“I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese. —James Comey, then FBI director, October 5, 2014”

From a realist perspective of the current international environment, observing the struggle of states jostling for power and security in an anarchic world, one could be forgiven for regarding the “cyber-domain” as this century’s wild west. The rapid pace of technological innovation and change across the last five decades, while providing stunning upgrades to many aspects of our lives has reinforced the entropic nature of the international order. State and non-state actors clash on an opaque cyber-battleground with increasing frequency, intensity, and cost. In the absence of rules of engagement and guiding norms, malicious actors routinely attack individuals, businesses and governments with impunity. Where norms, policy and laws should prevail, instead; vacillation, secrecy and inertia sustain the status quo.

Through a close examination of the impact and effects of international cybercrime, and analysis of potential strategic response options, this paper will argue that U.S. vital interests would be well served by taking the lead in the establishment of an international organisation mandated to attribute, deter, and punish cybercrime.

This paper is divided into four main sections. The first examines the current international context, the major state and non-state players, and diagnoses the problem - a vacuum of leadership on tackling cybercrime. The second debates the responsibility of jurisdiction at the intersection of domestic and international networks. The third analyses theoretical considerations that could strengthen, or undermine the establishment of a new international organisation.The four section offers the outline of a potential organisational framework through comparison with existing international treaties and organisations.

Il Buono, Il Brutto, Il Cattivo - The context, the actors, and the problem

The United States is the current global leader in information communication technologies (ICT). Paradoxically, this cyber-hegemonic status also ensures it is the most vulnerable to cyber-attacks from malicious state and non-state actors. The sheer scale of its network of connected devices, while being the most sophisticated, also offers potential adversaries a significantly more expansive “attack surface than any other nation. The ubiquity of ICT to American society guarantees that the private information of civilians housed on computer servers, business and financial systems, and the command and control centres of the military exist as part of an interconnected international network of exploitable devices. The Internet of Things (IoT) will comprise more than 26 billion connected devices by the end of 2019. To understand that each device represents at least one exploitable vulnerability is to begin to grasp the daunting magnitude of the task of monitoring, securing, and policing this vast virtual environment.

A report produced by Macafee and the Center for Strategic and International Studies (CSIS) estimated the total global cost of cybercrime in 2016 was circa $600 billion USD, with the U.S. individually suffering a loss in the range of $140-$175 billion USD. Note that his figure doesn’t take into account the impact of intellectual property (IP) theft. Gen. Keith Alexander, former head of the National Security Agency (NSA), describes IP theft resulting from cyberespionage as “the greatest transfer of wealth in history” China has, and continues to be, the undisputed principal beneficiary of U.S. IP theft.

The U.S. national security and intelligence communities identify China, Russia, Iran and North Korea (DPRK) as the leading proponents and perpetrators of international cybercrime. In the past twenty years, a focus on asymmetric capabilities by these nation states has seen a steady increase in “short-of-war” cyber-attacks against the U.S. government, critical national infrastructure (CNI) and the private sector. It is commonplace for these low-cost attacks to be perpetrated by state-supported malicious cyber-actors working as proxies for a surrogate nation.

Between 2014 and 2016 the United States suffered three large-scale (publicly known) cyber-attacks from three separate state adversaries. In 2014, in an attempt to prevent the impending release of the film The Interview, in which a pair of tabloid news reporters are recruited by the CIA to assassinate Kim Jong-Un, the DPRK launched a cyber-attack against Sony Pictures (SPE). That attack rendered SPE servers inoperable; IT infrastructure repairs alone costing the company over $30 million, with the total impact nearer to $100 million. In 2015 the United States Office of Personnel Management, an agency of the federal government that manages the personnel records of civilian government employees, was hacked with the records of over 20 million people targeted. While the U.S. was reticent to publicly attribute the attack, a Chinese national was arrested in relation to the hack, and media outlets asserted the government had internally attributed the attack to China. The 2016 U.S. presidential elections were broadly targeted by Russian cybergroups. Server hacking, theft, and public release of Democratic National Convention files and emails, as well as widespread disinformation (dezinformatsiya) campaigns were uniformly attributed to Russia by the U.S. intelligence community - investigations ultimately producing more than thirty individual indictments of Russian nationals. The U.S., whilst a regular victim, is not uncredentialed in interstate offensive cyber-operations. Perhaps the most sophisticated (known) cyber-operation in history, Operation Olympic Games, was a joint U.S./Israel operation. This operation designed and implanted malware into the programmable logic controllers (PLCs) of centrifuges located in the Iranian nuclear enrichment facility in Natanz. The malware disrupted the normal operational cycle of the PLCs causing many of the centrifuges to fail, and in some cases explode - a kinetic result from a digital incursion. Though the U.S. has never publicly accepted responsibility, their role in the attack is widely accepted. Although the malware only achieved its design purpose under certain technical conditions, namely when exposed to Siemens’ PLCs, its underlying proliferate characteristic saw it spread to more than 200,000 non-target computers worldwide - an illustrative example of the potentially catastrophic collateral damage posed by cyberattacks.

