Zero Days Negative – MI 7

Contentscase defense................................................................................................................................... 3

solvency................................................................................................................................................................................41nc solvency.....................................................................................................................................................................52nc alt causes....................................................................................................................................................................92nc cybersecurity impossible..........................................................................................................................................102nc status quo solves.......................................................................................................................................................12

critical infrastructure advantage.........................................................................................................................................141nc critical infrastructure................................................................................................................................................151nc grid impact...............................................................................................................................................................172nc grid impact...............................................................................................................................................................181nc water impact.............................................................................................................................................................21at: agriculture..................................................................................................................................................................23at: air traffic control........................................................................................................................................................25at: econ impact................................................................................................................................................................26at: emergency response impact.......................................................................................................................................27at: internet impact...........................................................................................................................................................28

ip theft advantage...............................................................................................................................................................291nc china modernization.................................................................................................................................................302nc china modernization.................................................................................................................................................331nc hegemony.................................................................................................................................................................361nc russian modernization..............................................................................................................................................40

oco’s advantage..................................................................................................................................................................411nc treaties/norms...........................................................................................................................................................421nc cyberwar...................................................................................................................................................................442nc cyberwar...................................................................................................................................................................492nc fear mongering.........................................................................................................................................................512nc retaliation.................................................................................................................................................................522nc status quo solves.......................................................................................................................................................532nc us strikes first...........................................................................................................................................................54at: china impact...............................................................................................................................................................55

offcase arguments........................................................................................................................ 56advantage counterplans......................................................................................................................................................57

1nc oversight cp..............................................................................................................................................................582nc oversight solves........................................................................................................................................................601nc regulations cp...........................................................................................................................................................632nc regulations cp...........................................................................................................................................................641nc wassenaar regulations cp..........................................................................................................................................662nc solvency...................................................................................................................................................................67at: cp doesn’t solve china................................................................................................................................................69at: can’t catch all vulnerabilities.....................................................................................................................................70

cyberdeterrence da..............................................................................................................................................................711nc cyberdeterrence da...................................................................................................................................................722nc link/turns case wall...................................................................................................................................................74link – legal restrictions....................................................................................................................................................78link – transparency..........................................................................................................................................................80brink – no cyberwar now................................................................................................................................................82internal link – china war.................................................................................................................................................83internal link/impact – korea war.....................................................................................................................................84impact – china war..........................................................................................................................................................85at: cyberdefense..............................................................................................................................................................87

1

Zero Days Negative – MI 7at: cyberoffense bad........................................................................................................................................................89at: deterrence impossible................................................................................................................................................90at: deterrence doesn’t apply to cyber..............................................................................................................................91at: deterrence fails (attribution).......................................................................................................................................92at: no retaliation..............................................................................................................................................................93at: other agencies solve...................................................................................................................................................94at: transparency solves war.............................................................................................................................................95at: treaties solve..............................................................................................................................................................96

nato counterplan.................................................................................................................................................................971nc nato counterplan.......................................................................................................................................................982nc nato cp solvency.....................................................................................................................................................1012nc nato impact.............................................................................................................................................................1032nc russia cyberwar impact...........................................................................................................................................104at: permutation..............................................................................................................................................................106

politics links.....................................................................................................................................................................1081nc politics link.............................................................................................................................................................109tpa solves ip theft..........................................................................................................................................................110

2

Zero Days Negative – MI 7

CASE DEFENSE

3

Zero Days Negative – MI 7

SOLVENCY

4

Zero Days Negative – MI 71NC SOLVENCY

No solvency --- US demand doesn’t drive global zero-day useBellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn

P165 It is interesting to ponder whether the policy of immediately reporting vulnerabilities could disrupt the zero-day industry. Some members of the industry, such as HP DVLabs, "will responsibly and promptly notify the appropriate product vendor of a security flaw with their product(s) or service(s)." n245 Others, such as VUPEN, which "reports all discovered vulnerabilities to the affected vendors under contract with VUPEN," n246 do not. Although it would be a great benefit to security if the inability to sell to law enforcement caused the sellers to actually change their course of action, U.S. law enforcement is unlikely to have a major impact on the zero-day market since it is an international market dominated by national security organizations .

Can’t solve lack of trust within the private sector --- regulatory and competitive barriersJaffer 15 [Jamil N., Adjunct Professor of Law and Director, Security Law Program, George Mason University Law School, Occasional Papers Series, published by the Dean Rusk Center for International Law and Policy, 4-1-2015, “Cybersecurity and National Defense: Building a Public-Private Partnership,” http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc] //khirn

But, second, and perhaps even more important, is the lack of trust within the private sector —

the inability of private industry actors to communicate with one another the threats they’re seeing. And there are a lot of reasons for that. There are regulatory reasons, there are competitive reasons, and there’s just an inherent sense of, “It’s hard for me to tell the guy next door what I’m doing .” Now, the truth is that at the systems administrator level this happens all the time. Systems administrators of major corporations all the time will call each other up and say, “Hey, I’m seeing this on my network. Are you seeing it?” And the reason that relationship works is because they trust each other. They know that the other sys admin is not going to, you know, screw them over competitively. They do worry at the corporate level , however. If general counsel were to know about this kind of conversation going on, they’d probably be tamping it down and saying, “Look, you can’t be talking to, you know, the sys admin over at our competitor because who knows if he tells his CEO what’s going to happen to us competitively.”

Vulnerabilities inevitable --- orphansBellovin et al 14 (Steven M. Bellovin (computer science prof at Columbia), Matt Blaze (associate prof at UPenn, Sandy Clark (Ph.D student at UPenn), & Susan Landau (Guggenheim fellow), April 2014, Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern Journal of Technology and Intellectual Property, April, 2014, 12 Nw. J. Tech. & Intell. Prop. 1, lexis) /AMarbTo whom should a vulnerability report be made? In many cases, there is an obvious point of contact: a software vendor that sells and maintains the product in question, or, in the case of open-source software, the community team maintaining it. In other cases, however, the answer is less clear. Not all software is actively maintained; there may be “orphan” software without an active vendor or owner to report to.253 Also, not all vulnerabilities result from bugs in specific software products. For example, standard communications protocols are occasionally found to have vulnerabilities,254 and a given protocol may be used in many different products and

5

Zero Days Negative – MI 7systems. In this situation, the vulnerability would need to be reported not to a particular vendor, but to the standards body responsible for the protocol. Many standards bodies operate entirely in the open,255 however, which can make quietly reporting a vulnerability—or hiding the fact that it has been reported by a law enforcement agency—problematic. In this situation, the choice is simple: report it openly.

Can’t solve info sharing --- legal barreirsBucci, Ph.D., Rosenzweig and Inserra 13 (Steven P., Paul, and David, April 1, 2013, A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace, Heritage Foundation, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace) /AMarb

There are four steps that can be taken to enable and encourage the needed cyber information sharing. First, Congress should remove barriers to voluntary private-sector sharing. Currently, legal ambiguities impede greater collaboration and sharing of information.[14] As a result, nearly every cybersecurity proposal in the last Congress contained provisions for clarifying these ambiguities to allow sharing. The 2011 Cyber Intelligence Sharing and Protection Act (CISPA), the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act of 2012, and the Cyber Security Act (CSA) of 2012 all authorized sharing by stating that “[n]otwithstanding any other provision of law” a private-sector entity can “share” or “disclose” cybersecurity threat information with others in the private sector and with the government.[15] While sharing information is important, all of it should be voluntary, in order to encourage true cooperation. After all, any arrangement that forces a business to share information is, by definition, not cooperation but coercion. Voluntary sharing will also allow organizations with manifest privacy concerns to simply avoid sharing their information, while still receiving helpful information from the government and other organizations. Second, those entities that share information about cyber threats, vulnerabilities, and breaches should have legal protection. The fact that they shared data about an attack, or even a complete breach, with the authorities should never open them up to legal action. This is one of the biggest hindrances to sharing today, as it seems easier and safer to withhold information than to share it, even if it will benefit others. The Information Technology Industry Council (ITIC) provides several examples of how liability concerns block effective information sharing. Under current law, “Company A [could] voluntarily report what may be a cybersecurity incident in an information-sharing environment, such as in an ISAC (Information Sharing and Analysis Centers), or directly to the government, such as to the FBI.” The result of such sharing could be that government prosecutors, law enforcement agencies, or civil attorneys use this information as the basis for establishing a violation of civil or criminal law against Company A or a customer, partner, or unaffiliated entity harmed by the incident sues Company A for not informing them of the incident as soon as they were aware of it. Company A’s disclosure can be seen as a “smoking gun” or “paper trail” of when Company A knew about a risk event though Company A did not yet have a legal duty to report the incident. Such allegation could lead to costly litigation or settlement regardless of its validity.[16] With the threat of legal action, businesses have determined that they are better off not sharing information. Strong liability protection is critical to expanding information sharing. Third, the information that is shared must be exempted from FOIA requests and use by regulators. Without such protection, a competitor can get its hands on potentially proprietary information through a FOIA action. Alternatively, if information is shared with a regulator, it will dampen voluntary sharing, since organizations will fear a backlash from regulators, who could use shared information to penalize a regulated party or tighten rules. Once again, the ITIC provides a valuable example. If a company shares information on a potential cybersecurity incident and “later finds that a database was compromised that included Individually Identifiable Health Information as defined under the Health Insurance Portability and Accountability Act (HIPAA),” then the Federal Trade Commission could use the shared information “as evidence in a case against [that company] for violating the security provisions of HIPAA.”[17] If shared information is exempted from FOIA and regulatory use, a company can share important data without fear that its competitive advantages will be lost to other firms or used by regulators to impose more rules or costs.[18]

NSA won’t listen to the plan --- circumvention inevitableGellman 13 (Barton Gellman writes for the national staff. He has contributed to three Pulitzer Prizes for The Washington Post, most recently the 2014 Pulitzer Prize for Public Service. The Washington Post: “NSA broke privacy rules thousands of times per year, audit finds.” Published August 15th, 2013. Accessed June 29th, 2015. http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-per-year-audit-finds/2013/08/15/3310e554-

6

Zero Days Negative – MI 705ca-11e3-a07f-49ddc7417125_story.html) KalM

The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008,

according to an internal audit and other top-secret documents. Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by statute and executive order. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. e-mails and telephone calls. The documents, provided earlier this summer to The Washington Post by former NSA contractor Edward Snowden, include a level of detail and analysis that is not routinely shared with Congress or the special court that oversees surveillance. In one of the documents, agency personnel are instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence. In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff. In another case, the Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for many months. The court ruled it unconstitutional. Read the documents NSA report on privacy violations Read the full report with key sections highlighted and annotated by the reporter. FISA court finds illegal surveillance The only known details of a 2011 ruling that found the NSA was using illegal methods to collect and handle the communications of American citizens. What's a 'violation'? View a slide used in a training course for NSA intelligence collectors and analysts. What to say (and what not to say) How NSA analysts explain their targeting decisions without giving "extraneous information" to overseers. [FISA judge: Ability to police U.S. spying program is limited] The Obama administration has provided almost no public information about the NSA’s compliance record. In June, after promising to explain the NSA’s record in “as transparent a way as we possibly can,” Deputy Attorney General James Cole described extensive safeguards and oversight that keep the agency in check. “Every now and then, there may be a mistake,” Cole said in congressional testimony. The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders. In a statement in response to questions for this article, the NSA said it attempts to identify problems “at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down.” The government was made aware of The Post’s intention to publish the documents that accompany this article online. “We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity. “You can look at it as a percentage of our total activity that occurs each day,” he said. “You look at a number in absolute terms that looks big, and when you look at it in relative terms, it looks a little different.” There is no reliable way to calculate from the number of recorded compliance issues how many Americans have had their communications improperly collected, stored or distributed by the NSA. The causes and severity of NSA infractions vary widely. One in 10 incidents is attributed to a typographical error in which an analyst enters an incorrect query and retrieves data about U.S phone calls or e-mails. But the more serious lapses include unauthorized access to intercepted communications, the distribution of protected content and the use of automated systems without built-in safeguards to prevent unlawful surveillance. The May 2012 audit, intended for the agency’s top leaders, counts only incidents at the NSA’s Fort Meade headquarters and other -facilities in the Washington area. Three government officials, speaking on the condition of anonymity to discuss classified matters, said the number would be substantially higher if it included other NSA operating units and regional collection centers. Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit until The Post asked her staff about it, said in a statement late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.” Despite the quadrupling of the NSA’s oversight staff after a series of significant violations in 2009, the rate of infractions increased throughout 2011 and early 2012 . An NSA spokesman declined to disclose whether the trend has continued since last year. One major problem is largely unpreventable, the audit says, because current operations rely on technology that cannot quickly determine whether a foreign mobile phone has entered the United States. In what appears to be one of the most serious violations, the NSA diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection. The operation to obtain what the agency called “multiple communications transactions” collected and commingled U.S. and foreign e-mails, according to an article in SSO News, a top-secret internal newsletter of the NSA’s Special Source Operations unit. NSA lawyers told the court that the agency could not practicably filter out the communications of Americans. In October 2011, months after the program got underway, the Foreign Intelligence Surveillance Court ruled that the collection effort was unconstitutional. The court said that the methods

7

Zero Days Negative – MI 7used were “deficient on statutory and constitutional grounds,” according to a top-secret summary of the opinion, and it ordered the NSA to comply with standard privacy protections or stop the program.

The plan doesn’t solve basic NSA surveillance --- that makes corporate trust impossibleKehl, 14 (July, 2014, Danielle Kehl is a senior policy analyst at New America's Open Technology Institute, where she researches and writes about technology policy. , “Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & Cybersecurity” https://www.newamerica.org/downloads/Surveilance_Costs_Final.pdf)

Certainly, the actions of the NSA have created a serious trust and credibility problem for the United States and its Internet industry. “All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA,” wrote security expert Bruce Schneier in September 2013.225 However, beyond undermining faith in American government and business, a variety of the NSA’s efforts have undermined trust in the security of the Internet itself. When Internet users transmit or store their information using the Internet, they believe—at least to a certain degree—that the information will be protected from unwanted third-party access. Indeed, the continued growth of the Internet as both an economic engine and an as avenue for private communication and free expression relies on that trust. Yet, as the scope of the NSA’s surveillance dragnet and its negative impact on cybersecurity comes into greater focus, that trust in the Internet is eroding.226 Trust is essential for a healthy functioning society. As economist Joseph Stiglitz explains, “Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability.”227 Individuals rely on online systems and services for a growing number of sensitive activities, including online banking and social services, and they must be able to trust that the data they are transmitting is safe. In particular, trust and authentication are essential components of the protocols and standards engineers develop to create a safer and more secure Internet, including encryption.228 The NSA’s work to undermine the tools and standards that help ensure cybersecurity—especially its work to thwart encryption—also undermines trust in the safety of the overall network. Moreover, it reduces trust in the United States itself, which many now perceive as a nation that exploits vulnerabilities in the interest of its own security.220 This loss of trust can have a chilling effect on the behavior of Internet users worldwide.230 Unfortunately, as we detail below, the growing loss of trust in the security of Internet as a result of the latest disclosures is largely warranted. Based on the news stories of the past year, it appears that the Internet is far less secure than people thought—a direct result of the NSA’s actions. These actions can be traced to a core contradiction in NSA’s two key missions: information assurance—protecting America’s and Americans’ sensitive data—and signals intelligence—spying on telephone and electronic communications for foreign intelligence purposes

8

Zero Days Negative – MI 72NC ALT CAUSES

Can’t solve corporate trust – NSA does a lot of pretty evil things Sasso 14 [Brendan, technology correspondent for National Journal, previously covered technology policy issues for The Hill and was a researcher and contributing writer for the 2012 edition of the Almanac of American Politics, “The NSA Isn't Just Spying on Us, It's Also Undermining Internet Security,” National Journal, April 29, 2014, http://www.nationaljournal.com/daily/the-nsa-isn-t-just-spying-on-us-it-s-also-undermining-internet-security-20140429] //khirn

He said that company officials have historically discussed cybersecurity issues with the NSA, but that he wouldn’t be surprised if those relationships are now strained. He pointed to news that the NSA posed as Facebook to infect computers with malware. “That does a lot of harm to companies’ brands, ”

Soltani said. The NSA’s actions have also made it difficult for the U.S. to set international norms for cyberconflict. For several years, the U.S. has tried to pressure China to scale back its cyberspying operations, which allegedly steal trade secrets from U.S. businesses. Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, said the U.S. has “militarized cyber policy.” “The United States has been saying that the world needs to operate according to certain norms,” he said. “It is difficult to get the norms that we want because it appears to the rest of the world that we only want to follow the norms that we think are important.” Vines, the NSA spokeswoman, emphasized that the NSA would never hack into foreign networks to give domestic companies a competitive edge (as China is accused of doing). “We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line,” she said. Jim Lewis, a senior fellow with the Center for Strategic and International Studies, agreed that NSA spying to stop terrorist attacks is fundamentally different from China stealing business secrets to boost its own economy. He also said there is widespread misunderstanding of how the NSA works , but he acknowledged that there is a “trust problem —

justified or not.” He predicted that rebuilding trust with the tech community will be one of the top challenges

for Mike Rogers, who was sworn in as the new NSA director earlier this month. “All the tech companies are in varying degrees unhappy and not eager to have a close relationship with NSA,” Lewis said.

9

Zero Days Negative – MI 72NC CYBERSECURITY IMPOSSIBLE

True cybersecurity doesn’t exist, impact inevitableVillasenor 14 (John Villasenor; Professor, UCLA; Nonresident senior fellow at the Brookings Institution; National Fellow at the Hoover Institution. manuscript of an article to be published in the American Intellectual Property Law Association Quarterly Journal, 2015: “Corporate Cybersecurity Realism: Managing Trade Secrets in a World Where Breaches Occur” published August 28, 2014. Accessed June 24, 2015. http://poseidon01.ssrn.com/delivery.php?ID=347005106102011003080125018116007000009034067081071060081068017000117077089066011073126035037037025005058020000072094121097017060073073001035007006103107126028000127081002001029090093119117091094066083082080081069023080104113079101072079088008078064&EXT=pdf&TYPE=2) KalMIt would be an understatement to call trade secret cybersecurity a complex challenge. Trade secrets stored on company networks are ripe targets for cyberintruders who have continuing access to new vulnerabilities, including via a robust global market for zero day exploits. When a company can have hundreds or thousands of laptop computers, servers, tablets, and smartphones; all of the associated software; and employees with varying degrees of security awareness, how can security of economically valuable confidential information be assured ? The answer, unsurprisingly, is that it can’t . As a result,

the “every company has been hacked” theme has become a popular refrain in discussions about cybersecurity. In 2011 Dimitri Alperovitch, who was then with McAfee and went on to found cybersecurity company CrowdStrike, wrote, “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”2 In a speech at the 2012 RSA conference, then-FBI Director Robert S. Mueller, III said “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”3 So what should companies do? First and most obviously companies need to take all reasonable steps to minimize the ability of cyber-intruders to get into their systems and make off with their trade secrets. There is a multibillion-dollar industry of products and services available to help plug security holes, and many companies have made cybersecurity a top priority. But there is no such thing as perfect cybersecurity. Sometimes, despite all efforts to the contrary, skilled attackers intent on obtaining trade secrets will find their way into company systems. This inevitability leads to a second aspect of the corporate cybersecurity challenge that is not generally appreciated: Companies need to manage their intellectual property in light of the affirmative knowledge that their computer systems will sometimes be breached.

Bugs will always occur and be hard to find – no aff solvencyBellovin et al 14 (Steven M. Bellovin (computer science prof at Columbia), Matt Blaze (associate prof at UPenn, Sandy Clark (Ph.D student at UPenn), & Susan Landau (Guggenheim fellow), April 2014, Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern Journal of Technology and Intellectual Property, April, 2014, 12 Nw. J. Tech. & Intell. Prop. 1, lexis) /AMarb **We don’t endorse ableist languageP67 We are suggesting use of pre-existing vulnerabilities for lawful access to communications. To understand why this is plausible, it is important to know a fundamental tenet of software engineering: bugs happen. In his classic The Mythical Man-Month, Frederick Brooks explained why: First, one must perform perfectly. The computer resembles the magic of legend in this respect, too. If one character, one pause, of the incantation is not strictly in proper form, the magic doesn't work. Human beings are not accustomed to being perfect, and few areas of human activity demand it. Adjusting to the requirement for perfection is, I think, the most difficult part of learning to program. n114 P68 Because computers, of course, are dumb--they do exactly what they are told to do-- programming has to be absolutely precise and correct. If a computer is told to do something stupid, it does it, while a human being would notice there is a problem. A person told to walk 50 meters then turn left would realize that there was an obstacle present, and prefer the path 52 meters down rather than walking into a tree trunk. A computer would not, unless it had been specifically programmed to check for an impediment in its path. If it has not been programmed that way--if there is virtually any imperfection in code--a bug will result. The circumstances which might cause that bug to become apparent may be rare, but it would nonetheless be a bug. n115 If this bug should happen to be in a security-

10

Zero Days Negative – MI 7critical section of code, the result may be a vulnerability. P69 A National Research Council study described the situation this way: [*28] [A]n overwhelming majority of security vulnerabilities are caused by "buggy" code. At least a third of the Computer Emergency Response Team (CERT) advisories since 1997, for example, concern inadequately checked input leading to character string overflows (a problem peculiar to C programming language handling of character strings). Moreover, less than 15 percent of all CERT advisories described problems that could have been fixed or avoided by proper use of cryptography. n116 P70 It would seem that bugs should be easy to eliminate: test the program and fix any problems that show up. Alas, bugs can be fiendishly hard to find, and complex programs simply have too many possible branches or execution paths to be able to test them all. n117

Cyber security impossible to be prepared for - threats are too rapidly developingOpenDNS, 2014(“Rethinking Cyber Security” OpenDNS is a security company operating out of San Francisco, http://www.gridcybersec.com/cybersecurity-research/prevention-is-no-match-for-persistence)

Today, most IT security is based on prevention – an attempt to create counter measures against previously identified tactics and threats. In theory, understanding how hackers attack us helps us prepare our best defenses against them. But in practice, we can never build our virtual walls high or strong enough to serve as sufficient barricades. For starters, old tactics evolve and new tactics emerge at a rate impossible for security professionals to match. Spear phishing targets our most vulnerable employees and watering holes attract the unwary. Our best “sandbox” malware analyses can miss some of the latest suspect behaviors. It’s impossible to predict when and where the technologies we rely upon, such as Flash or Java, will suffer the exploitation of a previously undetected (a.k.a. zero-day) vulnerability. Worse, practice makes perfect. The key part of any advanced persistent threat (APT) is the persistence; even relatively basic, “off the shelf” malware can become powerful when it is applied repeatedly across a wide attack surface. As our digital borders, via private and public cloud services and mobile users and devices, expand they become more porous and our digital line in the sand becomes too big to defend. For enterprises or organizations at any scale, prevention alone can never be a sufficient defense: our security professionals must be right and fast all the time, but cyberattackers just need to be effective once, over any time period.

Cyber security won’t happen – the internet is too large a beast to conquerZimmer, 41 March 2004, “The tensions of securing cyberspace: the Internet, state power & the National Strategy to Secure Cyberspace,” Michael T. Zimmer is a doctoral student in Media Ecology in the Department of Culture and Communication at New York University. http://firstmonday.org/ojs/index.php/fm/article/view/1125/1045

The rise of information technologies, including the Internet, impacts the way governance is organized and power is exercised in our society. As Castells notes, "Networks constitute the new social morphology of our societies, and the diffusion of networking logic substantially modifies the operation and outcomes in processes of production, experience, power and culture" [10]. This poses immense constraints on any government’s attempt to secure cyberspace. While the structural tensions noted above seem clear, more abstract constraints to State power lurk just below the surface, exposing deep substantive tensions. These include challenges to the hierarchical structures of the nation–state, the blurring of territorial boundaries, and general resistance to power in a society increasingly focused on control. Information technology networks contribute to the departure from traditional hierarchical authoritative contexts privileging nation–states. As Arquilla and Ronfeldt explain, the rise of global information networks sets in motion forces that challenge the hierarchical design of many institutions: "It disrupts and erodes the hierarchies around which institutions are normally designed. It diffuses and redistributes power, often to the benefit of what may be considered weaker, smaller actors. It crosses borders, and redraws the boundaries of offices and responsibilities. It expands the spatial and temporal horizons that actors should take into

11

Zero Days Negative – MI 7account. And thus, it generally compels closed systems to open up." [11] As a consequence of the Internet’s capacity for anarchic global communication, new global institutions are being formed that are preponderantly sustained by network rather than hierarchical structures — examples include peer–based networks such as Slashdot.org, or even the IETF itself. Such global, interconnected networks help to flatten hierarchies, often transforming them altogether, into new types of spaces where traditional sovereign territoriality itself faces extinction.

12

Zero Days Negative – MI 72NC STATUS QUO SOLVES

Project Zero solves the aff – companies are eliminating bugsSanger and Perlroth 15 – New York Times Reporters (David and Nicole, Feb 12, 2015, New York Times, Obama Heads to Tech Security Talks Amid Tensions, http://www.nytimes.com/2015/02/13/business/obama-heads-to-security-talks-amid-tensions.html?_r=0) /AMarbPALO ALTO, Calif. — President Obama will meet here on Friday with the nation’s top technologists on a host of cybersecurity issues and the threats posed by increasingly sophisticated hackers. But nowhere on the agenda is the real issue for the chief executives and tech company officials who will gather on the Stanford campus: the deepening estrangement between Silicon Valley and the government. The long history of quiet cooperation between Washington and America’s top technology companies — first to win the Cold War, then to combat terrorism — was founded on the assumption of mutual interest. Edward J. Snowden’s revelations shattered that. Now, the Obama administration’s efforts to prevent companies from greatly strengthening encryption in commercial products like Apple’s iPhone and Google’s Android phones has set off a new battle, as the companies resist government efforts to make sure police and intelligence agencies can crack the systems. And there is continuing tension over the government’s desire to stockpile flaws in software — known as zero days — to develop weapons that the United States can reserve for future use against adversaries. “What has struck me is the enormous degree of hostility between Silicon Valley and the government,” said Herb Lin, who spent 20 years working on cyberissues at the

National Academy of Sciences before moving to Stanford several months ago. “ The relationship has been poisoned, and it’s not going to recover anytime soon.” Mr. Obama’s cybersecurity coordinator, Michael Daniel, concedes there are tensions. American firms, he says, are increasingly concerned about international competitiveness, and that means making a very public show of their efforts to defeat American intelligence-gathering by installing newer, harder-to-break encryption systems and demonstrating their distance from the United States government. The F.B.I., the intelligence agencies and David Cameron, the British prime minister, have all tried to stop Google, Apple and other companies from using encryption technology that the firms themselves cannot break into — meaning they cannot turn over emails or pictures, even if served with a court order. The firms have vociferously opposed government requests for such information as an intrusion on the privacy of their customers and a risk to their businesses. “In some cases that is driving them to resistance to Washington,” Mr. Daniel said in an interview. “But it’s not that simple. In other cases, with what’s going on in China,” where Beijing is insisting that companies turn over the software that is their lifeblood, “they are very interested in getting Washington’s help.” Mr. Daniel’s reference was to Silicon Valley’s argument that keeping a key to unlocking terrorists’ secret communications, as the government wants them to do, may sound reasonable in theory, but in fact would create an opening for others. It would also create a precedent that the Chinese, among others, could adopt to ensure they can get into American communications, especially as companies like Alibaba, the Chinese Internet giant, become a larger force in the American market. “A stupid approach,” is the assessment of one technology executive who will be seeing Mr. Obama on Friday, and who asked to speak anonymously. That tension — between companies’ insistence that they cannot install “back doors” or provide “keys” giving access to law enforcement or intelligence agencies and their desire for Washington’s protection from foreign nations seeking to exploit those same products — will be the subtext of the meeting. That is hardly the only point of contention. A year after Mr. Obama announced that the government would get out of the business of maintaining a huge database of every call made inside the United States, but would instead ask the nation’s telecommunications companies to store that data in case the government needs it, the companies are slow-walking the effort. They will not take on the job of “bulk collection” of the nation’s communications, they say, unless Congress forces them to. And some executives whisper it will be at a price that may make the National Security Administration’s once-secret program look like a bargain. The stated purpose of Friday’s meeting is trying to prevent the kinds of hackings that have struck millions of credit card holders at Home Depot and Target. A similar breach revealed the names, Social Security numbers and other information of about 80 million people insured by Anthem, the nation’s second-largest health insurer. Mr. Obama has made online security a major theme, making the case in his State of the Union address that the huge increase in attacks during his presidency called for far greater protection. Lisa Monaco, Mr. Obama’s homeland security adviser, said this week that attacks have increased fivefold since the president came to office; some, like the Sony Pictures attack, had a clear political agenda. The image of Kim Jong-un, the North Korean leader, shown in the Sony Pictures comedy “The Interview” has been emblazoned in the minds of those who downloaded the film. But the one fixed in the minds of many Silicon Valley executives is the image revealed in photographs and documents released from the Snowden trove of N.S.A. employees slicing open a box containing a Cisco Systems server and placing “beacons” in it that could tap into a foreign computer network. Or the reports of how the N.S.A. intercepted email traffic moving between Google and Yahoo servers. “The government is realizing they can’t just blow into town and let bygones be bygones,” Eric Grosse, Google’s vice president

of security and privacy, said in an interview. “Our business depends on trust. If you lose it, it takes years to regain .” When it comes to matters of security, Mr. Grosse said, “Their mission is clearly different than ours. It’s a source of continuing tension. It’s not like if they just wait, it will go away.” And while Silicon Valley executives have made a very public argument over encryption, they have been fuming quietly over the government’s use of zero-day flaws. Intelligence agencies are intent on finding or buying information about those flaws in widely used hardware and software, and information about the flaws often sells for hundreds of thousands of dollars on the

13

Zero Days Negative – MI 7black market. N.S.A. keeps a potent stockpile, without revealing the flaws to manufacturers. Companies like Google, Facebook, Microsoft and Twitter are fighting back by paying “bug bounties” to friendly hackers who alert them to serious bugs in their systems so they can be fixed. And last July, Google took the effort to another level. That month, Mr. Grosse began recruiting some of the world’s best bug hunters to track down and neuter the very bugs that intelligence agencies and military contractors have been paying top dollar for to add to their arsenals. They called the effort “Project Zero ,” Mr. Grosse says, because the ultimate goal is to bring the number of bugs down to zero. He said that “Project Zero” would never get the number of bugs down to

zero “but we’re going to get close.” The White House is expected to make a series of decisions on encryption in the coming weeks. Silicon Valley executives say encrypting their products has long been a priority, even before the revelations by Mr. Snowden, the former N.S.A. analyst, about N.S.A.’s surveillance, and they have no plans to slow down. In an interview last month, Timothy D. Cook, Apple’s chief executive, said the N.S.A. “would have to cart us out in a box” before the company would provide the government a back door to its products. Apple recently began encrypting phones and tablets using a scheme that would force the government to go directly to the user for their information. And intelligence agencies are bracing for another wave of encryption.

