Spotlight on Cyber VI: The Cybersecurity Storm Front—Forces Shaping the Cybersecurity Landscape: A Framework for Analysis


The managing and shaping of the offerings for a cybersecurity business and the teaching of an undergraduate course on cybersecurity policy, operations, and technology present a dual challenge. This challenge imposes the need to understand what is happening on the cybersecurity landscape, how the forces shaping that landscape relate to each other, and how governments and other enterprises should respond to those forces. This challenge has also impelled the author to attempt to describe to students these forces in a coherent fashion.

The media focuses on the dramatic consequences of recent cybersecurity breaches (e.g., Sony, Anthem, the U.S. Government’s Office of Personnel Management, and other incidents). At the same time, our understanding of the cybersecurity landscape is often fragmented into pieces that the cybersecurity industry and its practitioners fail to relate. For example, why are our information technology infrastructures continuing to demonstrate significant vulnerability? Are the steps we might take to reduce that vulnerability likely to remain effective as these infrastructures change? If we do a more complete job of sharing threat intelligence, what privacy implications must we face? Are the breaches with which we’re contending “merely” the result of cybercrime, or are we seeing emerge a new component of statecraft, one that must become part of our international relations calculus?

The speed with which we must address these questions and the changes associated with some of the underlying factors call for a more coherent cybersecurity framework. We need a framework that allows us to analyze events and develop courses of action within an ever-changing cybersecurity environment. Because these factors are changing so rapidly and simultaneously, the term cybersecurity “storm front” applies—a turbulent place that changes rapidly, with potentially disruptive consequences for those over whom the storm front passes. While the term “storm front” may appear hyperbolic, the need to improve analysis and generate more useful hypotheses deserves as much attention as the cybersecurity profession can allow, and it is to the confluence of these forces that the paper refers, and not necessarily to the effects of any specific cybersecurity event. This article discusses five prominent factors shaping this storm front:

  1. The growing importance of the information managed by increasingly complex IT infrastructures
  2. The technology and structure of the IT infrastructures we seek to safeguard
  3. The changing technological and operational nature of the threat that jeopardizes those infrastructures and the information they manage
  4. The changing role of cybersecurity as an instrument of statecraft
  5. The changing privacy relationship of citizens to the enterprises that employ complex IT infrastructures.

Taken together, these factors can be used to analyze cybersecurity developments; identify and analyze the consequences of these developments; and, hopefully, aid the development of policies, doctrines, and resources to help us manage these consequences.

What We Must Protect
Well documented and broadly discussed in policy and current cybersecurity literature are both the various domains we seek to protect in the United States and elsewhere and the domains subject to exploitation (stealing of information) and attack (damage to information, information systems, and the infrastructures that depend on information). In brief, in the United States, these domains are described by the Comprehensive National Cybersecurity Initiative (CNCI), signed by former President Bush in 2006 and supported by President Obama. CNCI defined those domains in which cybersecurity disciplines are exercised as .gov, .mil, companies comprising the defense industrial base, owners and operators of critical infrastructure, and certain key manufacturers. A number of CNCI initiatives followed, as well as a series of Presidential Executive Orders (EOs). Most notable was EO 13636, which named the sectors of critical infrastructure, sectors the cybersecurity of which represents a significant public interest.

Important to understand and consider are the cybersecurity consequences of changes in the information technology on which government, military, the defense industrial base, critical infrastructures, and other enterprises depend. These changes are far reaching. Defending the enterprises that depend on them presents new challenges, because these technologies are shaping infrastructures more complex and more dynamic than those that preceded them.

The Rising Importance of Information
The role of information within enterprises is changing, growing more important, and helping shape our view of cybersecurity. The importance of information can be viewed as an enterprise’s “information intensity.” In the general economy, information—and by extension, its security—is recognized as an essential aspect of corporate strategy and, more importantly, as an enterprise’s overarching value proposition. The concept of information intensity reflects the recognized value of information. This concept has existed for decades, but gained currency in the 1980s, and has experienced rising importance through the present day. Two types of information intensity were defined in the 1980s and both are vital to today’s enterprise: product information intensity and value chain information intensity.

