Graded Cyber Policy Papers

A collection of studies about cyber security in military and civilian context.

cyber
politics
security
infosec
  1. Home
  2. Google Sheet
  3. Graded Cyber Policy Papers

Graded Cyber Policy Papers

A collection of studies about cyber security in military and civilian context.

cyber, politics, security, infosec

Sanctioning Russia for SolarWinds: What Normative Line Did Russia Cross? Robert Chesney https://www.lawfareblog.com/sanctioning-russia-solarwinds-what-normative-line-did-russia-cross A He noticed some things nobody seems to want to point out, for example, the domestic political salience bit. :)

Current International Law Is Not an Adequate Regime for Cyberspace Michael P. Fischerkeller Michael P. Fischerkeller A Needs diagrams, otherwise great.

Pathologies of obfuscation: Nobody understands cyber operations or wargaming Nina Kollars and Benjamin Schechter https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/pathologies-of-obfuscation-nobody-understands-cyber-operations-or-wargaming/ A

The Cyber Paradigm Shift Emily Goldman https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1044&context=usnwc-newport-papers. A Essentially a prequel to the Fischerkeller paper

Rapid capabilities generation and prompt effects in offensive cyber operations JD Work Technology and The Cyber Domain: Implications for Intelligence. International Studies Association Annual Conference. Las Vegas. April 2021. A Explains the ops against bot networks from USCC

Successful counter-cyber operations secure US election JD Work Janes Intelligence Review | March 2021 A Points out a subtle area of PE in terms of judging success and failure...

Early intelligence assessments of COMBLOC computing JD Work JD Work (2021) Early intelligence assessments of COMBLOC computing, Journal of Intelligence History, DOI: 10.1080/16161262.2021.1884791 A Very much worth a read. Not just about the past.

From cold to cyber warriors: the origins and expansion of NSA’s Tailored Access Operations (TAO) to Shadow Brokers Steven Loleski https://www.tandfonline.com/doi/abs/10.1080/02684527.2018.1532627?journalCode=fint20 A

DECONSTRUCTING THE U.S. POLICY OF INDICTING MALICIOUS STATE CYBER ACTORS PETER G. MACHTIGER https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3799284 A

Opportunity Seldom Knocks Twice: Influencing China’s Trajectory via Influencing China’s Trajectory via Defend Forward and Persistent Engagement Defend Forward and Persistent Engagement in Cyberspace Michael P. Fischerkeller asia policy, volume 15, number 4 (october 2020), 65–89 A https://cybersecpolitics.blogspot.com/2020/11/a-second-byte-at-china-apple.html

Cyber Competition to Cybered Conflict Chris Demchak https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1044&context=usnwc-newport-papers A https://twitter.com/daveaitel/status/1347612121677377538?s=20

China's Counter-Strategy to American Export Controls in Integrated Circuits Douglas B. Fuller https://www.prcleader.org/fuller A

Troubled vision: Understanding recent Israeli–Iranian offensive cyber exchanges JD Work, Richard Harknett https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/troubled-vision-understanding-israeli-iranian-offensive-cyber-exchanges/ A Best starter paper on PE

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits Lillian Ablon, Andy Bogart https://www.rand.org/pubs/research_reports/RR1751.html A Only paper with any data on this subject

Public attribution of cyber intrusions Florian J Egloff doi: 10.1093/cybsec/tyaa012 A

Secrecy's End Oona A. Hathaway https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3852303 A Great paper on an important topic - I have some minor quibbles about the final section of suggestions, but the history section and legal analysis is a must read. https://www.youtube.com/watch?v=cP-RSBAI_wc&ab_channel=DaveAitelDaveAitel

Who Hath Measured the (Proving) Ground: Variation in Offensive Capabilities Test and Evaluation JD Work https://osf.io/preprints/socarxiv/p92tn/ A There was some stuff in here I didn't know about how history played out (i.e. this is a paper where public facts get reinterpreted in a way that surprises you).

Achieving Systemic Resilience in a Great Systems Conflict Era Chris Demchak https://cyberdefensereview.army.mil/Portals/6/Documents/2021_spring_cdr/COVID_CDR_V6N2_Spring_2021_r4.pdf B It has some good stuff in it, and an important recalibration, but I don't feel like it actually adapted its own recalibration or properly absorbed what the implications were. https://twitter.com/daveaitel/status/1395136883668180992 , https://www.youtube.com/watch?v=ODwuB9Zu2KI&t=1s&ab_channel=DaveAitel

Targeting Technology: Mapping Military Offensive Network Operations Daniel Moore https://ccdcoe.org/uploads/2018/10/Art-05-Targeting-Technology.-Mapping-Military-Offensive-Network-Operations.pdf B This is a taxonomy, mostly, which is a good overview but does not push too far into the wacky corners. I feel like it sets the ground for a future paper (which is probably already written and sitting in an email queue somewhere).

Cyber Threats and Vulnerabilities to Conventional and Strategic Deterrence Mark Montgomery and Erica Borghard https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-102/JFQ_102.pdf B What would the US do, to help lower this risk? (https://carnegieendowment.org/2021/04/08/china-u.s.-cyber-nuclear-c3-stability-pub-84182) . Missing from this paper is NEGOTIATING WITH OUR ADVERSARIES. Other than that, it's a good TODO sheet of stuff we ought to do, but without the costs, or even a rough order of magnitude of the costs?

