3? | High | High | High | High |
| Important | 10? | Moderate? | Significant | Significant | High |
| Middle | 20? | Lower? | Crime ware | Crime ware | Lower |
| Lesser | 70+ | Lower? | Crime ware | Crime ware | Lower |
- Over 100 states developing offensive cyber capabilities
  - * Various USG sources, 2008-2010
- What are their targets?
  - Economic
  - Political
  - Military/intelligence
- Who are their targets?
  - G20?
  - Major industries?
10. Illustrative Conflictual Actions
(Columns of the original table: Move Type | Action | Std. | Cyber | Intensity | Duration | Impact. The x/? marks and the final number are reproduced as extracted.)
| Move Type | Action | Std. Cyber Intensity Duration Impact |
| Political | Displeasure | x x 1 |
| Political | Protest | x 1 |
| Political | Withdraw support | x 2 |
| Political | Snub | x 1 |
| Political | Threaten | x x 1 |
| Political | Support opposition | x x 4 |
| Political | Subversion | x 5 |
| Economic | Industrial espionage | x x 2 |
| Economic | Sabotage | x x 2 |
| Economic | Sanctions | x ? 3 |
| Economic | Quarantine | x ? 4 |
| Military | Politico-military espionage | x x ? |
| Military | Unconventional warfare, terrorism | x x 1 |
| Military | Skirmishes | x x 2 |
| Military | Limited warfare | x x 4 |
| Military | General warfare | x x 5 |
11. Illustrative Cooperative Actions
(Columns of the original table: Move Type | Action | Std. | Cyber | Intensity | Duration | Impact. The x/? marks and the final number are reproduced as extracted.)
| Move Type | Action | Std. Cyber Intensity Duration Impact |
| Political | Diplomatic recognition | x 1 |
| Political | Praise, hail, applaud | x x 2 |
| Political | Endorse or support policy or position | x x 3 |
| Political | Promise material support | x x 3 |
| Political | Negotiate | x x 1 |
| Political | Make substantive agreement | x x 2 |
| Political | Share data, intelligence | x 4 |
| Economic | Joint ventures, technical sharing | x x 5 |
| Economic | Support capacity building | x x 3 |
| Economic | Suspend sanctions | x ? 1 |
| Economic | Extend economic aid | x ? 3 |
| Military | Extend military assistance | x x 4 |
| Military | Coordinate counter-terrorism | x x 4 |
| Military | Coordinate defense | x x 5 |
| Military | Cease hostilities | x x 3 |
| Military | Settle dispute | x x 3 |
12. Phase-structured Cyber Events Data
- Define a cyber action vocabulary
  - Party actions
  - Referrals to conflict managers
  - Conflict management actions
- Code state-state interaction sequences
  - Include a partial order for level of conflict or cooperation
  - Phase structure is given by the movement up or down hostility/altruism
- Enables learning to:
  - Predict escalation or de-escalation as a function of event sequences
  - Assess the efficacy of conflict management actions
14. Managing Strategic Technology Competition
1. Engineering networking standards and computational frameworks for national advantage
2. Developing universalizable norms for system engineering and design certification
3. Managing industrial espionage when it is an integrated component of strategic economic competition
4. Sanctions (diplomatic, economic) against predatory behaviors in open multilateral trading systems
5. Standards for ICT intended to reduce opportunities for bad cyber behavior, enhance international stability and promote orderly international interactions
15. Cross Domain Responses
- A state need not respond to cyber in kind
- Cross domain responses cloud anticipation of responses to cyber actions
  - Judgment of proportionality by the initiator
  - Judgment of perception by the recipient
- Example:
  - Industrial espionage by China
  - Possible response aiming at regime legitimacy
- Example:
  - Russia and the US declare a potential nuclear response against cyber attacks on C2 systems
  - Penetration of the wrong system could provoke a major response
- Cross domain responses introduce potentially destabilizing feedback paths
16. Proportionality Judgments
- Shared understandings of proportionality are necessary for meaningful calibration of action
- Different perspectives, approaches, traditions and cultural contexts can produce misunderstandings and unintended escalations
- Errors or accidents involving cyber weapons may produce
  - Unintended consequences via cascading effects
  - Unforeseen escalatory responses
17. Cyber Conflict Characteristics
1. Offense dominated
2. Strategic reach
3. Poor attribution (low frequency)
4. Poor warning with short detection times
5. No strategic depth -> pre-emption strategies
6. Readily usable techniques for espionage
7. Strong reciprocity among major actors
8. Low barriers to entry
9. Over 100 state players
10. Lack of shared perception of action seriousness
  - Limited history of cyber conflict
  - Cross cultural understanding challenges
  - Little guidance from international law
  - Many variations possible
- Conclusion: Unstable, dangerous feedbacks
18. Institutions and Mechanisms for Cyber De-escalation
| Domain | Activity | Conflict Manager |
| Political | Hacktivism; Legitimacy IW | ?, UN |
| Economic | Industrial espionage; Predatory trade; Supply chain subversion | ?, IMF, G*, WTO, regional IGOs |
| Military | Prepositioning logic bombs; Critical infrastructure attacks | Conventional mediators (e.g., UN, regional IGOs) |