14

Zero Days Negative – MI 7

CRITICAL INFRASTRUCTURE ADVANTAGE

15

Zero Days Negative – MI 71NC CRITICAL INFRASTRUCTURE

Reject doom and gloom predictions --- redundancies check major collapse Hodgson 15 [Quentin E., Chief of Staff for Cyber Policy, Office of the Secretary of Defense, Occasional Papers Series, conference, published by the Dean Rusk Center for International Law and Policy, 4-1-2015, “Cybersecurity and National Defense: Building a Public-Private Partnership,” http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc] //khirn

A lot of the time — and I’ll just close with this — a lot of the time, when we talk about cyberspace, there’s lots of doom and gloom. I just want to get back to the piece about critical infrastructure. You know, you’ll hear people talk about the zero-day exploits , gray and black markets and how people are constantly scanning critical infrastructure. I think it’s a very important thing that we need to track, but I think it’s also very important to understand, from

at least the Department of Defense perspective: systemic failure of these kinds of systems is not an easy thing to do . And so we have to really be very cautious about how we think about these kinds of threats. There are certainly threats to a power substation, for instance, that can come through cyberspace, but does that mean the entire system will go down? Probably not . In fact, given where I live–my local company is PEPCO, one of the most hated companies in America — and one thing they’ve gotten very good at is not having a functioning system that they are able to get back up and running again, and we manage to live through that. On the other hand, if somebody was to target, for instance, the power generation side of things, not the distribution side of things, GE, for instance, does not have large-scale gas turbines just sitting on a shelf. It doesn’t make sense for them to do that. That’s the case where, if somebody could use a cyber attack to disable a large swath of those kinds of machines, to kind of go “stucksnet” on them, to coin a phrase, that could have a significant impact to the United States. But we have to understand that that’s something that for the most part, is only within the reach of very few nation-states , and we think that’s still the case. There may be some very talented

individuals out there, but understanding the complexity of these systems and that there are redundancies in these systems, we should note a word of caution: we have to be prepared to address

these threats, but we shouldn’t be slaves to the doom and gloom all the time and should understand what’s real and what’s not real when it comes to these risks. So, with that, I’ll conclude my remarks and thank you.

Low probability of attack – difficulty and cost Rid and Buchanan 14 -- professor in the Department of War Studies at King’s College London and PhD candidate (Thomas and Ben, 12/23/2014, Attributing Cyber Attacks, pg. 21, Taylor and Francis online, http://dx.doi.org/10.1080/01402390.2014.977382) /AMarb

Computer network exploitation requires preparation. Analysing the abilities required to breach a specific network can be a useful clue in the attribution process. The Stuxnet attack on Iran’s heavily-guarded nuclear enrichment facility was highly labour-intensive. The malware’s payload required superb target-specific information, for instance hardto-get details about specific frequency-converter drives used to control rotational speeds of motors; about the detailed technical parameters of the Iranian IR-1 centrifuges in Natanz; or about the resonance-inducing critical input frequency for the specific configuration of these machines.48 Stuxnet also used an unprecedented number of zero days, four or five, and exhibited the first-ever rootkit for a programmable logic controller (used to control industrial machinery).49 These characteristics drastically limited the number of possible perpetrators. Other preparations include target reconnaissance and payload testing capabilities. Again Stuxnet is a useful example: the attack reprogrammed a complex target system to achieve a kinetic effect. This required advance testing.50 The testing environment would have to use IR-1 centrifuges. Such machinery can be expensive and hard to obtain. No non-state actor, and indeed few governments, would likely have the capability to test Stuxnet, let alone build and deploy it. This further narrows the possibilities.

16

Zero Days Negative – MI 7Zero chance of effective cyber attack Lin 14 [Patrick, “Just the Right Amount of Cyber Fear,” The Atlantic, January 6, 2014, theatlantic.com/technology/archive/2014/01/just-the-right-amount-of-cyber-fear/282787] //khirn

Likewise, “cyberterrorism” is a much-ballyhooed but vague fear: a “term like cyberterrorism has as much clarity as cybersecurity, that is none at all.” The fear also doesn’t seem to match the hype : ... the “Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility for a series of denial-of-service attacks on five U.S. banking firms. While many believe they stole credit for cybercriminals’ work, the effects of the attacks were negligible, shutting down customer access to the sites for a few hours. Most customers didn’t even know there had been an attack. Take out the word “cyber” and we wouldn’t even call such a nuisance “terrorism” … As one cyber expert put it to us, “There are threats out there, but there are no threats that threaten our

fundamental way of life.” Perhaps to Iran, the Stuxnet worm is a clear example of a cyberterrorist attack, if not an outright act of cyberwar. The malware blew up Iran’s nuclear centrifuges and their replacement for over a year—key equipment in their alleged illegal development of nuclear weapons. Singer and Friedman not only walk us through this dramatic operation—a real-life Mission: Impossible plot—but they also use Stuxnet as a case study in ethical cyberweapons. In contrast to indiscriminate malware, such as an email virus, Stuxnet was designed to activate under highly specific conditions that narrowed its target to one, e.g., only if exactly 984 centrifuges were linked together and controlled by a certain operating system. This specificity and requisite inside knowledge reveals how hard it is to hit a weapons lab or any other sensitive facility, and therefore how unlikely cyberterrorism might be : To cause true damage entails

an understanding of the devices themselves: how they run, their engineering, and their underlying physics. Stuxnet, for example, involved cyber experts as well as experts in nuclear physics and engineers familiar with a specific kind of Siemens-brand industrial equipment. On top of the required expertise, expensive software tests had to be conducted on working versions of the target hardware. As a professor at the U.S. Naval Academy [George

Lucas] explains, “the threat of cyber terrorism, in particular, has been vastly overblown ,” because

conducting a truly mass-scale act of terrorism using cyber means “simply outstrips the intellectual, organizational, and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises. To be blunt: neither the 14-year old hacker in your next-door neighbor’s upstairs bedroom, nor the two or three person al Qaeda cell holed up in some apartment in Hamburg are going to bring down the Glen Canyon and Hoover Dams.” By comparison, the entire 9/11 plot cost less than $250,000 in travel and organizational costs and used simple box-cutters.

17

Zero Days Negative – MI 71NC GRID IMPACT

Power grid is attacked twice a week anyway, no impactToppa 3/25 (SABRINA TOPPA: a journalist in Asia, formerly working at TIME Magazine’s Asia headquarters in Hong Kong. Before this, she also worked at Kathmandu Post in Nepal and the Dhaka Tribune in Bangladesh after serving as Rice University’s Zeff Fellow from 2013-2014. Time Magazine: “The National Power Grid Is Under Almost Continuous Attack, Report Says.” Published March 25th, 2015. Accessed June 26, 2015. http://time.com/3757513/electricity-power-grid-attack-energy-security/) KalMThe U.S. national power grid faces physical or online attacks approximately “once every four days,” according to a new investigation by USA Today, threatening

to plunge parts of the country into darkness. For its report, USA Today scrutinized public records, national energy data and records from 50 electric utilities. It found that from 2011 to 2014, the U.S. Department of Energy received 362 reports from electric utilities of physical or cyber attacks that interrupted power services. In 2013, a Department of Homeland Security branch recorded 161 cyber attacks on the energy sector, compared to just 31 in 2011. Worryingly, most of the nation’s power infrastructure has poor defenses — sometimes only a security camera and fence. In April 2013, PG&E Corp’s Metcalf Transmission Substation in California reported that over 100 ammunition rounds were fired into its transformers, causing over $15 million worth of damage. The gunmen were never apprehended — neither have the perpetrators of over 300 physical attacks on electricity infrastructure since 2011.

Utilities are un-hackableTanji 10 [Michael, spent 20 years in the US intelligence community; veteran of the US Army; served in strategic and tactical assignments worldwide; participated in national and international analysis and policy efforts for the NIC, NSC and NATO; Claremont Institute Lincoln Fellow and Senior Fellow at the Center of Threat Awareness; lectures on intelligence issues at The George Washington University, 7/13/10, “Hacking the Electric Grid? You and What Army?,” http://www.wired.com/dangerroom/2010/07/hacking-the-electric-grid-you-and-what-army] //khirn

People have claimed in the past to be able to turn off the internet, there are reports of foreign penetrations into government systems, “proof” of foreign interest in attacking U.S. critical infrastructure based on studies, and concerns about adversary capabilities based on allegations of successful critical infrastructure attacks. Which begs the question: If it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often? The fact of the matter is that it isn’t easy to do any of these things. Your average power grid or drinking-water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit. To start, these systems are rarely connected directly to the public internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.

18

Zero Days Negative – MI 72NC GRID IMPACT

Grids are very resilientAvila 12 (Jim, Senior National Correspondent at ABC News, “A U.S. Blackout as Large as India’s? ‘Very Unlikely’”, http://abcnews.go.com/blogs/headlines/2012/07/a-u-s-blackout-as-large-as-indias-very-unlikely/)

As India recovers from a blackout that left the world’s second-largest country — and more than 600 million residents — in the dark, a ripple of uncertainty moved through the Federal Regulatory Commission’s command center today in the U.S. The Indian crisis had some people asking about the vulnerability of America’s grid. “What people really want to know today is, can something like India happen here? So if there is an outage or some problem in the Northeast, can it actually spread all the way to California,” John Wellinghoff, the commission’s chairman, told ABC News. “It’s very, very unlikely that ultimately would happen.” Wellinghoff said that first, the grid was divided in the middle of the nation. Engineers said that it also was monitored more closely than ever. The grid is checked for line surges 30 times a second . Since the Northeast blackout in 2003 — the largest in the U.S., which affected 55 million — 16,000 miles of new transmission lines have been added to the grid . And even though some lines in the Northeast are more than 70 years old, Wellinghoff said that the chances of a blackout like India’s were very low.

Status quo solves grid cyber vulnerability Clark, 124/28/12, “The Risk of Disruption or Destruction of Critical U.S. Infrastructure by an Offensive Cyber Attack,” Paul Clark is an MA candidate in intelligence/terrorism studies at the American Military University, http://blog.havagan.com/wp-content/uploads/2012/05/The-Risk-of-Disruption-or-Destruction-of-Critical-U.S.-Infrastructure-by-an-Offensive-Cyber-Attack.pdfAn attack against the electrical grid is a reasonable threat scenario since power systems are "a high priority target for military and insurgents" and there has been a trend towards utilizing commercial software and integrating utilities into the public Internet that has "increased vulnerability across the board" (Lewis 2010). Yet the increased vulnerabilities are mitigated by an increased detection and deterrent capability that has been "honed over many years of practical application" now that power systems are using standard, rather than proprietary and specialized, applications and components (Leita and Dacier 2012). The security of the electrical grid is also enhanced by increased awareness after a smart-grid hacking demonstration in 2009 and the identification of the Stuxnet malware in 2010: as a result the public and private sector are working together in an "unprecedented effort" to establish robust security guidelines and cyber security measures (Gohn and Wheelock 2010).

Grids are actively improvingKoerth-Baker, 12(8/3/12 Maggie Koerth-Baker is a science editor – Boing Boing, columnist – NYT Magazine, electric grid expert, , “Blackout: What's wrong with the American grid,” http://boingboing.net/2012/08/03/blackout-whats-wrong-with-t.html)But this is about more than mere bad luck. The real causes of the 2003 blackout were fixable problems, and the good news is that, since then, we’ve made great strides in fixing them . The bad news, say some grid experts, is that we’re still not doing a great job of preparing our electric infrastructure for the future. Let’s get one thing out of the way right up front: The North American electric grid is not one bad day away from the kind of catastrophic failures we saw in India this week. I’ve heard a lot of people speculating on this, but the folks who know the

19

Zero Days Negative – MI 7grid say that, while such a huge blackout is theoretically possible, it is also extremely unlikely. As Clark Gellings, a fellow at the Electric Power Research Institute put it, “An engineer will never say never,” but you should definitely not assume anything resembling an imminent threat at that scale. Remember, the blackouts this week cut power to half of all Indian electricity customers. Even the 2003 blackout—the largest blackout in North America ever—only affected about 15% of Americans. We don’t know yet what, exactly, caused the Indian blackouts, but there are several key differences between their grid and our grid. India’s electricity is only weakly tied to the people who use it, Gellings told me. Most of the power plants are in the far north. Most of the population is in the far south. The power lines linking the two are neither robust nor numerous. That’s not a problem we have in North America. Likewise, India has considerably more demand for electricity than it has supply. Even on a good day, there’s not enough electricity for all the people who want it, said Jeff Dagle, an engineer with the Pacific Northwest National Laboratory’s Advanced Power and Energy Systems research group. “They’re pushing their system much harder, to its limits,” he said. “If they have a problem, there’s less cushion to absorb it. Our system has rules that prevent us from dipping into our electric reserves on a day-to-day basis. So we have reserve power for emergencies.

Military computers are resilientWeimann 4Gabriel Weimann, senior fellow at the United States Institute of Peace and professor of communication at the University of Haifa, Israel, 2004, Cyberterrorism How Real Is the Threat?, ttp://www.usip.org/files/resources/sr119.pdf

Neither al Qaeda nor any other terrorist organization appears to have tried to stage a serious cyberattack. For now, insiders or individual hackers are responsible for most attacks and intrusions and the hackers’ motives are not political. According to a report issued in 2002 by IBM Global Security Analysis Lab, 90 percent of hackers are amateurs with limited technical proficiency, 9 percent are more skilled at gaining unauthorized access but do not damage the files they read, and only 1 percent are highly skilled and intent on copying files or damaging programs and systems. Most hackers, it should be noted, try to expose security flaws in computer software, mainly in the operating systems produced by Microsoft. Their efforts in this direction have sometimes embarrassed corpo- rations but have also been responsible for alerting the public and security professionals to serious security flaws. Moreover, although there are hackers with the ability to damage systems, disrupt e-commerce, and force websites offline, the vast majority of hackers do not have the necessary skills and knowledge. The ones who do, generally do not seek to wreak havoc. Douglas Thomas, a professor at the University of Southern California, spent seven years studying computer hackers in an effort to understand better who they are and what motivates them. Thomas interviewed hundreds of hackers and explored their “literature.” In testimony on July 24, 2002, before the House Subcommittee on Govern- ment Efficiency, Financial Management and Intergovernmental Relations, Thomas argued that “with the vast majority of hackers, I would say 99 percent of them, the risk [of cyberterrorism] is negligible for the simple reason that those hackers do not have the skill or ability to organize or execute an attack that would be anything more than a minor inconvenience.” His judgment was echoed in Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats, a 2002 report for the Center for Strategic and International Studies, written by Jim Lewis, a sixteen-year veteran of the State and Commerce Depart- ments. “The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously,” Lewis argued. “Nations are more robust than the early analysts of cyberterrorism and cyberwarfare give them credit for. Infrastructure systems [are] more flexible and responsive in restoring service than the early analysts realized, in part because they have to deal with failure on a routine basis.” Many computer security experts do not believe that it is possible to use the Internet to inflict death on a large scale. Some pointed out that the resilience of computer systems to attack is the result of significant investments of time, money, and expertise. As Green describes, nuclear weapons systems are protected by “air- gapping” : they are not connected to the Internet or to any open computer network and thus they cannot be accessed by intruders, terrorists, or hackers . Thus, for example, the Defense Department protects sensitive systems by isolating them from the Internet and even from the Pentagon’s own internal network . The CIA’s classified computers are also air- gapped, as is the FBI’s entire computer system.

20

Zero Days Negative – MI 7

Cyber-attacks don’t threaten electrical gridLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMThe U.S. has already run a large-scale experiment on the effects of disrupting electrical power supplies, thanks to California’s experience with ‘deregulation’ last year. California’s efforts to de-regulate the electrical power market resulted in months of blackouts and rolling brownouts across the state. Deregulation was a more powerful ‘attack’ on the electrical infrastructure than anything a cyber-terrorist could mount. There was clearly economic cost to the California regulatory event, but it was not crippling nor did it strike terror into the hearts of Americans. Similarly, power outages across the country in 1999 affected millions of people and cost electrical power customers millions of dollars in lost business and productivity. These outages were the result of increased electricity use prompted by sustained high summer temperatures. In contrast to California’s State government or hot weather, the number of blackouts in U.S. caused by hackers or cyber-terrorists remains zero.

21

Zero Days Negative – MI 71NC WATER IMPACT

Cyber terror isn’t a threat to water supply: old tech, no effect, and high difficultyLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMIn the United States, the water supply infrastructure would be an elusive target for cyber attack. There are 54,064 separate water systems in the U.S. Of these, 3,769 water systems serve eighty one percent of the population and 353 systems served forty-four percent of the population. However, the uneven spread of diverse network technologies complicates the terrorists’ task. Many of these water supply systems in the U.S., even in large cities, continue to rely on technologies not easily disrupted by network attacks. There have been cases in the U.S. when a community’s water supply has been knocked out for days at a time (usually as a result of flooding), but these have produced neither terror nor paralysis . A cyber terrorist or cyber warrior would need to carry out a sustained attack that would simultaneously disrupt several hundred of these systems to gain any strategic benefit. Assuming that a terrorist could find a vulnerability in a water supply system that would allow him to shut down one city’s water for a brief period, this vulnerability could be exploited to increase the damage of a physical attack (by denying fire fighters access to water). In general, a cyber attack that alone might pass unnoticed in the normal clutter of daily life could have useful multiplier effects if undertaken simultaneously with a physical

attack. This sort of simultaneous combination of physical and cyber attacks might be the only way in which cyber weapons could be attractive to terrorists. The American Waterworks Association assessment of the terrorist threat to water supplies placed “physical destruction of the system's components to disrupt the supply of water” as the most likely source of infrastructure attack.4

No cyber terror riskLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMWhile the press has reported that government officials are concerned over Al Qaeda plans to

use the Internet to wage cyber-terrorism , these stories often recycle the same hypothetical scenarios previously attributed to foreign governments’ cyber-warfare efforts. The risk remains hypothetical but the antagonist has changed from hostile states to groups like Al Qaeda. The only new element attributed to Al Qaeda is that the group might use cyber attacks to disrupt emergency services in order to reinforce and multiply the effect of a physical attack. If cyber-attacks were feasible, the greatest risk they might pose to national security is as corollaries to more traditional modes of attacks.

Resource wars don’t happen, their ev is hypeVictor 07 (David G. Victor is a professor of law at Stanford Law School and the director of the Program on Energy and Sustainable Development. He is a senior fellow at the Council on

22

Zero Days Negative – MI 7Foreign Relations, where he directed a task force on energy security. He is also a frequent writer on natural resource policy. The National Interest: “What Resource Wars?” published November/December, 2014. Accessed June 26, 2015. http://pages.ucsd.edu/~dgvictor/publications/Faculty_Victor_Article_2007_What%20Resource%20Wars_The%20National%20Interest.pdf) KalMRising energy prices and mounting concerns about environmental depletion have animated fears that the world may be headed for a spate of “resource wars”— hot conflicts triggered by a struggle to grab valuable resources. Such fears come in many stripes, but the threat industry has sounded the alarm bells especially loudly in three areas. First is the rise of China, which is poorly endowed with many of the resources it needs—such as oil, gas, timber and most minerals—and has already “gone out” to the world with the goal of securing what it wants. Violent conflicts may follow as the country shunts others aside. A second potential path down the road to resource wars starts with all the money now flowing into poorly governed but resource-rich countries. Money can fund civil wars and other hostilities, even leaking into the hands of terrorists. And third is global climate change, which could multiply stresses on natural resources and trigger

water wars, catalyze the spread of disease or bring about mass migrations. Most of this is bunk, and nearly all of it has focused on the wrong lessons for policy . Classic resource wars are good material for Hollywood screenwriters. They rarely occur in the real world . To be sure, resource money can magnify and prolong some conflicts, but the root causes of those hostilities

usually lie elsewhere. Fixing them requires focusing on the underlying institutions that govern how resources are used and largely determine whether stress explodes into violence. When conflicts do arise, the weak link isn’t a dearth in resources but a dearth in governance. Resource wars are largely back in vogue within the U.S. threat industry because of China’s spectacular rise. Brazil, India, Malaysia and many others that used to sit on the periphery of the world economy are also arcing upward. This growth is fueling a surge in world demand for raw materials. Inevitably, these countries have looked overseas for what they need, which has animated fears of a coming clash with China and other growing powers over access to natural resources. Within the next three years, China will be the world’s largest consumer of energy. Yet, it’s not just oil wells that are working harder to fuel China, so too are chainsaws. Chinese net imports of timber nearly doubled from 2000 to 2005. The country also uses about one-third of the world’s steel (around 360 million tons), or three times its 2000 consumption. Even in coal resources, in which China is famously well-endowed, China became a net importer in 2007. Across the board, the combination of low efficiency, rapid growth and an emphasis on heavy industry—typical in the early stages of industrial growth—have combined to make the country a voracious consumer and polluter of natural resources. America, England and nearly every other industrialized country went through a similar pattern, though with a human population that was much smaller than today’s resource-hungry developing world. Among the needed resources, oil has been most visible. Indeed, Chinese state-owned oil companies are dotting Africa, Central Asia and the Persian Gulf with projects aimed to export oil back home. The overseas arm of India’s state oil company has followed a similar strategy—unable to compete head-to-head with the major Western companies, it focuses instead on areas where humanrights abuses and bad governance keep the major oil companies at bay and where India’s foreign policy can open doors. To a lesser extent, Malaysia engages in the same behavior. The American threat industry rarely sounds the alarm over Indian and Malaysian efforts, though, in part because those firms have less capital to splash around and mainly because their stories just don’t compare with fear of the rising dragon. These efforts to lock up resources by going out fit well with the standard narrative for resource wars—a zero-sum struggle for vital supplies. But will a struggle over resources actually lead to war and conflict? To be sure, the struggle over resources has yielded a wide array of commercial conflicts as companies duel for contracts and ownership. State-owned China National Offshore Oil Corporation’s (cnooc) failed bid to acquire U.S.-based Unocal—and with it Unocal’s valuable oil and gas supplies in Asia—is a recent example. But that is hardly unique to resources—similar conflicts with tinges of national security arise in the control over ports, aircraft engines, databases laden with private information and a growing array of advanced technologies for which civilian and military functions are hard to distinguish. These disputes win and lose some friendships and contracts, but they do not unleash violence.

23

Zero Days Negative – MI 7AT: AGRICULTURE

US ag. Doesn’t feed the worldCharles 13 (Dan Charles is NPR's food and agriculture correspondent. National Public Radio: ” American Farmers Say They Feed The World, But Do They?” published September 17, 2013. Accessed June 28th, 2015. http://www.npr.org/sections/thesalt/2013/09/17/221376803/american-farmers-say-they-feed-the-world-but-do-they) KalMWhen critics of industrial agriculture complain that today's food production is too big and too dependent on pesticides, that it damages the environment and delivers mediocre food, there's a line that farmers offer in response: We're feeding the world. It's high-tech agriculture's claim to the moral high ground. Farmers say they farm the way they do to produce food as efficiently as possible to feed the world. Charlie Arnot, a former public relations executive for food and farming companies, now CEO of the Center for Food Integrity, says it's more than just a debating point. "U.S. farmers have a tremendous sense of pride in the fact that they've been able to help feed the world," he says. That phrase showed up, for instance, a few weeks ago at a big farm convention in Decatur, Ill. The seed and chemical company DuPont set up a wall with a question printed at the top in big, capital letters: "How are you making a difference to feed the world?" The company invited people to answer that question, and thousands of them did. They wrote things like "raising cattle," "growing corn and beans," "plant as much as possible." Kip Tom, who grows corn and soybeans on thousands of acres of Indiana farmland, says he's very aware of the fact that the world has more and more people, demanding more food. Yet there are fewer and fewer farmers, "and it's the duty of those of us who are left in the business, us family farmers, to help feed that world." That means growing more food per acre, he says, which requires new and better technology: genetically engineered seed, for instance, or pesticides. And this is why the words "feed the world" grate on the nerves of people who believe that large-scale, technology-driven agriculture is bad for the environment and often bad for people. Margaret Mellon, a scientist with the environmental advocacy group Union of Concerned Scientists, recently wrote an essay in which she confessed to developing an allergy to that phrase. "If there's a controversy, the show-stopper is supposed to be, 'We have to use pesticides, or we won't be able to feed the world!' " she says. Mellon says it's time to set that idea aside. It doesn't answer the concerns that people have about modern agriculture — and it's not even true. American-style farming doesn't really grow food for hungry people , she says. Forty percent of the biggest crop — corn — goes into fuel for cars. Most of the second-biggest crop — soybeans — is fed to animals. Growing more grain isn't the solution to hunger anyway, she says. If you're really trying to solve that problem, there's a long list of other steps that are much more important. "We need to empower women; we need to raise incomes; we need infrastructure in the developing world; we need the ability to get food to market without spoiling." It seemed that this dispute needed a referee. So I called Christopher Barrett, an economist at Cornell University who studies international agriculture and poverty. "They're both right," he says, chuckling. "Sometimes the opposite of a truth isn't a falsehood, but another truth, right?" It's true, he says, that bigger harvests in the U.S. tend to make food more affordable around the world, and "lower food prices are a good thing for poor people." For instance, Chinese pigs are growing fat on cheap soybean meal grown by farmers in the U.S. and Brazil, and that's one reason why hundreds of millions of people in China are eating much better than a generation ago — they can afford to buy pork. So American farmers who grow soybeans are justified in saying that they help feed the world. But Mellon is right, too, Barrett says. The big crops that American farmers send abroad don't provide the vitamins and minerals that billions of people need most. So if the U.S. exports lots of corn, driving down the cost of cornmeal, "it induces poor families to buy lots of cornmeal, and to buy less in the way of leafy green vegetables, or milk," that have the key nutrients. In this case, you're feeding the world, but not solving the nutrition problems. Arnot, from the Center for Food Integrity, recently did a survey, asking consumers whether they think the U.S. even has a responsibility to provide food to the rest of the world. Only 13 percent of these consumers strongly agreed. In focus groups, many people said that if feeding the world means more industrial-scale farming, they're not comfortable with it. This is not a message farmers like to hear. "It is a real sense of frustration for farmers that 'feeding the world' is no longer a message that resonates with the American public," Arnot says. He tells farm groups that they'll have to find another message. They'll need to show that the way they grow food is consistent with the values of American consumers.

Turn: US ag. actually wastes waterLall 15 (Upmanu Lall: the Alan and Carol Silberstein Professor of Earth and Environmental Engineering and of Civil Engineering and Engineering Mechanics. Columbia Engineering: “Will we run out of fresh water in the 21st century?” copyright date 2015. Accessed June 26th 2015. http://engineering.columbia.edu/will-we-run-out-fresh-water-21st-century) KalMIn fact, one of the key players in the looming water crisis is agriculture, which accounts

24

Zero Days Negative – MI 7for 70 percent of global water use on average and more than 90 percent in arid regions. We might be able to dramatically improve the efficiency of water use by improving irrigation systems, by changing the way farmers water their crops, and by changing where different crops are grown. In fact, all these measures will need to be effected even if our sole goal was

adaptation to climate change and variability. Agricultural water use efficiency is not much higher in the United States than in many developing countries .

Agricultural water pollution due to the way fertilizers, herbicides, and pesticides are used is also a significant global factor. We could also improve water use by improving food processing, storage, and delivery as a means of reducing the 30 to 40 percent food loss that currently occurs post agricultural production. With one-third of the developing world expected to confront severe water shortages in this century, this is not a problem that we can ignore or avoid, and we’re working hard at the Columbia Water Center to find answers.

25

Zero Days Negative – MI 7AT: AIR TRAFFIC CONTROL

No impact to air traffic targetingLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMInterference with national air traffic systems to disrupt flights, shut down air transport and endanger passenger and crews is another frequently cited cyber-threat.10 We are not yet at a stage where computer networks operate aircraft remotely, so it is not possible for CSIS, 2002 5 a cyber-attacker to take over an aircraft. Aircraft still carry pilots who are trained to operate the plane in an emergency. Similarly, the Federal Aviation Authority does not depend solely on computer networks to manage air traffic, nor are its communications dependent on the Internet. The high level of human involvement in the control and decision making process for air traffic reduces the risk of any cyber attack. In a normal month storms, electrical failures and programming glitches all ensure a consistently high level of disruption in air traffic. Pilots and air traffic controllers are accustomed to unexpected disruptions and have adapted their practices to minimize the effect. Airlines and travelers are also accustomed to and expect a high degree of disruption in the system. In the United States, it is normal for 15,000 to 20,000 flights to be delayed or cancelled every month. A cyber attack that degraded the air traffic system would create delays and annoyance, but it would not pose a risk to national security.

26

Zero Days Negative – MI 7AT: ECON IMPACT

Cyber-attacks don’t threaten econ: empiricsLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMManufacturing and economic activity are increasingly dependent on computer networks, and cyber crime and industrial espionage are new dangers for economic activity. However, the evidence is mixed as to the vulnerability of manufacturing to cyber attack. A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its network. Email service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue program appears to have caused only limited permanent damage. None of its 114 factories stopped, according to the automaker. Computerized engineering blueprints and other technical data were unaffected. Ford was still able to post information for dealers and auto parts suppliers on Web sites that it uses for that purpose.”12 Companies now report that the defensive measures they have taken meant that viruses that were exceptionally damaging when they first appeared are now only “nuisances.”13

27

Zero Days Negative – MI 7AT: EMERGENCY RESPONSE IMPACT

Cyber-attacks don’t threaten emergency responseLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMThe 911 emergency response system, a specialized communications network that relies on local telephone service, is also a favorite target for theorists of cyber-terrorism, but like other infrastructures, it is a robust target. The U.S. for example, does not use a single 911 system in but instead has several thousand local systems using different technologies and procedures. No 911 system in a major city has been hacked. It might be possible to send a flood of email messages instructing people to call 911 for important information and thus overload the system (this was the technique used in the 1997 U.S. cyber exercise “Eligible Receiver”). This sort of technique usually works only once - but made in conjunction with a bombing or other physical attack they could act as a ‘force multiplier’ for a terrorist event.