Product information intensity measures the extent to which a product is information-based (i.e., information-as-product), which is increasingly the case in today’s global economy in general and in the United States and other advanced economies in particular. Any business that provides information-for-value (e.g., financial reporting and transactions, media, and social networking) delivers one or more products that comprise principally (or solely) information. For such enterprises, the security of the information they employ and provide affects materially the value of the product they convey to their customers. Their value proposition can exist and thrive only to the extent cybersecurity and information assurance (relating to provenance, processing, and delivery) are present.

Value chain information intensity describes the extent to which information contributes to the production and delivery of non-information products. Global supply chains for the manufacture of aircraft, for example, rely on a complex web of information ranging from specifications and test data, to pricing and delivery schedules. Every element of this information is crucial to production. In fact, many of the processes used in manufacturing are information-technology controlled, enhancing the level of information intensity on which these products and their value chains rely. Cybersecurity failure in these value chains can result in faulty parts, dangerous industrial operations, loss of intellectual property, and non-delivery of the product as promised.

Linked to value-chain intensity is the extent to which many physical products (e.g., airliners) are characterized by an increasing proportion of information technologies. Today’s Boeing Dreamliner, for example, uses computer-based “fly-by-wire” technologies to control critical flight systems. It possesses Internet-based architectures for other systems ranging from avionics to passenger entertainment subsystems. In many ways, the Dreamliner is a computer around which someone designed an airplane. In Boeing’s own parlance:

The 787 Dreamliner, the world’s first “e-Enabled” commercial airplane, combines the power of integrated information and communications systems to drive operational efficiency, enhance revenue, and streamline airplane maintenance.

Boeing also notes:

These tools promise to change the flow of information and create a new level of situational awareness that airlines can use to improve operations. At the same time, the extensive e-Enabling on the 787 increases the need for network connectivity, hardware and software improvements, and systems management practices.

The importance of the concept of information intensity is not new. Compelling work by Michael E. Porter and Victor A. Miller in 1985 described the value of information in both information-as-product and in value chains. The authors defined the concept of manufacturing information and distribution systems (MIDS), noting that “an information intensive MIDS will generally bring value to a company if it adds high value to the product.” In today’s world, such systems are of vital importance.

Whether an enterprise delivers information itself as a product or products that rely on information to empower and mediate their value chains, cybersecurity clearly bears directly on information intensity and on corporate strategy and the value proposition an enterprise delivers. Indeed, the cybersecurity of information-intensive products is intrinsic to the value of those products and rises, therefore, to the level of a corporate strategic issue.

Recent research makes the concept of information intensity even more important and the focus on cybersecurity more urgent. For example, this research provides powerful evidence about information-intensive businesses that produce information-as-product: These businesses should use information technology to disaggregate their production for the purpose of efficiency, just as value-chain information-intensive manufacturers are building global IT-enabled value and production chains.

Such disaggregation is an important component of corporate strategy designed to take advantage of regional and local specialization and cost structures. At the same time, securing the IT infrastructures involved is essential for every aspect of development, production, integration, and delivery. Indeed, in all of these cases, the ability to provide effective cybersecurity is an essential enabling element of strategy. It can even be a competitive discriminator vis-à-vis competitors for which product quality (e.g., provenance and test data) and the integrity of information can be enhanced by cybersecurity.

The publication of Porter and Miller’s work came, perhaps, too early for the application of the term “big data” used frequently today. Had the term been in vogue, Porter and Miller might have added information analysis value.

This term describes the ability of today’s analytic tools to aggregate data from many sources (and of many types, i.e., heterogeneous data) in a homogeneous environment to create decisions of significant value. Some examples are what products to offer specific consumers at specific prices and times, how to deploy valuable medical research and development resources, what crop futures the market might expect, or the likely progression of a dangerous epidemic. Tools applied from disciplines such as “business intelligence,” “enterprise resource management,” and “data mining” amplify considerably the value of information.

Overall, it is no surprise that the rise in the importance of information—and the need to secure it—is followed closely by these concerns: the attempts globally to steal intellectual property, to gain illegal access to information-as-product, and to enter value chains and achieve the ability to damage the information on which those chains rely.