The U.S. has suffered from inconsistent prioritization of cyber-policy and strategy by different administrations. This inconsistency has left gaping holes in the legislative and normative frameworks both domestically and internationally. The Obama administration sought to address the international vacuum with its 2011 International Strategy for Cyberspace: Prosperity Security and Openness in a Networked World. In this strategy report the administration acknowledged “the world must collectively recognize the challenges posed by malevolent actors’ entry into cyberspace, and update and strengthen our national and international policies accordingly.” Little progress, however, has been made toward these goals in the eight year since the release of this strategy. The costs of wide-spread intellectual property theft, business interference, attacks on democratic institutions, damage to critical infrastructure, and attempted sabotage of military assets continue to mount, and the threat of global cyberwar lurks ever present. The United States, given its dominant global ICT position, it could be argued, is the presumptive leader the world needs to focus its collective attention on fixing the problem of cybercrime. Yet, the Trump administration has delivered a somewhat “psychitzophrenic” stance on cybercrime to the international community; which to some might undermine its credibility as the logical nation to spearhead the formation of a new international body. In November 2018, the Trump administration formally launched a new agency of the Department of Homeland Security, the Cybersecurity and Infrastructure Agency (CISA). Designed to complement other cyber focused agencies, like the United States Cyber Command (USCYBERCOM), this agency, as its name suggests, has a focus on protecting U.S. critical infrastructure. The establishment of such an agency would generally imply an administration that is cognizant of the threats of cybercrime, and proactively attempting to prevent them. President Trump’s refusal, however, to accept the intelligence community’s assessment that Russian interfered with the 2016 election campaign contradicts this assumption. The irony is not lost on many observers, that the agency President Trump signed into law in November 2018 is, in fact, responsible for securing the very electoral systems (deemed critical infrastructure) attacked by Russia in 2016. National security and intelligence community leaders have lamented the lost opportunity for building a consensus cybers strategy, through greater interdepartmental cooperation, which stems in part from the president’s failure to acknowledge Russian meddling in the U.S. elections, and his unwillingness to unite behind this “common enemy”. Generally, the Trump administration has advocated and enacted a foreign policy that leans more toward retrenchment than engagement. Withdrawal from international agreements like the Paris Accord, Joint Comprehensive Plan of Action, and the Trans Pacific Partnership (TPP), signpost a potentially isolationist attitude to international participation. Despite this, for a new international cybercrime fighting institution to succeed, the United States, with their enormous resources and technological superiority, must participate and lead for it to have any chance of succeeding. Appealing to the U.S. from a purely economic perspective (annual losses to cybercrime circa $175b), should make a sufficiently compelling case for involvement, if not leadership.

Coming To America

Does an international cybercrime organisation need to be underpinned by stronger domestic practices and legislation, or should the international community consider rules and enforcement independent of domestic considerations? The free and open character of the U.S. internet provides a place where public and private, government and civilian networks and systems intertwine and overlap. It is an ecosystem that connects to every other accessible internet around the globe. This interconnectedness, however, is the instrument hackers rely on to perpetrate transnational cybercrime and offensives.