28

Zero Days Negative – MI 7AT: INTERNET IMPACT

Internet take-down isn’t threatened by cyber terrorLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalMWhile the Internet may have a few points of failure that offer the possibility for system wide disruption, it was designed to be a robust, distributed communications network capable of continuing operations after a strategic nuclear exchange. Packet switching and Internet protocols were developed to allow communications to be maintained even when CSIS, 2002 6 some nodes in the network were eliminated and the Internet itself was designed to automatically route around damage to allow for continued communications. Additionally, computer networks rely on a backbone of high capacity telecommunications systems that are relatively secure from cyber-attack. The introduction of new communications technologies also enhances survivability. Wireless and satellite communications also provide some redundancy for landline systems. Most industrial countries now have access to three or four different modes of communications, making the system considerably more robust than it was a decade ago. Increased use of ultra wideband and mesh radio networks will also increase redundancy and survivability against cyber attack in communications networks.

29

Zero Days Negative – MI 7

IP THEFT ADVANTAGE

30

Zero Days Negative – MI 71NC CHINA MODERNIZATION

Modernization won’t turn violent despite nationalismDyer 9 [Gwynne, BA in History from Memorial University of Newfoundland in 1963; an MA in Military History from Rice University, Houston, Texas, in 1966; and a PhD in Military and Middle Eastern History at King's College London, Jakarta Post, Mar 29, http://www.thejakartapost.com/news/2005/03/12/china-unlikely-engage-military-confrontation.html] //khirn

Given America's monopoly or huge technological lead in key areas like stealth bombers, aircraft carriers, long-range sensors, satellite surveillance and even infantry body armor, Goss's warning is misleading and self-serving. China cannot project a serious military force even 200 miles (km) from home, while American forces utterly dominate China's ocean frontiers, many thousands of miles (kilometers) from the United States. But the drumbeat of warnings about China's ""military build-up"" continues . Just the other week U.S. Defense Secretary Donald Rumsfeld was worrying again about the expansion of the Chinese navy, which is finally building some amphibious landing ships half a century after Beijing's confrontation with the non-Communist regime on the island of Taiwan began. And Senator Richard Lugar, head of the Senate Foreign Relations Committee, warned that if the European Union ends its embargo on arms sales to China, the U.S. would stop military technology sales to Europe. It will come as no surprise, therefore, that the major U.S. defense review planned for this year will concentrate on the rising ""threat"" from China, or that this year for the first time the joint U.S.-Japanese defense policy statement named China as a ""security concern"", or that the Taiwan government urged the ""military encirclement"" of China to prevent any ""foreign adventures"" by Beijing. It comes as no surprise -- but it still makes no sense. China's defense budget this year is 247.7 billion yuan: Around US$30 billion at the official exchange rate. There are those in Washington who will say that it's more like $60 billion in purchasing power, but then there used to be ""experts"" who annually produced hugely inflated and frightening estimates of the Soviet defense budget. Such people will always exist: to justify a big U.S. defense budget, you need a big threat. It's true that 247.7 billion yuan buys an awful lot of warm bodies in military uniform in the low-wage Chinese economy, but it doesn't actually buy much more in the way of high-tech military systems. It's also true that the Chinese defense budget has grown by double-digit increases for the past fourteen years: This year it's up by 12.6 percent. But that is not significantly faster than the Chinese economy as a whole is growing, and it's about what you have to spend in order to convert what used to be a glorified peasant militia into a modern military force. It would be astonishing if China chose NOT to modernize its armed forces as the rest

of the economy modernizes, and the end result is not going to be a military machine that towers above all others. If you project the current growth rates of military spending in China and the United States into the future, China's defense budget catches up with the United States about the same time that its Gross Domestic Product does, in the late 2030s or the early 2040s. As to China's strategic intentions, the record of the past is reassuring in several respects. China has almost never been militarily expansionist beyond the traditional boundaries of the Middle Kingdom (which do include Tibet in the view of most Chinese), and its border clashes with India, the Soviet Union and Vietnam in the first decades of Communist rule generally ended with a voluntary Chinese withdrawal from the disputed territories. The same moderation has usually applied in nuclear matters. The CIA frets that China could have a hundred nuclear missiles targeted on the United States by 2015, but that is actually evidence of China's great restraint. The first Chinese nuclear weapons test was forty years ago, and by now China could have thousands of nuclear warheads targeted on the U.S. if it wanted. (The United States DOES have thousands of nuclear warheads that can strike Chinese targets.) The Beijing regime is obsessed with economic stability, because it fears that a severe downturn would trigger social and political upheaval. The last thing it wants is a military confrontation with its biggest trading partner, the United States. It will go on playing the nationalist card over Taiwan to curry domestic political favor, but there is no massive military build-up and no plausible threat of impending war in East Asia.

Modernization is insulated from US policyHolslag 9 [Jonathan, degree in political science @ Vrije Universiteit Brussels, Washington Quarterly, “Embracing Chiense Global Security Ambitions,” July 2009, http://www.twq.com/09july/docs/09jul_Holslag.pdf] //khirn

China increasingly acknowledges that its free ride is over, and that it will have to invest more in the protection of its economic interests. The debate about how to protect foreign interests with military means is only starting to take place. Ma Xiaojun of the International Institute of Strategic Studies of the Central Party School summarizes this predicament very clearly: it is the responsibility of the state to protect its citizens, and China is now confronted with a dilemma between its principle of non-interference and the interests that derive from its national development. Experts and officials invoke four main arguments in favor of a more proactive security policy. First,

31

Zero Days Negative – MI 7the economic competition from developed nations has compelled China to look for investment opportunities in unstable parts of the world, particularly in oil drilling and contract labor in sub-Sahara African and South Asia. Second, China is no longer expected to stand aloof when violence erupts. Given its status as an aspiring great power, while national governments with which it does business automatically ask for military aid and the international community requests mediation or sanctions, keeping a low profilethe traditional maxim of China’s diplomacy is no longer tenable. Third, Beijing recognizes that passing the buck to regional organizations or other powers is not an option. During a roundtable in Beijing in 2007, a group of senior military officers concluded that not only are these players incapable of delivering, but relying on other countries with their own interests would be strategically irresponsible. Finally, Chinese experts reckon that China should not rely on the United States or other regional powers for its security. While coordination is desirable, it cannot take for granted that these actors would refrain from containing China in the future. China, therefore, is modifying its posture on foreign security challenges. In a 2007 report from the Development Research Center of the State Council, two senior researchers of the State Council’s study department categorized non-traditional threats as a strategic economic challenge and pleaded for including a series of new measures in the national security strategy, according to China’s position as an ‘‘influential world power.’’ After the lethal attack on a Chinese oil facility in Ethiopia in April 2007, China Daily asserted: ‘‘China needs to consider new channels to protect overseas interests.’’ The article stressed that: China must break through traditional diplomatic thinking ... Only to rely on the traditional mode of high-level political contacts, only ‘peaceful coexistence’ and ‘mutually beneficial cooperation’ or the principle of self-restraint are insufficient to protect ourselves or to safeguard overseas economic interests and development.’’ In a July 2008 Xinhua article, experts went beyond this idea of self-defense, emphasizing that cooperation on asymmetric threats is also desirable for China’s international prestige but cannot be taken for granted. ‘‘Self-restraint does not work anymore,’’ it concluded, ‘‘China should develop its capabilities faster and show that while it becomes stronger, it does not threaten others, but rather contributes to a stable world.’’

Zero risk of China rise impactsBeauchamp 13 [Zach. Editor of TP Ideas, Reporter for ThinkProgress. Masters IR from London School of Economics. “China has not replaced America — and it never will,” The Week, 2/13/14] //khirn

Many people seem to think it's simply a matter of when, not if, China takes the reins of world leadership.

How, they think, can America's 314 million people permanently outproduce a population that outnumbers the U.S. by over a billion people? This facile assumption is wrong. China is not replacing the United States as the global hegemon. And it never will . China faces too many internal problems and regional rivals to ever make a real

play for global leadership. And even if Beijing could take the global leadership mantle soon, it wouldn't. China wants to play inside the existing global order's rules, not change them. Start with the obvious military point: The Chinese military has nothing like the global reach of its American rival's. China only has one aircraft carrier, a refitted Russian vessel. The U.S. has 10, plus nine marine mini-carriers. China's first homemade carrier is slated for completion in 2018, by which time the U.S. will have yet another modern carrier, and be well

on its way to finishing another. The idea that China will be able to compete on a global scale in the short to medium term is absurd . Even in East Asia, it's not so easy for China. In 2012, Center for Strategic

and International Studies experts Anthony Cordesman and Nicholas Yarosh looked at the data on Chinese and Taiwanese military strength. They found that while China's relative naval strength was growing, Taiwan had actually improved the balance of air power in its favor between 2005 and 2012 — just as China's economic growth rate, and hence influx of

new resources to spend on its military, was peaking. China's equipment is often outdated, and its training regimes can be comically bad . A major part of its strategic missile force patrols on horseback because it doesn't have helicopters. This isn't to deny China's military is getting stronger. It is. And one day, this might require the United States

to rethink its strategic posture in East Asia. But Chinese hard power is nowhere close to replacing, or even thinking about challenging, American military hegemony. And look at China's geopolitical neighborhood.

As a result of historical enmity and massive power disparities, Beijing would have a tough time convincing Japan, South Korea, and Taiwan that its military buildup is anything but threatening. Consequently, the smaller East Asian states are likely to get over their mutual disagreements and stick it out together in the American-led alliance system for the foreseeable future. To the north and west, China is bordered by Russia and India. China fought each of them as recently as the 1960s, and both are likely to be threatened by any serious Chinese military buildup. Unlike the United States, bordered by oceans and two friendly states, China is surrounded by enemies and rivals. Projecting power globally is hard when you've got to worry about defending your own turf. But

what happens when China's GDP passes America's? Well, for one thing, we're not really sure when that will be. Realizing that current growth rates were economically and ecologically unsustainable, the Chinese government cut off the investment

32

Zero Days Negative – MI 7spigot that fueled its extraordinary 10 percent average annual growth. Today, China's growth rate is about half of what it was in 2007. One analysis suggests China's GDP may not surpass America's until the 2100s . Moreover, China's GDP per capita is a long way off from matching Western standards. In 2012, the World Bank assessed China's at $6,009; the United States' was $57,749. The per-person measure of wealth matters in that it reflects the government's capacity to pay for things

that make its citizens happy and healthy. That's where China's internal headaches begin. The Chinese government has staked its domestic political legitimacy on delivering rapid, massive improvements in quality of life for its citizens. As growth slows, domestic political dissent may rise. Moreover, growth's worst side effect to date — an unprecedented ecological crisis — is also a source of massive discontent. China has 20 of the

world's 30 most polluted cities; environmental cleanup costs may hoover up 3 percent of China's GDP. That's

throwing 30 percent of its yearly average growth (during the pre-2013 boom years!) down the drain. The mass death and poisoning

that follow as severe pollution's handmaidens threaten the very foundations of the Communist Party's power . American University China scholar Judith Shapiro writes that environmental protests — which sometimes "shut down" huge

cities — are "so severe and so central to the manner in which China will 'rise' that it is no exaggeration to say that they cannot be separated from its national identity and the government's ability to

provide for the Chinese people." That's hardly the only threat to the Chinese economy. China's financial system bears a disturbing resemblance to pre-crisis Wall Street. Its much-vaunted attempt to move away from an unsustainable export-based economy, according to Minxin Pei, may break on the rocks of massive corruption and other economic problems. After

listing a slew of related problems, Pei suggests we need to start envisioning a world of " declining Chinese strength and rising probability of an unexpected democratic transition in the coming two decades." But even if this economic gloom and doom is wrong, and China really is destined for a prosperous future, there's one simple reason China will never displace America as global leader: It doesn't want to. Chinese foreign policy, to date, has been characterized by a sort of realist incrementalism. China has displayed no interest in taking over America's role as protector of the global commons; that's altogether too altruistic a task. Instead, China is content to let the United States and its allies keep the sea lanes open and free ride off of their efforts. A powerful China, in other words, would most likely to be happy to pursue its own interests inside the existing global order rather than supplanting it. In 2003, Harvard's Iain Alastair Johnston analyzed data about Chinese hostility to the global status quo across five dimensions: participation in international institutions, compliance with international norms, twisting the rules that govern global institutions, making the transformation of global political power into a clear policy goal, and acting militarily on that objective. He found that China was "more integrated into and more cooperative within international institutions than ever before," and that there was "murky" evidence at best of intent to challenge the United States outside of them. Johnston reassessed parts of his argument in 2013 and concluded that not much had changed.

Turn: Chinese modernization good; solves war and securityTuosheng 2014 (Zhang; Tuosheng is the Director of Research and Senior Fellow at the China Foundation for International Strategic Studies. “Impact of Chinese Military Development on Regional and Global Security,” May 8, 2014, http://www.chinausfocus.com/peace-security/impact-of-chinese-military-development-on-regional-and-global-security/#sthash.dUPF2IPd.dpuf ) //JRW Impact on regional and global security First, Chinese military development has played a very positive role in the maintenance of global peace and security. For years, along with increased military capabilities, China has undertaken major responsibility in, and made great contribution to international peacekeeping, disaster relief and humanitarian assistance. It has also become increasingly positive towards and made contribution to naval escort, sea-lane protection, anti-terror cooperation, prevention of proliferation of weapons of mass destruction and nuclear security, all of which have been welcomed by the international community. Second, China has also played a positive role in enhancing security in its neighborhood. In East Asia, the Chinese military has helped to decrease the possibility of conflict outbreak in two traditional hot spots: Taiwan Straits and the Korean Peninsula. In Central Asia, China has, through political and military cooperation, contained the challenges of three types of extremist forces, contributed to regional security and stability. In West Asia, China has given important support to the prevention of and combat of terrorist forces. Besides, the Chinese military has also taken an active part in disaster relief and medical assistance in the neighborhood, which is also welcomed by the relevant countries.

33

Zero Days Negative – MI 72NC CHINA MODERNIZATION

Modernization won’t cause warSwaine 11 [Michael, senior associate at the Carnegie Endowment for International Peace and author of the new book America’s Challenge: Engaging a Rising China in the Twenty-First Century, Enough Tough Talk on China, The National Interest, September 26, 2011, http://nationalinterest.org/commentary/enough-tough-talk-china-5934?page=1] //khirn

These days it is fashionable for pundits to point out the supposedly disastrous consequences for the United States that will result from China’s efforts to modernize its military . The latest variant of this argument was presented by Aaron Friedberg in The New York Times on September 4 and in his new book, A Contest for Supremacy: China, America and the Struggle for Mastery in Asia. The basic facts about China’s military buildup have been well known for years and are hardly disputed: Beijing is gradually acquiring the capability to interdict and possibly destroy U.S. ships and bases operating near China’s coastline, primarily using missiles, submarines, cyber warfare and ground-based satellite blinders. It’s also true that this development puts at risk Washington’s position as the predominant maritime power in that critical region. That is a legitimate issue that requires far more serious consideration than it has thus far received from most U.S. policy makers. The question is: what does China intend to do with its growing capabilities and how should Washington respond? Self-proclaimed realists such as Friedberg offer a relatively simple solution: The White House must recognize China’s buildup as an intended effort to eject the United States from Asia, convince the American public (and its allies) of the dire threat to hearth and home that it presents and, with public support in hand, plow untold additional defense dollars into maintaining an unambiguously superior military posture in the Western Pacific. Only then will Beijing give up its determined plans for regional dominance. In reality, there is little if any hard evidence to indicate that China’s strategic intent is to establish itself, in Friedberg’s words, as “Asia’s dominant power by eroding the credibility of America’s security guarantees, hollowing out its alliances, and eventually easing it out of the region.” If this is Beijing’s goal, the Pentagon has yet to discover it—and presumably not for lack of trying. The recently published annual Department of Defense report on the Chinese military asserts that Beijing’s ultimate military intentions in Asia and elsewhere are unknown. And privately, DoD analysts will acknowledge that the PLA is not currently acquiring the kinds of capabilities that would be required to project substantial power far from its shores and eject the United States from Asia. When confronted with such information, proponents of the “China is out to displace us” theory counter that Beijing’s strategy is so stealthy as to avoid detection, and that in any event, it is the so-called realist “logic” of China’s situation that demands such a strategy. According to this logic, Beijing has no choice but to seek to eject the United States from Asia to ensure its own security. So much for free will and the growing imperative both countries face to work together to solve worsening global

problems, such as climate change. China’s strategic mindset is quintessentially defensive , largely reactive, and focused first and foremost on deterring Taiwan’s independence and defending the Chinese mainland, not on establishing itself as Asia’s next hegemon. Although it is not inconceivable that China might adopt more ambitious, far-flung military objectives in the future—perhaps including an attempt to become the preeminent Asian military power—such goals remain ill-defined, undetermined and subject to much debate in Beijing. This suggests that China’s future strategic orientation is susceptible to outside influence, not fixed in stone.

Chinese nuclear posture is stableAlagappa 9 [Muthiah Alagappa, Distinguished Senior Fellow, East-West Center PhD, International Affairs, Fletcher School of Law and Diplomacy, Tufts University, 2009, “The Long Shadow,” p.517-518] //khirn

The caution induced by nuclear weapons, their leveling effect, the strategic insurance they provide to cope with unanticipated contingencies, and general deterrence postures inform and circumscribe interaction among the major powers, reduce their anxieties, and constrain the role of force in their interaction. This enables major powers to take a long view and focus on other national priorities. Nuclear weapons feature primarily in deterrence and insurance roles. These roles are not necessarily threatening to other parties. Modernization of nuclear arsenals and the development of additional capabilities have proceeded at a moderate pace; they have produced responses but not intense strategic competition. The net effect has been stabilizing. The stabilizing effect of nuclear weapons in the Sino-American, Russo-American, and Sino-Indian dyads were discussed in Chapter 17. Here I will limit myself to making some additional points. Continuing deterrence dominance underlies China’s measured response to the U.S. emphasis on offensive strategies and its development of strategic missile defense. Perceiving these as undermining the robustness of its strategic deterrent force, China seeks to strengthen the survivability of its retaliatory force and is attempting to develop capabilities that would

34

Zero Days Negative – MI 7threaten American space-based surveillance and communications facilities in the event of hostilities. However, these efforts are not presented as a direct challenge to or competition with the United States. Beijing has deliberately sought to downplay the modernization of its nuclear force. This is not simply deception, but a serious effort to develop a strong deterrent force without entering into a strategic competition with the United States, which it cannot win due to the huge imbalance in military capabilities and technological imitations. Strategic competition will also divert attention and resources away from the more urgent modernization goals. A strong Chinese strategic deterrent force blunts the military advantage of the United States, induces caution in that country, and constrains its military option in the event of hostilities. Although Russia’s response to the U.S. development of offensive and strategic defense capabilities has been more vocal, it lacks specifics. Moscow also does not appear to have allocated significantly more resources to its nuclear force.

Modernization’s stable---it’ll stay within NFU and de-mated force structure Lewis 9 [Jeffrey Lewis, Director of the Nuclear Strategy and Nonproliferation Initiative at the New America Foundation, Former executive director of the Managing the Atom Project at the Belfer Center for Science and International Affairs. Ph.D. in policy studies (international security and economic policy) from the University of Maryland, April 2009, “Chinese Nuclear Posture and Force Modernization,” in Engaging China and Russia on Nuclear Disarmament, eds. Hansell and Potter, online: http://cns.miis.edu/opapers/op15/op15.pdf] //khirnAlthough such increases are within China’s economic and industrial capabilities, especially if China were to deploy as many as five new ballistic missile submarines, it is also possible that China’s modernization will occur within the general parameters of its overall force posture, characterized by keeping warheads in storage and a restrictive nuclear no-first-use declaratory policy. China’s nuclear arsenal also stands out from the other nuclear powers not merely due to its small size, but also because

China keeps its nuclear forces off alert and under the strictures of a no-first use pledge . By all indications, Chinese nuclear warheads are not normally mated to their missiles. Robert Walpole, then national intelligence officer for strategic and nuclear programs at the CIA, stated in 1998 that “China keeps its missiles unfueled and without warheads mated.”20 The warheads are stored at nearby, but separate, bases. Press reports of Chinese mobile ballistic missile exercises published by the state-run Xinhua News Agency indicate that nuclear warheads would be mated in the fi eld to mobile ballistic missiles before launch, similar to the procedure used by Soviet Mobile Technical Rocket Bases (PRTB, in Russian) stationed in East Germany and elsewhere during the Cold War.21 Anecdotal evidence from public descriptions of Chinese exercises and doctrinal materials suggest that Chinese forces expend considerable effort training to conduct retaliatory missions in the harsh environment after a nuclear strike. One Chinese textbook that is used to train cadres is forthright about the difficulty of maintaining a survivable retaliatory capability under a no-first-use doctrine. “According to our principle of no first-use of nuclear weapons,” the text Zhanyi Xue (Operational Studies) warns future commanders, “the nuclear retaliation campaign of the Second Artillery will be conducted under the circumstances when [the] enemy has launched a nuclear attack on us. … The personnel, position equipment, weapons equipment, command telecommunication system and the roads and bridges in the battlefi eld will be seriously hurt and damaged.”22 Whether Chinese leaders will change these features of their nuclear posture is difficult to predict. Western analysts have long predicted, for example, that China would eventually move away from a no-first-use posture—yet China’s political leaders continue to appear committed to the policy. In part, the judgment that China would dump no-first-use has been based on voluminous criticisms of no-first-use in Chinese military writings. The considerable ink spilled in Chinese military publications complaining about “no-first-use” is probably the best evidence that the policy remains in place.23 Dissatisfaction among some Second Artillery commanders with no-first-use might also explain the growing deployments of conventionally armed ballistic missiles, which are presumably subject to less doctrinal interference from senior leaders and Chinese nuclear weapons scientists.

Modernization is inherently slow and stable---it’s guided by their doctrine which rejects any offensive role for nuclear weapons---there’s no chance modernization turns offensive Yuan 9 [Jing-Dong, Director of the East Asia Nonproliferation Program at the James Martin Center for Nonproliferation Studies and associate professor of international policy studies at the Monterey Institute of International Studies, April 2009, “China and the Nuclear-Free World,” in Engaging China and Russia on Nuclear Disarmament, eds. Hansell and Potter, online: http://cns.miis.edu/opapers/op15/op15.pdf] //khirn

China has long maintained that its nuclear weapons development is largely driven by the need to respond to nuclear coercion and

blackmail. The role of nuclear weapons, in this context, is purely defensive and retaliatory, rather than war-fighting, as some western analysts suggest.19 Indeed, in the early years, China even rejected the concept of deterrence, regarding it as an attempt by the superpowers to compel others with the threat of nuclear weapons. This probably explains the glacial pace with which China introduced, modified, and modernized its small-size nuclear arsenals over the past four decades. Mainly guided by the principle that nuclear weapons will only be used (but used in a rather indiscriminate way) if China is attacked with

35

Zero Days Negative – MI 7nuclear weapons by others, nuclear weapons in China’s defense strategy serve political rather than military purposes.20 PLA analysts emphasize that the terms “nuclear strategy” and “nuclear doctrine” are rarely used in Chinese strategic

discourse; instead, a more commonly used term refers to “nuclear policy,” which in turn is governed by the country’s national strategy. Hence, the deployment and use of nuclear weapons are strictly under the “supreme command” of the

Communist Party and its Central Military Commission. Nuclear weapons are for strategic deterrence only; no tactical or operational utility is entertained. If and when China is under a nuclear strike, regardless of the size and the yield, it warrants strategic responses and retaliation.21 Chinese leaders and military strategists consider the role for nuclear weapons as one of defensive nuclear deterrence (ziwei fangyu de heweishe). Specifically, the country’s nuclear doctrine and force modernization have been informed and guided by three general principles: effectiveness (youxiaoxing), sufficiency (zugou), and counter-deterrence (fanweishe).22 China’s 2006 Defense White Paper emphasizes the importance of developing land-based strategic capabilities, both nuclear and conventional, but provides no specifics on the existing arsenal, the structure of the Second Artillery Corps (China’s strategic nuclear force) order of battle, or the projected size of the nuclear force. It indicates only that China will continue to maintain and build a lean and effective nuclear force. While Chinese analysts acknowledge that deterrence underpins China’s nuclear doctrine, it is more in the sense of preventing nuclear coercion by the superpower(s) without being coercive itself, and hence it is counter-coercion or counter-deterrence. Rather than build a large nuclear arsenal as resources and relevant technologies have become available, a path pursued by the superpowers during the Cold War, China has kept the size of its nuclear weapons modest, compatible with a nuclear doctrine of minimum deterrence.23 According to Chinese analysts, nuclear weapons’ role in China’s defense doctrine and posture is limited and is reinforced by the NFU position, a limited nuclear arsenal, and support of nuclear disarmament.

Reject hyperbole—the US has accounted for Chinese buildupRoss 9 [Robert, professor of political science at Boston College, The National Interest, “Myth”, 9/1, http://nationalinterest.org/greatdebate/dragons/myth-3819] //khirn

Yet China does not pose a threat to America's vital security interests today, tomorrow or at any time in the near future. Neither alarm nor exaggerated assessments of contemporary China's relative capabilities and the impact of Chinese defense modernization on U.S. security interests in East Asia is needed because, despite China's military advances, it has not developed the necessary technologies to constitute a grave threat. Beijing's strategic advances do not require a major change in Washington's defense or regional security policy, or in U.S. policy toward China. Rather, ongoing American confidence in its capabilities and in the strength of its regional partnerships allows the United States to enjoy both extensive military and diplomatic cooperation with China while it consolidates its regional security interests. The China threat is simply vastly overrated. AMERICA'S VITAL security interests, including in East Asia, are all in the maritime regions. With superior maritime power, the United States can not only dominate regional sea-lanes but also guarantee a favorable balance of power that prevents the emergence of a regional hegemon. And despite China's military advances and its challenge to America's ability to project its power in the region, the United States can be confident in its ability to retain maritime dominance well into the twenty-first century. East Asia possesses plentiful offshore assets that enable the United States to maintain a robust military presence, to contend with a rising China and to maintain a favorable balance of power. The U.S. alliance with Japan and its close strategic partnership with Singapore provide Washington with key naval and air facilities essential to regional power projection. The United States also has developed strategic cooperation with Malaysia, Indonesia and the Philippines. Each country possesses significant port facilities that can contribute to U.S. capabilities during periods of heightened tension, whether it be over Taiwan or North Korea. The United States developed and sustained its strategic partnerships with East Asia's maritime countries and maintained the balance of power both during and after the cold war because of its overwhelming naval superiority. America's power-projection capability has assured U.S. strategic partners that they can depend on the United States to deter another great power from attacking them; and, should war ensue, that they would incur minimal costs. This American security guarantee is as robust and credible as ever. The critical factor in assessing the modernization of the PLA's military forces is thus whether China is on the verge of challenging U.S. deterrence and developing war-winning capabilities to such a degree that East Asia's maritime countries would question the value of their strategic alignment with the United States. But, though China's capabilities are increasing, in no way do they challenge U.S. supremacy . America's maritime security is based not only on its superior surface fleet, which enables it to project airpower into distant regions, but also on its subsurface ships, which provide secure "stealth" platforms for retaliatory strikes, and its advanced command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) capabilities. In each of these areas, China is far from successfully posing any kind of serious immediate challenge. CHINA IS buying and building a better maritime capability. However, the net effect of China's naval advances on U.S. maritime superiority is negligible. Since the early 1990s-especially later in the decade as the Taiwan conflict escalated and following the 1996 U.S.-China Taiwan Strait confrontation-Beijing focused its maritime-acquisitions program

36

Zero Days Negative – MI 7primarily on the purchase of modern submarines to contribute to an access-denial capability that could limit U.S. operations in a Taiwan contingency. It purchased twelve Kilo-class submarines from Russia and it has developed its own Song-class and Yuan-class models. These highly capable diesel submarines are difficult to detect. In addition, China complemented its submarine capability with a coastal deployment of Russian Su-27 and Su-30 aircraft and over one thousand five hundred Russian surface-to-air missiles. The combined effect of these deployments has been greater Chinese ability to target an American aircraft carrier and an improved ability to deny U.S. ships and aircraft access to Chinese coastal waters. Indeed, American power-projection capabilities in East Asia are more vulnerable now than at any time since the end of the cold war. We can no longer guarantee the security of a carrier. Nevertheless, the U.S. Navy is acutely aware of Chinese advances and is responding with measures to minimize the vulnerability of aircraft carriers. Due to better funding, improved technologies and peacetime surveillance of Chinese submarines, the American carrier strike group's ability to track them and the U.S. Navy's antisubmarine capabilities are constantly improving. The U.S. strike group's counter-electronic-warfare capabilities can also interfere with the PLA Navy's reconnaissance ability. Improved Chinese capabilities complicate U.S. naval operations and require greater caution in operating an aircraft carrier near the Chinese coast, particularly in the case of a conflict over Taiwan. A carrier strike force may well have to follow a less direct route into the area and maintain a greater distance from China's coast to reduce its vulnerability to Chinese capabilities. But such complications to U.S. operations do not significantly degrade Washington's ability to project superior power into maritime theaters. The United States still possesses the only power-projection capability in East Asia.

37

Zero Days Negative – MI 71NC HEGEMONY

Cyber-attacks don’t threaten militaryLewis 02 (James Andrew Lewis is the Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C. Ph.D. from the University of Chicago. Center for Strategic and International Studies: “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats:” http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) KalM

Cyber attacks are often presented as a threat to military forces and the Internet has major implications for espionage and warfare. Information warfare covers a range of activities of which cyber attacks may be the least important. While information operations and information superiority have become critical elements in successful military operations, no nation has placed its military forces in a position where they are dependent on computer networks that are vulnerable to outside attack. This greatly limits the effectiveness of cyber weapons (code sent over computer networks). The many reports of military computer networks being hacked usually do not explain whether these networks are used for critical military functions. It is indicative, however, that despite regular reports of tens of thousands of network attacks every year on the Department of Defense, there has been no degradation of U.S. military capabilities.