A New Information Infrastructure
Changes in the information technology infrastructures we must protect are far reaching and include increased and ubiquitous use of mobile devices, advances in cloud technology (and changes in cloud business models), and the ongoing transition worldwide to Internet protocol version 6 (IPv6). We rely increasingly on mobile (physically untethered) devices for the bulk of our information technology needs. These devices, smartphones and tablets, have become “convergence platforms” that serve all our digital needs, including telephony, email, tweets and text messages, audio and video media, online commerce, financial transactions, and even supply chain management. Mobile devices are used to facilitate meetings and online conferences. They are sources of entertainment. They help us build and shape virtual communities worldwide. With the means to deploy more powerful applications, they support us in managing business.

Cost and efficiency drivers have made the transition to cloud architectures swifter than many foresaw. More and more enterprises are moving vital workloads to public clouds, private sectors, and “hybrid” cloud models. These workloads include enterprise resource management (ERM) and customer relations management (CRM) applications; development and test (devtest) environments, back-office, and enterprise applications; conferencing and multimedia applications; desktop applications; and supply chain management. Cloud cost models have become competitive and compelling. The ubiquity of cloud capacity has made cloud infrastructure “plastic,” allowing enterprises to shift their workloads from one cloud provider to another, depending on requirements, cost, and availability.

This “cloud orchestration” model was pioneered by companies such as CSC through its acquisition of ServiceMesh. While offering an ever-more-efficient mechanism for managing availability and cost, the model complicates the association of data with any specific physical location, already a challenge in a world of complex cloud infrastructures hosted on myriad vast server farms. The recent European Commission decision to invalidate the 2000 Safe Harbor decision (allowing U.S.-based processing of European citizens’ information) thrusts privacy concerns at the heart of the global cloud model. The decision relates to the ongoing rise of privacy as an issue shaping cybersecurity discussed below.

Complicating this situation is the rise of IPv6 and the “Internet of Things” (IoT) that it makes possible. We are reaching the limits under the preceding Internet Protocol Version 4 (IPv4) of the number of devices (approximately four billion) that we can attach to the Internet with identifiable addresses. IPv6 will allow the connection and addressing of a number of devices that can be described as greater than the number of stars in the known universe, squared! Other aspects of IPv6 make this protocol more efficient. Its adoption will create new and complex infrastructures that extend from our mobile devices through a “plastic” cloud to the very devices on which our lives depend.

The adoption of IPv6 will allow for a more or less unfettered convergence of today’s enterprise information technology (IT) and the operational technology (OT) that controls physical infrastructures (e.g., energy, transportation, water, health care, etc.). Components of these infrastructures (turbines, valves, railway switches) are instrumented with IP-enabled devices that allow for the collection of data and more efficient and distributed command and control. Information can be used to mediate the resources associated with the emerging “smart grid,” for example. For the electrical power sector, the Department of Energy describes such infrastructures as follows:

“Smart grid” generally refers to a class of technology people are using to bring utility electricity delivery systems into the 21st century, using computer-based remote control and automation. These systems are made possible by two-way communication technology and computer processing that has been used for decades in other industries. They are beginning to be used on electricity networks, from the power plants and wind farms all the way to the consumers of electricity in homes and businesses. They offer many benefits to utilities and consumers—mostly seen in big improvements in energy efficiency on the electricity grid and in the energy users’ homes and offices.

It is likely that the emergence of IP-enabled, information-mediated infrastructures will allow for the “smart” management of combined systems, e.g., electrical energy (for rechargeable, electric cars) and intelligent roadways serving self-driving cars. Such technology could allow drivers to make cost- and time-efficient decisions about when to recharge their cars, and when to run routine errands, combining an understanding of electrical power costs with regional transportation congestion.