In 2007 amidst a devastating interstate advanced persistent threat (APT), approximately one-sixth of all of distributed denial of service (DDOS) attacks directed against Estonia originated from devices housed within the United States. While no one is arguing the U.S. played any witting part in these attacks, which have uniformly been attributed to Russia and its proxies, should the United States bear any responsibility for helping to facilitate these attacks? Is this the job of local law enforcement, or the responsibility of the internet service providers (ISPs) to block or prohibit these users and their malicious actions? Or should the government ensure the population is insulated from foreign bad actors? What if the device being used to perpetrate these crimes belongs to an unwitting civilian who has had their computer hacked - do they bear any culpability? This murky jurisdictional space suffers from very significant collective action problems and, in particular, the tendency to “buck pass”. Stakeholders, like the networks they have a collective interest in securing, are interconnected. While, some argue that it is the government which should protect the citizenry from foreign bad actors, these are often the same people that cry foul over government intrusion into their personal freedoms, and demand smaller government. Unfortunately, greater protection through smaller government is paradoxical. The pathway to greater network security and integrity requires participation and effort at all levels.

According to cybersecurity experts seventy one percent of worldwide cyberattacks begin with spear-phishing emails. The U.S. is the most impacted by ransomware attacks (over eighteen percent of all world instances), and sixty one percent of all breach victims, in 2017, were small-to-medium businesses. The concept of defending “at the wire”, or cyber-hygiene is the foundation upon which robust cyber-security is constructed. A herd-immunity metaphor is apt in this context- the more immunized the network is the stronger it is.. Unfortunately, best practices are not observed at an adequate level anywhere in business or public life. The simplest of precautions, password security, is one of the most poorly executed. Ask yourself, for instance, how many of the password protected areas of your life are accessed using the same password? If your answer is more than one, technically, you’re doing it wrong.

Part of the problem, an increasing issue, is the emergence and rapid growth of the Internet of Things (IoT). Millions of network connected “dumb” devices when purchased come preset with hard-coded or default passwords. If someone is lackadaisical when it comes to rotating their internet banking password, just imagine how likely is it they are going to change the password on their George Foreman Grill. Even a relatively low-skilled hacker can gain access to such a device by merely testing the default password. The problem here is not that the grill itself might be hacked, but that the grill is capable of connecting to other more intelligent and capable devices and networks.

Laissez faire attitudes and application to the most fundamental cybersecurity practices can, in part, be attributed to the dearth of available genuine “cyber-education” - both community and institutional. Primary and secondary school curriculum should include cyber-safety subjects. Not only should school age children be educated on cyber-hygiene/security, but on how to distinguish between real and credible news, information, research, social media and fake or inauthentic content. Youth in America should also be taught how to handle cyber-bullying, and how to recognise and avoid dangerous and harmful interactions with adults. At home children should have certain behaviours, like updating passwords and installing antivirus software, modelled for them by parents or guardians, as they would habits like brushing their teeth, locking the front door, or putting on warm clothes before going outside on a cold day.

A culture of cyber-security is a critical underpinning of effectively combating domestic and international cybercrime. To build wide-spread acceptance and adoption of these behaviours would result in a massive upgrade to the structural security integrity of the American internet - the benefits (some $175b annually) would be shared by both industry and the community. Inaugural director of the Cybersecurity and Infrastructure Security Agency (CISA) Christopher Krebs concurred recently during an interview with former acting director of the CIA Michael Morrell on the Intelligence Matters podcast:

“Make it harder for the bad guys to get into your stuff. We do the basics, 90-95% of the problem set, I don’t want to say goes away, but we make the bad guys move. They’re not using zero days today because they don’t have to, because we’re still not doing the basics right”.

Yet, as Director Kreb identifies, even with a drastically improved cyber-security environment, the threat of professional malicious state, and non-state, actors remains. The sophisticated cyber-villain still possess the skills, talents, and tools to exploit a network by other means. Odds are against the average civilian or small business possessing the skills and resources to identify, let alone prevent, such an attack. The 2014 attack on Sony Pictures (SPE) illustrates this point. SPE is a multinational corporation operating in the digital technology space, spending millions of dollars annually on cybersecurity, and yet its systems were absolutely decimated by North Korean state-sponsored hackers. The unfortunate reality is that the only entities capable of attributing, combating, and deterring such attacks are cyber-security professionals, software developers, big-tech firms, and the government.

