ASSESSING STATE-SPONSORED CYBER ATTACKS FROM A U.S. PERSPECTIVE: CASE STUDIES OF HACKTIVISM, DENIAL-OF-SERVICE,DISRUPTION, AND DESTRUCTION

Abstract

Although the question of whether cyber attacks constitute policy tools to more ethically and effectively achieve U.S. foreign policy goals remains largely unanswered, the U.S. government has enacted various policies that assume an affirmative answer. The extent to which cyber attacks contribute to U.S. foreign policy goals depends on the technical goal of the cyber attack. I evaluate the utility of cyber attacks with different technical goals by examining their strategic and secondary effects, which have significant policy implications. By analyzing the strategic and secondary effects of various case studies, I conclude that the U.S. government should employ disruptive cyber attacks, carry out hacktivism to avert violence, develop but refrain from destructive cyber attacks until they are better understood, and forgo denial-of-service attacks. Despite the lack of consensus regarding the effectiveness of cyber attacks, the U.S. government has instituted various public and covert policies to employ cyber attacks. Cyber Command, a new military command integrated with the National Security Agency, became operational in 2010 and the Department of Defense designated cyberspace as a military domain in 2011. In addition to these public initiatives, President Barack Obama expanded classified cyber attack projects inherited from President George W. Bush, such as Stuxnet, a disruptive cyber attack designed to slow down Iran’s nuclear program. In June 2013, leaks revealed that the National Security Agency has been covertly launching hundreds of cyber attacks on foreign targets since at least 2011. There is a clear need to assess all these U.S. policies to sponsor cyber attacks, many of which have been secret. To do so, I analyze the strategic and secondary effects of various case studies of cyber attacks with different technical goals. Technical goals, or the immediate effects of cyber attacks, can be categorized into hacktivism, denial-of-service, disruption, and destruction; these distinctions are not often made in either the scholarly or policy literature. The technical goals of cyber attacks generate strategic effects, or changes to information and programs online, physical programs controlled by computer networks, and human decision-making that are meant to contribute to the state’s foreign policy goals. While strategic effects directly measure whether using cyber attacks can help achieve U.S. strategic objectives, policymakers should also consider the often overlooked secondary effects, which include the costs of developing cyber attacks, collateral damage, disclosure of capabilities, and reputational consequences. An analysis of the strategic and secondary effects of the following case studies results in my policy recommendations to the U.S. government. Of the many examples of hacktivism, I discuss Chinese patriotic hackers during the Kosovo War, the Syrian Electronic Army, and cyber attacks on Al Qaeda’s English-language magazine Inspire. I also discuss state-sponsored denial-of-service attacks, or the cases of Estonia, Georgia, Kyrgyzstan, the BBC, and South Korea. The cyber attacks Stuxnet and Shamoon respectively exemplify the technical goals of disruption and destruction. I also analyze other disruptive and destructive cyber attacks that have been contemplated but not employed by the Obama administration, such as on Pakistan, Libya, and Syria, and explore a hypothetical case of disruptive cyber attacks on foreign censorship regimes. The diversity of my policy prescriptions, which have implications for issues including U.S. security partnerships, Internet governance, and just war theory, reflect the diversity of the technical goals of cyber attacks.