This article offers a framework for analysis regarding the evolving cybersecurity landscape. However, the author’s business background makes irresistible a few words on the likely implications of these infrastructure changes on the nature of the cybersecurity business. The management of cybersecurity on an enterprise basis is something many enterprises undertake for themselves, either by constituting their own cybersecurity workforce or by using a cybersecurity services provider to manage the various cybersecurity tools and technologies (e.g., firewalls, governance/risk/compliance tools, intrusion detection/protection systems, antivirus tools, security information and event management systems, etc.) in which the enterprise has invested. Some enterprises are outsourcing their cybersecurity, in whole or in part, to commercial managed security services providers (MSSPs), acquiring (cyber)security-as-a-service (or SaaS).

The model of cybersecurity managed internally is likely to become more difficult to implement, particularly given the “plastic” nature of the infrastructures being safeguarded, the shift to multiple cloud backbones on which they will rely, the interconnected nature of these infrastructures (e.g., connected to suppliers, partners and customers), and the extension of these networks to IPv6-enabled manufacturing and critical infrastructure appliances. Enterprises will be hard pressed to maintain an accurate infrastructure topology, much less to deploy to these infrastructures and manage the cybersecurity tools and technologies they elect to use.

MSSPs specializing in cybersecurity are more likely to have the expertise requisite to meeting this challenge. They will be required to develop business models, metrics (and associated service-level-agreements), and pricing models that reflect shifting and interconnected infrastructures. They will need both to manage cybersecurity devices in the enterprises for which they are taking responsibility and to understand and help protect other infrastructures on which their clients’ infrastructures depend. In effect, as information technology capacity becomes a managed commodity, so too might become the cybersecurity needed to safeguard that capacity.

The implications of this change in the infrastructure landscape are important to consider. More complex infrastructures will be more difficult to characterize. Anomalous behavior caused by cyber exploits and attacks may be more difficult to detect. Shared infrastructures complicate the challenge of monitoring and managing cybersecurity by any one enterprise or MSSP. Infrastructures that change quickly will need cybersecurity management tools and technologies that can characterize, assess, and mitigate dynamically cybersecurity vulnerabilities, incidents, and consequences. Overall, our ability to understand complex, changing systems will require cybersecurity tools for monitoring, analysis, and response that exceed current cybersecurity technology.

The Threat Changes
Changes in the threat landscape have resulted in breaches that have become larger both in the number of people whose information has been compromised and the depth of that compromise (i.e., the range of attributes reflecting personal information, including social security numbers, financial information, security clearance information, and even biometric data such as fingerprints). Foreign intelligence organizations and cybercriminals have demonstrated impressive access to and use of sophisticated cyber exploit technologies. In the case of Stuxnet and possibly a German steel manufacturing plant, cyber attack technologies can penetrate the industrial control systems (ICS) that connect physical systems with information technology infrastructures.

New malware can exhibit no known signature (prior to its first use). It is polymorphic (adept in changing its appearance once rooted in a target infrastructure), able to hide and evade the “sandboxing” used to isolate it within a target infrastructure, stealthy, and capable of “beaconing” to and responding to effective command and control by its handlers. Stuxnet malware purportedly targeted Iranian centrifuges used to produce highly enriched uranium. It supposedly consisted of numerous “zero-day” modules (not seen before) and was capable of identifying specific components of the ICS used by Iranian centrifuges. It tricked those systems into spinning the centrifuges at incorrect rotations, while informing the workstations used to monitor them that the centrifuges’ operation was normal. Such malware is indeed “advanced.”

Perhaps more troubling is the advance in operational expertise or “tradecraft” exhibited by cyber exploiters and attackers. This tradecraft is characterized by formal information requirements, well-defined doctrine and operational concepts, thorough reconnaissance and intelligence characterization of the targeted infrastructure, dedicated resources capable of treating the infrastructures to be penetrated as formal intelligence targets, and impressive persistence—lasting almost 10 years (and possibly more). The malware posed by organizations that possess this tradecraft can be characterized as “persistent.” In other words, malware and the operations that employ it can be called “advanced persistent threats” or APTs.