Public and private companies are not legally authorised to retaliate against cyber-attacks, their only response option is to better secure their networks. While a deeper collaboration between government agencies like USCYBERCOM and CISA and innovative technology companies would enhance the security environment, the role of combattance and deterrence should remain firmly the jurisdiction of government agencies. It could be argued that big-tech companies possess the advanced technical capabilities, some of the best strategic thinkers in the world, and the will to challenge, threaten, even disable APT groups. So, why not let them protect themselves, and take out some bad guys while they’re at it? This would broaden and strengthen the U.S.’ cyber “shield”, improving security for all, with little or no direct expense to the taxpayer. What if, however, a Google or a Microsoft made a mistake when retaliating and hit the wrong target? Or hit the right target, but caused massive civilian collateral damage? What if the target counter-attacked and damaged U.S. critical infrastructure? Allowing corporations (or civilians) to retaliate, acting as judge, jury and hangman, is at its most elemental level vigilantism. To accept vigilantism is to undermine the rule of law, the authority of the branches of government and, fundamentally, in opposition to modern civil society.

The implication of this argument, therefore, is that, though individuals should play their part through cyber-hygiene, states should bear the overall responsibility for securing networks and controlling cybercriminals within their borders But what if the state is not predisposed or incentivised to take action against cybercriminals operating within their borders? Martin Libicki identifies this problem in his article Avoiding Crises by Creating Norms, in which he notes that states who use cybercriminal groups as proxies enjoy the “benefits” of whatever attacks these hackers perpetrate, without suffering the condemnation of responsibility - plausible (more likely implausible) deniability This reality strengthens the case for an international crime fighting body. An impartial interstate collective will diminish the opportunities for individual states to renege.

The Theory of Everything….cyber

“Cyber Pearl Harbour” or “digital 9/11” are common catch-cries used to articulate a fear held by many that lurking inevitably around the corner is a seminal cyber-event; a devastating surprise attack set to shake the foundations of the international order. Some theorists and scholars, however, are less convinced of the inevitability of such an attack. Jon R. Lindsay and Erik Gartzke apply the “Stability-Instability Paradox” to the international cyber-conflict context. They explain though conditions are slightly different than in the nuclear context, the results are similar: “little truly dangerous behaviour and a lot of provocative friction”. Their thesis contends the unpredicatable dynamic of the cyber-environment disincentives malicious actors to execute large-scale aggression, in preference of simpler small-scale short-of-war assaults. A recent example of this was the U.S. response to Iran’s “downing” of an American drone in June 2019. According to reporting by The New York Times rather than authorising a more aggressive and conventional kinetic response the President greenlit an online operation - “because it was intended to be below the threshold of armed conflict” While this example seems to affirm Gartzke and Lynday’s stability/instability argument, it could be argued that this decision was made based on consideration of proportionality - President Trump, in fact, tweeted “not proportionate to shooting down an unmanned drone”.

Deterrence theory has some application in the cyber-domain. The asymmetric nature cyber-weaponry can fit neatly into the weaker nation/stronger nation stalemate model. In his article A Theory of Cyber Deterrence, Christopher Haley identifies, however, an obstacle that complicates this application, when contrasted with conventional military engagements - namely attribution. “In the cyber realm, this challenge looms large as an obstacle to intelligent retaliation, since the nature of the digital domain lends itself to anonymity”.

As Haley notes, cyberattacks are by their very nature covert. Avoiding attribution is a primary objective for any cyber-actor, unless deliberately signalling to an adversary intention as a deterrent threat. Haley proposes a three pronged cyber-variation on traditional deterrence theory encompassing defense, attribution, and retaliation.

Theoretically this model seems sound. Director Krebs, of CISA, however identifies a fatal flaw in the application of deterrence theory to the cyber-domain: “I think the nuclear deterrence model...works when you have a small set of players and there are barriers to entry - including costs and technological development..[this] is just not reality in cyber

Relative to traditional military weaponry, the inexpensive nature and accessibility of cyber-weaponry development means that devastating capabilities are held by a much larger set of players. Deterrent relationships are therefore, vastly more complex than in a traditional deterrence context.

Team America - World Cyber Police

It is in this context of incredible complexity that a referee is needed. Unlike nuclear weapons, the proliferation of potentially catastrophic cyber-weapons continues unchecked and unregulated. Absent international cooperation and action to address it, there is no indication that this proliferation will slow or subside. A massive multilateral agreement is necessary to tackle this issue - harnessing the resources, both technological and human, of a diverse collective with a mandate to police and penalise cybercrime - CYBERPOL.