Nukes are airgapped and resilient to hackingReed 12 [John, national security reporter for Foreign Policy “Keeping nukes safe from cyber attack,” September 25, 2012, Foreign Policy, complex.foreignpolicy.com/posts/2012/09/25/keeping_nukes_safe_from_cyber_attack] //khirn

"Our ability to keep our networks assured and protected and not vulnerable is really important, it's something we have looked at hard," Maj. Gen. William Chambers, head of Air Force Global Strike Command's nuclear deterrence shop, told Killer Apps during a Sept. 18 interview. "It's something that we build into all of our new nuclear weapons systems so that they remain cyber-secure." Global Strike Command manages U.S. land-based nuclear ICBMs and air-launched nuclear cruise missiles and bombs. Protecting what are arguably the nation's most important military assets from cyber attack, and avoiding the terrifying scenario of an enemy feeding incorrect information into the nuclear command-and-control networks "seized" Air Force officials after they lost contact with a field of 50 Minuteman III ICBMs at FE Warren Air Force Base in Wyoming for an hour in late 2010, according to Chambers. "It's really important. It's a problem that about a year ago we were seized with. We have done some pretty comprehensive studies of the cyber-state of our ICBM force. We are confident in it," said Chambers. "There was an issue: we had a temporary interruption in our ability to monitor one of our missile squadrons back in the fall of 2010. That produced a need to take a comprehensive look at the entire system. It took a year to do that study, and we're confident that the system is good, but as we upgrade it, modernize it, integrate it, we've got to really pay attention to" protecting nuclear command-and-control information. While Chambers didn't go into specifics of how Global Strike Command will protect its nuclear command-and-control networks from cyber attack, he did say that it is working to harden its networks against intrusion and the manipulation of nuclear command-and-control information and to increase backup communications abilities. Chambers added that the Minuteman III ICBM command systems, designed in

the 1960s and 1970s, are incredibly robust . "ICBM-wise we have a very secure system." A Boeing official

later told Killer Apps that while it is looking at upgrading the ancient technology used in parts of the Minuteman command

networks, that technology is safe from hacking . Boeing is on contract with the Air Force to maintain the 1970s-vintage Minuteman III fleet and is helping the service keep the missiles in service through the 2030s. "Our C2 [command-and-control] system for Minuteman is a very old system. There's a network called the HICS [hardened intersite cable system] network, and it's [made of] copper wire, and it's limited in bandwidth," said Peggy Morse, director of Boeing's strategic missiles systems programs, told

Killer Apps on Sept. 18. While it's old, " it's very secure ," she added. Still, "as we look at different C2 systems and ways to

move data about in the field, information assurance is a big deal there, and the security requirements are going to drive the solutions that we look at," said Morse. The company is also working to modernize the actual cryptographic

38

Zero Days Negative – MI 7devices used to encrypt and decipher launch codes for nuclear missiles.

Russia and China can’t cyberattack the US – they only use it to crack down on their own populationsRid 12 [Thomas, reader in war studies at King's College London, is author of "Cyber War Will Not Take Place" and co-author of "Cyber-Weapons.", March/April 2012, “Think Again: Cyberwar”, http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page=full] //khirn

"The West Is Falling Behind Russia and China." Yes, but not how you think. Russia and China are busy sharpening their cyberweapons and are already well steeped in using them. The Russian military clandestinely crippled Estonia's economy in 2007 and Georgia's government and banks in 2008. The People's Liberation Army's numerous Chinese cyberwarriors have long inserted "logic bombs" and "trapdoors" into America's critical infrastructure, lying dormant and ready to wreak havoc on the country's grid and bourse in case of a crisis. Both countries have access to technology, cash, and talent -- and have more room for malicious maneuvers than law-abiding Western democracies poised to fight cyberwar with one hand tied behind their backs. Or so the alarmists tell us. Reality looks quite different . Stuxnet, by far the most sophisticated cyberattack on record, was most likely a U.S.-Israeli operation. Yes, Russia and China have demonstrated significant skills in cyberespionage, but the fierceness of Eastern cyberwarriors and their coded weaponry is almost certainly overrated . When it comes to military-grade offensive attacks, America and Israel seem to be well ahead of the curve. Ironically, it's a different kind of cybersecurity that Russia and China may be more worried about. Why is it that those countries, along with such beacons of liberal democracy as Uzbekistan, have suggested that the United Nations establish an "international code of conduct" for cybersecurity? Cyberespionage was elegantly ignored in the suggested wording for the convention, as virtual break-ins at the Pentagon and Google remain a favorite official and corporate pastime of both countries. But what Western democracies see as constitutionally protected free speech in cyberspace, Moscow and Beijing regard as a new threat to their ability to control their citizens. Cybersecurity has a broader meaning in non-democracies: For them, the worst-case scenario is not collapsing power plants, but collapsing political power.b The social media-fueled Arab Spring has provided dictators with a case study in the need to patrol cyberspace not only for subversive code, but also for subversive ideas. The fall of Egypt's Hosni Mubarak and Libya's Muammar al-Qaddafi surely sent shivers down the spines of officials in Russia and China. No wonder the two countries asked for a code of conduct that helps combat activities that use communications technologies -- "including networks" (read: social networks) -- to undermine "political, economic and social stability." So Russia and China are ahead of the United States, but mostly in defining cybersecurity as the fight against subversive behavior. This is the true cyberwar they are fighting.

Meaningful attacks are infeasibleClark 12 [Paul, MA candidate – Intelligence Studies @ American Military University, senior analyst – Chenega Federal Systems, “The Risk of Disruption or Destruction of Critical U.S. Infrastructure by an Offensive Cyber Attack,” 4/28/2012, American Military University] //khirn

The Department of Homeland Security worries that our critical infrastructure and key resources (CIKR) may be exposed, both directly and indirectly, to multiple threats because of CIKR reliance on the global cyber infrastructure, an infrastructure that is under routine cyberattack by a “spectrum of malicious actors” (National Infrastructure Protection Plan 2009). CIKR in the extremely large and complex U.S. economy spans multiple sectors including agricultural, finance and banking, dams and water resources, public health and emergency services, military and defense, transportation and shipping, and energy (National Infrastructure Protection Plan 2009). The disruption and destruction of public and private infrastructure is part of warfare, without this infrastructure conflict cannot be sustained (Geers 2011). Cyber-attacks are desirable because they are considered to be a relatively “low cost and long range” weapon (Lewis 2010), but prior to the creation of Stuxnet, the first cyber-weapon, the ability to disrupt and destroy critical infrastructure through cyber-attack was theoretical. The movement of an offensive cyber-weapon from conceptual to actual has forced the United States to question whether offensive cyber-attacks are a significant threat that are able to disrupt or destroy CIKR to the level that national security is seriously degraded. It is important to understand the risk posed to national security by cyber-attacks to ensure that government responses are appropriate to the threat and balance security with privacy and civil liberty concerns. The risk posed to CIKR from cyber-attack can be evaluated by measuring the threat from cyber-attack against the vulnerability of a CIKR target and the consequences of CIKR disruption. As the only known

39

Zero Days Negative – MI 7cyber-weapon, Stuxnet has been thoroughly analyzed and used as a model for predicting future cyber-weapons. The U.S. electrical grid, a key component in the CIKR energy sector, is a target that has been analyzed for vulnerabilities and the consequences of disruption predicted – the electrical grid has been used in multiple attack scenarios including a classified scenario provided to the U.S. Congress in 2012 (Rohde 2012). Stuxnet

will serve as the weapon and the U.S. electrical grid will serve as the target in this risk analysis that concludes that there is a low risk of disruption or destruction of critical infrastructure from a an

offensive cyber-weapon because of the complexity of the attack path, the limited capability of non-state adversaries to develop cyber-weapons, and the existence of multiple methods of mitigating the cyber-attacks. To evaluate the threat posed by a Stuxnet-like cyber-weapon, the complexity of the weapon, the available attack vectors for the weapon, and the resilience of the weapon must be understood. The complexity – how difficult and expensive it was to create the weapon – identifies the relative cost and availability of the weapon; inexpensive and simple to build will be more prevalent than expensive and difficult to build. Attack vectors are the available methods of attack; the larger the number, the more severe the threat. For example, attack vectors for a cyberweapon may be email attachments, peer-to-peer applications, websites, and infected USB devices or compact discs. Finally, the resilience of the weapon determines its availability and affects its usefulness. A useful weapon is one that is resistant to disruption (resilient) and is therefore available and reliable. These concepts are seen in the AK-47 assault rifle – a simple, inexpensive, reliable and effective weapon – and carry over to information technology structures (Weitz 2012). The evaluation of Stuxnet identified malware that is “ unusually complex and large ” and required code written in multiple languages (Chen 2010) in order to complete a variety of specific functions contained in a “vast array” of components – it is one of the most complex threats ever analyzed by Symantec (Falliere, Murchu and Chien 2011). To be successful, Stuxnet required a high level of technical knowledge across multiple disciplines, a laboratory with the target equipment configured for testing, and a foreign intelligence capability to collect information on the target network and attack vectors (Kerr, Rollins and Theohary 2010). The malware also needed careful monitoring and maintenance because it could be easily disrupted; as a result Stuxnet was developed with a high degree of configurability and was upgraded multiple times in less than one year (Falliere, Murchu and Chien 2011). Once introduced into the network, the cyber-weapon then had to utilize four known vulnerabilities and four unknown vulnerabilities, known as zero-day exploits, in order to install itself and propagate across the target network (Falliere, Murchu and Chien 2011). Zero-day exploits are incredibly difficult to find and fewer than twelve out of the 12,000,000 pieces of malware discovered each

year utilize zero-day exploits and this rarity makes them valuable, zero-days can fetch $50,000 to $500,000 each on the black market (Zetter 2011). The use of four rare exploits in a single piece of malware is “unprecedented” (Chen 2010). Along with the use of four unpublished exploits, Stuxnet also used the “first ever” programmable logic controller rootkit, a Windows rootkit, antivirus evasion techniques, intricate process injection routines, and other complex interfaces (Falliere, Murchu and Chien 2011) all wrapped up in “layers of encryption like Russian nesting dolls” (Zetter 2011) – including custom encryption algorithms (Karnouskos 2011). As the malware spread across the now-infected network it had to utilize additional vulnerabilities in proprietary Siemens industrial control software (ICS) and hardware used to control the equipment it was designed to sabotage. Some of these ICS vulnerabilities were published but some were unknown and required such a high degree of inside knowledge that there was speculation that a Siemens employee had been involved in the malware design (Kerr, Rollins and Theohary 2010). The unprecedented technical complexity of the Stuxnet cyber-weapon, along with the extensive technical and financial resources and foreign

intelligence capabilities required for its development and deployment, indicates that the malware was likely developed by a nation-state (Kerr, Rollins and Theohary 2010). Stuxnet had very limited attack vectors. When a computer system is connected to the public Internet a host of attack vectors are available to the cyber-attacker (Institute for Security Technology Studies 2002). Web browser and browser plug-in vulnerabilities, cross-site scripting attacks, compromised email attachments, peer-to-peer applications, operating system and other application vulnerabilities are all vectors for the introduction of malware into an Internetconnected computer system. Networks that are not connected to the public internet are “air gapped,” a technical colloquialism to identify a physical separation between networks. Physical separation from the public Internet is a common safeguard for sensitive networks including classified U.S. government networks. If the target network is air gapped, infection can only occur through physical means – an infected disk or USB device that must be physically introduced into a possibly access controlled environment and connected to the air gapped network. The first step of the Stuxnet cyber-attack was to initially infect the target networks, a difficult task given the probable disconnected and well secured nature of the Iranian nuclear facilities.

40

Zero Days Negative – MI 7Stuxnet was introduced via a USB device to the target network, a method that suggests that the attackers were familiar with the configuration of the network and knew it was not connected to the public Internet (Chen 2010). This assessment is supported by two rare features in Stuxnet – having all necessary functionality for industrial sabotage fully embedded in the malware executable along with the ability to self-propagate and upgrade through a peer-to-peer method (Falliere, Murchu and Chien 2011). Developing an understanding of the target network

configuration was a significant and daunting task based on Symantec’s assessment that Stuxnet repeatedly targeted a total of five different organizations over nearly one year (Falliere, Murchu and Chien 2011) with physical introduction via USB drive being the only available attack vector. The final factor in assessing the threat of a cyber-weapon is the resilience of the weapon. There are two primary factors that make Stuxnet non-resilient: the complexity of the weapon and the complexity of the target. Stuxnet was highly customized for sabotaging specific industrial systems (Karnouskos 2011) and needed a large number of very complex components and routines in order to increase its chance of success (Falliere, Murchu and Chien 2011). The malware required eight vulnerabilities in the Windows operating system to succeed and therefore would have failed if those vulnerabilities had been properly patched; four of the eight vulnerabilities were known to Microsoft and subject to elimination (Falliere, Murchu and Chien 2011). Stuxnet also required that two drivers be installed and required two stolen security certificates for installation (Falliere, Murchu and Chien 2011); driver installation would have failed if the stolen certificates had been revoked and marked as invalid. Finally, the configuration of systems is ever-changing as components are upgraded or replaced. There is no guarantee that the network that was mapped for vulnerabilities had not changed in the months, or years, it took to craft Stuxnet and successfully infect the target network. Had specific components of the target hardware changed – the targeted Siemens software or programmable logic controller – the attack would have failed. Threats are less of a threat when identified; this is why zero-day exploits are so valuable. Stuxnet went to great lengths to hide its existence from the target and utilized multiple rootkits, data manipulation routines, and virus avoidance techniques to stay undetected. The malware’s actions occurred only in memory to avoid leaving traces on disk, it masked its activities by running under legal programs, employed layers of encryption and code obfuscation, and uninstalled itself after a set period of time, all efforts to avoid detection because its authors knew that detection meant failure. As a result of the complexity of the malware, the changeable nature of the target network, and the chance of discovery, Stuxnet is not a resilient system. It is a fragile weapon that required an investment of time and money to constantly monitor, reconfigure, test and deploy over the course of a year. There is concern, with Stuxnet developed and available publicly, that the world is on the brink of a storm of highly sophisticated Stuxnet-derived cyber-weapons which can be used by hackers, organized criminals and terrorists (Chen 2010). As former counterterrorism advisor Richard Clarke describes it, there is concern that the technical brilliance of the United States “has created millions of potential monsters all over the world” (Rosenbaum 2012). Hyperbole aside, technical knowledge spreads. The techniques behind cyber-attacks are “constantly evolving and making use of lessons learned over time” (Institute for Security Technology Studies 2002) and the publication of the Stuxnet code may make it easier to copy the weapon (Kerr, Rollins and Theohary 2010). However, this is something of a zero-sum game because knowledge works both ways

and cyber-security techniques are also evolving , and “understanding attack techniques more clearly is the

first step toward increasing security” (Institute for Security Technology Studies 2002). Vulnerabilities are discovered and patched, intrusion detection and malware signatures are expanded and updated, and monitoring and analysis processes and methodologies are expanded and honed. Once the element of surprise is lost, weapons and tactics are less useful , this is the core of the argument that “uniquely

surprising” stratagems like Stuxnet are single-use, like Pearl Harbor and the Trojan Horse, the “very success [of these attacks] precludes their repetition” (Mueller 2012). This paradigm has already been seen in the “son of Stuxnet” malware – named Duqu by its discoverers – that is based on the same modular code platform that created Stuxnet (Ragan 2011). With the techniques used by Stuxnet now known, other variants such as Duqu are being discovered and countered by security researchers (Laboratory of Cryptography and System Security 2011). It is obvious that the effort required to create, deploy, and maintain Stuxnet and its variants is massive and it is not clear that the rewards are worth the risk and effort. Given the location of initial infection and the number of infected systems in Iran (Falliere, Murchu and Chien 2011) it is believed that Iranian nuclear facilities were the target of the Stuxnet weapon. A significant amount of money and effort was invested in creating Stuxnet but yet the expected result – assuming that this was an attack that expected to damage production – was minimal at best. Iran claimed that Stuxnet caused only minor damage, probably at the Natanz enrichment facility, the Russian contractor Atomstroyeksport reported that no damage had occurred at the Bushehr facility, and an unidentified “senior diplomat” suggested that Iran was forced to shut down its centrifuge facility “for a few days” (Kerr, Rollins and Theohary

41

Zero Days Negative – MI 72010). Even the most optimistic estimates believe that Iran’s nuclear enrichment program was only delayed by months, or perhaps years (Rosenbaum 2012). The actual damage done by Stuxnet is not clear (Kerr, Rollins and Theohary 2010) and the primary damage appears to be to a higher number than average replacement of centrifuges at the Iran enrichment facility (Zetter 2011). Different targets may produce different results. The Iranian nuclear facility was a difficult target with limited attack vectors because of its isolation from the public Internet and restricted access to its facilities. What is the probability of a successful attack against the U.S. electrical grid and what are the potential consequences should this critical infrastructure be disrupted or destroyed? An attack against the electrical grid is a reasonable threat scenario since power systems are “a high priority target for military and insurgents” and there has been a trend towards utilizing commercial software and integrating utilities into the public Internet that has “increased vulnerability across the board” (Lewis 2010). Yet the increased vulnerabilities are mitigated by an

increased detection and deterrent capability that has been “honed over many years of practical application” now that power systems are using standard, rather than proprietary and specialized, applications and components (Leita and Dacier 2012). The security of the electrical grid is also enhanced by increased awareness after a smart-grid hacking demonstration in 2009 and the identification of the Stuxnet malware in 2010; as a result the public and private sector are working together in an “unprecedented effort” to establish robust security guidelines and cyber security measures (Gohn and Wheelock 2010).

42

Zero Days Negative – MI 71NC RUSSIAN MODERNIZATION

Europe contains Russian aggressionBandow 12 [Doug, senior fellow at the Cato Institute, specializing in foreign policy and civil liberties, “Op Ed: NATO and Libya: It’s Time To Retire a Fading Alliance,” 1/2/2012, http://feb17.info/editorials/op-ed-nato-and-libya-its-time-to-retire-a-fading-alliance] //khirn

The Cold War required an extraordinary defense commitment from the U.S. But no longer. Europe still matters, but it faces no genuine military threat. Whatever happens politically in Moscow, there will be no Red Army pouring armored divisions through Germany’s Fulda Gap. Washington has much to worry about, but Europe is not on the list. Of course, the Europeans still have geopolitical concerns. Civil wars in the Balkans and Libya threatened refugee flows and economic disruption. However, the Europeans are capable of handling such issues. Potentially more dangerous is the situation in Eastern Europe and beyond, most notably Georgia and Ukraine. But not dangerous to America. The U.S. has survived most of its history with these lands successively part of the Russian Empire and the Soviet Union. Nor is there any evidence that Russia wants to forcibly reincorporate its “lost” territories into a renewed Soviet empire. Rather, Moscow appears to have retrogressed to a “great power” like Imperial Russia. The new Russia is concerned about international respect and border security. Threaten that, and war might result, as Georgia learned in 2008.

No impact because Russian elites know US strength will returnKuchins 11 [Andrew, Director of the Russia and Eurasia Program at the Center for Strategic and International Studies in Washington, D.C., “Reset expectations: Russian assessments of U.S. power,” http://csis.org/files/publication/110613_kuchins_CapacityResolve_Web.pdf] //khirn

Like the U.S.-Russia relationship, Russian elite perceptions of U.S. power and role in the world have experienced great volatility in the past 20 years. How durable is the current Russian perception that not only is the United States less threatening but is pursuing policies far more accommodating to Russian interests? And because we are entering a new Russian (and American) presidential cycle in the

coming year, to what extent does possible de facto leadership change in Moscow matter? There is no definitive answer to this

question, but from reviewing the last ten years or so since Vladimir Putin first became the Russian president, my conclusion is that U.S. policies will be a far more important factor in effecting Russian leader and elite views of the United States than who the next Russian president is. The Russian perspective on U.S. power and role in the world did not change during the last two years because Dmitri Medvedev replaced Vladimir Putin as president of Russia. The Russian perspective changed because of the impact of the global

economic crisis and changes in Obama administration policies of greatest interest to Moscow. Russian elites are unsure about the durability of U.S. power capacity, but they have seen the United States renew itself in the wake of global foreign and economic setbacks in, for example, the 1980s. Russians are as aware as anybody of the current fiscal challenges of the United States and the questions about whether the U.S. political system will be capable of managing to resolve them. They are also watching closely the political commitment of the United States to stabilize Afghanistan. If the United States manages progress on these domestic and foreign policy fronts and, more important, continues to pursue a pragmatic set of policies that accommodate some of Russia’s core interests, then the current trend toward a more positive assessment of U.S. power and growing cooperation on a wide variety of issues will continue. In other words, we are the critical independent variable.

43

Zero Days Negative – MI 7

OCO’S ADVANTAGE

44

Zero Days Negative – MI 71NC TREATIES/NORMS

Current mechanisms solve—any real treaty would be impossible to enforceLindsay 12 [Jon Lindsay, a research fellow at the University of California Institute on Global Conflict and Cooperation at UC-San Diego; June 8, 2012; “International Cyberwar Treaty Would Quickly Be Hacked to Bits,” USNews.com; http://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/international-cyberwar-treaty-would-quickly-be-hacked-to-bits] //khirn

A cyberweapon (like Stuxnet, which damaged Iranian uranium enrichment) is not like a nuclear bomb or a gun that can be used to damage many different types of targets all around the world. Traditional weapons can be tested on a range, stockpiled in an arsenal, and fired predictably at their targets in wartime. A cyberweapon, by contrast, must be carefully engineered against any particular target, and this requires a lot of intelligence, technical expertise, test infrastructure, and operational management. A cyberattack is less like a strategic bombing attack delivered by a formidable force of airplanes and missiles and more like a special operation staged by a daring band of commandos far behind enemy lines. A cyberweapon for espionage (like the spyware Duqu and Flame) likewise require lots of planning and expertise to control. Covert operations are risky gambles (they might fail or be compromised if mistakes in planning or execution are made), and the damage they cause is far more unpredictable than that of traditional weapons. States resort to covert action options only when they don't have the will or ability (for either material or political reasons) to use overt force. When states act covertly, they break the domestic laws of other states (which is why spies can be caught and tried). Usually states moderate their ambitions for covert action because they don't want to trigger escalatory retaliation in the event the operation is compromised. Cyberoperations, like other types of intelligence and covert operations, take place in the shadows. An international treaty on cyberweapons would be like an international treaty against espionage and covert action. This is totally unenforceable , since such activity is designed to evade detection and attribution. The rhetoric of cyberwar is frightening, but the reality is more complicated. A world without cyberweapons is probably more desirable, but an international treaty is not the way to get there. I am not a lawyer (I write as an international security scholar), but I suspect that existing international law of war and legal mechanisms for managing covert operations in this country are probably sufficient, or at most need just marginal adjustments, in order to deal with the problems posed by cyberweapons. Cyberwar is not a revolutionary development, but a complicating electronic elaboration on clandestine and covert operations, and states have been conducting these for centuries.

Opponents would cheatLewis 12 [James, Director of the Technology and Public Policy Program at the Center for Strategic and International Studies, June 8, 2012, “A Cybersecurity Treaty is a Bad Idea,” USNews.com, http://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/a-cybersecurity-treaty-is-a-bad-idea] //khirn

With all the excitement over Flame, Stuxnet, and the rest, a spokesperson for the Russian government has called for a global cybersecurity treaty. It's a bad idea that dates back to the 1990s. Back then, American academics proposed a complex legal instrument for cybersecurity whose distant ancestor appeared to be to the Kellogg-Briand Pact of the 1920s, where nations renounced war as an instrument of policy. A cybertreaty made about as much sense. Russia also proposed a cybertreaty about the same time, and introduced a draft in the United Nations in what was to become a recurring annual exercise that could never quite achieve consensus. A cybertreaty at first attracted support in the General Assembly, but there has been no progress because cybertreaties are unimplementable. How would any country address serious issues in treaty compliance and verification for cyber capabilities? A cybersecurity treaty would be unworkable if it went much beyond the existing constraints on the use of force found in international laws, if only because potential opponents are likely to cheat and it would be hard to detect this . Important definitional issues have never been resolved, probably because they are unresolvable. A commitment to limit "information weapons" is not very useful if you cannot say what they are, and efforts to define these "weapons" quickly run afoul of the overwhelmingly commercial use and availability of information technologies. Is a teenager with a laptop a

45

Zero Days Negative – MI 7weapon? How about a newspaper or magazine? A few countries would say yes. The international community has always looked studiously away from any treaty trying to banning espionage—it's a nonstarter, and Russia is the leading opponent of any real agreement to cooperate in fighting cybercrime. The idea of a treaty did not make sense in the 1990s and it does not make sense now. There are serious discussions underway on reducing the risk of cyberconflict, including bilateral talks between the United States and Russia, and the United States and China. The United Nation has a group of experts meeting later this summer. Many regional groups, like the Organization for Security and Co-operation in Europe or the Asian Regional Forum are talking about norms, confidence building measures and other kinds of agreement to limit cyber attack. Countries recognize that there is increasing risk that cyber incidents like Flame could lead to misperception or miscalculation that could escalate into more damaging conflict. But a treaty? Kellogg Briand is still in force and there has never been a war since, has there?

46

Zero Days Negative – MI 71NC CYBERWAR

Deterrence and rapid response checkFox 11 [Assistant Editor, InnovationNewsDaily, 2 July 2011, “Why Cyberwar Is Unlikely ,” http://www.securitynewsdaily.com/cyberwar-unlikely-deterrence-cyber-war-0931] //khirn

In the two decades since cyberwar first became possible, there hasn't been a single event that politicians, generals and security experts agree on as having passed the threshold for strategic cyberwar. In fact, the attacks that have occurred have fallen so far short of a proper cyberwar that many have begun to doubt that cyberwarfare is even possible. The reluctance to engage in strategic cyberwarfare stems mostly from the uncertain results such a conflict would bring, the lack of motivation on the part of the possible combatants and their shared inability to defend against counterattacks . Many of the systems that an aggressive cyberattack would damage are actually as valuable to

any potential attacker as they would be to the victim. The five countries capable of large-scale cyberwar (Israel,

the U.S., the U.K., Russia and China) have more to lose if a cyberwar were to escalate into a shooting war than they would gain from a successful cyberattack. "The half-dozen countries that have cyber capability are deterred from cyberwar because of the fear of the American response. Nobody wants this to spiral out of control ," said James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International Studies in Washington, D.C. "The countries that are capable of doing this don't have a reason to," Lewis added. "Chinese officials have said to me, 'Why would we bring down Wall Street when we own so much of it?' They like money almost as much as we do." Big deterrent: retaliation Deterrence plays a major factor in preventing cyberwar. Attacks across the Internet would favor the aggressor so heavily that no country has developed an effective defense. Should one country initiate a cyberattack, the victim could quickly counter-attack, leaving both countries equally degraded, Lewis told InnovationNewsDaily. Even if an attacker were to overcome his fear of retaliation, the low rate of success would naturally give him pause. Any cyberattack would target the types of complex systems that could collapse on their own, such as electrical systems or banking networks. But experience gained in fixing day-to-day problems on those systems would allow the engineers who maintain them to quickly undo damage caused by even the most complex cyberattack , said George Smith, a senior fellow at Globalsecurity.org in Alexandria, Va. "You mean to tell me that the people who work the electrical system 24 hours a day don't respond to problems? What prevents people from turning the lights right back on?" Smith told SecurityNewsDaily. "And attacks on the financial system have always been a non-starter for me. I mean, [in 2008] the financial system attacked the U.S.!"

No real cyber aggression – it’s paranoiaBarnett 13 [Thomas, special assistant for strategic futures in the DOD's Office of Force Transformation from 2001 to 2003, chief analyst for Wikistrat, March/April 2013, “Think Again: The Pentagon,” Foreign Policy, http://www.foreignpolicy.com/articles/2013/03/04/the_pentagon?page=full] //khirn

As for cyber serving as a stand-alone war-fighting domain, there you'll find the debates no less theological in their intensity. After serving as senior managing director for half a dozen years at a software firm that specializes in securing supply chains, I'm deeply skeptical . Given the uncontrollable nature of cyberweapons (see: Stuxnet's many permutations), I view them as the 21st century's version of chemical weapons -- nice to have, but hard to use. Another way to look at it is to simply call a spade a spade: Cyberwarfare is nothing more than espionage and sabotage updated for the digital era. Whatever cyberwar turns out to be in the national security realm, it will always be dwarfed by the industrial variants -- think cyberthieves, not cyberwarriors. But you wouldn't know it from the panicky warnings from former Defense Secretary Leon Panetta and the generals about the imminent threat of a "cyber Pearl Harbor."

47

Zero Days Negative – MI 7Reject their lashout impact – nobody’s that stupidLewis 10 [James Andrew, “The Cyber War Has Not Begun,” Center for Strategic and International Studies, March, csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf] //khirn

Expanded attention to cybersecurity is a good thing, but it seems that it is difficult to discuss this topic without exaggeration. We are not in a „cyber war ‟ . War is the use of military force to attack another nation and damage or destroy its capability and will to resist. Cyber war would involve an effort by another nation or a politically motivated group to use cyber attacks to attain political ends. No nation has launched a cyber attack or cyber war against the United States. Indeed, it would be a bold nation that would do so. A deliberate attack on the United States could

trigger a violent if not devastating response. No nation would be foolish enough to send a missile ,

aircraft or commando team to attack critical infrastructure in this country. The same logic applies to cyber attack. Foreign leaders will not lightly begin a war with the United States and the risk of cyber war is too high for frivolous or spontaneous engagement.