The use of operational expertise extends to clever social network analysis (to identify users with administrative privileges, for example) and well-targeted spear-phishing that can result in the compromise of privileged information by even well-trained IT professionals. The use of witting and unwitting insiders whose administrative privileges can be compromised can undermine network defenses significantly. Of equal importance, constant changes in the IT infrastructures we seek to defend leave defenders unable to characterize accurately their own networks. On the other hand, exploiters and attackers can operate with the discipline of well-established intelligence services. They can form a more accurate view of the networks they threaten than the view held by the networks’ owners.

Reporting abounds that characterizes the manner in which cybersecurity threats have become technically advanced and operationally efficient. Employees of the author’s company, ICF International, working with the Army’s Research Laboratory’s Threat Cell, see evidence of the increased technical sophistication of today’s malware. Mandiant, a cybersecurity professional services subsidiary of FireEye, publishes an annual report that provides a year-over-year view of the technical and operational cybersecurity threat landscape. Mandiant’s report paints an alarming picture of the cybersecurity challenges facing modern, information-intensive enterprises, including the difficulty in finding malware before law enforcement or social media becomes aware of these enterprises’ breaches. Mandiant noted:

[In 2014] attackers still had a free rein in breached environments far too long before being detected—a median of 205 days in 2014 compared with 229 days in 2013. At the same time, the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.

Mandiant’s report added that at least one breach had remained undetected for 2,982 days, a time period consistent with the author’s own experience dealing with a breach that had been undetected (and unmitigated) for approximately nine years. Speaking to the adaptability of today’s cyber adversaries, Mandiant also noted:

As security teams deploy new defenses, attackers are evolving their tactics. We saw that dynamic in full force over the past year as attackers employed new tactics (or in some cases sharpened tried-and-true techniques from the past) to hijack virtual private networking security, evade detection, steal credentials, and maintain a stealthy, persistent foothold in compromised environments.

The report reflects eloquently both the technical prowess and operational cunning with which today’s cybersecurity professionals must contend.

Perhaps no cybersecurity incident illustrates the convergence of technology and tradecraft as well as the reported 2010/2011 compromise of the algorithm used in RSA’s SecurID key fobs, employed by many organizations to govern access to sensitive IT systems. Wired magazine and others reported that the RSA breach was followed in swift order by compromises at a number of defense contractors (e.g., L-3 and Lockheed) that employ RSA’s technology. This set of incidents reflects a well-elaborated plan that defined the information the exploiter desired, determined where that information was managed and how it was protected, and compromised the technology used to protect that information. More importantly, this plan used that compromise swiftly—and before it could be detected and mitigated—to steal sensitive defense information. Such an operation reflects planning, discipline, readiness, and polished execution. The intellect and resources associated with such incidents represent a difficult challenge for any targeted enterprise.

The implications of the evolving threat landscape will force information technology executives and operators to become more vigilant regarding the vulnerabilities of their enterprises. It will compel better threat information sharing and may prove an impetus to the formation of new information sharing and advisory organizations, as described by a 2015 Presidential Executive Order. Enterprises of all types will be forced to consider the strategies they need to defend themselves against threats posed in the past by nation-state actors against national security targets only. Even smaller enterprises may be subject to sophisticated cyber attacks and exploits by adversaries attempting to test their capabilities on such targets as a way of avoiding detection.

Cybersecurity in Peace, in War, and in-Between
Much has been written regarding the continuing efforts of the United States and others to achieve effective cyber defense in light of unending work by other countries and cybercriminals to exploit and damage sensitive information and achieve the ability to attack critical, information technology-dependent infrastructures. In a previous article in the Georgetown Journal of International Affairs, the author contrasted the views of the United States and other Western democracies of cybersecurity as a discipline safeguarding intellectual property, infrastructures, and private information within a global commons (i.e., global cyberspace).

Russia and China, by contrast, view cybersecurity as the exercise of government authority within portions of cyberspace. These governments seek to exercise the prerogatives of sovereignty—principally to safeguard social stability and limit the effects of religious, political, and other movements these governments regard as illegitimate. Additional articles in the current volume of the Georgetown Journal of International Affairs and others describe the evolution of cybersecurity as an element of warfare and statecraft, evidence of the rising importance of cybersecurity (and cyberspace) as elements to which international relations theorists must pay attention. Indeed, rising importance to international relations and the functioning of the international system is one of the principal dynamics shaping the cybersecurity landscape.