Two international organisations offer structural frameworks capable of forming the basis of a new cybercrime fighting body - Interpol and Nato. An amalgam of the two, however, would be required to achieve the core purposes of deterrence, attribution and response. Founded in 1923, the International Criminal Police Organisation (Interpol) boasts 194 member countries, is politically independent, and works to connect, cooperate and share policing resources from across the globe. Their resources are focused on three main crime programmes: counter terrorism, organized and emerging crime, and cybercrime. Interpol does not have the capacity or jurisdiction to make arrests or charge criminal suspects - this remains the responsibility of local law enforcement agencies. Despite its enforcement limitations, Interpol’s is a potential structural option for consideration during the planning and establishment of a new body.

Elements of the North Atlantic Treaty Organisation’s (NATO) structure could be incorporated into a hybrid model (Interpol/NATO). NATO was formed in 1949 as a collective security organisation, designed to balance power in Europe against a common threat - the Soviet Union. NATO membership has continued to expand over the ensuing seventy years, and this characteristic might offer some advantages over the Interpol model. Establishing a cybercrime organisation comprised of like minded, genuinely motivated, and willing participants, whilst not initially universal, decreases the probability of collective action problems, disagreement, decision paralysis, and organisational inertia. Existing NATO membership, plus Japan, South Korea, Australia and New Zealand, for instance, could form the foundations of a comprehensive international coalition, with shared values, and motivation to collectively enhance their cybersecurity, and benefit from a reduction in cybercrime. Additional willing and compliant nations could be admitted pending review and approval by the existing membership body. NATOs structure holds two other elements worth consideration. The obligation for member states to spend two percent of their annual gross domestic product (GDP) on defence, and the capacity to mobilise offensive/defensive forces. An annual financial commitment from member states will be essential to the ongoing viability of the organisation. Rather than an impermanent force, assembled at times of need, this organisation would require a permanent organisational and policing “staff”. The organisation will have the jurisdiction to identify, attribute, and respond to cyber-attacks, cyber criminal groups (APT groups/hackers/cyber-activists) not in the physical world, but the virtual realm. Disabling malicious user connections, networks, systems, and equipment will form the foundation of its punitive measures. Also, identifying network and software vulnerabilities; requiring network owners, and software developers to upgrade and correct these deficiencies (like health inspectors and the FDA) or lose their “certifications”. This body would not adopt the NATO “consensus” model on enforcement decisions. Whilst a “consensus” model should be considered by the institution for the process of defining norms, standards and laws, such a requirement for decisions of enforcement would impede the organization's capacity to respond rapidly and effectively to cyberattacks.

There may be some objections to this proposed structure. Opponents might question the “judge and jury” authority entrusted to the organisation, arguing that, like in other areas of law enforcement and criminal justice, the jobs of identifying and prosecuting crimes must remain separate. This argument, however, ignores the incredibly rapid pace and urgency of crime in the cyber-domain. Crimes are committed at the speed of light, and the perpetrators can disappear just as quickly. The traditional model of policing and “justice” needs to be rethought for a modern cyber context. Critics too might ask: why not just use Interpol, after all it already has a focus on cybercrime? This is a valid question, and while Interpol relies on response to crimes at a local law enforcement level, as discussed earlier, perhaps domestic practices and legislation needs to be strengthened before any material international progress can be made. This approach, though, doesn’t factor in the incentives (or disincentives) for states and their local law enforcement to curb the activities of certain cybercriminals that act as proxies for the state. China and Russia could not be relied upon, currently, to take genuine action against APT groups operating within their borders. Critics might also point to the “free-riding” of the majority of NATO member states as it relates to the two percent of GDP commitment. In 2016 only five of twenty nine member states met their two percent commitment. The cost of ICT is drastically lower than defence spending, therefore membership of this organisation will be much lower, and offset by a measurable reduction in cybercrime costs to their own country.

Final Destination

The Wild West that is the cyber-domain needs itself a sheriff - no question. The United States is uniquely positioned to use its technological, economic, and diplomatic supremacy to rally other nations to come together and create a new international organisation mandated to deliver increased order and predictability to the anarchic cyber landscape.