The Escalation Inversion and Other Oddities of Situational Cyber Stability Jason Healey, Robert Jervis https://tnsr.org/2020/09/the-escalation-inversion-and-other-oddities-of-situational-cyber-stability/ C Also at: http://dx.doi.org/10.26153/tsw/10962. This paper has SO MANY ISSUES. I could go on and on, and I did, in a twitter thread, which I should make a video out of. It feels like a huge attempt to justify a push-back on the concept of persistent engagement in favor of some sort of vague theory of defensive alignment and restraint that is never going to gain any ground. Two major arguments against this paper: 1. Geopolitical differences between countries make it impossible to have a generic understanding of escalation in the way this model requires. 2. Nations use hybrid approachs to conflict (i.e. cyber+mil+econ) that make this model impossible to detangle.

Countering cyber proliferation: Zeroing in on Access-as-a-Service Winnona DeSombre, James Shires, JD Work, Robert Morgus, Patrick Howell O’Neill, Luca Allodi, and Trey Herr https://www.atlanticcouncil.org/in-depth-research-reports/report/countering-cyber-proliferation-zeroing-in-on-access-as-a-service/ C Recommendations very bad, but ENFER bit and framing are great. https://youtu.be/Qr-4_fWFpqA

Persistent Engagement Neglects Secrecy at Its Peril Lennart Maschmeyer https://www.lawfareblog.com/persistent-engagement-neglects-secrecy-its-peril D Got docked points for " Cyber persistence posits that actors have the capacity to manage the degree of covertness of an operation. Yet a successful compromise always requires a clandestine approach. Covert operations obscure the origins of an operation but not the activity itself, while clandestine operations strive to obscure both the origins and the activity." https://twitter.com/daveaitel/status/1311474050582163457

Virtual Territorial Integrity: The Next International Norm Michael J. Mazarr https://www.tandfonline.com/doi/abs/10.1080/00396338.2020.1792100?journalCode=tsur20#:~:text=The%20rising%20potential%20for%20dangerous,traditional%20aggression%20toward%20other%20societies. D It's hard to see how this concept goes forward, to be honest.

Restraint under conditions of uncertainty: Why the United States tolerates cyberattacks Monica Kaminska https://academic.oup.com/cybersecurity/article/7/1/tyab008/6162971?searchresult=1 F Extremely frustrating. https://www.youtube.com/watch?v=wNzgrzL9J6c&t=11s&ab_channel=DaveAitel

Taking Stock: Estimating Vulnerability Rediscovery Trey Herr, Bruce Schneier https://privpapers.ssrn.com/sol3/papers.cfm?abstract_id=2928758 F Misunderstood data. Do not cite.

PrEP: A Framework for Malware & Cyber Weapons Trey Herr https://privpapers.ssrn.com/sol3/papers.cfm?abstract_id=2343798 F Oversimplified model

Deterrence in the Cyber Realm: Public versus Private Cyber Capacity NADIYA KOSTYUK https://academic.oup.com/isq/advance-article-abstract/doi/10.1093/isq/sqab039/6287900?redirectedFrom=PDF F It's good to point out from this paper an example of overbroad abstractions (nearly everything is a "PCI") here. Also, I find it funny she used the acronym PCI. But regardless, when trying to work on the model of deterrence in cyber this is the kind of horrible knots you will tie yourself into. Nearly everything in this paper is wrong but that itself is interesting, in a way. What would have improved this paper is a massive change of scope and focus. It needed to drill down into the weeds on some things. In particular, a rewrite of this paper JUST LOOKING AT TIANFU CUP/PWNTOOWN would potentially be useful.

Initiative Persistence as the Central Approach for U.S. Cyber Strategy Michael P. Fischerkeller, Richard J. Harknett https://docs.google.com/document/d/1SC_e3RnN8AIHNgzJFfCEXdb_44rmL9dgI7G8dB_gjNk/edit?usp=sharing B Makes a very good case that people should really stop attempting "Strategic Ambiguity". To be honest, does a GREAT job of hitting OTHER perspectives, but gets docked a point for not having enough time on its own initiative persistence work itself. https://www.youtube.com/watch?v=q-XoRdsfjBc&t=101s&ab_channel=DaveAitel

Deterrence by Denial in cyberspace Erica D. Borghard & Shawn W. Lonergan https://www.tandfonline.com/doi/abs/10.1080/01402390.2021.1944856?src=&journalCode=fjss20 C A counterpoint to the Fischerkeller paper above. https://www.youtube.com/watch?v=q-XoRdsfjBc&t=101s&ab_channel=DaveAitel

Paper Author Link Grade DA Comments Review Links ADD YOURSELF HERE

Escalation Management in 21st Century Operations in the Information Environment Lawrence, K. (NSI, Inc.); Hunt

Graded Cyber Policy Papers
Info
Tags Cyber, Politics, Security, Infosec
Type Google Sheet
Published 25/11/2021, 01:55:45

Resources

Cyberpunk 2077 Settings Optimization
APT Groups and Operations