The evolution of this dynamic, however, appears to be tending toward a situation in which cybersecurity challenges (exploits and attacks) are a constant concern. Rather than concerns about a “cyberwar,” we are witnessing cyber attacks and exploits as a component of statecraft in peacetime. They are tools “short of war” and components of hybrid warfare operations (e.g., Russia’s campaign against the Ukraine) that constitute neither peace nor war but allow countries to engage in conflict while maintaining diplomatic and economic relations. Efforts to steal and alter information, damage information infrastructures and IT-dependent critical infrastructures, and shape information conveyed through social and online media are ever present.

Theorists such as Lucas Kello deride the term “cyberwar” while seeking to describe this new state of affairs. These efforts also challenge IR theorists generally to model cybersecurity challenges as factors modulating ongoing relations among countries and between countries and non-state actors. International relations practitioners now consider what behavioral norms are required to accommodate these challenges, while protecting the stability of the international system (and avoiding destabilizing surprises). Behavioral norms do not eliminate all behavior deemed objectionable by all actors, but they can constrain provocative behavior and non-proportional responses.

A survey of the field of the emerging role of cybersecurity as a component of the international system is not provided here. However, prominent IR theorists are seeking to describe that role. Erik Gartzke’s 2013 article, “The Myth of Cyberwar,” notes that cyberwar is “unlikely to prove particularly potent in grand strategic terms…” Gartzke challenges various cyberwar concepts and notes:

  • Cyber damage can be more easily repaired than damage to physical infrastructures.
  • Countries that are the victims of covert cyber attack cannot acquiesce to attackers they do not know.
  • Some cyber attack capabilities risk being made ineffective after their first use.

Gartzke’s article provides evidence that cyber attack as a challenge to cybersecurity is assuming its logical place alongside other tools in the exercise of power and influence, rather than as a decisive mode of combat.

The 2013 article by Lucas Kello, “The Meaning of the Cyber Revolution,” offers a challenge to study the effects on the international system of cyber attacks and exploits. Kello regards the term “cyberwar” as overused. He suggests assets used in the research methodologies to analyze international relations can and should be applied to the study of cybersecurity challenges. Kello quotes former NSA Director and Commander of the USCYBERCOM, General Keith Alexander, who stated that “no consensus exists” regarding how to characterize the destabilizing effects of cyber attack. Kello’s work represents, as does Gartzke’s, a challenge to theorists to replace speculation with useful research.

What might this research show? Recent events support the hypothesis that efforts are under way to establish norms as well as the diplomatic and political mechanisms required to react to normative transgressions. Although more research is necessary to convert this hypothesis to theory, recent events are noteworthy, perhaps none more so than the recent cybersecurity agreement between President Obama and Chinese President Xi Jinping. An attempt at normative behavior can be seen in the following: the United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

Although the agreement attempts to constrain the theft of intellectual property, it does not define the sanctions that might follow such theft. It is silent regarding cyber exploits by one government against the other, reflecting perhaps acceptance of such acts. Indeed, former Central Intelligence Agency and National Security Agency (NSA) Director Michael Hayden has called the recent breach (possibly by China) of personal records held by the U.S. Office of Personnel Management “honorable espionage work” against a “legitimate intelligence target.”

In other words, the state of affairs in which the agreement was drafted reflects efforts to define normative behavior, although recognizing that some acts, while unpalatable, are not necessarily unacceptable. This agreement also represents, perhaps, an effort by the United States and China to interact in cyberspace without dangerous conflict, even in the presence of very different concepts of cybersecurity (“global commons” rather than “sovereign cyberspace”).

For theorists of international relations, governments, non-state actors, warriors, and even the private sector, the implications of efforts to achieve and describe normative behavior are likely to be significant. The existence of norms recognizes that the behavior associated with those norms will be present under day-to-day circumstances. Government departments and agencies—and their industrial partners—will need to detect, fend off, and mitigate foreign cyber exploits that do not reflect the theft of intellectual property intended to create commercial advantage. Defense contractors, for example, may find that exploits against their systems, while unfortunate, do not necessarily violate emerging norms, making such exploits more likely and the need to deal with them more important. If this trend holds, we are likely to see a continuing shift from concerns about “cyberwar” to recognition that some level of cyber exploit is part of the “new normal.”