Zero impact to cyber-attacks --- overwhelming consensus of qualified authors goes negGray 13 [Colin S., Prof. of International Politics and Strategic Studies @ the University of Reading and External Researcher @ the Strategic Studies Institute @ the U.S. Army War College, April, “Making Strategic Sense of Cyber Power: Why the Sky Is Not Falling,” U.S. Army War College Press, http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1147.pdf] //khirn

CONCLUSIONS AND RECOMMENDATIONS: THE SKY IS NOT FALLING This analysis has sought to explore, identify, and explain the strategic meaning of cyber power. The organizing and thematic question that has shaped and driven the inquiry has been “So what?” Today we all do cyber, but this behavior usually has not been much informed by an understanding that reaches beyond the tactical and technical. I have endeavored to analyze in strategic terms what is on offer from the largely technical and tactical literature on cyber. What can or might be done and how to go about doing it are vitally important bodies of knowledge. But at least as important is understanding what cyber, as a fifth domain of warfare, brings to national security when it is considered strategically. Military history is stocked abundantly with examples of tactical behavior un - guided by any credible semblance of strategy. This inquiry has not been a campaign to reveal what cy ber can and might do; a large literature already exists that claims fairly convincingly to explain “how to . . .” But what does cyber power mean, and how does it fit strategically, if it does? These Conclusions and Rec ommendations offer some understanding of this fifth geography of war in terms that make sense to this strategist, at least. 1. Cyber can only be

an enabler of physical effort. Stand-alone (popularly misnamed as “strategic”) cyber action is inherently grossly limited by its immateriality. The physicality of conflict with cyber’s human participants and mechanical artifacts has not been a

passing phase in our species’ strategic history. Cyber action, quite independent of action on land, at sea, in the air, and in orbital space, certainly is possible. But the strategic logic of such behavior, keyed to anticipated success in tactical achievement, is not promising. To date, “What if . . .” speculation about strategic cyber attack usually is either contextually too light, or, more

often, contextually unpersuasive . 49 However, this is not a great strategic truth, though it is a judgment advanced with considerable confidence. Although societies could, of course, be hurt by cyber action, it is important not to lose touch with the fact, in Libicki’s apposite words, that “[i]n the absence of physical combat, cyber war cannot lead to the occupation of territory. It is almost inconceivable that a sufficiently vigorous cyber war can overthrow the adversary’s government and replace it with a more pliable one.” 50 In the same way that the concepts of sea war, air war, and space war are fundamentally unsound, so also the idea of cyber war is unpersuasive. It is not impossible, but then, neither is war conducted only at sea, or in the air, or in space. On the one hand, cyber war may seem more probable than like environmentally independent action at sea or in the air. After all,

cyber warfare would be very unlikely to harm human beings directly , let alone damage physically the machines on which they depend. These near-facts (cyber attack might cause socially critical machines to behave in a rogue manner with damaging physical consequences) might seem to ren - der cyber a safer zone of belligerent engagement than would physically violent action in other domains. But most likely there would be serious uncertainties pertaining to the consequences of cyber action, which must include the possibility of escalation into other domains of conflict. Despite popular assertions to the contrary, cyber is not likely to prove a precision weapon anytime soon. 51 In addition, assuming that the political and strategic contexts for cyber war were as serious as surely they would need to be

to trigger events warranting plausible labeling as cyber war, the distinctly limited harm likely to follow from cyber assault would hardly appeal as prospectively effective coercive moves. On balance, it is most probable that cyber’s strategic future in war will be as a contribut - ing enabler of effectiveness of physical efforts in the other four geographies of conflict. Speculation about cyber war, defined strictly as hostile action by net - worked computers against networked computers, is hugely unconvincing. 2.

Cyber defense is difficult, but should be sufficiently effective. The structural advantages of the offense in cyber conflict are as obvious as they are easy to overstate. Penetration and exploitation , or

48

Zero Days Negative – MI 7even attack, would need to be by surprise. It can be swift almost beyond the imagination of those encultured by the traditional demands of physical combat. Cyber attack may be so stealthy that it escapes notice for a long while, or it might wreak digital havoc by com - plete surprise. And need one emphasize, that at least for a while, hostile cyber action is likely to be hard (though not quite impossible) to attribute with a cy - berized equivalent to a “smoking gun.” Once one is in the realm of the catastrophic “What if . . . ,” the world is indeed a frightening place. On a personal note, this defense analyst was for some years exposed to highly speculative briefings that hypothesized how unques - tionably cunning plans for nuclear attack could so promptly disable the United States as a functioning state that our nuclear retaliation would likely be still - born. I should hardly need to add that the briefers of these Scary Scenarios were obliged to make a series of Heroic Assumptions. The literature of cyber scare is more than mildly reminiscent of the nuclear attack stories with which I was assailed in the 1970s and 1980s. As one may observe regarding what Winston Churchill wrote of the disaster that was the Gallipoli campaign of 1915, “[t]he terrible ‘Ifs’ accumulate.” 52 Of course, there are dangers in the cyber domain. Not only are there cyber-competent competitors and enemies abroad; there are also Americans who make mistakes in cyber operation. Furthermore, there are the manufacturers and constructors of the physical artifacts behind (or in, depending upon the preferred definition) cyber - space who assuredly err in this and that detail.

The more sophisticated—usually meaning complex—the code for cyber, the more certain must it be that mistakes both lurk in the program and will be made in digital communication. What I have just outlined minimally is not a reluc - tant admission of the fallibility of cyber, but rather a statement of what is obvious and should be anticipat - ed about people and material in a domain of war. All human activities are more or less harassed by friction and carry with them some risk of failure, great or small. A strategist who has read Clausewitz, especially Book One of On War , 53 will know this. Alternatively, anyone who skims my summary version of the general theory of strategy will note that Dictum 14 states explicitly that “Strategy is more difficult to devise and execute than are policy, operations, and tactics: friction of all kinds comprise phenomena inseparable from the mak - ing and execution of strategies.” 54 Because of its often widely distributed character, the physical infrastruc - ture of an enemy’s cyber power is typically, though not invariably, an impracticable target set for physical assault. Happily, this probable fact should have only annoying consequences. The discretionary nature and therefore the variable possible characters feasible for friendly cyberspace(s), mean that the more danger - ous potential vulnerabilities that in theory could be the condition of our cyber-dependency ought to be avoidable at best, or bearable and survivable at worst. Libicki offers forthright advice on this aspect of the subject that deserves to be taken at face value: [T]here is no inherent reason that improving informa - tion technologies should lead to a rise in the amount of critical information in existence (for example, the names of every secret agent). Really critical information should never see a computer; if it sees a computer, it should not be one that is networked; and if the computer is networked, it should be air-gapped. Cyber defense admittedly is difficult to do, but so is cyber offense. To quote Libicki yet again, “[i]n this medium [cyberspace] the best defense is not necessarily a good offense; it is usually a good defense.” 56 Unlike the geostrategic context for nuclear-framed competition in U.S.–Soviet/Russian rivalry, the geographical domain of cyberspace definitely is defensible. Even when the enemy is both clever and lucky, it will be our own design and operating fault if he is able to do more than disrupt and irritate us temporarily. When cyber is contextually regarded properly— which means first, in particular, when it is viewed as but the latest military domain for defense planning—it should be plain to see that cyber performance needs to be good enough rather than perfect. 57 Our Landpower, sea power, air power, and

prospectively our space systems also will have to be capable of accepting combat damage and loss, then recovering and carrying on. There is no fundamental reason that less should be demanded of our cyber power. Second, given that cyber is not of a nature or potential character at all likely to parallel nuclear dangers in the menace it could con - tain, we should anticipate international cyber rivalry to follow the competitive dynamic path already fol - lowed in the other domains in the past. Because the digital age is so young, the pace of technical change and tactical invention can be startling. However, the mechanization RMA of the 1920s and 1930s recorded reaction to the new science and technology of the time that is reminiscent of the cyber alarmism that has flour - ished of

recent years. 58 We can be confident that cyber defense should be able to function well enough , given the strength of political, military, and commercial motivation for it to do so. The technical context here is a medium that is a constructed one, which provides air-gapping options for choice regarding the extent of networking. Naturally, a price is paid in convenience for some closing off of possible cyberspace(s), but all important defense decisions involve choice, so what is novel about that? There is nothing new about accepting some limitations on utility as a price worth paying for security. 3. Intelligence is critically important, but informa - tion should not be overvalued. The strategic history of cyber over the past decade confirms what we could know already from the science and technology of this new domain for conflict. Specifically, cyber power is not technically forgiving of user error. Cyber warriors seeking criminal or military benefit require precise information if their intended exploits are to succeed. Lucky guesses should not stumble upon passwords, while efforts to disrupt electronic Supervisory Con - trol and Data

Acquisition (SCADA) systems ought to be unable to achieve widespread harmful effects. But obviously there are practical limits to the air-gap op - tion, given that control (and command) systems need to be networks for communication. However, Internet connection needs to be treated as a potential source of serious danger. It is one thing to be able to be an electronic nuisance, to annoy, disrupt, and perhaps delay. But it is quite another to be capable of inflicting real persisting harm on the fighting power of an enemy. Critically important military computer networks are, of course, accessible neither to the inspired amateur outsider, nor to the malignant political enemy. Easy passing reference to a hypothetical “cyber Pearl Harbor” reflects both poor history and ignorance of contemporary military common sense. Critical potential military (and other) targets for cyber attack are extremely hard to access and influence (I believe and certainly hope), and the technical knowledge, skills, and effort required to do serious harm to national security is forbiddingly high. This is not to claim, foolishly, that cyber means absolutely could not secure near-catastrophic results. However, it is to say that such a scenario is extremely improbable . Cyber defense is advancing all the time, as is cyber offense, of course. But so discretionary in vital detail can one be in the making of cyberspace, that confidence—real confidence—in cyber attack could not plausibly be high. It should be noted that I am confining this particular discussion to what rather idly tends to be called cyber war. In political and strategic practice, it is unlikely that war would or, more importantly, ever could be restricted to the EMS. Somewhat rhetorically, one should pose the question: Is it likely (almost anything, strictly, is possible) that cyber war with the potential to inflict catastrophic

49

Zero Days Negative – MI 7damage would be allowed to stand unsupported in and by action in the other four geographical domains of war? I believe not. Because we have told ourselves that ours uniquely is the Information Age, we have become unduly respectful of the potency of this rather slippery catch-all term. As usual, it is helpful to contextualize the al - legedly magical ingredient, information, by locating it properly in strategic history as just one important element contributing to net strategic effectiveness. This mild caveat is supported usefully by recognizing the general contemporary rule that information per se harms nothing and nobody. The electrons in cyber - ized conflict have to be interpreted and acted upon by physical forces (including agency by physical human beings). As one might say, intelligence (alone) sinks no ship; only men and machines can sink ships! That said, there is no doubt that if friendly cyber action can infiltrate and misinform the electronic informa - tion on which advisory weaponry and other machines depend, considerable warfighting advantage could be gained. I do not intend to join Clausewitz in his dis - dain for intelligence, but I will argue that in strategic affairs, intelligence usually is somewhat uncertain. 59 Detailed up-to-date intelligence literally is essential for successful cyber offense, but it can be healthily sobering to appreciate that the strategic rewards of intelligence often are considerably exaggerated. The basic reason is not hard to recognize. Strategic success is a complex endeavor that requires adequate perfor - mances by many necessary contributors at every level of conflict (from the political to the tactical). When thoroughly reliable intelligence on the en - emy is in short supply, which usually is the case, the strategist finds ways to compensate as best he or she can. The IT-led RMA of the past 2 decades was fueled in part by the prospect of a quality of military effec - tiveness that was believed to flow from “dominant battle space knowledge,” to deploy a familiar con - cept. 60 While there is much to be said in praise of this idea, it is not unreasonable to ask why it has been that our ever-improving battle space knowledge has been compatible with so troubled a course of events in the 2000s in Iraq and Afghanistan. What we might have misunderstood is not the value of knowledge, or of the information from which knowledge is quarried, or even the merit in the IT that passed information and knowledge around. Instead, we may well have failed to grasp and grip understanding of the whole context of war and strategy for which battle space knowledge unquestionably is vital. One must say “vital” rather than strictly essential, because relatively ignorant armies can and have fought and won despite their ig - norance. History requires only that one’s net strategic performance is superior to that of the enemy. One is not required to be deeply well informed about the en - emy. It is historically quite commonplace for armies to fight in a condition of more-than-marginal reciprocal and strategic cultural ignorance. Intelligence is king in electronic warfare, but such warfare is unlikely to be solely, or even close to solely, sovereign in war and its warfare, considered overall as they should be. 4. Why the sky will not fall. More accurately, one should say that the sky will not fall because of hostile action against us in cyberspace unless we are improb - ably careless and foolish. David J. Betz and Tim Ste vens strike the right note when they conclude that “[i]f cyberspace is not quite the hoped-for Garden of Eden, it is also not quite the pestilential swamp of the imagination of the cyber-alarmists.” 61 Our understanding of cyber is high at the technical and tactical level, but re - mains distinctly rudimentary as one ascends through operations to the more rarified altitudes of strategy

and policy. Nonetheless, our scientific, technological, and tactical knowledge and understanding clearly indicates that the sky is not falling and is unlikely to fall in the future as a result of hostile cyber action. This analysis has weighed the more technical and tactical literature on cyber and concludes, not simply on balance , that cyber alarmism has little basis save in the imagination of the alarmists. There is military and civil peril in the hostile use of cyber, which is why we must take cyber security seriously, even to the point of buying redundant capabilities for a range of command and control systems. 62 So seriously should we regard cyber danger that it is only prudent to as - sume that we will be the target for hostile cyber action in future conflicts, and that some of that action will promote disruption and uncertainty in the damage it will cause. That granted, this analysis recommends strongly that the U.S. Army, and indeed the whole of the U.S. Government, should strive to comprehend cyber in context. Approached in isolation as a new technol - ogy, it is not unduly hard to be over impressed with its potential both for good and harm. But if we see networked computing as just the latest RMA in an episodic succession of revolutionary changes in the way information is packaged and communicated, the computer-led IT revolution is set where it belongs, in historical context. In modern strategic history, there has been only one truly game-changing basket of tech - nologies, those pertaining to the creation and deliv - ery of nuclear weapons. Everything else has altered the tools with which conflict has been supported and waged, but has not changed the game. The nuclear revolution alone raised still-unanswered questions about the viability of interstate armed conflict. How - ever, it would be accurate to claim that since 1945, methods have been found to pursue fairly traditional political ends in ways that accommodate nonuse of nuclear means, notwithstanding the permanent pres - ence of those means. The light cast by general strategic theory reveals what requires revealing strategically about networked computers. Once one sheds some of the sheer wonder at the seeming miracle of cyber’s ubiquity, instanta - neity, and (near) anonymity, one realizes that cyber is just another operational domain, though certainly one very different from the others in its nonphysi - cality in direct agency. Having placed cyber where it belongs, as a domain of war, next it is essential to recognize that its nonphysicality compels that cyber should be treated as an enabler of joint action, rather than as an agent of military action capable of behav - ing independently for useful coercive strategic effect. There are stand-alone possibilities for cyber action, but they are not convincing as attractive options either for or in opposition to a great power, let alone a superpower. No matter how intriguing the scenario design for cyber war strictly or for cyber warfare, the logic of grand and military strategy and a common sense fueled by understanding of the course of strategic history, require one so to contextualize cyber war that its independence is seen as too close to absurd to merit much concern.

Cyberwar won’t escalate – low probability, current defense checks, and too difficult to coordinateGartzke & Lindsay, PhD, 15 (Erik (Associate professor at UC San Diego) and Jon R (PhD at MIT), June 22,2015, Weaving Tangled Webs: Offense,Defense, and Deception in Cyberspace, Taylor and Francis Online, http://www.tandfonline.com/doi/full/10.1080/09636412.2015.1038188#.VYsDgvlVhBc, pg. 325) /AMarbIndeed, the US Department of Defense gets attacked ten million times a day; a US university receives a hundred thousand Chinese attacks per day; and one firm measures three thousand distributed denial of service (DDoS) attacks per day worldwide.23 In reality, however, most of these so-called attacks are just routine probes by automated networks of compromised computers (botnets) run by profit-seeking criminals or spy bureaucracies—a far cry from terrorism or military assault. The most alarming scenarios of a “digital Pearl Harbor” or

50

Zero Days Negative – MI 7“cyber 9/11” have yet to materialize despite decades of warning. The Stuxnet worm caused limited and temporary disruption of Iran’s nuclear program in the late 2000s, the only known historical case of infrastructure damage via deliberate cyber attack, but this operation seems to reveal more about the strategic limitations of cyber war than its potency.24 The cyber revolution should presumably provide rivals with potent new tools of influence, yet actual cyber disputes from 2001 to 2011 remain restrained and regionalized, not disruptive and global.25 Computer espionage and nuisance cybercrime thrive, to be sure, but they are neither as prevalent nor as costly as they might be, leading skeptics to describe US losses as “a rounding error” in a fifteen trillion dollar economy.26 It is possible in principle that the same tools used for computer-network exploitation may one day be leveraged for more destructive strikes. Yet even if the nontrivial operational challenges of cyber war can be overcome, proponents of the cyber-revolution thesis have yet to articulate convincing strategic motives for why a state or non-state actor might actually use cyber capabilities effectively.27 A considerable shortage of evidence in the study of cyber conflict is thus a source both of concern and relief. That cyber war remains unusual is puzzling in light of the widely held belief that offense is easier than defense in cyberspace. A straightforward implication of the notable scarcity of cyber war would be that, contrary to conventional wisdom, cyberspace is defense dominant for some reason. More carefully stated, since clearly there is much mischief online, offense dominance may exist only for nuisance attacks that are rarely strategically significant, such as piracy, espionage, and “hacktivist” protest, even as the Internet is defense dominant for more harmful or complicated forms of attack. Serious cyber attacks against complicated infrastructure require considerable intelligence preparation, test and evaluation infrastructure, planning capacity, technical expertise, and complementary military or non-cyber intelligence assets.28 If so, it would be a categorical error to mistake the frequency of irritant activity for a more general tendency toward offense dominance across the entire cyber domain.

Cyber doom is not coming, only gradual and miniscule threats that can’t be eliminatedLawson, 154/05/2015, Sean Lawson is Associate Professor in the Department of Communication at the University of Utah. “The Death of Cyber Doom? Not So Fast,” http://www.forbes.com/sites/seanlawson/2015/04/05/the-death-of-cyber-doom-not-so-fast/

For decades, we have heard a lot of talk from American officials, industry experts, and others about the supposed threat of a “cyber 9/11,” “cyber Pearl Harbor,” “cyber Katrina,” or even “cyber Sandy.” In short, we have been warned repeatedly that “cyber doom” is coming. Indeed, as recently as this fall, cyber doom was in the news as a result of the cyber attack on Sony. But the latest World Wide Threat Assessment (WWTA) [PDF] presented to Congress by the Director of National Intelligence, Gen. James Clapper, says that “Cyber Armageddon“ is unlikely. Rather, the assessment “foresee[s] an ongoing series of low-to-moderate level cyber attacks form a variety of sources over time, which will impose costs on US economic competitiveness and national security.” This threat, it says, “cannot be eliminated; rather, cyber risk must be managed.” Some have argued that such scenarios were always about threat inflation and fear mongering and have applauded the admission by intelligence officials who once trafficked in such rhetoric that these scenarios are unlikely after all. Has the era of cyber doom fear mongering come to an end? Not likely. Key intelligence officials, like NSA Director Admiral Michael Rogers are still using this rhetoric. Just three days before the release of WWTA, Rogers defined “cyber Pearl Harbor” and said that one had already occurred. Asked to define a ’cyber Pearl Harbor’, a phrase used in 2012 by then-Defense Secretary Leon Panetta, Rogers replied: ‘An action directed against infrastructure within the United States that leads to significant impact—whether that’s economic, whether that’s in our ability to execute our day-to-day functions as a society, as a nation.’ He added that the hack of Sony Pictures Entertainment last November met that dire criteria. Movie studios fit into the U.S. government’s broad definition of critical infrastructure. With this comment, Admiral Rogers follows in the footsteps of Amit Yoran, former head of the Department of Homeland Security’s National Cyber Security Division, who claimed in 2009, “Cyber 9–11 has happened over the last 10 years, but it’s happened slowly so we don’t see it.” Of course, there was no evidence then that anything like 9/11 had occurred in or through cyberspace, just as the hack of Sony is nothing like Pearl Harbor now. Why do such outrageous claims persist even in the face of contradictory evidence and assessments? One reason is that, despite claims to the contrary, the use of “cyber doom” is primarily about emotions not facts. Its function is to motivate a response through the use of fear, not to describe accurately the true nature of the threat and its likely impacts. Among those who use cyber doom rhetoric when speaking in public or to the media, there is often a disconnect between the threat as implied in that rhetoric and the diagnosis of threats that these same individuals provide in more formal settings like threat assessments for Congress. For example, though Admiral Rogers warned publicly of “cyber Pearl Harbor” in February 2015, less than a month later, in his testimony to Congress, his description of the cyber threats facing the United States focused primarily on censorship as a threat to “Internet freedom,” theft of intellectual

51

Zero Days Negative – MI 7property, and disruption of networks and access to information. Cyber attacks against critical infrastructure were mentioned, but as in the past, were framed as a “potential” future threat that could “perhaps” result in sabotage during a wider conflict (page 10). Diagnosing the cyber threat as primarily about espionage, theft, and disruption while simultaneously relying on doom scenarios out of step with that diagnosis has been a feature of U.S. public policy discourse on this issue since at least 2008. And as long as officials believe there is still a need to motivate a response, cyber doom will continue to be a feature of U.S. public policy discourse on cyber security, even if their own assessments find such scenarios unlikely.

52

Zero Days Negative – MI 72NC CYBERWAR

Cyberwar won’t happen – countries will go for low risk rewards and its costly Gartzke & Lindsay, PhD, 15 (Erik (Associate professor at UC San Diego) and Jon R (PhD at MIT), June 22,2015, Weaving Tangled Webs: Offense,Defense, and Deception in Cyberspace, Taylor and Francis Online, http://www.tandfonline.com/doi/full/10.1080/09636412.2015.1038188#.VYsDgvlVhBc, pg. 345) /AMarbThe asymmetric actors featured in cybersecurity discourse—rogue states, lone hackers, criminals, and terrorists—will tend to focus on the low-risk, low-reward bonanza and avoid deception-dominant high-risk, high-reward operations. Advanced industrial states will also partake in low-risk, lowreward espionage and harassment in cyberspace. Capable countries will, however, employ risky computer network attacks against lucrative targets only when they are willing and able to follow them up or backstop them with conventional military power. Because intelligence is costly and its exploitation is complicated, wealthier and larger states tend to have more sophisticated, robust intelligence capacities. Only capable actors, such as major powers, are likely to be able to master the complex tango of deception and counter-deception necessary to execute high-intensity operations. Powerful actors have an operational advantage in cyberspace. Even then, the frequency of complex and risky action should still be relatively low.

Cyber attacks not a threat for near futureHealey, 13 (March 20, 2013, “No, Cyberwarfare Isn't as Dangerous as Nuclear War,” Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council. www.usnews.com/opinion/blogs/world-report/2013/03/20/cyber-attacks-not-yet-an-existential-threat-to-the-us)America does not face an existential cyberthreat today, despite recent warnings. Our cybervulnerabilities are undoubtedly grave and the threats we face are severe but far from comparable to nuclear war. The most recent alarms come in a Defense Science Board report on how to make military cybersystems more resilient against advanced threats (in short, Russia or China). It warned that the "cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War." Such fears were also expressed by Adm. Mike Mullen, then chairman of the Joint Chiefs of Staff, in 2011. He called cyber "The single biggest existential threat that's out there" because "cyber actually more than theoretically, can attack our infrastructure, our financial systems." While it is true that cyber attacks might do these things, it is also true they have not only never happened but are far more difficult to accomplish than mainstream thinking believes. The consequences from cyber threats may be similar in some ways to nuclear, as the Science Board concluded, but mostly, they are incredibly dissimilar. Eighty years ago, the generals of the U.S. Army Air Corps were sure that their bombers would easily topple other countries and cause their populations to panic, claims which did not stand up to reality. A study of the 25-year history of cyber conflict, by the Atlantic Council and Cyber Conflict Studies Association, has shown a similar dynamic where the impact of disruptive cyberattacks has been consistently overestimated. Rather than theorizing about future cyberwars or extrapolating from today's concerns, the history of cyberconflict that have actually been fought, shows that cyber incidents have so far tended to have effects that are either widespread but fleeting or persistent but narrowly focused. No attacks, so far, have been both widespread and persistent. There have been no authenticated cases of anyone dying from a cyber attack. Any widespread disruptions, even the 2007 disruption against Estonia, have been short-lived causing no significant GDP loss. Moreover, as with conflict in other domains, cyberattacks can take down many targets but keeping them down over time in the face of determined defenses has so far been out of the range of all but the most dangerous adversaries

53

Zero Days Negative – MI 7such as Russia and China. Of course, if the United States is in a conflict with those nations, cyber will be the least important of the existential threats policymakers should be worrying about. Plutonium trumps bytes in a shooting war. This is not all good news. Policymakers have recognized the problems since at least 1998 with little significant progress. Worse, the threats and vulnerabilities are getting steadily more worrying. Still, experts have been warning of a cyber Pearl Harbor for 20 of the 70 years since the actual Pearl Harbor. The transfer of U.S. trade secrets through Chinese cyber espionage could someday accumulate into an existential threat. But it doesn't seem so seem just yet, with only handwaving estimates of annual losses of 0.1 to 0.5 percent to the total U.S. GDP of around $15 trillion. That's bad, but it doesn't add up to an existential crisis or "economic cyberwar."

No impact to cyber warWeimann, 2004 (Gabriel is on the Department of Communication at the University of Haifa, “Cyberterrorism How Real Is the Threat?” http://www.usip.org/ pubs/specialreports/sr119.pdf, December 2004)It seems fair to say that the current threat posed by cyberterrorism has been exaggerated. No single instance of cyberterrorism has yet been recorded; U.S. defense and intelligence computer systems are air-gapped and thus isolated from the Internet; the systems run by private companies are more vulnerable to attack but also more resilient than is often supposed; the vast majority of cyberattacks are launched by hackers with few, if any, political goals and no desire to cause the mayhem and carnage of which terrorists dream. So, then, why has so much concern been expressed over a relatively minor threat? The reasons are many. First, as Denning has observed, "cyberterrorism and cyberattacks are sexy right now. . . . [Cyberterrorism is] novel, original, it captures people's imagination." Second, the mass media frequently fail to distinguish between hacking and cyberterrorism and exaggerate the threat of the latter by reasoning from false analogies such as the following: "If a sixteen-year-old could do this, then what could a well-funded terrorist group do?" Ignorance is a third factor. Green argues that cyberterrorism merges two spheres—terrorism and technology—that many people, including most lawmakers and senior administration officials, do not fully understand and therefore tend to fear. Moreover, some groups are eager to exploit this ignorance. Numerous technology companies, still reeling from the collapse of the high-tech bubble, have sought to attract federal research grants by recasting themselves as innovators in computer security and thus vital contributors to national security. Law enforcement and security consultants are likewise highly motivated to have us believe that the threat to our nation's security is severe. A fourth reason is that some politicians, whether out of genuine conviction or out of a desire to stoke public anxiety about terrorism in order to advance their own agendas, have played the role of prophets of doom. And a fifth factor is ambiguity about the very meaning of "cyberterrorism," which has confused the public and given rise to countless myths.

54

Zero Days Negative – MI 72NC FEAR MONGERING

The us government uses fear mongering to exaggerate cyberwar greatlyRid, 13(March 13, 2013, “The Great Cyberscare,” http://foreignpolicy.com/2013/03/13/the-great-cyberscare/ Thomas Rid is a professor in the Department of War Studies at King’s College London.

The White House likes a bit of threat. In his State of the Union address, Barack Obama wanted to nudge Congress yet again into passing meaningful legislation. The president emphasized that America's enemies are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many a participant in the cybersecurity debate reckons that puffery pays off. The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same." A reminder is in order: The world has yet to witness a single casualty, let alone fatality, as a result of a computer attack. Such statements are a plain insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all a bit of fear helps to claim -- or keep -- scarce resources when austerity and cutting seems out-of-control. The report recommended allocating the stout sum of $2.5 billion for its top two priorities alone, protecting nuclear weapons against cyberattacks and determining the mix of weapons necessary to punish all-out cyber-aggressors. Then there are private computer security companies. Such firms, naturally, are keen to pocket some of the government's money earmarked for cybersecurity. And hype is the means to that end. Mandiant's much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But instead of using cocky and over-confident language, Mandiant's analysts should have used Words of Estimative Probability, as professional intelligence analysts would have done. An example is the report's conclusion, which describes APT1's work: "Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai -- two of which are allocated directly to the Pudong New Area," the report found. Unit 61398 of the People's Liberation Army is also in Pudong. Therefore, Mandiant's computer security specialists concluded, the two were identical: "Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that Pudong is not a small neighborhood ("right outside of Unit 61398's gates") but in fact a vast city landscape twice the size of Chicago. Mandiant's report was useful and many attacks indeed originate in China. But the company should have been more careful in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm made it too easy for Beijing to dismiss the report. My class in cybersecurity at King's College London started poking holes into the report after 15 minutes of red-teaming it -- the New York Times didn't. Which leads to the next point: The media want to sell copy through threat inflation. "In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually published two supportive articles on it and pointed out that a major offensive cyber capability now seemed essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style cyberattack that has actually created physical damage -- Stuxnet -- was actually executed by the United States government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report; instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation's fiercest watchdogs too often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security establishment.

55

Zero Days Negative – MI 72NC RETALIATION

Attribution difficulty makes retaliation highly improbableKrepinivich 12 [Andrew, President of the Center for Strategic and Budgetary Assessments, “CYBER WARFARE A “NUCLEAR OPTION”?, Center for Strategic and Budgetary Assessments] //khirn

As the discussion of attack attribution earlier in this report suggests, for at least the near term the source of a nuclear attack is far more likely to be identified than the source of a cyber attack. The difficulty in determining attribution of a cyber attack is a significant and perhaps enduring character of cyber warfare. This is due in part to the potential large number of actors that can execute cyber attacks, and to the relative ease by which cyber attackers can mask the origins of an at- tack. To date even substantial efforts to determine attribution of a sophisticated attack have not produced a “smoking gun” level of evidence, and have taken con- siderable time and resources to pursue. 237 This suggests that in the case of a cyber attack whose purpose is to inflict catastrophic destruction, the victim may have difficulty determining its source. To the extent this is the case, the victim will also want to avoid being deceived into engaging in a catalytic war by retaliating against the apparent source of an attack that was actually conducted by a third party. Moreover, cyber weapons could also be employed to trigger a catalytic nu- clear war in other ways; for example, by feeding false information into a state’s early warning system to spoof operators into believing their country is under attack when in fact it is not. 238 It seems unlikely that nuclear weapons could be employed to trigger a catalytic cyber war, at least given the current state of nuclear proliferation. This may change as more states or even groups acquire nuclear weapons. 23

56

Zero Days Negative – MI 72NC STATUS QUO SOLVES

IDSs Solve for monitoring Balon-Perin & Gamback 13 – Software Engineer and Professor in Language Technology at Norwegian University of Science and Technology (Alexandre, Bjorn, 2013, Ensembles of Decision Trees for Network Intrusion Detection System, International Journal on Advances in Security, vol 6 no 1 & 2,http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69, pg. 62) /AMarbIntrusion detection systems (IDSs) are monitoring devices that have been added to the wall of security in order to prevent malicious activity on a system. Here we will focus on network intrusion detection systems mainly because they can detect the widest range of attacks compared to other types of IDSs. In particular the paper discusses machine learning based mechanisms that can enable the network IDS to detect modified versions of previously seen attacks and completely new types of attacks [1].

