
When is a cyberattack a cyberattack?

  • Jacob Caine
  • Aug 5, 2021

Updated: Aug 10, 2021

A content analysis of the context, nature of, and language used by U.S. officials when identifying and attributing "cyber-attacks" between 2010 and 2020.



Abstract


The United States is the world’s preeminent cyber-power and, accordingly, though somewhat paradoxically, its preeminent cyber-victim. In an age of escalating frequency, severity and cost of cyber-attacks, political and military leaders demonstrate inconsistency when using the “language” of cyberspace. This research project will aim to answer the question: When is a cyber-attack a cyber-attack? After performing a content analysis of the context, nature of, and language used by U.S. officials when identifying and attributing “cyber-attacks” throughout the last decade, this research project expects to confirm that, when used by American civil and military leaders, the term “cyber-attack” can mean significantly different things. Additionally, this research hypothesizes that civil and military leaders disagree on the definition of the term. Disagreement on definitions likely hampers agreement on solutions. The findings of this research could provide a pathway to a better understanding of what America’s leaders actually consider to be a “cyber-attack” and how to respond, prevent and deter such future attacks.

Background and Research Question

The rapid pace of technological change and innovation across the last five decades, while providing stunning upgrades to many aspects of our lives, has also served to reinforce the entropic nature of the international order. State and non-state actors clash on an opaque cyber-battleground with increasing frequency, intensity, and cost. Terminological inconsistency among civilian and military leaders, the media, industry professionals and the general public has plagued the development and implementation of clear frameworks for acceptable cyber-behaviour. In the absence of rules of engagement, guiding norms, and even a consistent lexicon to identify and characterise their actions, malicious cyber-actors routinely attack individuals, businesses and governments with impunity.

Cybersecurity Ventures, one of the world's leading researchers and publishers covering the global cyber economy, anticipated the total international cost of cybercrime would increase by 15 per cent each year between 2020 and 2025, eventually reaching USD 10.5 trillion annually by 2025, up from USD 3 trillion in 2015 (Cybercrime Mag 2018). In 2020, the number of IoT devices was forecast to reach 8.74 billion, surpassing the total number of people on earth - a quite staggering figure that illustrates the extent to which technology has saturated our lives (Vailshery).

When one considers that each of those connected devices offers a potential pathway into the networks that house our personal information, that secure our critical infrastructure (CI), and control our military systems, the enormity of the task of protecting them might appear overwhelmingly daunting and, perhaps, even impossible.

Accompanying this massive “attack surface’s” diffuse vulnerabilities is an increased opportunity for asymmetric inter-state assaults. Sophisticated state and state-sponsored hackers working in groups termed Advanced Persistent Threats (APTs) seek to infiltrate the command and control systems of “enemy” militaries and gain access to the networks that operate national critical infrastructures. Access to these protected networks offers bad actors the opportunity to trigger potentially catastrophic “real-world” kinetic events, like the often referenced and now-infamous “cyber Pearl Harbour” analogy. While some pundits are sceptical of the likelihood of a “cyber Pearl Harbour” ever eventuating, in purely technical terms, the extreme risk from network exploitation is undeniable (Lawson 2016).

China, Russia, and Iran occupy places of privilege at the top of Freedom House’s “World’s Worst Online Freedom rankings” (Fazzini 2019). The Democratic People’s Republic of Korea (DPRK), it should be noted, does not feature on this list as its internet-connected network does not meet the threshold for qualification. Despite this, China, Russia, Iran and the DPRK represent a bloc of state actors that perpetrate the most significant, and frequent, cybercrimes internationally and pose the greatest threat to U.S. cybersecurity.


In the past twenty years, a focus on asymmetric capabilities by these nation-states has seen a steady increase in “short-of-war” cyber-attacks against the U.S. government, critical infrastructure and the private sector. It is commonplace for these low-cost attacks to be perpetrated by state-supported malicious cyber-actors as proxies for their surrogate nation. Cyber-security firms such as FireEye and Symantec classify these actions as APT attacks and monitor the ongoing assaults through sophisticated proprietary software applications. Yet, other than by attribution, advice and network security support, these organisations are technically prohibited from combating (counter-attacking) APT groups. The absence of genuine private sector-government integration in this area, it could be argued, is hampering a more effective framework for attribution, deterrence and retaliation.


Between 2014 and 2016, the United States suffered three large-scale (known) cyber-attacks from three separate state adversaries. In 2014, in an attempt to prevent the impending release of the film The Interview, in which a pair of tabloid news reporters are recruited by the CIA to assassinate Kim Jong-Un, the DPRK launched a cyber-attack against Sony Pictures (SPE). That attack rendered SPE servers inoperable; IT infrastructure repairs alone cost the company over $30 million, with a total impact of approximately $100 million (Richwine 2014). In 2015, the United States Office of Personnel Management, an agency of the federal government that manages the personnel records of civilian government employees, was hacked, with the records of over 20 million people targeted. While the U.S. was reluctant to attribute the attack publicly, a Chinese national was arrested in relation to the hack. The Wall Street Journal, the Washington Post, and the New York Times ran stories suggesting the government suspected (or knew) the Chinese were responsible for the attack (Devlin Barrett and Paletta 2015; Sanger and Davis 2015).


The 2016 U.S. presidential elections were extensively targeted by Russian state and state-sponsored proxy cybergroups. Direct hacking, theft, and public release of Democratic files and emails, as well as widespread disinformation (dezinformatsiya) campaigns, were uniformly attributed to Russia by the U.S. intelligence community, with investigations ultimately producing more than thirty individual indictments of Russian nationals.


The U.S., while a regular victim, is not without experience in state-on-state offensive cyber-operations. Perhaps the most incendiary and infamous (known) cyber-operation in history, Operation Olympic Games, a joint U.S./Israel operation, designed and implanted malware into the programmable logic controllers (PLCs) of centrifuges located in the Iranian nuclear enrichment facility in Natanz. The malware confused the normal operating cycle of the PLCs, causing many of the centrifuges to fail, and in some cases explode - a kinetic response to a digital incursion. Though the U.S. has never publicly accepted responsibility, that it played a role in the attack is widely accepted. This incident holds further significance as an example of the potential for massive collateral damage when executing a cyber attack. Although the malware only achieved its design purpose under certain technical conditions, namely when exposed to a Siemens PLC, its tendency to proliferate saw it spread to more than 200,000 computers worldwide - what could have been a catastrophic spread had the malware not had such a specific execution environment and conditions.


Each of these “cyberattacks” was publicly labelled a “cyberattack” by company representatives, journalists, government officials, military personnel (at least those willing to discuss them) and policy-makers. Yet, each is markedly different in terms of the nature of and context in which it was perpetrated. One targeted a public company, another a government department, and the third a piece of critical infrastructure. Despite the enormous costs, the sensitivity of the networks accessed, and the incredible impact of these attacks, they were all considered short-of-war attacks. “Short-of-war” is a term that is applied often and broadly to actions called cyber-attacks and covers myriad different types of cyber-exploits. It is, in essence, a convenient semantic device that allows very serious cyber-events to be classified at a level below the threshold for very serious “real-world” responses, and adds to the general opacity that shrouds the cyber-domain.


Historically, an “attack” of any type on American civilian or military institutions, infrastructure or personnel has been met with a coordinated, and often devastating, response against the perpetrators. In the age of “cyber-attacks”, however, responses designed to punish and delivered to deter future attacks, have been (at least publicly) the exception rather than the rule. Proportionality is one of the four principles outlined in the Law of Armed Conflict (LOAC) and represents an essential part of forming a response to any attack - whether imminent or already executed. Determining a proportionate response to a cyber-attack is widely considered more complex than forming a response to a traditional military assault, in part due to the issue of accurately attributing the origins and perpetrators of the attack. The other major factor that contributes significantly to this complexity (and confusion), however, is the very broad application of the term “cyber-attack”.

What actually makes a cyber-attack a cyber-attack?

This is the focus of this research project, to ask: when is a cyber attack a cyber attack? When a cyber-attack is carried out, what actually happened and to what? This research will aim to uncover specifically how U.S. officialdom defines “cyber-attack”. It will investigate what the term includes, and excludes, and how this definition varies, if at all, between civilian political leaders and military leaders.

In order to realise this ambition, the proposed research project will undertake a content analysis of the context, nature of, and language used by U.S. officials when identifying and attributing "cyber-attacks" between 2010 and 2020. The data samples will include congressional reports and testimony, public statements (i.e. interviews/tweets/articles/opinion pieces) made by civilian and military leaders, press releases, Intelligence Community products, as well as relevant departmental and military strategic and threat assessment products.

There is an inherent risk in allowing the term “cyberattack” to be used as a catchall for the full spectrum of malicious digital activities. A broad definition blurs the line between criminal, activist, and enemy actions. It allows low-level, low-harm exploits to be lumped in the same category as sophisticated and targeted offensive operations. It muddies the water sufficiently to allow state-sponsored bad actors to escape repercussions for actions that, if executed with an equivalent kinetic effect, would have (or should have) triggered interstate conflict.

If policy makers and military leaders are not aligned in their understanding and usage of the term, eventually they will find themselves working at cross purposes, tackling different problems and advocating for different solutions.

Literature Review

The United States is the current global leader in information communication technologies (ICT). Paradoxically, this cyber-hegemonic status also ensures it is the most vulnerable to cyber-attacks from malicious state and non-state actors. The sheer scale of its network of connected devices, while being the most sophisticated, also offers potential adversaries a significantly more expansive “attack surface” than any other nation on Earth. The ubiquity of ICT to American society guarantees that the private information of civilians housed in computer servers around the world; the systems of financial and business operations; and the command and control centres of the military exist as part of an interconnected international network of exploitable devices.

Attribution of cyber-attacks is universally recognised as an incredibly complex and resource “heavy” process. As Carla Assumpcao notes in her paper “The Problem of Cyber Attribution Between States”, “the more elaborate the attack, the harder it is to attribute” (Assumpção 2020). Assumpcao’s research addresses a number of factors relevant to this project’s proposed research area related to attribution, including the question not simply of who executed an attack, but who ordered it. Additionally, Assumpcao discusses the cost-benefit analysis required before publicly announcing attribution, assessing the implications of accusing another state of an “attack”. This material will serve to support areas of the proposed “contextual” analysis and will complement similar findings and analysis from Myriam Dunn Cavelty from the Center for Security Studies, Erik Gartzke at UC San Diego, and Lt Col Garry S. Floyd Jr. of the United States Air Force, all of whom have written on the topic of attribution and the language used by officialdom to characterise it.


Assumpcao does not explicitly define the parameters of what she considers to be a “cyber-attack”. Implicit in her spectrum of cited examples, however, is a much broader definition than that adopted by the authors of the Tallinn Manual on the International Law Applicable to Cyber Warfare, which, in its “Rule 30”, defines a cyber attack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” (Schmitt 2013). The Tallinn Manual is an academic and non-binding analysis of how international law, particularly the Jus ad bellum (right to war), might apply in the “virtual” realm of cyber-warfare, and despite boasting some of the world's foremost legal scholars amongst its contributors, also serves to highlight the internationally inconsistent interpretations and definitions of what actually constitutes a cyber-attack. The Tallinn Manual appears to require an impact in the physical dimension (i.e. injury or damage) to meet the definitional threshold and be considered a “cyber-attack”. Yet, numerous “cyber-incidents” carried out against U.S. businesses and government institutions have been classified as “cyber-attacks” by US government officials without having resulted in physical injury or damage to objects.


The June 2015 Office of Personnel Management breach was one such “attack” that, while causing reputational harm and potentially compromising millions of US government staff, did not produce a real-world kinetic impact, yet was referred to as a “cyber-attack” by numerous government spokespeople, including then DHS Assistant Secretary for Cybersecurity and Communications, Andy Ozment, during testimony on Capitol Hill in June 2015 (Sternstein 2015).


It should be noted that the Tallinn Manual does seek to expand the interpretative boundaries of its Rule 30 definition. Later, in Article 49 of Additional Protocol I, references to ‘acts of violence’ could be interpreted as expanding the scope of an “attack” beyond those activities which produce kinetic force. Additionally, it shifts the focus for what actually constitutes a cyber attack to incorporate the consequences of the cyber operation: “it was agreed by the International Group of Experts that the existence of 'consequential harm' flowing from the cyber operation would qualify the cyber operation as an attack” (Norris 2013).

The Tallinn Manual is included in this literature review as a representative text, widely regarded as one of the most authoritative works on the topic (...you can’t write about cyber-attack definitions without reference to it). Despite the wealth of expertise involved in its conception and regard in which it is held, it is the perfect demonstration of the imperfect definition of “cyber-attack”.


Lost in Translation

During a 2016 presidential debate, then-nominee Donald Trump was quoted as identifying “the cyber” as one of the greatest threats posed to the United States. Trump went on to insist that under a Trump presidency, the U.S. would get “very, very, tough on cyber” (Futter 2018). The former President isn’t the first, and presumably won’t be the last person to use “cyber” as a noun, and yet, while he isn’t necessarily considered a shining beacon of oratorical integrity, his questionable usage of the word “cyber” points to a larger problem; namely the confusingly inconsistent application of varied terms to specific digital actions and events.


Scholars, politicians, journalists, cybersecurity professionals, and countries alike use “cyber” as a type of catchall, liberally applying it to a multitude of existing words to “digitise” different scenarios and objects and issues. The author of this review is not without guilt in this respect - already within these few pages the reader has encountered a dozen “cyber” compounded and hyphenated terms. To highlight this issue further, even different word processor spell checkers cannot agree on whether “cyberattack” is hyphenated or compounded. As James E. McGhee notes in Cyber Redux: The Schmitt Analysis, Tallinn Manual and US Cyber Policy:


“One of the continuing problems with cyber or dealing with cyber intrusions is the lack of uniformity in concepts, definitions, rules, policy, and law. In many instances, not only is uniformity lacking, but there is simply a void” (McGhee 2013).


McGhee also addresses the issue of conflating and equating cyber and kinetic attacks. This, he suggests, mires the discourse and debate in the realm of jus ad bellum and jus in bello (right in war) and the Law of Armed Conflict (LOAC), and tends to ignore other malign and criminal cyber-activities such as cyber-espionage (McGhee 2013).


The tendency toward inconsistency often leads to a conflation of distinct terms, which can produce conflicting and contradictory meanings. David Sanger identifies an instructive example of inconsistent terminology application in his book The Perfect Weapon: War, Fear and Sabotage in the Cyber Age. In the book, Sanger outlines numerous instances in which the U.S. military refers to offensive cyber-operations conducted by their personnel as “cyber network exploitations”. When carried out by foreign actors, however, those very same actions are termed “cyberattacks” (Sanger 2018). The practised double standard is clear, and, while likely not limited to the cyber-context, reinforces the confusion in this area about what various “terms” actually mean.


Andrew Futter in his article ‘Cyber’ semantics: why we should retire the latest buzzword in security studies succinctly summarises the effects of these inconsistencies:

“..there is no single definition or research agenda that all adhere to. This in turn often drives hype and leads to misunderstanding and bad policy. The result is that formulating suitable policies to deal with and respond to threats to digital computers and networks, either domestically or internationally, has become disjointed and obfuscated” (Futter 2018).


The absence of strong policy, norms, and legislation in this area, both at a U.S. domestic level, and internationally, seems to confirm Futter’s contention. Further research and analysis by Futter, David Sanger, and Dr Martin Libicki from the Centre For Cyber Security Studies (note the separation of Cyber and Security - it is intentional) at the United States Naval Academy, will be used to support, and perhaps, counter the findings of this research project’s content analysis, particularly in the areas of language and terminology usage.


Helping to overcome this “lexiconical” quagmire, and establishing a consistent language, one that qualifies and defines the componentry of the cyber-domain, particularly the term at its centre “cyberattack” is an elemental aspiration of this research.


I have been unable to identify comparable content analyses concerned with the same (or similar) themes as those intended to be researched for this project. Julian Jang-Jaccard and Surya Nepal produced A survey of emerging threats in cybersecurity published in the Journal of Computer and System Sciences in 2014. While their study addresses issues proximate to this research project, they avoid the definitional questions posed in this study. Johan Eriksson and Giampiero Giacomello authored Content Analysis in the Digital Age: Tools, Functions, and Implications for Security, a fascinating insight into the implications on information security as a result of technological innovations in the content analysis methodology. While their paper provides insights into the content analysis methodology, it doesn’t offer any substantive contribution to the intended research area of this project.


Some might argue that terminology is less important than this research topic suggests, perhaps even irrelevant - that ultimately it is actions that matter most. Indeed, the question is often asked whether sticking a “cyber” on another word is even necessary. After all, isn’t the defence of systems integrity, whether physical or virtual, really just security not cybersecurity? “Cyber” can act as a magnet, indiscriminately attracting and attaching itself to other things and terms. In a way, on its own, the “cyber” can certainly be considered meaningless or redundant. Yet, attaching “cyber” to other instantly recognisable and clearly understood terms can help make the route to specificity and comprehension shorter. Ultimately, before progress can be made on how to fix the problem of “cyber-anything”, it is essential everyone is certain they are talking about the same thing - a case of you say potato, and I say potato!

Research Hypotheses

This research question holds two assumptions:

  1. When used by American political and military leaders, the term “cyberattack” can mean many different things.

  2. U.S. civilian policy makers and military leaders define “cyberattack” differently.

These hypotheses may present as blindingly obvious, but as the literature review suggests, it doesn’t appear that anyone has, as yet, taken the time to prove them. Initial inquiries support both hypotheses. Indeed, the three significant examples discussed in the background to this proposal demonstrate the different “things” and “definitions” considered cyber-attacks by US officialdom. A comprehensive content analysis, if able to prove these hypotheses, could also serve to crystallize the criteria of what American leaders consider a “cyber-attack” and in turn provide a platform from which to formulate consistent and proportionate responses able to punish perpetrators and designed to deter would-be attackers.

Research Design

The research design will follow a content analysis model that incorporates both a conceptual and relational analysis framework. As previously highlighted, data samples may include, inter alia, congressional reports and testimony, public statements (i.e. interviews/tweets/articles/opinion pieces) made by civilian and military leaders, press releases, Intelligence Community products, as well as departmental and military strategic and threat assessment products.

The term “cyber-attack” will be measured for occurrence in the selected data sets, and a sub-set of concepts and categories will identify the frequency and nature of the actual event/attack perpetrated, and the context in which it transpired.

A proximity analysis will accompany the conceptual analysis during which an evaluation of the co-occurrence of explicit concepts (i.e. cyber-attack and phishing-attack) will be undertaken. This scan of the “window” for the co-occurrence and relationship of concepts will lead to the creation of a “concept matrix” that demonstrates the inter-relational nature of the identified concepts.

  1. The first goal is to examine the occurrence of selected explicit terms in the data.

    1. These terms are: cyber-attack, cyber attack, and cyberattack

    2. These terms will be coded as the same

    3. To refine the data set, the research will first code for existence, then may code for frequency

    4. Coding rules will evolve throughout this process

    5. Coding will be undertaken by hand, not software

    6. Information deemed “irrelevant” will be excluded

  2. The terms will then be coded into manageable content categories to distinguish the nature of the “attack” (i.e. DDOS, Phishing, Ransomware)

    1. Categories will, where possible, incorporate the “cyber-weapons” used to undertake the attack

    2. A flexible approach will be adopted that allows the addition of categories as needed/identified

  3. The terms will also be coded into categories to distinguish context

    1. Context could be defined loosely as “target” (i.e. critical infrastructure, private company, government department), but will also incorporate attribution, perpetrators, political environment, and timing

  4. Once coding is complete, a proximity analysis will be performed to evaluate the co-occurrence of the identified concepts and ask:

    1. What is the strength of the relationship: the degree to which the concepts are related?

    2. What is the sign of the relationship: are concepts positively or negatively related to each other?

    3. Direction of relationship: the types of relationship that categories exhibit (e.g.: “X implies Y” or “X occurs before Y” or “if X then Y” or if X is the primary motivator of Y.)

  5. A concept-matrix will then be created to represent the findings
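
The coding and proximity steps above, expressed as a short Python sketch; this is an added example, not part of the proposal (which specifies hand coding), and could serve as a cross-check on it. The sample passages, the phrase lists behind each category and the 8-token window are constructed assumptions, and only co-occurrence strength is computed, not sign or direction.

```python
import re
from collections import Counter
from itertools import combinations

# Step 1: the three spellings the proposal codes as one term.
TERM = "cyberattack"
TERM_RE = re.compile(r"\bcyber[\s-]?attacks?\b")

# Steps 2-3: nature and context categories named in the proposal. The
# phrase lists that map raw text onto each category are assumptions.
CONCEPTS = {
    "ddos": ["ddos", "denial of service"],
    "phishing": ["phishing"],
    "ransomware": ["ransomware"],
    "critical_infrastructure": ["critical infrastructure", "pipeline"],
    "private_company": ["private company"],
    "government_department": ["government department", "federal agency"],
}

# Constructed sample passages (not quotations from any real source).
DOCS = {
    "testimony-A": "The cyber-attack on the pipeline was a ransomware "
                   "incident that disrupted critical infrastructure.",
    "statement-B": "Officials called the phishing campaign against a "
                   "federal agency a cyber attack.",
    "release-C": "The cyberattack used a denial of service tool against "
                 "a private company.",
    "report-D": "The agency reported a data breach affecting personnel "
                "records.",
    "hearing-E": "Members described the phishing cyberattack on the "
                 "government department.",
}


def tokenize(text):
    """Lowercase, then collapse term variants and category phrases into
    single marker tokens (__name__) so multi-word phrases count as one."""
    text = TERM_RE.sub(f" __{TERM}__ ", text.lower())
    for concept, phrases in CONCEPTS.items():
        for phrase in phrases:
            pattern = rf"\b{re.escape(phrase)}\b"
            text = re.sub(pattern, f" __{concept}__ ", text)
    return re.findall(r"[a-z0-9_]+", text)


def code_frequency(docs):
    """Code for existence first (a document is kept only if the term
    occurs), then for frequency (how often it occurs)."""
    marker = f"__{TERM}__"
    counts = {doc_id: tokenize(text).count(marker)
              for doc_id, text in docs.items()}
    return {doc_id: n for doc_id, n in counts.items() if n > 0}


def windows(tokens, window):
    """Yield the set of coded concepts within `window` tokens either
    side of each occurrence of the term."""
    marker = f"__{TERM}__"
    for i, tok in enumerate(tokens):
        if tok == marker:
            near = tokens[max(0, i - window): i + window + 1]
            yield {t.strip("_") for t in near
                   if t.startswith("__") and t != marker}


def concept_matrix(docs, window=8):
    """Count, for every unordered pair of concepts (the term included),
    the number of term windows in which both appear."""
    matrix = Counter()
    for text in docs.values():
        for concepts in windows(tokenize(text), window):
            for pair in combinations(sorted(concepts | {TERM}), 2):
                matrix[frozenset(pair)] += 1
    return matrix


def strength(matrix, a, b):
    """Co-occurrence count for the pair (a, b), in either order."""
    return matrix[frozenset((a, b))]


if __name__ == "__main__":
    print("documents coded:", code_frequency(DOCS))
    m = concept_matrix(DOCS)
    names = [TERM] + list(CONCEPTS)
    for a, b in combinations(names, 2):
        if strength(m, a, b):
            print(f"{a:24} {b:24} {strength(m, a, b)}")
```

A fixed token window ignores sentence boundaries, so window size changes which pairs register; hand coders reading for meaning will not always agree with the counts.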

Data Sources

There exists a vast “library” of data sources from which to draw for this research project, and while it is critical to the project’s ambition to collect information from a wide spectrum of sources, extreme care will need to be taken to avoid getting “lost in the weeds” of volume. Ensuring the accuracy, validity and relevance of each source requires limiting consideration to established authoritative sources. This research project will initially draw from that broad set of available data sources; however, the research design strategy will refine the larger sample to a more relevant and representative data set.


After refinement, a rich data set remains available to tap for research and should still qualify as a large-N content analysis. The qualitative data set may include, inter alia, congressional reports and testimony, public statements (i.e. interviews/tweets/articles/opinion pieces) made by civilian and military leaders, press releases, Intelligence Community products, as well as departmental and military strategic and threat assessment products (i.e. national threat assessments), diplomatic communiques, public speeches by leaders, diplomats, and relevant political figures, internationally developed guides (i.e. Tallinn Manual 2.0), think tank products (i.e. 2018 Munich Security Conference report), and federal and local indictments. These sources will be refined to identify the most relevant and authoritative examples and then used to identify, interpret and code the context, nature, and language usage around those events termed “cyber-attacks” by the United States throughout the last decade.

Initial inquiry suggests that the refinement process will settle on congressional testimony and reports, IC product, defense strategic products, and official press releases and statements by public figures to factor as the predominant sources. At this stage, however, additional data sources have not been eliminated.


Included below are representative examples of the types of sources that will likely be used, across various categories.


Congressional Testimony/Reports:

  • JUNE 8, 2021: Senate Homeland Security Hearing on Colonial Pipeline Cyber Attack

Colonial Pipeline CEO Joseph Blount appeared before the Senate Homeland Security and Governmental Affairs Committee as the panel examined threats against the nation’s infrastructure.

  • March 20, 2013: House Hearing, 113th Congress - CYBER THREATS FROM CHINA, RUSSIA, AND IRAN: PROTECTING AMERICAN CRITICAL INFRASTRUCTURE

https://www.govinfo.gov/app/details/CHRG-113hhrg82583/CHRG-113hhrg82583


Indictments:

  • US Justice Department - Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research


Think Tanks/Journals/Research:

  • Journal of Cyber Policy

  • Rand Corporation - Cyber Security

  • Carnegie Endowment for International Peace (Cybernorms)



Treaties/MOUs/Agreements/Communiques:

  • Tallinn Manual on the International Law Applicable to Cyber Warfare

  • UNIDIR Cyber Policy Portal


Speeches/Tweets/Statements:


Strengths, Limitations, Future Directions and Next Steps

The proposed research project boasts a number of strengths that endow it with legitimate research project credentials, and support pursuing it to completion. The research design is simple and structurally sound and, if executed correctly, should deliver coherent findings that support the hypotheses. The hypotheses are deceptively obvious, but critically, worth proving. The research design, as noted above in the data sources section of this proposal, is likely to refine the data sources to the most authoritative “voices” relevant to the research question (i.e. congressional reports/defense and IC product), which should help to reinforce the legitimacy of its findings. For instance, the definitional parameters of the term “cyber-attack” are unlikely to be broadened or muddied by inclusion of media sources, more prone to “sensationalization” and exaggeration of cybersecurity issues, in the data set.

The absence of comparable research aimed at identifying the concepts in this project offers a unique opportunity to potentially establish, rather than advance, the research area. The study design is easily replicable and could be conducted in other nations to help them better understand their own ideas of what a “cyber-attack” is.

The simplicity of the design can serve to limit its scope, and consequently its “completeness”. That it focuses primarily on the term “cyber-attack” but ignores commonly used variants like: hack/hacks, exploit, zero-day exploit, cyber-incursion, cyber-crime, breach/cyber-reach could be seen as limiting the authority of its findings. Consideration was given to incorporating additional “explicit terms” for coding in the research design, however, it was determined that this could exponentially increase the parameters of the study, and potentially radically alter the intention of the research project. The decision to use the term “cyber-attack” solely was made on the basis that it is the most commonly used term, and avoids some of the more jargonistic terms adopted by “cyber” adjacent professionals, but rarely used by civil and military leaders.

While this research seeks to understand the parameters of what is and isn’t considered a “cyber-attack” by American civilian and military leaders, it doesn’t hope to offer a more succinct definition than already exists, or to provide a hierarchy of “inclusions”. In truth, the research project would be best implemented as a first step in a series of cascading research projects with the ambition of agreeing an international definition of “cyber-attack”, and adopting a set of protocols and principles for responding to them.

In terms of “execution costs”, this research project offers an achievable set of actions. The data necessary to undertake and perform the analyses is readily available and accessible. The required timeframe (necessary time commitment) for an individual to conduct the collection and analyses, while significant, is not prohibitively onerous. The costs, in dollar terms, will be minimal.

Immediate next steps to advance this project include further consultation with experienced social science researchers to scrutinise and refine the study design, building the “broad” data set, and creation of a “project schedule” with specific milestones and deliverables aligned to a realistic timeline.

As previously stated, this is a study design that could very easily be replicated in other countries throughout the world. By seeking to investigate how nations understand and define the parameters of what a cyber-attack is, the international community could work towards finding a consistent definition that incorporates the commonalities and excludes the inconsistencies, and in turn this might present a path forward for better development of international laws, norms, and practices in the realm of cyber-conflict and crime.

Having focused much of my study on the emerging and escalating threats of cybercrime, cybersecurity and potential cyberconflict over the past three years, pursuing this research further is undeniably something I’m deeply interested in. Unfortunately, I have committed to the National Security capstone pathway for completing this master’s programme, and accordingly won’t be in a position to undertake this research in thesis form as part of the Harvard Extension School Thesis track. That said, I have ambitions to seek admittance to a doctoral programme, and feel, with further scoping, this project might have the potential to form the foundations of a doctoral thesis.

BIBLIOGRAPHY

  • AglsAgent, S. et al. (no date) 2020 Defence Strategic Update & 2020 Force Structure Plan. Available at: https://www1.defence.gov.au/strategy-policy/strategic-update-2020 (Accessed: 24 July 2021).

  • A Guide to Cyber Attribution (14 September, 2018). Office of the Director of National Intelligence (ODNI), pp. 1-5.

  • Assumpção, C. (2020) The problem of cyber attribution between states. Available at: https://www.e-ir.info/2020/05/06/the-problem-of-cyber-attribution-between-states/ (Accessed: 28 July 2021).

  • Devlin Barrett, D. Y. and Paletta, D. (2015) ‘U.S. suspects hackers in China breached about 4 million people’s records, officials say’, Wall Street journal (Eastern ed.), 4 June. Available at: https://www.wsj.com/articles/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888 (Accessed: 6 August 2021).

  • Broeders, D., Cristiano, F. and Weggemans, D. (no date) ‘Too Close for Comfort: Cyber Terrorism and Information Security across National Policies and International Diplomacy’, Studies in Conflict and Terrorism, ahead-of-print(ahead-of-print), pp. 1–28.

  • Cavelty, M.D., 2008. Cyber-terror—looming threat or phantom menace? The framing of the US cyber-threat debate. Journal of Information Technology & Politics, 4(1), pp.19-36.

  • Cavelty, M. (2013). From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse. International Studies Review, 15(1), 105-122.

  • Clack, T. and Johnson, R. (2021) The World Information War: Western Resilience, Campaigning, and Cognitive Effects. Milton: Taylor and Francis (Routledge Advances in Defence Studies).

  • Connable, B., Campbell, J. H. and Madden, D. (2016) Stretching and Exploiting Thresholds for High-Order War: How Russia, China, and Iran Are Eroding American Influence Using Time-Tested Measures Short of War. Rand Corporation.

  • cybercrimemag (2018) Cybercrime to cost the world $10.5 trillion annually by 2025. Available at: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ (Accessed: 3 August 2021).

  • Dai, C. (2015). Politique étrangère, 80(4), 207-208. Farwell, J.P. and Rohozinski, R., 2011. Stuxnet and the future of cyber war. Survival, 53(1), pp.23-40.

  • Election Security (2018) Homeland Security - Election Security. Available at: https://www.dhs.gov/topic/election-security (Accessed: 3 August 2021).

  • FACT SHEET: President Xi Jinping's state visit to the United States (2015). Available at: https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states (Accessed: 23 July 2021).

  • Eriksson, J. and Giacomello, G. (2014) ‘International Relations, Cybersecurity, and Content Analysis: A Constructivist Approach’, in, pp. 205–219.

  • Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23-40.

  • Fazzini, K (2019). A new Russian law will further separate the country from the global internet. CNBC.com. Accessed June 28 2021

  • Floyd, G. (2018). Attribution and Operational Art: Implications for Competing in Time. Strategic Studies Quarterly, 12(2), 17-55.

  • Futter, A. (2018). ‘Cyber’ Semantics: why we should retire the latest buzzword in security studies. Journal of Cyber Policy, 3(2), 201-216.

  • Gartzke, E. (2013). The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth. International Security, 38(2), 41-73.

  • Greenhill, K & Krause P (ed) (2018). Coercion: The Power to Hurt in International Politics New York: Oxford University Press

  • Haley, C. (2013). A Theory of Cyber Deterrence. Georgetown Journal of International Affairs. Retrieved from: https://www.georgetownjournalofinternationalaffairs.org/online-edition/a-theory-of-cyber-deterrence-christopher-haley.

  • Hawkins, D. (2018, August 8). The Cybersecurity 202: Trump team isn't doing enough to deter Russian cyberattacks, according to our panel of security experts. The Washington Post. Retrieved from: https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/08/08/the-cybersecurity-202-trump-team-isn-t-doing-enough-to-deter-russian-cyberattacks-according-to-our-panel-of-security-experts/5b69c3631b326b0207955f94/?noredirect=on&utm_term=.13af473122be

  • Heginbotham, E., Nixon, M., Morgan, F., Heim, J., Hagen, J., Li, S., . . . Morris, L. (2015). Scorecard 9: U.S. and Chinese Cyberwarfare Capabilities. In The U.S.-China Military Scorecard: Forces, Geography, and the Evolving Balance of Power, 1996–2017 (pp. 259-284). RAND Corporation.

  • Holmes, M. (2019) ‘Digital Diplomacy’, International Relations. Oxford University Press. doi: 10.1093/obo/9780199743292-0258.

  • House Hearing, 113th Congress - CYBER THREATS FROM CHINA, RUSSIA, AND IRAN: PROTECTING AMERICAN CRITICAL INFRASTRUCTUREgovinfo (2013). Available at: https://www.govinfo.gov/app/details/CHRG-113hhrg82583/CHRG-113hhrg82583 (Accessed: 3 August 2021).

  • Hughes, R. (2010). A treaty for cyberspace. International Affairs (Royal Institute of International Affairs 1944-), 86(2), 523-541.

  • Iasiello, E., 2013, June. Cyber attack: A dull tool to shape foreign policy. In 2013 5th International Conference on Cyber Conflict (CYCON 2013) (pp. 1-18). IEEE.

  • International Strategy for Cyberspace (pp. 1-30, Rep.). (2011). Washington D.C.: The White House.

  • Jang-Jaccard, J. and Nepal, S. (2014) ‘A survey of emerging threats in cybersecurity’, Journal of Computer and System Sciences, 80(5), pp. 973–993.

  • Lawson, S. (2016) ‘Does 2016 Mark the End of Cyber Pearl Harbor Hysteria?’, Forbes Magazine, 7 December. Available at: https://www.forbes.com/sites/seanlawson/2016/12/07/does-2016-mark-the-end-of-cyber-pearl-harbor-hysteria/ (Accessed: 4 August 2021).

  • Lemnitzer, J. M. (2021) ‘Why cybersecurity insurance should be regulated and compulsory’, Journal of Cyber Policy, pp. 1–19. doi: 10.1080/23738871.2021.1880609.

  • Libicki, M. (2012). Avoiding Crises by Creating Norms. In Crisis and Escalation in Cyberspace (pp. 19-38). RAND Corporation.

  • Libicki, M. C. (2007). Conquest in cyberspace: national security and information warfare. Cambridge University Press.

  • Libicki, M. (2018). Expectations of Cyber Deterrence. Strategic Studies Quarterly, 12(4), 44-57.

  • Libicki, M. (2014). Why Cyber War Will Not and Should Not Have Its Grand Strategist. Strategic Studies Quarterly, 8(1), 23-39.

  • McGhee, J. E. (2013) ‘Cyber redux: The Schmitt analysis, Tallinn manual and US cyber policy’, Journal of Law & Cyber Warfare, 2(1), pp. 64–103.

  • Muresan, R. C. and Babeş‐Bolyai University, Faculty of European Studies, Romania, hexorro@gmail.com (2017) ‘Current Approaches of Diplomacy in the Cyberspace’, Studia Universitatis Babes-Bolyai. Studia Europaea, 62(2), pp. 31–43.

  • Norris, M. J. (2013) ‘The Law of Attack in cyberspace: Considering the Tallinn manual’s definition of “Attack” in the digital battlespace’, Inquiries Journal, 5(10). Available at: http://www.inquiriesjournal.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace (Accessed: 28 July 2021).

  • O’Connell, M.E., 2012. Cyber security without cyber war. Journal of Conflict and Security Law, 17(2), pp.187-209.

  • ODNI Office of Strategic Communications (no date) 2021 Annual Threat Assessment of the U.s. intelligence community. Available at: https://www.dni.gov/index.php/newsroom/reports-publications/reports-publications-2021/item/2204-2021-annual-threat-assessment-of-the-u-s-intelligence-community (Accessed: 23 July 2021).

  • Powell, R. (2003). Nuclear Deterrence Theory, Nuclear Proliferation, and National Missile Defense. International Security,27(4), 86-118.

  • Raugh, D. (2016). Is the Hybrid Threat a True Threat? Journal of Strategic Security, 9(2), 1-13.

  • Richwine, L. (2014) ‘Cyber attack could cost Sony studio as much as $100 million’, Reuters, 9 December. Available at: https://www.reuters.com/article/us-sony-cybersecurity-costs-idUSKBN0JN2L020141209 (Accessed: 6 August 2021).

  • Rogin, J. (2012, July 9). NSA Chief: Cybercrime constitutes the “greatest transfer of wealth in history” [Web log post]. Retrieved from https://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/

  • Sanger, D (5 June 2015). "Hacking Linked to China Exposes Millions of U.S. Workers". The New York Times.

  • Sanger, D. 2018. The Perfect Weapon: War, Sabotage and Fear in the Cyber Age. New York: Crown Publishers.

  • Schmitt, M. N. (2013) Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press.

  • Senate Homeland Security Hearing on Colonial Pipeline Cyber Attack (2021). Available at: https://www.c-span.org/video/?512247-1/senate-homeland-security-hearing-colonial-pipeline-cyber-attack (Accessed: 4 August 2021).

  • Simmons, B. (2013). Preface: International Relationships in the Information Age. International Studies Review, 15(1), 1-4.

  • Smeets, M. (2018). The Strategic Promise of Offensive Cyber Operations. Strategic Studies Quarterly, 12(3), 90-113.

  • Sternstein, A. (2015) Heated house hearing offers new clues into how hackers broke into OPM networks. Nextgov. Available at: https://www.nextgov.com/cybersecurity/2015/06/heated-house-hearing-offers-new-clues-how-hackers-broke-opm-networks/115474/ (Accessed: 28 July 2021).

  • Sobers, R. (2019, April 17). 60 Must-Know Cybersecurity Statistics for 2019. Retrieved July 2, 2019, from https://www.varonis.com/blog/cybersecurity-statistics/

  • Top Cybersecurity Professional Chris Krebs on Protecting U.S. Infrastructure [Audio blog interview]. (2019, June 25). Retrieved from https://podcasts.apple.com/us/podcast/intelligence-matters/id1286906615

  • Tsvetkova, N. et al. (no date) ‘Sprawling in Cyberspace: Barack Obama’s Legacy in Public Diplomacy and Strategic Communication’, Journal of political marketing, ahead-of-print(ahead-of-print), pp. 1–13.

  • United Nations. Institute for Disarmament Research (UNIDIR) (2013) The Cyber Index: International Security Trends and Realities.

  • Vailshery, L. S. (no date) Topic: Internet of Things (IoT) in the U.s, Statista. Available at: https://www.statista.com/topics/5236/internet-of-things-iot-in-the-us/ (Accessed: 3 August 2021).

  • Walt, S. (1997). The Progressive Power of Realism. The American Political Science Review, 91(4), 931-935.

  • Worldwide Threat Assessment of the US Intelligence Community (pp. 1-42, Rep.). (n.d.). Washington D.C.: Office of the Director of National Intelligence. doi:https://www.odni.gov/files/ODNI/https://www.odni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf/2019-ATA-SFR---SSCI.pdf

Whyte, C. (2015). Power and Predation in Cyberspace. Strategic Studies Quarterly,9(1), 100-118.