The same may be true regarding cyber attack. Sascha Dov Bachmann and Håkan Gunneriusson argue in a 2015 article that Russia has built a hybrid warfare doctrine that incorporates attacks against another country’s infrastructure into an operational approach that falls just short of war. Russia is using this doctrine in the Ukraine. The country is combining cyber attacks, efforts to shape online and social media discussions, support to Ukrainian separatists, deployment of Russian irregulars, and the unacknowledged use of Russian soldiers into an effective campaign, one that is eroding the Ukrainian Government’s effectiveness while corroding the integrity of Ukraine’s border with Russia. Again, the implications are likely to be significant. Russia’s doctrine represents the use of force “short of war” and drives those affected (government, nongovernment, commercial entities, and others) to exist in a state in which attacks against their IT infrastructures are unpalatable but not regarded as acts of war and not compelling a vigorous, warlike response.

Overall, the international system will need to adjust to accommodate cybersecurity challenges as a factor that is both constantly present—and constantly changing. Low barriers to entry, difficulties with attribution (of exploits and attacks), and modest consequences (to date) faced by the perpetrators of cyber attacks and exploits are likely to make these activities a long-term aspect of the international system.

Privacy Dominates—for Now
The 2006 CNCI defines cybersecurity as a national security imperative, one that unites the public and private sectors. From a policy perspective, CNCI makes clear that an enduring public interest exists in the cybersecurity of the defense industrial base, critical infrastructure, and parts of the nation’s manufacturing base as well as the national defense, intelligence, and civil government establishment.

Things have changed.

Today’s cybersecurity environment is defined increasingly by concerns about privacy and a perceived need to protect private information from government authorities. Examples abound, and one can speculate as to the reasons for this shift, though Edward Snowden’s activities appear to be the most influential.

Three examples cast into sharp relief this change in the cybersecurity narrative. First, the 2000 Safe Harbor decision by the European Commission indicated that U.S. data protection standards are adequate for European Union citizens. The intervening years, however, have wrought visible change in the European political situation vis-à-vis U.S. data privacy, as reflected in an October 2015 decision by the Commission that U.S. data protection standards are not sufficient.

Taking place against the backdrop of enduring European concerns over the purported activities of the U.S. intelligence community and a case brought in 2013 by an Austrian citizen, the court’s ruling invalidated the 2000 U.S.-EU Safe Harbor Agreement. It also determined that member countries’ data protection authorities are not bound by the Commission, allowing for further challenges. Although the U.S. government is working vigorously to restore Safe Harbor, this ruling reflects a trans-Atlantic cybersecurity relationship defined as much by privacy concerns as by the needs for mutual defense.

Second, broad agreement appears to exist on the need to improve public and private cybersecurity threat and incident information sharing. However, successive bills brought forward in the U.S. House and Senate (the Cybersecurity Information Sharing and Protection Act [CISPA] and the Cybersecurity Information Sharing Act [CISA], respectively), have foundered on the rocks of concerns raised by privacy and civil liberties advocates. The bills did not advance to the President’s desk from 2010 to 2014. Indeed, rumors abounded in Washington that the President would veto an information-sharing bill that risked the unauthorized (even mistaken) disclosure of private information to the government generally and the intelligence community specifically.

In addition, members of the IT industry feared the potential liability that could result should such a disclosure of their customers’ private information take place. Only in October 2015 was a Senate bill presented that appeared capable of gaining White House support. The Senate bill is prescriptive in its protections of information considered private. Conditional Administration support was signaled in a Statement of Administration Policy, although that statement emphasizes that information sharing must be mediated through the Department of Homeland Security. Although not entirely satisfactory to the civil liberties community, the bill passed both houses and gained Presidential signature.