Algorithms help detect zero-day vulnerabilities Balon-Perin & Gamback 13 – Software Engineer and Professor in Language Technology at Norwegian University of Science and Technology (Alexandre, Bjorn, 2013, Ensembles of Decision Trees for Network Intrusion Detection System, International Journal on Advances in Security, vol 6 no 1 & 2,http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69, pg. 63) /AMarbThe most popular technique of unsupervised learning is clustering, where the algorithm exploits the similarity of the examples in order to form clusters or groups of instances. Examples belonging to the same cluster are assumed to have similar properties and belong to the same class. In contrast to supervised learning, disadvantages of unsupervised learning include manual choice of the number of cluster that the algorithm must form, lower accuracy of the prediction, and that the meaning of each cluster must be interpreted to understand the output. However, unsupervised learning is more robust to large variations. This is a very important advantage when applied to the problem of intrusion detection, since it means that unsupervised learning is able to generalize to new types of attacks much better than supervised learning. In particular, this property could be quite beneficial when trying to detect zero-day vulnerabilities.

57

Zero Days Negative – MI 72NC US STRIKES FIRST

Cyber war is inevitable—US will strike first Clarke 12 former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States (Richard A., Cyber War: The Next Threat to National Security and What to Do About It, p.26 4/20/10) | jsThe perception that cyberspace is a “domain” where fighting takes place, a domain that the U.S. must “dominate,” pervades American military thinking on the subject of cyber war. The secret-level National Military Strategy for Cyber Operations (partially declassified as a result of a Freedom of Information Act request) reveals the military’s attitude toward cyber war, in part because it was written as a document that we, the citizens, were never supposed to see. It is how they talk about it behind the closed doors of the Pentagon. What is striking in the document is not only the acknowledgment that cyber war is real, but the almost reverential way in which it is discussed as the keystone holding up the edifice of modern war-fighting capability. Because there are so few opportunities to hear from the U.S. military on cyber war strategy, it is worth reading closely the secret-level attempt at a cyber war strategy. The document, signed out under a cover letter from the Secretary of Defense, declares that the goal is “to ensure the US military [has] strategic superiority in cyberspace.” Such superiority is needed to guarantee “freedom of action” for the American military and to “deny the same to our adversaries.” To obtain superiority, the U.S. must attack, the strategy declares. “Offensive capabilities in cyberspace [are needed] to gain and maintain the initiative.” At first read, the strategy sounds like a mission statement with a bit of zealotry thrown in. On closer examination, however, the strategy reflects an understanding of some of the key problems created by cyber war. Speaking to the geography of cyberspace, the strategy implicitly acknowledges the sovereignty issue (“the lack of geopolitical boundaries…allows cyberspace operations to occur nearly anywhere”) as well as the presence of civilian targets (“cyberspace reaches across geopolitical boundaries…and is tightly integrated into the operations of critical infrastructure and the conduct of commerce”). It does not, however, suggest that such civilian targets should be off-limits from U.S. attacks. When it comes to defending U.S. civilian targets, the strategy passes the buck to the Department of Homeland Security. The need to take the initiative, to go first, is dictated in part by the fact that actions taken in cyberspace move at a pace never before experienced in war (“cyberspace allows high rates of operational maneuver…at speeds that approach the speed of light…. [It] affords commanders opportunities to deliver effects at speeds that were previously incomprehensible”). Moreover, the strategy notes that if you do not act quickly, you may not be able to do so because “a previously vulnerable target may be replaced or provided with new defenses with no warning, rendering cyberspace operations less effective.” In short, if you wait for the other side to attack you in cyberspace, you may find that the opponent has, simultaneously with their attack, removed your logic bombs or disconnected the targets from the network paths you expected to use to access them. The strategy does not discuss the problems associated with going first or the pressure to do so.

58

Zero Days Negative – MI 7AT: CHINA IMPACT

No China cyber warGoldsmith 10 [Jack, teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at Stanford University, “The New Vulnerability,” New Republic, June 7, 2010, http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability] //khirn

There is much to agree with in Clarke’s analysis, including his description of the absorption of cyber weapons into all aspects of military planning, his account of the secret cyber-arms race among nations, and his assessment of America’s cyber-security weaknesses, especially in its privately owned critical infrastructure sectors. But there are problems as well. The first is with his obsessive focus on cyber war. There is little doubt that several nations have significant offensive cyber capacities that could in theory cause enormous destruction. What Clarke never adequately explains is why nations would use these weapons in this way. Yes, China is stockpiling cyber weapons and planning for cyber war. But so, too, is the United States. Capacities and contingency plans, taken alone, do not add up to a serious threat. There must also be a plausible scenario in which a nation has the motivation to use these weapons. Clarke addresses this issue briefly, in trying to explain why China might destroy American infrastructure by means of a cyber attack even though “China’s dependence on U.S. markets for its manufactured goods and the trillions the country has invested in U.S. treasury bills mean that China would have a lot to lose.” His explanation is weak. He says that the United States and China might be drawn into a war over Taiwan or the oil-rich islands in the South China Sea. Perhaps. But it is hard to imagine that China would wipe out the New York Stock Exchange or the electrical grid of the East Coast unless it were in a total war over those islands--the sort of war that would also involve enormously destructive non-cyber weapons, including even nuclear weapons. This does not mean we should stop worrying about China’s offensive cyber weapons. Clarke is right that these weapons might (like China’s conventional forces) deter the United States from intervening against China in a Pacific Rim contest. But he should also acknowledge that this deterrent is weakened by China’s dependency on a functioning American economy, which significantly reduces the credibility of its cyber threat. It is also true, as Clarke argues, that the stealth cyber-arms race, the difficulty of knowing for sure which nation is behind a cyber attack, and the absence of norms to govern such attacks combine to create an unstable situation in which destructive cyber activities might escalate by accident. We should indeed worry about cyber war. But Clarke does not justify his central claim that cyber war is in fact the most serious cyber threat, the one we should worry most about and take the most aggressive steps to meet. His error is to focus on the worst-case cyber-war scenario without a hard-nosed assessment of its likelihood, and without comparing its expected harms, given its small likelihood, with the expected total harms from other smaller but more likely cyber threats. A cyber-attack threat that Clarke appears to understate comes from terrorists, some of whom have powerful motives to destroy our domestic infrastructure and nothing to lose from doing so. For years the government insisted that Al Qaeda and its friends lacked the technological capacity to inflict cyber attacks and had shown no interest in doing so. “Cyber terrorism is largely a red herring,” says Clarke, repeating the old government line. But some have worried that Al Qaeda might purchase cyber capabilities on the black market. And while Clarke’s book was in production, the government changed its tune. In November, the FBI announced that it was investigating individuals affiliated with Al Qaeda “who have recognized and discussed the vulnerabilities of U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities from outside of their close-knit circles.” There is a good case to be made that the greatest cyber threats are not cyber-attacks by states or terrorists, but rather cyber espionage and cyber theft. Private cyber criminals are growing in numbers and sophistication, and they are causing enormous economic damage. Presumably the efficiencies of online banking and stock trading (to take two out of thousands of examples) still outweigh the costs of these criminal activities, but the balance of benefits to costs is probably shrinking. Consumer trust in online activities--an essential ingredient for successful e-commerce

and more generally for the continued flourishing of the Internet-- is certainly shrinking . In contrast to the very uncertain

motives that states have to engage in cyber war, untold and growing thousands of cyber criminal miscreants have powerful incentives to steal from American firms, and are doing so daily. And so, too, are states. “The extent of Chinese government hacking against U.S., European, and Japanese industries and research facilities is without precedent in the history of espionage,” Clarke notes. “The secrets behind everything from pharmaceutical formulae, to bioengineering designs, to nanotechnology, to weapons systems, to everyday industrial products have been taken by the People’s Liberation Army and been given to China, Inc.” Clarke provides no convincing explanation why China would jeopardize this economic bonanza and its economic prosperity more generally by destroying the networks that make this massive wealth transfer possible. Nor does he explain why he thinks the serious damage caused by ongoing public and private cyber espionage and cyber theft should be less feared than the possible evils of a cyber war.

59

Zero Days Negative – MI 7

60

Zero Days Negative – MI 7

OFFCASE ARGUMENTS

61

Zero Days Negative – MI 7

ADVANTAGE COUNTERPLANS

62

Zero Days Negative – MI 71NC OVERSIGHT CP

The United States federal government should: -support and increase encryption efforts in US companies;-move the NSA Information Assurance Directorate to the Department of Homeland Security;-establish executive and public oversight over the disclosure of zero-day exploits and vulnerabilities.

Counterplan solves the case and avoids the deterrence DA Nojeim 13 (Greg Nojeim, former Associate Director and Chief Legislative Counsel of the ACLU’s Washington Legislative Office. Greg graduated from the University of Rochester in 1981 with a B.A. in Political Science. He received his J.D. from the University of Virginia in 1985 and sat on the Editorial Board of the Virginia Journal of International Law. He is now the senior counsel and director of the freedom, security, and technology project. “Sweeping Review Group Recommendations Will Fuel NSA Reform Effort”, https://cdt.org/blog/sweeping-review-group-recommendations-will-fuel-nsa-reform-effort, December 18, 2013 )//CLi

The Review Group’s report rightly recognizes the importance of strong encryption to the proper functioning of the Internet. It indicates that it found no systematic effort by the NSA to undermine the security of communications by coercing companies to build in backdoors to the Internet-based services they offer or by inserting backdoors surreptitiously. Documents released by Edward Snowden and interviews with industry officials reportedly showed the opposite, including that the NSA “began collaborating with technology companies in the United States and abroad to build entry points into their products,” as the New York Timesreported on September 5. My colleague, Joseph Lorenzo Hall, blogged about concerns from the cryptographic community that the NSA may have attempted to undermine the NIST cryptographic standard, SHA-3. These concerns came on the heels of allegations that the NSA deliberately inserted a backdoor into a particular random number generator. The Review Group did not address these

reports. It did, however, make three important statements and recommendations about cybersecurity and encryption: Support

Strong Encryption and Secure Software. The Review group said in no uncertain terms in Recommendation 29 that

the U.S. should “fully support and not undermine efforts to create encryption standards ; not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and, increase the use of encryption and urge US companies to do so , in order to better protect data in

transit, at rest, in the cloud, and in other storage.” These are exceedingly strong statements that recognize that global online commerce, infrastructure , and increasingly social activity are mediated by products that must be secure so people can trust them when they are used . Much of the uncertainty in recent months about the surveillance disclosures has centered around how secure or insecure are the products and services we use every day at work and at home. The Review Group’s ringing support for secure communications, software, and interoperable standards go some way towards reducing this uncertainty. Its recommendation that the government not subvert the security of commercial software is particularly welcome. Move NSA’s Cybersecurity Activities To a Different DOD Element. NSA has two conflicting missions: breaking into the computers and networks of foreign adversaries and securing the computer networks of elements of the U.S. intelligence community and certain government contractors. The NSA’s Information Assurance Directorate does the cybersecurity work and the Review Group recommended (Recommendation 25) this function be removed from NSA to the Department of Defense (DOD). Cisco, for example, recently reported that its overseas business was being hurt by a perception that NSA was

requiring it and other companies to build in backdoors so the NSA could listen in. Remov ing the Information Assurance Directorate from the NSA could enhance trust in its mission and in the products the Directorate helps make more secure . However, the Directorate would stay within the

Department of Defense, which could diminish the desired effect of this move. Putting the cybersecurity function where it belongs, at the Department of Homeland Security or at the Department of Commerce would have been a more effective reform and refute inferences that the separation of these functions was not

63

Zero Days Negative – MI 7sufficient. Disclose Zero Day Vulnerabilities . Like other intelligence agencies, and like commercial and other hackers, the NSA uses software vulnerabilities to gain access to computers and steal information from adversaries. The most useful vulnerabilities are the “zero day” vulnerabilities – those that have never been exploited before, and which the software maker therefore has not yet developed and distributed to users a patch for the vulnerability. When the NSA discovers a zero day vulnerability, it has a decision to make: does it sit on it and use the vulnerability to gain access to an adversary’s computer, or does it reveal the vulnerability to the software maker so it can be patched? Or, to put it another way, does NSA’s intelligence collection mission trump its cybersecurity mission when it comes to zero days? The Review Group’s recommendation is that cybersecurity should almost always win out and that such vulnerabilities should be immediately disclosed to the software manufacturer, except in very narrow cases with very tight oversight from the White House. The presumption is that NSA will inform the software so a patch can be fashioned, but that in rare instances, the intelligence community could briefly exploit a zero day for a high priority target before informing the software manufacturer.

64

Zero Days Negative – MI 72NC OVERSIGHT SOLVES

Public oversight is crucial to solve Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn

C. Providing Oversight P187 There is potential danger that an operationalized exploit may proliferate past its intended target. Stuxnet n267 provides an interesting case in point. Although aimed at Iran, the malware spread to computers in other countries, including India and Indonesia. n268 It is unclear from the public record how this happened. It may have been due to a flaw in the code, as Sanger contends; n269 alternatively, it may have been foreseeable but unavoidable collateral damage from the means chosen to launch the attack against Iran. Either possibility, though, represents a process that may be acceptable for a military or intelligence operation but is unacceptable for law enforcement. Only the legally authorized target should be put at risk from the malware used. P188 Given the public policy issues raised by the use of vulnerabilities, it would be appropriate to have public accountability on the use of this technique. For example, annual reports on vulnerability use similar to the AO's Wiretap Reports, presenting such data as: How many vulnerabilities were used by law enforcement in a given year? Were they used by federal or state and local? Was the vulnerability subsequently patched by the vendor, and how quickly after being reported? Was the vulnerability used by anyone outside of law enforcement? Was the vulnerability exploited outside law enforcement during the period that law enforcement was aware of the problem but had not yet told the vendor? Did the operationalized vulnerability spread past its intended target? What damages occurred from its exploitation? Making such information open to public analysis should aid in decisions about the right balance between efficacy and public safety. n270

Cp solves the entirety of case—oversight and transparency key to trustFidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

3.4.3 Analysis of the Potential Application of Oversight Mechanisms to U.S. Government Zero Day Vulnerability Purchase and Use Existing zero-day oversight stems from the executive branch. No evidence publicly exists that legislative or judicial mechanisms have yet dealt with zero-day vulnerabilities. The Obama administration has set

standards to encourage greater disclosure of vulnerabilities to companies, and could continue to augment that policy. An executive order or presidential policy directive could establish common definitions and policies across agencies . 423 Executive branch oversight has a significant amount of flexibility in placing effective procedural limits on zero-day vulnerability use. In terms of expanding

existing executive oversight for zero-day vulnerabilities, an executive order could , for instance, require the approval of the president or an executive branch department head on certain kinds of purchase, use, or disclosure of vulnerabilities. It could also facilitate cooperation between agencies to facilitate greater price transparency between competing government purchasers , an idea I will address further in the next section. Scott Charney of Microsoft suggests additional possibilities: “you can do things like an Inspector General’s report, an outside review, and independent audit by cleared people.”424 Charney emphasizes that what you really want is “rigor over the equities process...for there to be a real bias toward defense,” but that the real challenge is “how do you convince outside people that the process has rigor?”425 In sum, executive oversight is a relatively available path to increased oversight and is more easily adapted to changing

65

Zero Days Negative – MI 7circumstances than legislative and judicial oversight. Executive oversight may lack public transparency, but a congressional or judicial approach would also be 423 It is possible that classified executive mechanisms such as executive orders or presidential policy directives already exist pertaining to the zero-day field. 424 Charney. 425 Charney. 109 considerably shrouded from public view in light of the involvement of intelligence and military equities. The judicial review mechanisms addressed here, primarily FISA/FISC, deal with the authorization of foreign intelligence activities. As such, they are tool-neutral: foreign intelligence surveillance enabled by a zero-day vulnerability or via wiretapping would likely be treated the same by this statute and court. Given this aspect, there is not an obvious role for judicial oversight of use or purchase of zero-day vulnerabilities. Establishing FISC oversight over purchase, use, or disclosure of zero-days is not in keeping with the judiciary’s role in this context and would likely be opposed by the intelligence community as heavy-handed and unnecessary. The intelligence community would likely, and perhaps rightly, question whether an operation carried out using a purchased zero-day vulnerability deserves greater judicial scrutiny than other operations. Congressional action could also implement controls on when and how zero-days can be bought and used. Congressional action could be used to impose the limits discussed in the executive oversight section: limits on purchase, use, and disclosure of zero-day vulnerabilities. It could also require reporting to relevant Congressional committees when a zero-day is not disclosed. Congressional oversight provides an avenue for longer-lasting oversight regimes, in contrast with more easily alterable executive orders, and also could be accompanied by additional funding for oversight or the threat of cutting off appropriations if the executive branch fails to follow oversight rules. However, congressional oversight is likely politically difficult to achieve. Snowden has made most cyber topics politically fraught, and Congress is currently generally perceived as dysfunctional. Beyond these political considerations, congressional oversight has traditionally 110 been reserved for oversight programs with a broader purview, such as establishing principles that apply to all foreign intelligence activities or covert operations, not principles that apply just a specific tool. 3.4.4 Select Possibilities for Expanded Executive Branch Oversight of Zero-Day Vulnerabilities Taking into account the three major forms for oversight and the NSA Review Panel’s recommendations, this section presents several specific examples of the broader categories of oversight examined above. These models have been developed through conversations and interviews with experts. They are not intended to serve as policy recommendations, but rather, they demonstrate the range and flexibility the mechanisms could possess and specifically target the holes in the current policy that this research has demonstrated. Particularly, these sketches attempt to synthesize an oversight approach that could address both use and purchase of zero-day vulnerabilities, whereas current oversight seems to focus exclusively on appropriate disclosure. This section previously analyzed oversight of executive branch actions through executive branch oversight, judicial review, and legislative action. Based on the emerging culture of executive oversight of zero-days and its advantages of relatively easy implementation and alteration, oversight established by the executive branch appears to have the most promise as a zero-day oversight mechanism. The first potential way to expand

executive oversight would be to encourage increased transparency of government practices. Transparency is a typical first-stage oversight approach and could take a variety of forms. Currently, U.S. government agencies seem to make zero-day purchases separately, without coordination, potentially bidding prices up.426 To address this issue, one possible transparency mechanism might be to have government agencies that purchase 111 zero-days participate in a registry available to other agencies, where prices for purchases are listed.427 Economists have demonstrated that price transparency generally leads to lower and more uniform prices, although effects vary depending on the product.428,429,430 To address bidding wars that drive prices extremely high or low, Jonathan Mayer suggested mitigating competition by also instituting “a priority list, so if DEA [Drug Enforcement Agency] and NSA bid on a vulnerability, NSA could get it.”431 This shared-list mechanism would be a form of buyer coordination, which has been demonstrated as one way of achieving lower prices.432,433 Intelligence agencies have so far resisted public disclosure of prices paid for zero-day vulnerabilities, redacting this information from documents released through the Freedom of Information Act, but buyer coordination could represent a middle path, hopefully resulting in lower prices for purchasing agencies while not requiring public sharing of price lists.434 Transparency mechanisms can be criticized for weakness. Mayer suggests several mechanisms that could help ensure transparency mechanisms are more than gestures. As one example, he could envision a policy that states “after three years, zero-days will be banned, but at two years a report is due, which leaves a year to decide whether to keep the ban or not” on the I credit Chris Soghoian for the original inspiration for this idea. 428 Austin, D. Andrew, and Gravelle, Jane G. “Does Price Transparency Improve Market Efficiency? Implications of Empirical Evidence in Other Markets for the Health Sector.” Congressional Research Service. 29 April 2008, 2. 429 Bloomfield, Robert, and O’Hara, Maureen. “Market Transparency: Who Wins and Who Loses?” Review of Financial Studies 12.1 (1999): 5-35. 430 In financial and online markets, especially price comparison sites for insurance and airline tickets, transparency has been demonstrated to generally decrease prices (see Austin & Gravelle, 2). In some market structures, particularly those involving intermediate goods or middlemen, price transparency can make strategic bargaining and collusion easier for the sellers, raising prices (See Austin & Gravelle, 7). 431 Mayer. 432 Phillips, Owen R., Menkhaus, Dale J., and Coatney, Kalyn T. “Collusive Practices in Repeated English Auctions: Experimental Evidence on Bidding Rings.” The American Economic Review 93.3 (2003): 965-979, 965. 433 United States Department of Agriculture. “Assessment of the Cattle and Hog Industries Calendar Year 2000.” Grain Inspection, Packers, and Stockyards Administration. June 2001, 30. 434 NSA-Vupen Contract. 112 basis of how well the players are responding to the transparency mechanisms.435 However, Mayer concedes, “politically speaking, you’re probably not going to be able to get the sword of Damocles to hang over industry right now,” and transparency mechanisms would likely have only baby teeth, if that.436 Transparency mechanisms for the seller-side of the trade are also worth exploring. I will only briefly address these here, because industry oversight would require Congressional action, and this section primarily focuses on potential paths to executive oversight. Possible public private transparency measures might include requiring a vendor to report to the government if a vulnerability they sold or discovered is used in an illegal attack.437 Alternatively, a vendor could be required to inform the government if a vulnerability they sold or discovered is subsequently found by a second party.438 Other potential public-private transparency building mechanisms are conceivable; these represent a few possibilities. This topic would be fruitful to explore in further research. Beyond transparency, executive oversight could be used to strengthen the equities process for disclosure of vulnerabilities, extending what was recently announced. Particularly, instituting a post-use or post-

66

Zero Days Negative – MI 7stockpiling review process could ensure frequent reevaluation of vulnerabilities that were exempted from disclosure during first-round review . This review process could make sure that the original national security need exempting the vulnerability from disclosure continues to validate keeping the vulnerability undisclosed.

Cp solves net better—aff’s all or nothing approach leaves us vulnerable to terroristsErwin 15 (Marshall was the intelligence specialist at the Congressional Research Service, focusing upon National Security Agency surveillance leaks and legislative changes to the FISA statute, non-residential fellow at Stanford University. “An Intelligence Committee Agenda Part III: Zero-day Vulnerability Disclosure” http://www.overtaction.org/2015/01/an-intelligence-committee-agenda-part-iii-zero-day-vulnerability-disclosure/, January 2015)

If those committees want to make a singular, genuine impact on this emerging threat, they should focus on oversight of the Administration’s zero-day vulnerability disclosure process. Zero-day vulnerabilities are flaws in software and hardware that aren’t known to the companies or

developers that make the technology. Those vulnerabilities can provide a useful tool to intelligence services, as well as to criminal groups and other nefarious actors. The Stuxnet computer worm that attacked Iranian centrifuges in 2010 utilized several zero-day vulnerabilities. It has often been suggested that the National Security Agency (NSA) has a huge ‘stockpile’ of such vulnerabilities that it uses to conduct surveillance operations. As valuable as these vulnerabilities might be to intelligence services, they can also become a threat to millions of computer and Internet users in the United States and around the globe if they are present in widely used software and hardware. This is why many have suggested that organizations like NSA should disclose the vulnerabilities they discover and allow the broader public to reap the security benefits of disclosures. In April, in response to apparently unfounded concerns that NSA had known about theHeartbleed vulnerability, the White House Cybersecurity Policy Coordinator Michael Daniel commented publicly about the Administration’s zero-day disclosure process. Here is how he characterized the issues: [T]here are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks. Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area. Daniel went on to describe a “re-invigorated” interagency process put in place in 2014 dedicated to weighing the pros and cons and determining whether a zero-day known to the U.S. government should be disclosed. He also listed nine questions that need to be answered whenever an agency proposes withholding knowledge of a vulnerability. This new processapparently improved upon a process originally established in 2010 and run by NSA. Zero-day vulnerability disclosure decisions require a careful balancing that will be difficult to achieve under the best of circumstances. This is made all the more difficult by the fact that, regardless of whatever process is put in place, incentives will still favor non-disclosure. The benefits of disclosure are broad and global while any cost will be felt acutely by intelligence services that will lose capabilities. The current process in essence

depends on the benign hegemony of the executive branch in cyberspace.

67

Zero Days Negative – MI 71NC REGULATIONS CP

The United States federal government should: require firms that transact in software security vulnerabilities permit the federal

government to participate in any offerings or service they provide the sale of zero-day exploits and vulnerabilities that are unreported to the National Security Agency;

require confidential reporting for transactions zero-day exploits and vulnerabilities; and establish a reward system for researchers who share zero-day vulnerabilities and exploits

with the government.

Counterplan solves zero-day use and boosts cyberdefense --- prevents every 1ac impact Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn

B. Partial Defenses While a complete defense to zero-day attacks is impossible, policymakers can improve cybersecurity with three regulatory moves : (1) mandatory access to public zero-day markets for the federal government, (2) required confidential reporting on transactions by firms in those markets, and (3) a reward system for researchers who share vulnerabilities with the government. [*1085] Congress should pass legislation to implement these measures, and the United States should move to convert unknown unknowns to known unknowns. First, firms that transact in software security vulnerabilities should be required to permit the federal government to participate in any offerings or services they provide, on nondiscriminatory terms. If Vupen, for example, sought to sell zero-day exploits to France's security services, but not to the United States' NSA, that would be problematic. Software security firms should be legally bound to provide paid access to the U.S. government as a necessary condition of continued operation. This would enable the government to develop and deploy countermeasures to at least some zero-day attacks. Congress has taken analogous measures for other potential risks to national security. For example, one cannot obtain a patent for inventions in nuclear materials or weapons, n492 but such inventions are eligible for a governmental reward scheme. n493 And, the statute transfers rights to the invention from the inventor to the federal government. n494 Similarly, export controls restrict private firms' ability to engage in transactions with foreign countries. One may not transfer software utilizing encryption to countries such as Iran or North Korea, n495 and one may not sell certain supercomputers to countries such as China or Russia. n496 These rules apply to all firms within U.S. jurisdiction. Thus, Congress has either mandated or forbidden certain transactions based on national security concerns and could mount a similar effort for zero-day sales . Not all zero-day merchants fall under U.S. jurisdiction or enforcement.

Even those operating abroad, however, likely have contacts with the United States. Vupen's employees, for example, visit the United States. n497 Many, if not all, such firms use financial or payment processing companies that are [*1086] subject to U.S. regulation. Some software companies, such as Microsoft, are eager to access U.S. government data on vulnerabilities and threats and have demonstrated a willingness to provide the NSA with exploit information before making it public. n498 These links provide potential leverage. Congress could attach provisions to this legislation that would allow the executive branch to designate firms that do not provide access to the government and to require banks and payment processors to forgo transactions with them. n499 Analogous measures have been implemented to interdict financing for terrorist groups n500 and have been proposed to deal with websites illegally offering prescription drugs or copyrighted works. n501

68

Zero Days Negative – MI 72NC REGULATIONS CP

Mandated transaction reporting allows effective countermeasures Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn

Second, Congress should mandate a transaction-reporting system for firms trading in vulnerabilities. These companies should have to report, on a confidential basis, the purchaser's identity in all transactions of zero-day exploits to the NSA. This data would remain confidential and should be designated as statutorily immune from discovery or other use unless the NSA expressly chooses to share it. n502 The statute should enable auditing of firms' records by the NSA if the Agency is able to demonstrate an objectively reasonable basis to suspect inaccuracies or falsification. To make this provision less objectionable for the vulnerability merchants, Congress should include payments to the reporting firms. While additional spending [*1087] is politically difficult, this expenditure would be a small but worthwhile investment in security. Similar reporting systems are widely used to mitigate risk. NASA, for example, encourages confidential reporting of "near-miss incidents" - those that nearly resulted in aviation mishaps - to improve safety procedures and detect product defects. n503 Similarly, insurers offering policies for medical malpractice liability must report judgments and settlements to the National Health Practitioner Data Bank. n504 This malpractice information is available for use by state medical licensing boards and federal agencies, but is otherwise confidential. n505 In addition, the Federal Railroad Administration is testing a Confidential Close Call Reporting System to identify risks in rail operations via confidential reporting of near-miss incidents. n506 The Department of Veterans Affairs has a similar reporting system for patient safety. n507 And finally, the Federal Communications Commission has one for network outages. n508 Thus, the federal government already has well-established confidential reporting systems to help manage risk. A zero-day reporting system has several benefits. It would enable the government to detect problematic sales , particularly to unfriendly states and insecure parties. It would increase the effectiveness of countermeasures that mitigate zero-day exploits by providing a rough guide to how widely distributed a particular attack tool is. It would allow the government to identify whether firms follow their stated criteria for sales (such as Vupen's self-imposed limit to NATO countries and clients) and to scrutinize suspect firms more closely. Lastly, it would provide a crude estimate of the ebb and flow of zero-day threats and of the platforms and applications viewed by the merchant as worthy of attention (and payment).

Bug bounty programs solve cyberdefense while boosting effective offensive capacity Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn

Finally, Congress should authorize a "bug bounty" program. n509 Its goal would be to collect zero-day exploits and encourage researchers to sell their [*1088] findings to the U.S. government rather than to private firms or other nation-states. A government agency, such as the NSA or the U.S.