19. Research Questions
1. What is the domain of cyber conflict and cooperation?
2. Does the rise of cyber operations, whether attack, espionage or influence operations, change inter-state conflict dynamics?
3. What are the stability characteristics of current and future international systems as cyber conflict capacity develops and diffuses?
4. How can levels of cyber conflict and cooperation be measured and compared across technical change?
5. How can strategic technical and economic competition be managed?
6. How can different perceptions of hostility or cooperation and escalation phases be managed?
7. Can legal or normative frameworks increase stability or protect non-combatants?
21. Dynamics Of Politico-military Escalation And De-escalation In State-state Cyber Conflict
1. Analysis of factors contributing to instability or stability
2. Cyber as a means for strategic reach with low barriers to entry (over 100 countries with some cyber offensive capabilities)
3. Pre-emption strategies due to poor warning as a source of instability
4. Problems of n-way games, including (mis-)attribution, bad reputations, provocations
5. Clusters of state-level cyber conflict and cooperation
6. Dangerous feedbacks, good feedbacks
7. Unintended consequences (e.g., perceptions, cascading impact, spreading impact, collateral damage to civilians or 3rd parties)
8. Precision and controllability of cyber techniques across target domains, including impact on neutral countries or the global commons
9. Usability of cyber techniques for attack or exploitation (low probability of attribution, low physical damage, low human casualties)
10. Cross-domain responses to cyber as amplifiers or attenuators of conflict
11. Differential perception of threat (e.g., economic, legitimacy, systemic)
12. Special case of nuclear powers (cyber under cover of nuclear)
13. Asymmetric vulnerability of lower ICT capacity states to cyber attack by stronger military powers
14. Dynamics of collapse or rebuilding of trust across state-state transactions, with special attention to low-to-mid level cyber provocations
