March 15, 2021 — Foreign influence operations are an acknowledged threat to national security. Less understood is the data that enables that influence. This article argues that governments must recognize microtargeting—data informed individualized targeted advertising—and the current advertising economy as enabling and profiting from foreign and domestic information warfare being waged on its citizens. The Department of Defense must place greater emphasis on defending servicemembers’ digital privacy as a national security risk. Without the ability to defend this vulnerable attack space, our adversaries will continue to target it for exploitation. MORE
|
March 15, 2021 — For approximately thirty years an unanswered question has hung over the military enterprise of nation-states: As the digital information age progresses, should we construct a military for the information age, or should we construct an information age military? The former would be an old enterprise applying new tools to its roles and missions. The latter would be a new enterprise. The new tools would not only alter the roles and missions the military prosecutes; they would alter the primary purposeful activity of the modern military. The short answer is that militaries and the national security communities that support them have hedged, wary of the uncertainty which comes with complex change. Into this gap has grown a new type of insecurity – a type not confined to military affairs and national security but society-wide – which open societies in particular are yet to fully understand and, thus to develop an appropriate response. The formulation of an appropriate response ties directly back to the thirty-year question. The response, where it exists, is decidedly fragmented. MORE
|
March 15, 2021 — Digital authoritarianism, or the use of digital technologies to enhance or enable authoritarian governance, has received much attention due to its implications for human rights and global democracy. Yet, often overlooked are the implications of digital authoritarianism for US national security. This article explores
the ways in which digital authoritarianism exposes US national security to risk on three fronts: consolidation of power in authoritarian regimes; increased incentives for authoritarians to promote diffusion of surveillance technologies; and potential insulation against foreign cyber attacks and lowered disincentives for authoritarians to conduct destabilizing cyber operations on the global Internet. MORE
|
March 15, 2021 — Defending against information warfare across the vastness of the social media space is difficult, if not impossible, or so the story goes. Many are trying, many are failing, and we have all heard of the many solutions that will turn the tide someday, somewhere, somehow: increased media literacy, expanded factchecking, banning bots, deleting accounts, redirecting users, curtailing free speech, boosting counter-messaging, etc. But what if there were one solution, better than all others, that no democratic nation dares to touch … yet? MORE
|
March 15, 2021 — This paper proposes the development and inclusion of Information Influence Operations (IIOs) in Cyberspace Operations. IIOs encompass the offensive and defensive use of cyberspace to influence a targeted population. This capability will enable the evolution of strategic messaging in cyberspace and allow response to near peer efforts in information warfare. MORE
|
March 15, 2021 — The following book review explores the content and insights of Dr. Herbert Lin and Dr. Amy Zegart’s Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations. Initially published in 2018, the book is omposed of a collection of works by prominent cyber scholars, practitioners, and professionals on the strategic uses of offensive cyber operations. MORE
|
November 18, 2020 — Welcome to The Cyber Defense Review (CDR) Fall 2020 edition. As the new Director for the Army Cyber Institute (ACI), I am honored to be joining the CDR team and very excited about this most recent issue of the journal. The CDR plays a critical role in expanding the discussion within the cyber community, from tactical units to national leadership to industry partners to academia. The quality of articles from a diverse group of leaders and thinkers within the community, coupled with an extensive reach that includes foreign allies, partners, and international educational institutes, is a testament to the impact of this journal. The CDR is truly adding to the body of knowledge in the cyberspace domain. MORE
|
November 18, 2020 — In 2018, the United States (US) Department of Defense (DoD) published the 2018 Cyber Strategy summary featuring a new strategic concept for the cyber domain: defend forward. It states DoD will, “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”[1] This reflects an important shift in DoD’s strategic posture, compared to the 2015 Cyber Strategy, in two key ways.[2] First, defend forward rests on the premise that to deter and defeat adversary threats to national security, the US could not solely rely on responding to malicious behavior after the fact. Rather, the DoD should be proactive in maneuvering outside of US cyberspace to observe and understand evolving adversary organizations and, when authorized, conduct operations to disrupt, deny, or degrade their capabilities and infrastructure before they reach the intended targets. Implied, but not explicitly stated, in the 2018 strategy summary is the role of information operations, and the relationship between cyberspace and the information environment. According to US doctrine, the former is a subset of the latter.[3] This article builds on our work as members of the US Cyberspace Solarium Commission to offer a conceptual framework and policy recommendations for integrating information operations in the context of defend forward. Many of the Commission’s 82 recommendations are slated to pass in the Fiscal Year 2021 National Defense Authorization Act (NDAA). MORE
|
November 18, 2020 — According to the Department of Homeland Security (DHS), municipal critical infrastructure has become an ideal target for a range of cyber threat actors including near-peer competitors seeking geopolitical gains and decentralized cyber criminals attempting to hold cities captive for monetary gain. With municipalities predominantly partnering with the private sector for operation of national critical infrastructure as defined in Presidential Policy Directive (PPD) 21, cities, states, and industry entities find themselves on the front lines—possibly the first line of defense—against a perpetual barrage of attacks in cyberspace. Accordingly, a dynamic shift from traditional conflict in the physical world to a homeland defense posture in cyberspace reveals several potential gaps with regard to handling emergency situations, coordinating response efforts, and restoring basic services for citizens.[3] This article seeks to highlight this dynamic environment, and the inherent gaps that exist in bolstering critical infrastructure resilience. Accordingly, the Jack Voltaic® (JV) research framework discussed in this article explores the interconnections among municipal, state, and federal response efforts during a cyber emergency scenario, with added emphasis on critical findings and themes from its Jack Voltaic® 2.5 workshop series. This effort brought together key regional stakeholders from across various levels of governance, the private sector, and academia to discuss the
findings of previous JV exercises, lessons learned, and how similar efforts can strengthen critical infrastructure, community resilience, and a whole-of-nation approach to handling cyber threats.[4] This article will highlight common findings and themes from multiple exercises and workshops that further reinforce current JV research and the Jack Voltaic® 3.0 Legal and Policy Tabletop Exercise (TTX). Finally, this article concludes with a detailed discussion about JV 3.0, which is scheduled to execute in September 2020. MORE
|
November 18, 2020 — The Cyberspace Solarium Commission (CSC) published its report in March 2020 offering emphatic, far-reaching recommendations in the cybersecurity domain. This report highlights the rapidly growing importance of public-private partnership (P3) in this domain as a national security cornerstone, and significantly informs the debate over the public-private balance in the cybersecurity system of governance in the United States. While important questions remain as to the best ways to safeguard public law values, the report strongly supports arguments for informed P3 collaboration, and further discourages the notion that cybersecurity should exclusively be an inherently governmental function. A legal analysis of partnering in the cyber domain suggests the risks of violating existing inherently governmental function rules are low, and navigable. Indeed, the CSC’s strong, bipartisan report accepts this as a given point of departure from the ad hoc P3 system we have today, and recommends concrete steps to advance national security and other public law values such as accountability, transparency, fairness, and privacy. Like legislation that set the stage for the NASA-SpaceX partnership, the CSC’s unequivocal embrace of P3 in the cybersecurity realm has great potential to guide legislation and other steps to reshape and adapt “defense-of-nation” Cyber domain efforts. MORE
|