Using successful international organisations, such as Interpol and NATO, as models on which to base this new body, the organisation will foster strong partnerships with multinational tech companies. These relationships will capture the technological and network enhancements generated from collaboration, while also leveraging their human capital - the innovative and strategic thinkers often inaccessible to government organisations due to lower remuneration opportunities. This organisation will work to define not only the terms and language applied to criminal activities conducted in the cyber-realm, but also the crimes themselves. It will clarify the thresholds and parameters of these crimes, and the penalties to be applied. This organisation will define “jurisdiction” to ensure that the responsibility for network security cannot be “buck passed”. To realise the goal of a safer and more predictable global internet, individual nations, businesses, and civilians will need to contribute to the effort. CISA Director Chrisopher Krebs succinctly relates this need to the British response to the devastating bombing campaign by Germany during the Second World War. The British “hardened their underlying infrastructure, then they hardened their people then [responded] with selective strikes against the adversary” Cyberhygiene will harden the underlying infrastructure that is the network. Cyber-education will harden the people, forcing them to care and share the responsibility for improved cybersecurity, and CYBERPOL will determine when and how to strike back against the adversary.

Bibliography

==================================================================

• A Guide to Cyber Attribution (14 September, 2018). Office of the Director of National Intelligence (ODNI), pp. 1-5.

• America's National Interests (pp. 1-62, Rep.). (2000). Cambridge, Massachusetts: Belfer Center. doi:https://www.belfercenter.org/sites/default/files/files/publication/amernatinter.pdf

• Barnes, J. E., & Gibbona-Neff, T. (2019, June 22). U.S. Carried Out Cyberattacks on Iran. The New York Times. Retrieved July 2, 2019, from https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html?auth=login-email&login=email

• Barrett, D (5 June 2015). "U.S. Suspects Hackers in China Breached About four (4) Million People's Records, Officials Say". The Wall Street Journal.

• Brooks, Stephen G., G. John Ikenberry, and William C. Wohlforth. 2012. Don’t Come Home, America: The Case against Retrenchment. International Security 37(3): 7-51.

• Cavelty, M.D., 2008. Cyber-terror—looming threat or phantom menace? The framing of the US cyber-threat debate. Journal of Information Technology & Politics, 4(1), pp.19-36.

• Cavelty, M. (2013). From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse. International Studies Review, 15(1), 105-122.

• Clark, G. (2017). The Great Firewall of China. The Wall Street Journal Online, accessed June 28, 2019.

• Dai, C. (2015). Politique étrangère, 80(4), 207-208. Farwell, J.P. and Rohozinski, R., 2011. Stuxnet and the future of cyber war. Survival, 53(1), pp.23-40.

• Gartzke, E. (2013). The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth. International Security, 38(2), 41-73.

• Gholz, Eugene, Daryl G. Press, Harvey M. Sapolsky. 1997. “Come Home, America: The Strategy of Restraint in the Face of Temptation.” International Security 21 (4): 4-48.

• Goddard, Stacie.E., 2009. When right makes might: how Prussia overturned the European balance of power.International Security, 33(3):110-142.

• Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23-40.

• Fazzini, K (2019). A new Russian law will further separate the country from the global internet. CNBC.com. Accessed June 28 2019

• Floyd, G. (2018). Attribution and Operational Art: Implications for Competing in Time. Strategic Studies Quarterly, 12(2), 17-55.

• Futter, A. (2018). ‘Cyber’ Semantics: why we should retire the latest buzzword in security studies. Journal of Cyber Policy, 3(2), 201-216.

• Haley, C. (2013). A Theory of Cyber Deterrence. Georgetown Journal of International Affairs. Retrieved July 2, 2019, from https://www.georgetownjournalofinternationalaffairs.org/online-edition/a-theory-of-cyber-deterrence-christopher-haley.