Computer Emergency Readiness Team (CERT), should be provided funds to buy zero-day vulnerability information . n510 The entity selling the exploit, such as a security research firm, would have to certify under penalty of perjury that it had not previously shared the vulnerability information with others and would have to agree contractually not to do so in the future. n511 Congress should consider backing these requirements with substantial criminal penalties as it has done in other contexts. n512 Arms dealers who sell to both sides are held in low esteem. Similar private bounty programs

implemented by Google and Mozilla have had considerable success in identifying and remediating bugs. n513 The funding and amount paid per bug should be generous: removing zero-days from the Internet ecosystem is highly beneficial . Moreover, generous payments will have further positive effects. First, these payments will spur researchers to search for additional bugs. These bugs are like latent defects in

69

Zero Days Negative – MI 7a product - they lurk, creating risk, until they are discovered. Second, paying above-market rates makes it more difficult for others to purchase zero-days. Pushing others out of the zero-day market is useful both offensively and defensively . Offensively, accumulating zero-days provides the United States with the building blocks for future Stuxnets. Defensively, it reduces the likelihood that U.S. firms or government entities will fall victim to attack .

Developing zero-day regulatory frameworks allows for the creation of multilateral frameworksCastelli 14 (Christopher J. Castelli, Senior Correspondent at Inside Cybersecurity, “Report urges policymakers to curb booming cyber-arms sales”, http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/report-urges-policymakers-to-curb-booming-cyber-arms-sales/menu-id-1075.html, January 13, 2014)//CLi

Reining in booming sales of cyber weapons that could threaten critical infrastructure will require policymakers to shield software developers from liability, create export controls and enable prosecutions of digital-arms dealers, a former defense official argues in a new essay. There is a significant risk that hackers could discover and exploit previously unknown weaknesses -- so-called "zero day" vulnerabilities -- in the applications layer of the industrial control systems that underpin the U.S. electric grid and other critical infrastructure sectors, former Pentagon homeland-defense chief Paul Stockton and a co-author write in an essay for the Yale Law and Policy Review. Such exploits could be used to gather sensitive commercial or intelligence information, incapacitate computer systems, or inflict widespread physical damage -- by targeting the air traffic control system to cause collisions, for example, the essay states. A three-step approach is needed to mitigate the risk, according to Stockton and his co-author, Yale Law School student Michele Golabek-Goldman. First, Congress must address the threat's root cause by incentivizing developers of critical software to enhance their products' security, state the authors, who call for amending the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 to extend liability coverage to these developers. Second, U.S. officials and international partners must develop criteria for "illegitimate" sales of zero-day exploits and establish uniform export controls through the Wassenaar Arrangement, the essay states. It credits the Senate Armed Services Committee for raising the visibility of this proliferating threat and for seeking measures to address it. House and Senate authorizers, in their fiscal year 2014 defense authorization bill, included a provision directing the White House to work with industry to develop a policy that would control the proliferation of cyber weapons through various means. How such controls should be structured is unclear, but only a multilateral approach can succeed, the essay argues. The authors say the United States should implement the Wassenaar Arrangement's recommended exploit controls through its Commerce Control List. A significant limitation is that China is not a member of the arrangement, but on the other hand China has made progress in adhering to international norms, the essay states. Finally, the authors contend, Congress should strengthen the capacity to prosecute individuals who sell zero-day exploits targeting critical infrastructure to U.S. adversaries. They urge Congress to amend the Computer Fraud and Abuse Act, the United States' most significant federal computer-crime statute. The amended law should require sellers of zero-day exploits to show that they "reasonably investigated" buyers' backgrounds and had "reasonable grounds to believe" that buyers would not attack industrial control systems -- and it should enable prosecutions of U.S. and foreign vendors who sell zero-day exploits to U.S. persons who deploy them to attack critical infrastructure, the authors write. In some cases, they argue, the United States should be able to extradite researchers abroad who have violated the law.

70

Zero Days Negative – MI 71NC WASSENAAR REGULATIONS CP

The United States federal government should require vendors of zero-day exploits and vulnerabilities to obtain licenses from the Department of Commerce. The United States federal government should propose the creation of new rules controlling exports of zero day vulnerabilities to other members of the Wassenaar Agreement.

Control of øDay sales would deter researchers from exploitationGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, <http://ssrn.com/abstract=2438164>] /eugchenThis multilateral effort would help foster international norms among many nations on illegitimate Øday purchases and build international consensus on states’ responsibility to halt dangerous sales from within their borders. Most importantly, multilateral export controls would increase the costs associated with selling dangerous Ødays to those seeking to deploy them for malicious purposes. Many of the leading gray market firms that sell Ødays are located in Wassenaar member nations, including the United States, Malta, and France.193 These firms would now have to apply for licenses to sell dangerous Ødays, move their operations elsewhere, or risk significant criminal penalties for contravening export controls and operating on the black market. For example, intentional violation of the Export Administration Regulations (“EAR”) would result in criminal penalties of up to $1 million and prison sentences of up to 20 years. 194 Such high penalties—especially if accompanied by stronger enforcement 195—would likely deter many researchers from engaging in illicit transactions. Therefore, as part of a broader effort to stem dangerous Øday sales, creating uniform export controls through the Wassenaar Arrangement would constitute a critical step forward in safeguarding nations from malicious cyber activities.

Collaboration with the international community through the Wassenaar Arrangement key to controlling zero day salesGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchenThe United States should therefore consider collaborating with the international community to develop export control criteria through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”). 148 The Wassenaar Arrangement, which was established in 1996, is a superior alternative to the other three existing multilateral export regimes—the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia Group—for implementing export controls of Øday sales. Since the Nuclear Suppliers Group’s overarching objective is to “prevent nuclear exports for commercial and peaceful purposes from being used to make nuclear weapons,” incorporating controls of Ødays into this arrangement would fall outside the purview of the regime. 149 Likewise, the Missile Technology Control Regime seeks to curb “proliferation of missiles and missile technology,” which is irrelevant for addressing Øday sales. 150 The Australia Group, whose mission is to “ensure that exports do not contribute to the development of chemical or biological weapons,”151 is also ill-suited for curbing indiscriminate sales of Ødays. Unlike these other multilateral export regimes, the Wassenaar Arrangement has a broad mission that could aptly encompass Øday sales: to “contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.”152 The arrangement, which currently includes 41 member nations, strives to achieve this objective by establishing uniform “control lists” of dual-use technologies, sharing information on dual-use transfers, and consulting with members on national export policies and denials of export license applications.153 Wassenaar members could incorporate Øday sales into the Arrangement’s dual-use lists, which already cover certain types of code and software, including encryption software. 154 Furthermore, the Wassenaar Arrangement already provides for controls of “intangible technology,” which members have agreed are “critical to the credibility and effectiveness of [a Participating State’s] domestic export control regime.”155 The Arrangement defines “intangible technology” as “specific information necessary for the ‘development,’ ‘production’ or ‘use’ of a product,” including “technical data or technical assistance.”156 Selling technical knowledge on how to exploit vulnerabilities in computer software appropriately falls under this

71

Zero Days Negative – MI 7definition.157

72

Zero Days Negative – MI 72NC SOLVENCY

Collaboration with the international community through the Wassenaar Arrangement key to controlling zero day salesGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen

The United States should therefore consider collaborating with the international community to develop export control criteria through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”). 148 The Wassenaar Arrangement, which was established in 1996, is a superior alternative to the other three existing multilateral export regimes—the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia Group—for implementing export controls of Øday sales. Since the Nuclear Suppliers Group’s overarching objective is to “prevent nuclear exports for commercial and peaceful purposes from being used to make nuclear weapons,” incorporating controls of Ødays into this arrangement would fall outside the purview of the regime. 149 Likewise, the Missile Technology Control Regime seeks to curb “proliferation of missiles and missile technology,” which is irrelevant for addressing Øday sales. 150 The Australia Group, whose mission is to “ensure that exports do not contribute to the development of chemical or biological weapons,”151 is also ill-suited for curbing indiscriminate sales of Ødays. Unlike these other multilateral export regimes, the Wassenaar Arrangement has a broad mission that could aptly encompass Øday sales: to “contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.”152 The arrangement, which currently includes 41 member nations, strives to achieve this objective by establishing uniform “control lists” of dual-use technologies, sharing information on dual-use transfers, and consulting with members on national export policies and denials of export license applications.153 Wassenaar members could incorporate Øday sales into the Arrangement’s dual-use lists, which already cover certain types of code and software, including encryption software. 154 Furthermore, the Wassenaar Arrangement already provides for controls of “intangible technology,” which members have agreed are “critical to the credibility and effectiveness of [a Participating State’s] domestic export control regime.”155 The Arrangement defines “intangible technology” as “specific information necessary for the ‘development,’ ‘production’ or ‘use’ of a product,” including “technical data or technical assistance.”156 Selling technical knowledge on how to exploit vulnerabilities in computer software appropriately falls under this definition.157

CP effectively regulates øDay sales – deters researchers from engaging in illicit dealsGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen

Since the recent changes were instituted, there has been significant confusion among experts regarding the “intended scope of these clauses.” 164 Some gray market vulnerability research firms, including the French-based VUPEN, broadly interpreted the Wassenaar Arrangement’s new “intrusion software” controls to apply to Øday sales. 165 They therefore immediately took extra precautions by altering their sales policies to comply with the Arrangement’s end-user restrictions. 166 Nevertheless, in recent months, delegates to the Arrangement have clarified that the new inclusion of “intrusion software” is only meant to apply to software deployed to “disseminate and implement intrusion software,” rather than the “malware, rootkits, or exploits” themselves.167 While Øday sales have yet to be regulated under the Arrangement, these recent changes and growing acknowledgement among Wassenaar members that dual use cyber technologies can be deployed to endanger international security should pave the way for future incorporation of Øday sales into the Arrangement’s dual-use lists. Furthermore, it is very revealing that firms such as VUPEN that interpreted the Wassenaar Arrangement’s new controls to govern Øday sales—even if their interpretation was ultimately incorrect—rapidly altered their sales policies. This demonstrates that, unlike regulatory skeptics contend, increasing the risks and penalties associated with indiscriminately selling Ødays can deter researchers from entering into illicit transactions.

73

Zero Days Negative – MI 7Empirics prove control of intangible data is feasibleGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchenSome might counter that it is impractical to control “intangible” data transfers like Ødays. However, the government has successfully limited exports of dangerous technical data for years under the Export Administration Regulations (“EAR”), the International Traffic in Arms Regulations (“ITAR”), and the Atomic Energy Act (“AEA”). 181 It is indisputable that it has the statutory authority to regulate information that can be deployed in the “development,” “production,” or “use” of prohibited defense materials.182 For example, pursuant to these statutes, the government prevents individuals and universities from training or sharing information with foreigners on how to develop a nuclear weapon, missiles, and other dangerous technologies.183 The “intangible” electronic or digital transmission of “blueprints, diagrams, manuals, instructions, [and] software” related to controlled items is also forbidden.184 BIS would be able to deploy the same procedures to control information transfers regarding exploiting vulnerabilities in our nation’s computer systems.***Note BIS= Commerce Department’s Bureau of Industry and Security

74

Zero Days Negative – MI 7AT: CP DOESN’T SOLVE CHINA

The Wassenaar Arrangement would spillover to China and other non-member nationsGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchenWhile this report advocates for designating the PLA and its agents as illegitimate Øday end-users under the Wassenaar Arrangement in order to

safeguard U.S. security interests, it acknowledges the significant disadvantages of this approach and recommends that this issue be the subject of highlevel diplomacy, including meetings at the U.S.-China Strategic Security Dialogue’s Cyber Working Group. One strategy would be for diplomats to highlight both nations’ mutual vulnerability to indiscriminate Øday sales, especially in the realm of cybercrime. For example, although China’s own vulnerability to cyber threats is rarely covered in the press, China is also suffering major economic losses from cybercrime.191 In 2012 alone, cybercrimes such as online identity theft and cyber-enabled fraud cost China approximately $46.4 billion. 192 By stressing these mutual concerns, members of the Wassenaar Arrangement might persuade China to join this aspect of the Wassenaar Arrangement and at least adopt part of the regime’s export control list recommendations for Øday sales. The Wassenaar Arrangement should consider using similar engagement strategies with other non-member states including Pakistan, India, and Israel.

75

Zero Days Negative – MI 7AT: CAN’T CATCH ALL VULNERABILITIES

Catch-all provision would be a safety net to new øday vulnerabilitiesGolabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchenIn addition to enumerating specific categories of Ødays on the Wassenaar Arrangement’s and CCL’s controlled items lists, member nations could also curb dangerous sales through export “catch-all” provisions.176 In the context of weapons of mass destruction and missile material controls, “catch-all” provisions are defined as controls that “provide a legal and/or regulatory basis to require government permission to export unlisted items when there is reason to believe such items are intended for a WMD/Missile end-use or end-user.”177 Member nations would need to define “catch-all” provisions in the Øday context and specify under which conditions such a provision would govern. For example, the “catch-all” provision might be invoked when sellers have “reason to know” that their Ødays will be deployed for “malicious cyber activity,”178 which could be defined as including cyberattacks and cyber espionage.179 Due to the rapidly evolving nature of technologies and discoveries of new vulnerabilities, the international community may be unable to immediately incorporate newly discovered Ødays into their control lists. A “catch-all” provision for dangerous Øday sales would therefore provide a critical safety net in this context.180

76

Zero Days Negative – MI 7

CYBERDETERRENCE DA

77

Zero Days Negative – MI 71NC CYBERDETERRENCE DA

Maintaining zero day’s is key to offensive cyber operations and rapid crisis responseCushing 14 [Seychelle, B.A. in political science from Simon Fraser University, “Leveraging Information as Power: America’s Pursuit of Cyber Security,” Simon Fraser University, 11/28/14 <http://summit.sfu.ca/system/files/iritems1/14703/etd8726_SCushing.pdf>]//eugchen

In comparison, the zero-days used in cyber weapons require the US to constantly discover new vulnerabilities to maintain a deployable cyber arsenal . Holding a specific zero-day does not guarantee that the vulnerability will remain unpatched for a prolonged period of time by the targeted state.59 Complicating this is the fact that undetected vulnerabilities, once acquired, are rarely used immediately given the time and resources it takes to construct a cyber attack.60 In the time between acquisition and use, a patch for the vulnerability may be released, whether through routine patches or a specific identification of a security hole, rendering the vulnerability obsolete. To minimize this, America deploys several zero-days at once in a cyber attack to increase the odds that at least one (or more) of the vulnerabilities remains open to provide system access.61 Multiple backdoor entry points are preferable given that America cannot be absolutely certain of what vulnerabilities the target system will contain62 despite extensive pre-launch cyber attack testing63 and customization.64 A successful cyber attack needs a minimum of one undetected vulnerability to gain access to the target system. Each successive zero-day that works adds to the strength and sophistication of a cyber assault. 65 As one vulnerability is patched, America can still rely on the other undetected vulnerabilities to continue its cyber strike. Incorporating multiple undetected vulnerabilities into a cyber attack reduces the need to create new cyber attacks after each zero-day fails. Stuxnet, a joint US-Israel operation, was a cyber attack designed to disrupt Iran’s progress on its nuclear weapons program.66 The attack was designed to alter the code of Natanz’s computers and industrial control systems to induce “chronic fatigue,” rather than destruction, of the nuclear centrifuges.67 The precision of Stuxnet ensured that all other control systems were ignored except for those regulating the centrifuges.68 What is notable about Stuxnet is its use of four zero-day exploits (of which one was allegedly purchased)69 in the attack.70 That is, to target one system, Stuxnet entered through four different backdoors. A target state aware of a specific vulnerability in its system will enact a patch upon detection and likely assume that the problem is fixed. Exploiting multiple vulnerabilities creates variations in how the attack is executed given that different backdoors alter how the attack enters the target system.71 One patch does not stop the cyber attack. The use of multiple zero-days thus capitalizes on a state’s limited awareness of the vulnerabilities in its system. Each phase of Stuxnet was different from its previous phase which created confusion among the Iranians. Launched in 2009, Stuxnet was not discovered by the Iranians until 2010.72 Yet even upon the initial discovery of the attack, who the attacker was remained unclear. The failures in the Natanz centrifuges were first attributed to insider error73 and later to China74 before finally discovering the true culprits.75 The use of multiple undetected vulnerabilities helped to obscure the US and Israel as the actual attackers.76 The Stuxnet case helps illustrate the efficacy of zero-day attacks as a means of attaining political goals . Although Stuxnet did not produce immediate results in terminating Iran’s nuclear program, it helped buy time for the Americans to consider other options against Iran. A nuclear Iran would not only threaten American security but possibly open a third conflict for America77 in the Middle East given Israel’s proclivity to strike a nuclear Iran first. Stuxnet allowed the United States to delay Iran’s nuclear program without resorting to kinetic action.78

Losing our comparative advantage emboldens China to take Taiwan – that breaks down cyber deterrence and turns heg Hjortdal 11 [Magnus Hjortdal is a researcher asso ciated with CHINA-SEC, Centre for Military Studies at the University of Copenhagen. He ho lds an M.Sc. in Political Science from the University of Copenhagen and is owner of MH International Relations, which advise s private and public institutions, “China's Use of Cyber Warfare: Espionage Meets Strategic Deterrence” Journal of Strategic Security , 4 (2): 1-24] //khirn

China's military strategy mentions cyber capabilities as an area that the People's Liberation Army (PLA) should invest in and use on a large scale. 13 The U.S. Secretary of Defense, Robert Gates, has also declared that China's development in the cyber area increasingly concerns him, 14 and that there has been a decade-long trend of

78

Zero Days Negative – MI 7cyber attacks emanating from China. 15 Virtually all digital and electronic military systems can be attacked via cyberspace . Therefore, it is essential for a state to develop capabilities in this area if it wishes to challenge the present American hegemony . The interesting question then is

whether China is developing capabilities in cyberspace in order to deter the United States. 16 China's military strategists describe cyber capabilities as a powerful asymmetric opportunity in a deterrence strategy. 19 Analysts consider that an "important theme in Chinese writings on computer-network operations (CNO)

is the use of computer-network attack (CNA) as the spearpoint of deterrence ." 20 CNA increases the enemy's costs to become too great to engage in warfare in the first place, which Chinese analysts judge to be essential for deterrence. 21 This could , for example, leave China with the potential ability to deter the U nited S tates from intervening in a scenario concerning Taiwan . CNO is viewed as a focal point for the P eople's Liberation Army, but it is not clear how the actual capacity functions or precisely what condit ions it works under. 22 If a state with superpower potential (here China) is to create an opportunity to ascend militarily and politically in the international system, it would require an asymmetric deterrence capability such as that described here. 23 It is said that the "most significant computer network attack is characterized as a pre-emption weapon to be used under the rubric of the rising Chinese strategy of [...] gaining mastery before the enemy has struck." 24 Therefore, China, like other states seeking a similar capacity, has recruited massively within the hacker milieu inside China. 25 Increasing resources in the PLA are being allocated to develop assets in relation to cyberspace. 26 The improvements are visible: The PLA has established " information warfare " capabilities, 27 with a special focus on cyber warfare that, according to their doctrine, can be used in peacetime. 28 Strategists from the PLA advocate the use of virus and hacker attacks that can paralyze and surp rise its enemies. 29

That goes nuclearGlaser 11 [Professor of Political Science and International Affairs – George Washington University, “Will China’s Rise Lead to War?” Foreign Affairs Vol. 9 Iss. 2, March/April] //khirn

THE PROSPECTS for avoiding intense military competition and war may be good, but growth in China's power may nevertheless require some changes in U.S. foreign policy that Washington will find disagreeable--particularly regarding Taiwan. Although it lost control of Taiwan during the Chinese Civil War more than six decades ago, China still considers Taiwan to be part of its homeland, and unification remains a key political goal for Beijing. China has made clear that it will use force if Taiwan declares independence, and much of China's conventional military buildup has been dedicated to increasing its ability to coerce Taiwan and reducing the United States' ability to intervene. Because China places such high value on Taiwan and because the United States and China--whatever they might formally agree to--have such different attitudes regarding the legitimacy of the status quo, the issue poses special dangers and challenges for the U.S.-Chinese relationship, placing it in a

different category than Japan or South Korea. A crisis over Taiwan could fairly easily escalate to nuclear war, because each step along the way might well seem rational to the actors involved. Current U.S. policy is designed to reduce the probability that Taiwan will declare independence and to make clear that the United States will not come to Taiwan's aid if it does. Nevertheless, the United States would find itself under pressure to protect Taiwan against any sort of attack, no matter how it originated. Given the different interests and perceptions of the various parties and the limited control Washington has over Taipei's behavior, a crisis could unfold in which the United States found itself following events rather than leading them. Such dangers have been around for decades, but ongoing improvements in China's military capabilities may make Beijing more willing to escalate a Taiwan crisis . In addition

to its improved conventional capabilities, China is modernizing its nuclear forces to increase their ability to survive and retaliate following a large-scale U.S. attack. Standard deterrence theory holds that Washington's current ability to destroy most or all of China's nuclear force enhances its bargaining position. China's nuclear modernization might remove that check on Chinese action, leading Beijing to behave more boldly in future crises than it has in past ones. A U.S. attempt to preserve its ability to defend Taiwan, meanwhile, could fuel a conventional and nuclear arms race . Enhancements to U.S. offensive targeting capabilities and

79

Zero Days Negative – MI 7strategic ballistic missile defenses might be interpreted by China as a signal of malign U.S. motives, leading to further Chinese military efforts and a general poisoning of U.S.-Chinese relations.

80

Zero Days Negative – MI 72NC LINK/TURNS CASE WALL

The plan destroys offensive cyber-capabilities and cedes cyberspaces to China Aitel and Rampersaud 14 [Dave, CEO of Immunity Inc., a leading offensive security firm that serves major financial institutions, industrials, Fortune/Global 500s and US government/military agencies, former NSA computer scientist and DARPA contractor, and Skylar, a former NSA computer scientist and director of vulnerability analysis at Immunity, “Some People Want A Time Limit On The NSA's 'Zero-Day' Exploits — Here's Why That's A Terrible Idea,” Business Insider, July 2, 2014, http://www.businessinsider.com/why-a-time-limit-on-zero-days-is-a-bad-idea-2014-7] //khirn

In particular, people have suggested that the NSA be restrained from collecting a “zero-day” stockpile and that one of the logical ways to do this was to force them to report any discovered vulnerabilities to the vendor for patching after a certain time period has elapsed, presumably so they could use them in the meantime for intelligence collection. First, some context from the White House’s NSA task force and their own blog: Recommendation 30: “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.” “But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.” However, people with experience in the field of information operations, computer and network exploitation, or any related signals intelligence occupation know that assigning a time limit to your methods is madness . Specifically, computer and network operations are

fragile in the sense that they are often linked together. Take one simple sample operation for example: penetrating the Iranian nuclear establishment. This may involve at a minimum three different kinds of 0days (penetrating into a computer, taking full control of that computer, and spreading from that computer to other computers), but it also involves special software for maintaining a presence on the network and getting large volumes of data out of the network (think FLAME). These tools are known as “implants.” Obviously, the first time someone discovers the implant, they can hunt down all other machines that have been infected and start making guesses as to what information you were after, or may have gotten. This is why the minute you become aware that someone has found you, you clean up every possible operation using that implant. What is less well known is how the discovery of vulnerability information (“0days”) can affect operations. In particular, the modern age of cloud computing allows countries to store and analyze huge volumes of their traffic (or indeed, other countries’ traffic, as Snowden has helpfully pointed out). This means that when a vulnerability goes public they can search through all of history to find out when any traffic matching that vulnerability may have happened. They then rush to look at that machine, and will likely find any implant on it. In other words, releasing a vulnerability means that all of your implants in Iran must be removed if any of them were installed using that vulnerability. In addition, hard targets are often compromised with the help of human agents, recruited by human intelligence organizations. These people’s lives are then put at risk if any computer they have touched is discovered to have been compromised by a tool that can be linked back to the United States or her Allies. In addition, you are not just releasing the information that the vulnerability exists. If you are giving that vulnerability information to the vendor, you are also saying that it was definitely the United States government that was involved with that operation. This solves the “attribution problem” for your enemy. But it solves more difficult problems for your enemy too. Software bugs are often related, and the knowledge that a bug exists can lead them to find different bugs in the same code or similar bugs in other products. By looking at all the vulnerabilities you release, they know the state of your vulnerability-finding programs. They know how far ahead or behind of you they are. They can focus their own vulnerability-finding resources with greater precision. They will be able to find vulnerabilities that you have not found - and they will have the added advantage of knowing when to wrap up their own exploit operations. Vulnerabilities are a finite thing - taking the tack of releasing them over time means that eventually the United States’ ability to find them will be heavily drained, but China’s will not , much like exhausting an oil reserve. Even if we ignore the problem of adversarial nation-states gaining an advantage in vulnerability research, the discussion of a limited-use window appears based on a non-existent thing: a static set of intelligence priorities. The idea being presented is that the NSA would find a vulnerability, use it for some amount of time to exploit its “high priority” intelligence targets, then send it off to be patched. This ignores the fact that intelligence priorities can change rapidly and often , hindering NSA’s ability to respond

81

Zero Days Negative – MI 7rapidly to world events . In addition, computer network operations are continuous things that often involve waiting for windows of opportunity--something that is incompatible with many of your tools having a time-limited lifespan. Integrating 0days into a toolkit, testing them and using them may cost millions of dollars before it pays off with valuable intelligence. Keep in mind as

well, that not all 0days pay off , and any can be discovered and destroyed in an instant and you have the very picture of a resource you can’t afford to waste. Because of the interconnected nature of the

entire computer and network exploitation framework, forcing the NSA to report vulnerabilities to vendors would force it to give up using vulnerabilities altogether . This is not a considered and wise action , even in light of Snowden’s revelations.

Maintaining zero-day exploits creates long-term cyber resiliency – that’s the only effective cyberdefenseCushing 14 [Seychelle, B.A. in political science from Simon Fraser University, “Leveraging Information as Power: America’s Pursuit of Cyber Security,” Simon Fraser University, 11/28/14 <http://summit.sfu.ca/system/files/iritems1/14703/etd8726_SCushing.pdf>]//eugchen

Cyber defence is an initially disadvantaged position167 given that cyber barriers cannot stop all attacks from penetrating its systems. The ability to absorb a cyber attack, while inconvenient, helps America identify holes in its own security. Although

America may be aware of a number of vulnerabilities, additional unaccounted for vulnerabilities will always exist in its

systems. A cyber strike thus helps the United States identify where additional previously unknown vulnerabilities exist and, as a result, the US can direct its security apparatus to develop counter-capabilities. The United States, through the Department of Homeland Security, has launched both passive and active cyber sensors to detect network intrusions. EINSTEIN 2, the passive sensor, was launched in 2008 to detect network intrusions.168 Building on the capabilities of EINSTEIN 2 was EINSTEIN 3, an active sensor designed to provide realtime threat detection capable of stopping known malware before it reaches the targeted government network.169 Passive defences

“scan, firewall, and patch” in an attempt to protect a system. These defences, however, have little utility against sophisticated cyber attacks, such as Stuxnet, or against attacks employing zero-days. Active defences, in comparison, build on passive defences to try and stop the cyber attack170 but the success rates of such measures in the US security architecture remains unknown.171 In reality, the EINSTEIN systems only detect and (in the case of EINSTEIN 3) stop known malware entering through known vulnerabilities.172 Nevertheless, every vulnerability subsequently discovered through attack absorption allows EINSTEIN 3 to erect new cyber barriers in its systems. A cyber-

capable adversary may undertake multiple attempts to create sustained access to a target system or network.173 Absorbing the initial attack becomes necessary to find and fix the exploited vulnerability to avert subsequent strikes. If only the first intrusion succeeds, the attacker will be forced to adjust its strike strategy to reopen the system access it once had. By erecting cyber obstacles, one is able to discourage weaker actors from exploiting the same vulnerability before it is patched. Adapting from vulnerabilities to defensive barriers may not stop cyber attacks altogether but it can frustrate cyber-capable states from “easily succeeding in […subsequent] attacks.”174 Allowing a cyber attack, while counterintuitive, allows the US to gather valuable information on its attacker. By

identifying how an attacker got into an American system or network and what information was sought, the US is positioned to better understand not only its vulnerabilities but also the capabilities and intentions of its adversaries.

Resiliency through attack absorption diminishes the prospect of long-term disruption to American networks. As a result, the benefits to an attacker diminish.175 What was an initial disadvantage can be converted into a long-term security gain.

That means the status quo solves the aff by maintaining cyber innovationCushing 14 [Seychelle, M.A. Political Science, Simon Fraser U, “Leveraging information as cyberpower: America’s pursuit of cybersecurity,” November 28, 2014, http://summit.sfu.ca/item/14703] //khirn

The Internet has made information seeking easier given its lax security structure that privileges offense over defence. Where the US once relied on its own ingenuity to support its national security innovations, it can now also purchase the necessary tools keep up with its peer competitors in cyberspace. Buying zero days in the

82

Zero Days Negative – MI 7vulnerabilities market thus serves a dual purpose: it takes away potential attack tools from its adversaries while building America’s own cyber arsenal. The problem, however, is that zero days may not work when you need them. Unlike nuclear or conventional weapons, there is no guarantee that an acquired zero-day can remain dormant yet functional. As a result, the US must consistently discover and collect zero-days to maintain a deployable cyber arsenal . America, despite its cyber superiority, cannot credibly threaten to use crushing cyber power to defeat its adversaries without revealing part of its capabilities. Compounding this problem is the fact that a cyber attack alone, while disruptive, is survivable at this time. America is thus experiencing a shift in its security strategy, albeit incrementally. What previously worked in the physical domain does not necessarily translate into successful primacy in the electronic domain. Although Cold War models of deterrence by denial and retribution may help frame the cyber problem, these models will eventually need to give way to new thinking about security in cyberspace. Deterrence, despite its Cold War successes, is not enough to stop your adversaries from attacking you in cyberspace. Instead, resiliency to absorb a cyber attack will carry America further in securing a net security advantage. While absorbing attacks seems counterintuitive, it is a short term risk that will garner important information. Resiliency then is as much about learning about your adversaries, their capabilities, and targets, and it is about comparatively measuring your own vulnerabilities and strengths in cyber offense and defence.

The more information America can acquire, the better equipped it will be to face the cyber threat .