Finally, one notes that conservative congressional leaders, including two reported candidates for the position of Speaker of the House of Representatives, a position to which Congressman Paul Ryan (R-Wisconsin) has been elected, are known more for their concerns regarding cybersecurity privacy than for cybersecurity as a national security issue. Congressman Darrell Issa (R-California) has made clear his view that NSA’s bulk collection programs (specifically, the program authorized by Section 215 of the Patriot Act) should be limited. Congressman Jason Chaffetz (R-Utah) and Issa both support the Email Privacy Act, which would close a loophole in the Electronic Communications Privacy Act that “allows the government to subpoena emails from Internet service providers after they’re 180-days old.”

Taken together, these examples point to a cybersecurity landscape domestically that is influenced more powerfully by privacy concerns than in the past. They represent a likely reaction to the purported actions of the government in cyberspace as well as a change internationally. They also reflect a clear division between the United States and many of its partners. This division, defined by privacy concerns, stands in contrast to the continuing but now less prominent efforts to work together in support of common cyber defense. Whether privacy will trump national security in defining the cybersecurity relationship between the United States and its European allies (and other countries) remains to be seen. National security may reassert itself (particularly in the wake of the November 2015 terrorist attacks in Paris), or a new accommodation between national security and privacy may be struck. In any case, the cybersecurity landscape with which policy makers and operators will be forced to deal will be shaped by these parallel, often entwined considerations as will the relations among allies and between allies and other countries.

Some Progress is Evident
While this article proposes an analytical framework, it is worth noting that progress has been made, particularly on the part of the U.S. government. This progress, which is itself a framework, consists of:

  • A Presidential Policy Directive (21) that identifies 16 critical infrastructure standards that require stronger cybersecurity.
  • A Presidential Executive Order (EO 13636) mandating the creation by the National Institute of Standards and Technology (NIST) of a cybersecurity framework that identifies best practices, provides a means for critical infrastructure self-assessment, and conveys a mechanism for sector-specific cybersecurity standards.
  • An additional Executive Order that mandates the creation of Information Sharing and Advisory Organizations (ISAOs) to improve cybersecurity threat and best-practice information sharing within specific sectors and for specialized needs (e.g., the operational technology used in industrial control systems).

Another framework of which we should take account is the Tallinn Manual, a NATO-sponsored effort that seeks to codify the rules of conduct of offensive cyber operations. The Manual represents an effort to impose on nation states a set of behavior norms, improving transparency and predictability, and may serve to improve our understanding of the role of cybersecurity in the international system.

While useful, this progress should be accompanied by a stronger understanding of the larger context of information value, global policy, and operations shaping cyberspace today and tomorrow and the cybersecurity challenge we face.

The cybersecurity field is changing swiftly. The swiftness of this change makes difficult the detachment useful generally to gain perspective and balance, to generate hypotheses, and collect the data necessary to theorize. At the same time, the swiftness of these changes poses challenges to policy makers, operators, technologists, and practitioners. This article identifies major categories of change and provides the means to describe the evolving cybersecurity landscape in a manner that is both lucid and practical.

Governments and commercial enterprises must shape policies that reflect the concerns of citizens and customers alike. Governments and commercial enterprises must recognize the ever-present threats that are likely to endure and grow more serious in a world where cyber exploits and cyber attacks can take place at any time and may become regarded as “peacetime,” normative behavior. Defending against these attacks and exploits will be made more difficult by the rising value of the information at risk and the complexity of the infrastructures by which this information is managed and which this information helps control. The framework provided, framed by salient issues, represents a useful starting point for the further analysis of cyber developments—and possibly a challenge to develop stronger and more useful frameworks in future.

A version of this article appears in International Engagement on Cyber VI, forthcoming for Georgetown University Press in December 2016.


Samuel Sanders Visner is senior vice president and general manager at Enterprise Cybersecurity and Resilience, ICF International, and an adjunct professor of cybersecurity at the Science and Technology in International Affairs Program at the Edmund A. Walsh School of Foreign Service at Georgetown University. He previously served as vice president and general manager of the Computer Sciences Corporation Cybersecurity and chief of the Signals Intelligence Programs at the National Security Agency.