15. Mechanisms for de-escalation, including termination of conflict or war
16. Mechanisms for establishing ground truth (e.g., monitoring, data sharing, inspection, cross correlation)
17. Institutions for international mediation and conflict management
22. Conflict Triggers Or Escalators
1. Misread of red lines
2. Denial of service or attack on C2 or space assets
3. Ambiguity of cyber actions between exploitation and attack
4. Penetration of critical infrastructure, or "preparation of the battlefield"
5. Accidental impact on 3rd parties via spread or cascading
6. Excessive espionage provoking hostile responses, possibly cross-domain
7. 3rd party provocations intended to incite major power conflict
8. Information operations targeting political legitimacy
9. Conventional conflict triggering cyber responses
23. Cross-modality Or Cross-domain Responses To Cyber Exploitation Or Attack
1. Signaling and problems of misperception in cyber conflict (or cyber cross-domain responses)
2. Mismatches of cross cultural or doctrinal models of cyber conflict
3. Hostility spirals due to volume of exploitation or development of a bad reputation
25. Challenges
1. How can verification, monitoring and situational awareness be achieved, and to what extent?
2. How is cyber defense possible without understanding and anticipating incoming cyber attacks?
3. How can proliferation of cyber weapons within or across countries be prevented or managed?
26. Shared International Frameworks For Designating Actions In Cyber Space As Criminal, Hostile, Or Negligent
1. Definitions of hostility levels
2. Definition of when counter-force becomes counter-value targeting along supply chains or supporting infrastructure for an opposing military
3. Red lines within the contexts of peace, crisis or war
4. Impact of red lines on dynamics of escalation control and stability
5. Instabilities arising from attacks on C5ISR systems, including nuclear systems, space assets and naval forces
6. Large-scale espionage: quantity exceeds conventional hostility calibrations
7. Ambiguity of cyber-physical systems (e.g., cyber attack on a power grid causing physical damage)
8. Information operations: anti-terrorism, threats to government stability
9. How should international sharing of cyber data be organized and coordinated?
10. Rebuilding trust in a low verification environment
27. Responsibility Of National Leadership For Controlling Cyber Offense And Exploitation
1. Government actors
2. Surrogates, including state responsibility for cyber "patriots" or criminals operating within their territory under international law, regardless of whether the state has direct, indirect or no control at the time
3. Non-state actors using computing platforms within their territories
  - Hacktivists
  - Terrorists
4. Leakage of advanced cyber capabilities to criminals or terrorists
5. Managing different levels of conflict from strategic (e.g., nuclear weapons control and release) to theater or tactical
6. Responsibility for cleaning up botnets, or other platforms within their territories used by 3rd parties to attack or exploit 2nd parties
28. Managing Strategic Technology Competition
(This appendix slide repeats the content of slide 14, Managing Strategic Technology Competition.)
29. Legal Or Normative Frameworks Codifying Shared Interests
1. How can cooperative activities in cyber defense or fighting cyber crime build reservoirs of trust that help prevent or attenuate cyber crises?
2. Can a "public health" approach to cyber help reduce the risk of conflict and enhance trust through cooperative contributions to the cyber commons?
3. To what extent are states interpreting cyber within the framework of the Geneva Convention?
4. Where are current international legal frameworks adequate or inadequate?
5. How can they be extended to cover gaps?
6. How do they serve the range of state or non-state actors in the international system?
7. Can legal or normative frameworks actually help in a timely fashion when cyber capabilities are so widely diffused and technical change is rapid?
8. What is their domain of relevance across a hostility range from peacetime to wartime?
9. How can adverse impacts on international cyber infrastructures be prevented or managed?
10. How can collateral damage to non-belligerents be managed?
11. How can 3rd party provocations intended to initiate conflicts between major powers be prevented beforehand or managed afterwards?
30. Legal Or Normative Frameworks Codifying Shared Interests (continued)
12. What is the legal or pragmatic liability of states for the consequences of cyber operations, whether intentional, collateral, or accidental (including cyber proliferation)?
13. What should be the status of a cyber attack on one country that disrupts economic activity in 3rd countries (e.g., shared infrastructure, outsourcing, linked industrial verticals)? Rights of 3rd parties to respond? Non-state actor case?
14. What is the responsibility of states to prevent private actors or 3rd parties from launching attacks from within their territory by controlling bad network traffic, taking down botnets, or requiring higher assurance standards?
15. What legal recourses are available when cyber espionage exceeds standards of customary practice to reach extraordinarily high levels of hostility?
16. What should be the responsibility of Internet service providers to report bad behavior to states (e.g., tracing attacks via proxies, cyber pollution, IW)?
17. What should be the legal liability of ISPs if they act as agents of a state by providing the means to deliver cyber attacks, or engage in cyber exploitation or weaponization?
18. To what extent are states and ISPs separate around the world? How does it affect the ability of states to act in cyberspace?
32. Lessons From History Or Other Conflictual Domains
1. How should the definition of "armed force" be extended to cyber attacks (e.g., by consequences, by threat level)?
2. How do we measure the consequences of cyber weapons? Must they have a physical manifestation?
3. How can conventional counter-proliferation approaches bear on cyber capabilities?
4. How can conventional protections of neutral parties, international infrastructures or global commons (e.g., sea, space) be extended to cyber?
Analogies with other weapons regimes:
1. How is cyber not like nuclear deterrence? (An overworked analogy, with many analytical assumptions failing.)
2. How are cyber weapons like non-nuclear kinetic weapons?
3. How can biological weapons regimes inform cyber regimes? (Similarities and differences, for example in terms of proliferation, verification, usability)