• Hawkins, D. (2018, August 8). The Cybersecurity 202: Trump team isn't doing enough to deter Russian cyberattacks, according to our panel of security experts. The Washington Post. Retrieved July 4, 2019, from https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/08/08/the-cybersecurity-202-trump-team-isn-t-doing-enough-to-deter-russian-cyberattacks-according-to-our-panel-of-security-experts/5b69c3631b326b0207955f94/?noredirect=on&utm_term=.13af473122be

• Heginbotham, E., Nixon, M., Morgan, F., Heim, J., Hagen, J., Li, S., . . . Morris, L. (2015). Scorecard 9: U.S. and Chinese Cyberwarfare Capabilities. In The U.S.-China Military Scorecard: Forces, Geography, and the Evolving Balance of Power, 1996–2017 (pp. 259-284). RAND Corporation.

• Hughes, R. (2010). A treaty for cyberspace. International Affairs (Royal Institute of International Affairs 1944-), 86(2), 523-541.

• Iasiello, E., 2013, June. Cyber attack: A dull tool to shape foreign policy. In 2013 5th International Conference on Cyber Conflict (CYCON 2013) (pp. 1-18). IEEE.

• International Strategy for Cyberspace (pp. 1-30, Rep.). (2011). Washington D.C.: The White House.

https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

• IoT: Number of connected devices worldwide 2012-2025. (2016, November 27). Retrieved June 29, 2019, from: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

• Lewis, J (2018). Economic Impact of Cybercrime - No Slowing Down. Report - Macafee and CSIS.

• Libicki, M. (2012). Avoiding Crises by Creating Norms. In Crisis and Escalation in Cyberspace (pp. 19-38). RAND Corporation.

• Libicki, M. C. (2007). Conquest in cyberspace: national security and information warfare. Cambridge University Press.

• Libicki, M. (2018). Expectations of Cyber Deterrence. Strategic Studies Quarterly, 12(4), 44-57.

• Libicki, M. (2014). Why Cyber War Will Not and Should Not Have Its Grand Strategist. Strategic Studies Quarterly, 8(1), 23-39.

• Greenhill, K & Krause P (ed) (2018). Coercion: The Power to Hurt in International Politics New York: Oxford University Press

• O’Connell, M.E., 2012. Cyber security without cyber war. Journal of Conflict and Security Law, 17(2), pp.187-209.

• Powell, R. (2003). Nuclear Deterrence Theory, Nuclear Proliferation, and National Missile Defense. International Security,27(4), 86-118.

• Raugh, D. (2016). Is the Hybrid Threat a True Threat? Journal of Strategic Security, 9(2), 1-13.

• Richwine, L (2014). Cyber attack could cost Sony studio as much as $100 million. Reuters Online. Accessed 28 June, 2019.

• Rogin, J. (2012, July 9). NSA Chief: Cybercrime constitutes the “greatest transfer of wealth in history” [Web log post]. Retrieved July 2, 2019, from https://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/

• Sanger, D (5 June 2015). "Hacking Linked to China Exposes Millions of U.S. Workers". The New York Times.

• Sanger, D. 2018. The Perfect Weapon: War, Sabotage and Fear in the Cyber Age. New York: Crown Publishers.

• Schelling, Thomas C. 1980 The Strategy of Conflict. Cambridge: Harvard University Press, Ch. 2, 3, and 8.

• Simmons, B. (2013). Preface: International Relationships in the Information Age. International Studies Review, 15(1), 1-4.

• Smeets, M. (2018). The Strategic Promise of Offensive Cyber Operations. Strategic Studies Quarterly, 12(3), 90-113.

• Sobers, R. (2019, April 17). 60 Must-Know Cybersecurity Statistics for 2019. Retrieved July 2, 2019, from https://www.varonis.com/blog/cybersecurity-statistics/

• Top Cybersecurity Professional Chris Krebs on Protecting U.S. Infrastructure [Audio blog interview]. (2019, June 25). Retrieved July 1, 2019, from https://podcasts.apple.com/us/podcast/intelligence-matters/id1286906615

• Walt, S. (1997). The Progressive Power of Realism. The American Political Science Review, 91(4), 931-935.

• Worldwide Threat Assessment of the US Intelligence Community (pp. 1-42, Rep.). (n.d.). Washington D.C.: Office of the Director of National Intelligence. doi:https://www.odni.gov/files/ODNI/https://www.odni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf/2019-ATA-SFR---SSCI.pdf

Whyte, C. (2015). Power and Predation in Cyberspace. Strategic Studies Quarterly,9(1), 100-118.