Preparations for kinetic conflict are likely to begin in cyberspace as states collect vast information about their adversaries . Tapping into the millions of gigabytes of data that passes through the Internet is necessary to help America build a better picture of its adversaries’ actions and intent , including “the readiness of foreign militaries .”250 America, despite its cyber

sophistication, cannot undertake such a task alone.251 Instead, the United States strategically shares information and capabilities with its partners to influence the intelligence priorities of the Five Eyes.252 Sharing initially puts the United States in a vulnerable position – exclusive control over a part of its cyber capabilities are conceded to its partners. From a vulnerable position, American cyber power can nevertheless influence conditions necessary to execute innovative, albeit high risk, intelligence operations. Information gathered from cyber can both reflect the strengths and weaknesses of America’s (and by extension, its adversaries’) offensive and defensive capabilities both within and outside cyberspace. Amassing an informational advantage to use against its adversaries will enable the US to enhance its security posture. Information , as the new realm of cyber security illustrates, is still a growing foundation of power . Leveraging information in cyberspace is key to producing a long-term net gain in security. In seeking a cyber advantage, the United States must endure short-term cyber insecurity. Tipping the security seesaw may not produce immediate advantages but instead, can be understood as a step towards long-term security. Consistently working to tip the seesaw towards advantage, while managing the associated vulnerabilities, helps produce a long-term advantage. The US’ ability to enhance its cyber posture while managing the associated vulnerabilities ultimately produces a net gain in national security.

Innovation is crucial to preventing cyberattack Cushing 14 [Seychelle, M.A. Political Science, Simon Fraser U, “Leveraging information as cyberpower: America’s pursuit of cybersecurity,” November 28, 2014, http://summit.sfu.ca/item/14703] //khirn

Adversaries study America’s cyber tool and techniques “to capitalize on [US…] ideas” for their own strategic advantage.89 On the one hand, innovating on its own code allows America to continue executing its security objectives in cyberspace. On the other hand, innovation allows the United States to speculate on how variations in its attack code may evolve to help anticipate potential attacks from its adversaries. While the United States may not be able to close all of its potential vulnerabilities,90 it can at least flag the unpatched vulnerabilities most likely exploited in a cyber strike. Red-teaming cyber games further allow the US to test both anticipated attacks and potential responses to maintain an informational advantage.91 Cyber favours offense over defence given its lax security architecture. Sophisticated cyber states that are able to innovate first will enjoy a relative advantage.92 Amassing an arsenal of undetected vulnerabilities does not necessarily produce an immediate, usable advantage. Instead, these vulnerabilities provide important information to gauge the strengths and weaknesses of America’s offensive and defensive capabilities. Finding undetected vulnerabilities, and knowing how to exploit those, positions the US to capitalize on the offense-

83

Zero Days Negative – MI 7defence innovation cycle to preserve a cyber advantage. The strike methods of nuclear or conventional weapons are largely unchanged and can be used to great effect. Cyber weapons, in comparison, only successfully work once. Innovation is required to not only manage the “constant pressure to keep up,”93 but to also tip the balance of informational advantage in your favour .

Maintaining zero-days forces allies to share their info with us --- that produces effective cyberdefenseCushing 14 [Seychelle, M.A. Political Science, Simon Fraser U, “Leveraging information as cyberpower: America’s pursuit of cybersecurity,” November 28, 2014, http://summit.sfu.ca/item/14703] //khirn

A capabilities gap exists in the alliance between America, the primary, technologically sophisticated, and well-resourced partner, and the secondary partners of the UK and Canada, in particular, but also Australia and New Zealand.190 As a result, the intelligence burden is unequally shared among the partners. The United States reinforces an asymmetric relationship that “bind[s] its all[ies…] more firmly to the [alliance]”191

by perpetuating a continued dependence on American SIGINT capabilities . Dependence,

as a result of the capabilities gap, entrenches America’s hegemonic position within the Five Eyes.192 The NSA shares its technologies and capabilities in exchange for strongly influencing the intelligence priorities of its partners.193 Sharing occurs in two ways: (1) the NSA directly supplies computing resources to its partners194 or, (2) the NSA funds a partner to “develop [specific] technologies.”195 Capabilities sharing becomes a strategic tool of America’s larger efforts of guaranteeing partner cooperation to prioritize its own security interests within the alliance. 196 The technology directly shared, reported to be mostly American in origin,197 creates a level of interoperability between the Five Eyes’ systems. Integration can help mitigate unexpected cyber shocks that would otherwise disrupt American intelligence gathering and processing functions. In 2000, for example, the NSA experienced a “‘system overload’” where its computers were unable to process intelligence for four days.198 During this time, the US reassigned the processing of American SIGINT to its partners.199 To carry out the Five Eyes mission – defending government systems in cyber and providing information to support governmental decision-making – access to high- level intelligence is required.200 The alliance partners, however, are dependent on American capabilities to produce comprehensive intelligence.201 Rejecting an American-dictated reprioritization of its intelligence tasks could potentially jeopardize an alliance member’s national interests. The partners, in a comparatively weaker position, acquiesced to American needs during the NSA’s blackout to ensure future access to significant intelligence assets. 202 Integrated systems allowed American intelligence efforts to carry on despite experience a significant systems blackout.203 Although the NSA’s systems overload resulted from a computer glitch rather than a cyber attack,204 it nevertheless provides an example for future outages. Should the United States experience a significant cyber attack targeting availability in the future, America can still direct its alliance partners to collect intelligence and produce assessments. The US will still get the information it needs to make strategic security decisions.

1NC Cushing ev says that maintaining the offensive use of zero-days allows rapid crisis response capabilities --- the impact is every major security threat Berkowitz, 8 - research fellow at the Hoover Institution at Stanford University and a senior analyst at RAND. He is currently a consultant to the Defense Department and the intelligence community (Bruce, STRATEGIC ADVANTAGE: CHALLENGERS, COMPETITORS, AND THREATS TO AMERICA’S FUTURE, p. 1-4)

THIS BOOK is intended to help readers better understand the national security issues facing the United States today and offer the general outline of a strategy for dealing with

them. National security policy—both making it and debating it — is harder today because the issues that are involved are more numerous and varied. The problem of the day can change at a moment's notice . Yesterday, it might have been proliferation; today, terrorism; tomorrow, hostile regional powers. Threats are also more likely to be intertwined—proliferators use the same networks as narco-traffickers, narco-traffickers support terrorists, and terrorists align themselves with regional powers. Yet, as worrisome as these immediate concerns may be, the long-term challenges are

even harder to deal with, and the stakes are higher. Whereas the main Cold War threat — the Soviet Union — was brittle, most of the potential adversaries and challengers America now faces are resilient. In at least one dimension where the Soviets were weak (economic efficiency, public morale, or leadership), the new threats are strong. They are going to be with us for a long time. As a result, we need to reconsider how we think

about national security. The most important task for U.S. national security today is simply to retain the 84

Zero Days Negative – MI 7strategic advantage . This term, from the world of military doctrine, refers to the overall ability of a nation to control, or at least influence, the course of

events.1 When you hold the strategic advantage, situations unfold in your favor, and each round ends so that you are in an advantageous position for the next. When you do not hold the strategic advantage, they do not. As national goals go, “keeping the strategic advantage” may not have the idealistic ring of “making the world safe for democracy” and

does not sound as decisively macho as “maintaining American hegemony.” But keeping the strategic advantage is critical, because it is essential for just about everything else America hopes to achieve — promoting freedom, protecting the homeland, defending its values, preserving peace , and so on . The Changing Threat If one needs proof of this new, dynamic environment, consider the recent record. A search of the media during the past fifteen years suggests that there were at least a dozen or so events

that were considered at one time or another the most pressing national security problem facing the United States — and thus the organizing concept for U.S. national security. What is most interesting is how varied and different the issues were, and how many different sets of players they involved — and

how each was replaced in turn by a different issue and a cast of characters that seemed, at least for the moment, even more pressing. They included, roughly in

chronological order, • regional conflicts — like Desert Storm — involving the threat of war between conventional armies; • stabilizing “failed states” like Somalia, where government broke down in toto; • staying economically competitive with Japan; • integrating Russia into the international

community after the fall of communism and controlling the nuclear weapons it inherited from the Soviet Union; • dealing with “rogue states,” unruly nations like North Korea that engage in trafficking and proliferation as a matter of national policy; • combating international crime, like the scandal involving the Bank of Credit and Commerce International, or imports of illegal drugs; • strengthening international

institutions for trade as countries in Asia, Eastern Europe, and Latin America adopted market economies; • responding to ethnic conflicts and civil wars triggered by the reemergence of culture as a political force in the “clash of civilizations”; • providing relief to millions of people affected by natural catastrophes like earthquakes, tsunamis,

typhoons, droughts, and the spread of HIV/AIDS and malaria; • combating terrorism driven by sectarian or religious extremism; • grassroots activism on a global scale,

ranging from the campaign to ban land mines to antiglobalization hoodlums and environmentalist crazies; • border security and illegal immigration; • the worldwide ripple effects of currency fluctuations and the collapse of confidence in complex financial securities; and • for at least one fleeting moment, the safety of toys imported from China. There is some overlap in this list, and one might want to group some of the events differently or add others. The important point, however, is that when you look at these problems and how they evolved during the past fifteen years, you do not see a single lesson or organizing principle on which to base U.S. strategy. Another way to see the dynamic nature of today's national security challenges is to consider the annual threat briefing the U.S. intelligence community has given Congress during the past decade. These briefings are essentially a snapshot of what U.S. officials worry most about. If one briefing is a snapshot, then several put together back to back provide a movie, showing how views have evolved.2 Figure 1 summarizes these assessments for every other year between 1996 and 2006. It shows when a particular threat first appeared, its rise and fall in the rankings, and in some cases how it fell off the chart completely. So, in 1995, when the public briefing first became a regular affair, the threat at the very top of the list was North Korea. This likely reflected the crisis that had occurred the preceding year, when Pyongyang seemed determined to develop nuclear weapons, Bill Clinton's administration seemed ready to use military action to prevent this, and the affair was defused by an agreement brokered by Jimmy Carter. Russia and China ranked high as threats in the early years, but by the end of the decade they sometimes did not even make the list. Proliferation has always been high in the listings, although the particular countries of greatest concern have varied. Terrorism made its first appearance in 1998, rose to first place after the September 11, 2001, terrorist attacks, and remains there today. The Balkans appeared and disappeared in the middle to late 1990s. A few of the entries today seem quaint and overstated. Catastrophic threats to information systems like an “electronic Pearl Harbor” and the “Y2K problem” entered the list in 1998 but disappeared after 2001. (Apparently, after people saw an airliner crash into a Manhattan skyscraper, the possible loss of their Quicken files seemed a lot less urgent.) Iraq first appeared in the briefing as a regional threat in 1997 and was still high on the list a decade later—though, of course, the Iraqi problem in the early years (suspected weapons of mass

destruction) was very different from the later one (an insurgency and internationalized civil war). All this is why the United States needs agility . It not only must be able to refocus its resources repeatedly; it needs to do this faster than an adversary can focus its own resources .

85

Zero Days Negative – MI 7LINK – LEGAL RESTRICTIONS

Legal restrictions on cyber capabilities destroy our ability to prevent attacks – court clog and military paralysisBaker 11 [Stewart, former official at the U.S. Department of Homeland Security and the National Security Agency, “Denial of Service,” Foreign Policy, Sept. 30, http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service] //khirn

Lawyers don't win wars. But can they lose one? We're likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they've left the military unable to fight or even plan for a war in cyberspace. But the only thing they're likely to accomplish is to make Americans less safe. No one seriously denies that

cyberwar is coming . Russia pioneered cyberattacks in its conflicts with Georgia and Estonia, and cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran's Natanz uranium-enrichment plant, setting back the Islamic Republic's nuclear weapons program more effectively than a 500-pound bomb ever could. In war, weapons that work get used again . Unfortunately, it

turns out that cyberweapons may work best against civilians. The necessities of modern life -- pipelines, power grids, refineries, sewer and water lines -- all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be even easier to sabotage than the notoriously porous computer networks that support our financial and telecommunications infrastructure. And the consequences of successful sabotage would be devastating . The body charged with

ensuring the resilience of power supplies in North America admitted last year that a coordinated cyberattack on the continent's power system "could result in long-term (irreparable) damage to key system components" and could "cause large population centers to lose power for extended periods." Translated from that gray prose, this means that foreign militaries could reduce many of U.S. cities to the state of post-Katrina New Orleans -- and leave them that way for months. Can the United States keep foreign militaries out of its networks? Not today . Even America's premier national security agencies have struggled to respond to this new threat. Very sophisticated network defenders with vital secrets to protect have failed to keep attackers out. RSA is a security company that makes online credentials used widely by the Defense Department and defense contractors. Hackers from China so badly compromised RSA's system that the company was forced to offer all its customers a new set of credentials. Imagine the impact on Ford's reputation if it had to recall and replace every Ford that was still on the road; that's what RSA is experiencing now. HBGary, another well-respected security firm, suffered an attack on its system that put thousands of corporate emails in the public domain, some so embarrassing that the CEO lost his job. And Russian intelligence was able to extract large amounts of information from classified U.S. networks -- which are not supposed to touch the Internet -- simply by infecting the thumb drives that soldiers were using to move data from one system to the next. Joel Brenner, former head of counterintelligence for the Office of the Director of National Intelligence, estimates in his new book, America the Vulnerable, that billions of dollars in research and design work have been stolen electronically from the Defense Department and its contractors. In short, even the best security experts in and out of government cannot protect their own most precious secrets from network attacks. But the attackers need not stop at stealing secrets. Once they're in, they can just as easily sabotage the network to cause the "irreparable" damage that electric-grid guardians fear. No agency has developed good defenses against such attacks. Unless the United States produces new technologies and new strategies to counter these threats, the hackers will get through . So far, though, what the United States has mostly produced is an

outpouring of new law-review articles, new legal opinions, and, remarkably, new legal restrictions . Across the

federal government, lawyers are tying themselves in knots of legalese. Military lawyers are trying to articulate when a cyberattack can be classed as an armed attack that permits the use of force in response. State Department and National Security Council lawyers are implementing an international cyberwar strategy that relies on international law "norms" to restrict cyberwar. CIA lawyers are invoking the strict laws that govern covert action to prevent the Pentagon from launching cyberattacks. Justice Department lawyers are apparently questioning whether the military violates the law of war if it does what every cybercriminal has learned to do -- cover its tracks by routing attacks through computers located in other countries. And the Air Force recently surrendered to its own lawyers, allowing them to order that all

86

Zero Days Negative – MI 7cyberweapons be reviewed for "legality under [the law of armed conflict], domestic law and international law" before cyberwar capabilities are even acquired. The result is predictable, and depressing. Top Defense Department officials recently adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations, even as Marine Gen. James Cartwright, then vice chairman of the Joint Chiefs of Staff, complained publicly that a strategy dominated by defense would fail : "If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy." Today, just a few months later, Cartwright is gone, but the lawyers endure.

And apparently the other half of the U.S. cyberwar strategy will just have to wait until the lawyers can agree on what kind of offensive operations the military is allowed to mount .

87

Zero Days Negative – MI 7LINK – TRANSPARENCY

Establishing transparency undermines deterrence and turns the aff – ambiguity is the only way to maintain cyber dominanceMowchan 11 [Lieutenant Colonel, member of the staff and faculty at the Center for Strategic Leadership, U. S. Army War College, where he teaches cyber warfare and national intelligence, career Army intelligence officer and holds a master’s degree in strategic intelligence from the National Intelligence University, served for 20 years in a variety of tactical, theater, and strategic intelligence positions and is a member of the U.S. Naval Institute’s Editorial Board, Don’t Draw the (Red) Line,” Proceedings Magazine - October 2011, Vol 137, no 10/1304, http://www.usni.org/magazines/proceedings/2011-10/dont-draw-red-line] //khirn

In a strategic environment that has become more volatile, complex, and uncertain, the United States increasingly relies on cyberspace to advance its national interests. Simultaneously, our adversaries, particularly nation states, are afforded more opportunities to undermine our efforts through their own nefarious activities in the digital domain. While not every act in coming years will pose an imminent threat to U.S. national security, economic well-being, or social stability, some will. Because of this, strategists, government leaders, and scholars frequently disagree over whether the United States should establish thresholds (or “red lines”) for responding to such hostile acts. Red-line proponents assert that thresholds can decrease the

ambiguity of U.S. policies, bolster deterrence, and facilitate swift, decisive action. Establishing cyber red lines ,

however, is folly . Given the evolving threat, current strategies, and the challenges of attribution in this domain, the United States is better served by not delineating them. Maintaining ambiguity on when and how U.S. instruments of national power will be used after a cyber attack gives government leaders the flexibility to tailor responses much as they would to threats in the

other global domains. Sources of Invisible Threats To properly frame the issue, it is necessary to understand the evolving digital threat environment and current U.S. strategies. Hazards to national security and economic prosperity in cyberspace are multiplying. As the world becomes more interconnected, diverse state and non-state actors will have greater access and operational maneuverability to conduct malicious activities.

Intentional ambiguity is key – provides flexibility and guarantees deterrenceMowchan 11 [Lieutenant Colonel, member of the staff and faculty at the Center for Strategic Leadership, U. S. Army War College, where he teaches cyber warfare and national intelligence, career Army intelligence officer and holds a master’s degree in strategic intelligence from the National Intelligence University, served for 20 years in a variety of tactical, theater, and strategic intelligence positions and is a member of the U.S. Naval Institute’s Editorial Board, Don’t Draw the (Red) Line,” Proceedings Magazine - October 2011, Vol 137, no 10/1304, http://www.usni.org/magazines/proceedings/2011-10/dont-draw-red-line] //khirn

While DOD’s strategy is defensive in nature, it states that U.S. military power will be used if necessary: “The Department will work with interagency and international partners to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuade and deter malicious actors, and reserve the right to defend these vital national assets as necessary and appropriate.” 12 Both plans lead to several key observations. First, the ISC and DSOC are intentionally ambiguous. Neither defines a hostile act in cyberspace, nor is there language explicitly stating when, how, and to what extent the United States will respond to such acts. Second, both strategies acknowledge that there are no simple solutions to the challenges of the day. Finally, decisions will continue to be shaped by the dynamic interplay of a surfeit of political, economic, military, and social variables in the international environment, and because the world is more “gray” than black-and-white, responses to hostile acts in the digital domain will be determined as strategic responses are in conventional warfare. The Case for Thresholds Red-line advocates believe that creating thresholds will decrease the ambiguity of our policies, bolster deterrence, and

88

Zero Days Negative – MI 7facilitate a more timely response. Some pundits criticize the ISC and DSOC, arguing they take ambiguity too far. The DSOC in particular, they think, should outline response thresholds that if crossed, would result in diplomatic or military retaliation. Following the release of DOD’s strategy, Representative Jim Langevin (D-RI) acknowledged the DSOC represented a good start but said it was deficient in several key areas, including its fixation on defense and the identification of acceptable red lines. 13 After the DSOC was published, now-retired Marine Corps General James Cartwright, the former vice chairman of the Joint Chiefs of Staff, remarked that the strategy was too defensive, stating “we are supposed to be offshore convincing people if they attack, it won’t be free . . . [and that] disabling computerized patient records at a hospital such that the patients cannot be treated would be a violation of the law of armed conflict [which could] then [trigger a] proportional response.” 14 General Cartwright went on to emphasize the nation will need stronger deterrents. Although he did not say what the deterrents should be or what instruments of national power would be used, his words lend support to red-line advocates who demand greater specificity in U.S. policies, greater clarity on what constitutes a hostile act, and clear thresholds. Why Ambiguity Is Good Those arguing for establishing red lines fail to comprehend the complexity of the digital domain, in which adaptation and anonymity are the norm. The United States is better served in the long run by not establishing such thresholds, for four reasons. First, not doing so allows government leaders the latitude to tailor response options based on a hostile act, its physical and digital effects, and how it relates to the current state of affairs in the international system. As retired Air Force General Kevin Chilton remarked in 2009 as commander, U.S. Strategic Command, “I don’t think you take anything off the table when you provide [response] options to the president to decide. Why would we constrain ourselves on how we would respond [to hostile acts in cyberspace]?” 15 Such an approach does not differ from the way the United States addresses hostile acts in other domains. If red lines are established, we will be compelled to respond to each threat that crosses the line, which is unrealistic, given that our computer networks are subjected to millions of probes, scans, and attacks on a daily basis. Even if red lines are narrowly focused (e.g., employing military force if a cyber attack results in the deaths of U.S. citizens), the first time the United States fails to respond accordingly, it will undermine the credibility and deterrence effect of our other capabilities. A second reason in favor of ambiguity is that if our adversaries know our response to such acts, they will adjust accordingly. Because neither the national nor the defense strategy explicitly defines a hostile act in cyberspace or exactly how the United States will respond, this leaves it open to interpretation. As one military official remarked, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.” 16 In addition, hostile actors may perceive a green light for certain acts that do not cross a particular response threshold. While one such act below this threshold may not be harmful to U.S. interests, what if 100 million are? Again, maintaining ambiguity concerning when, how, and to what extent to respond gives the United States greater latitude. Third, because cyberspace is a global domain that emphasizes open access, the free flow of information, and anonymity, it is extremely difficult to determine where the threat or attack originated. For example, U.S. military networks are probed more than six million times a day by assailants operating in one corner of the world using computer networks or servers in another corner. Most perpetrators are never identified, except for a computer Internet protocol address or a one-time user alias. Army General Keith Alexander, commander of U.S. Cyber Command and Director, National Security Agency, emphasized this challenge, saying, “Too often, the military discovers through forensics that network probes have been successful [and] as a consequence, response becomes policing up after the fact versus mitigating it real time.” 17 If red lines demand a timely response and there is no one to pin responsibility on, then how can a response be implemented? Finally, even if the source of the attacks is determined in a timely manner, automatic triggers for a response, particularly those that employ military force, could create negative second- and third-order effects that make a bad situation even worse. Given that nation states pose the greatest threat to U.S. networks, red lines that automatically result in a response could escalate an already volatile situation. For example, in 2009 individuals in China and Russia penetrated computer networks operating parts of the U.S. electrical power grid. 18 They reportedly inserted malware that could destroy infrastructure components. Although their identities or associations with the Russian and Chinese governments were not disclosed, it validates the point that response options must be tailored. If Russia or China, two nuclear powers, were responsible, a U.S. response would be markedly different than if they had they been conducted by a non-nuclear state. Clearly the diplomatic, information, and economic instruments of national power versus military force would receive more emphasis with China or Russia for what could be considered a hostile act in cyberspace. Given the complex and indeterminate 21st century international system and the multitude of current threats, U.S. interests will be better

89

Zero Days Negative – MI 7served by not establishing clear thresholds . Ambiguity is a powerful tool to shape our adversaries’ actions in all domains and allows us the maneuverability to respond where, when, and how we choose. Red-line advocates must understand that thresholds only constrain our actions and could undermine credibility and the power to effectively deter our adversaries.

90

Zero Days Negative – MI 7BRINK – NO CYBERWAR NOW

No cyber war now --- but on the brinkSinger 15 [Peter Singer, strategist at New America think tank, interview with Passcode] initial article: [ Sara Sorcher, “Peter Singer: How a future World War III could be a cyberconflict,” Passcode, 6/24/15, http://www.csmonitor.com/World/Passcode/2015/0624/Peter-Singer-How-a-future-World-War-III-could-be-a-cyberconflict]//eugchenIt's simple: The reason there is no cyber war right is that there is no actual wars right now between states with cybercapacities. The reason we have seen this restraint in cyber operations between say the US and China, or the US and Iran, is the very same reason they aren’t dropping actual bombs on each other: Because the two sides are not at war. But if they did go to war, which could happen for any number of reasons, accidental or by choice, of course you would see cyberoperations against each other that would be of a different kind of scale and impact than we’ve seen so far. The first Cyber Pearl Harbor might happen from a decision to reorder the global politics in the 2020s, or it could happen just because two warships accidentally scrape paint over some reef in the South China Sea no one can find on a map.

91

Zero Days Negative – MI 7INTERNAL LINK – CHINA WAR

Offensive cyber responses key to deter China from aggressive military movesSchmitt 13 [Gary, co-directs the Marilyn War Center for Security Studies at the American Enterprise Institute, “How to meet the threat from China's army of cyber guerrillas” June 6, 2013, Fox News] //khirn

When President Obama meets woth Chinese President Xi Jinping Friday and Saturday in Southern California, a major topic of conversation between the two will be Chinese cyber-attacks and cyber-espionage against American commercial and government targets. According to U.S. counterintelligence officials, billions upon billions of dollars worth of information has been “lifted” out of American computers and servers in recent years. In fact, only last week, newspapers were reporting that an internal Defense Department review had concluded that China had used cyber attacks to gather data on more than three dozen key U.S. military programs, including the country’s most advanced missile defense systems, naval warships and even the F-35 Joint Strike Fighter—the stealthy, fifth-generation jet that will be the backbone of the American military’s ability to sustain air superiority in the decades ahead. As one might expect, the Chinese government has denied any complicity in these attacks. And it is doubtful, given how successful Chinese efforts have been, that even “blunt” talk by the president to the new Chinese leader, will have much effect on Chinese practices. The reality is, the Chinese government is engaged in a form of warfare—new to be sure in its technological aspects but not new in the sense that cyber attacks harm our relative military strength and damage the property (intellectual and proprietary) of citizens and companies alike. So far, the American government’s response has largely been defensive, either talking to the Chinese about establishing new, agreed-upon “rules of road” for cyberspace or working assiduously to perfect new security walls to protect government and key private sector

computer systems. Although neither effort should be abandoned, they are no more likely to work than , say,

before World War II, the Kellogg-Briand Pact could outlaw war and the Maginot Line could protect France from an invading Germany. This last point is especially important. When it comes to cyberspace, according to Cyber Command head and director of the National Security Agency, General Keith Alexander, those on the offensive side of the computer screen–that is, those hacking into or compromising computer systems–have the advantage over those on the defensive side who are trying to keep systems secure. Walls have always been breached and codes broken. Moreover, attempts to beef up security are complicated by the fact that our own cyber warriors are undoubtedly reluctant to provide those charged with protecting systems here at home with the latest in their own capabilities. In addition to increasing the chance such information might leak by expanding the number of persons in the know, efforts to use that information to plug our own vulnerabilities can inadvertently alert a potential adversary on the very backdoors American would want to save for using in a future crisis or conflict. All of which leads to the conclusion that to stem the tide of harmful cyber attacks by the Chinese (or, for that matter, Iran, Russia or North Korea), there has to be a cyber response on America’s part that deters continued cyber aggression . Reprisals that are proportionate, in self-defense and designed to stop others from such behavior falls well within the bounds of international law as traditionally understood. Nor is it the case that such reprisals should be limited to responding to government-on-government cyber attacks. The U.S. government has always understood that it has an affirmative duty to protect the lives and property of its citizens from foreign aggression and, in times both past and current, this has meant using American military might. That need not be the case here, however. Indeed, one advantage of the cyber realm is the wide variety of options it offers up for reprisal that can inflict economic harm without causing loss of life or limb. The good news is that the U.S. government has been gradually beefing up its offensive cyber capabilities. Indeed, a little over a month ago in open testimony before the House Armed Services Committee, Gen. Alexander said that he created thirteen new teams that would go on the offensive if the nation were hit by a major cyber attack. And new reports coming out of the Pentagon indicate that the Joint Chiefs would like to empower geographic combatant commanders to counter cyber attacks with offensive cyber operations of their own. These are necessary steps if we hope to create a deterrent to Chinese cyber aggression; however, they are not sufficient. The threat posed by China’s army of cyber “guerrillas” is constant, is directed at both the U.S. government and the private sector, and ranges from the annoying to the deadly serious. A truly adequate response would require meeting the Chinese challenge on all these fronts. And no amount of summitry between the American and Chinese leaders is likely to substitute for the cold, hard fact that, when it comes to Chinese misbehavior, upping the cost to Beijing is a necessary first step to reclaiming the peaceful potential of the newest of the “great commons,” cyberspace.

92

Zero Days Negative – MI 7INTERNAL LINK/IMPACT – KOREA WAR

Credible cyberdefensive posture gives the US coercive leverage to deescalate North Korean nuclear brinksmanship --- speed is keyLibicki 13 [Martin C., Senior Management Scientist @ RAND and adjunct fellow @ Georgetown’s Center for Security Studies, 2013, “Brandishing Cyberattack Capabilities,” RAND, http://www.rand.org/pub s/research_reports/RR175.html] //khirn

Our inquiry is therefore more humble. Could a U.S. threat that it might interfere with a rogue state’s nuclear weapon delivery help shape a nuclear confrontation? For this question, assume a rogue nuclear power with a handful of weapons capable of hitting nearby countries (but generally incapable of hitting the continental United States). The United States has a robust cyberattack capability (in general terms), from which the rogue state’s nuclear arsenal is not provably immune . Although the United States enjoys escalation

dominance, the rogue state is far more willing to go to the nuclear brink than the United States is. The rogue

state (thinks it) has more at stake (i.e., regime survival). Furthermore, it may act in ways that are irrational by Western perspectives. We first model a two-state confrontation, then later introduce a friendly state on whose behalf the United States has intervened. The United States enters this scenario facing the choice of acting when doing so risks the rogue state releasing a nuclear weapon. Whether the threat is explicit or implicit is secondary. The usual calculus applies. The rogue state is better off if its threat leads the United States to stop. The United States is better off ignoring the threat and going ahead with what it would have done in the absence of the threat if the threat can be nullified but cannot know that it will be for certain. The rogue state understands that if it does use nuclear weapons, it could face great retaliation.1 If the United States acts (successfully) in the face of warning and if the rogue state does not use nuclear weapons, the United States achieves its objectives and wins the overall confrontation.2 If the United States flinches, the rogue state wins. If the rogue state uses its nuclear weapons and if, as is likely, the United States responds likewise, the rogue state loses greatly, but the United States is also far worse off.3 Two-Party Confrontations In a confrontation in which disaster would result from both sides carrying out their threats, each must ask: Are such threats credible? If one side thinks the other will yield, it pays to stand firm. If it thinks, however, that the other is implacable, it may have no good choice but to yield itself. The projection of implacability is beneficial, but the reality of implacability is frequently suicidal. Note that the basis for the implacability can also be entirely subjective, which is to say, unfounded on the facts of the matter. If one party is convinced that it will never pay a high price for being implacable, communicates as much, and acts as if it were so, the other cannot take any comfort from the fact that the first has no technical basis for the belief. The only consideration is whether the first party actually believes as much, is willing to act accordingly, and can ignore the logic that whispers that no one can possibly be completely confident on the basis of iffy information. To one party, the willingness to act on the basis of the impossible seems like cheating. To use an analogy, imagine a game of “chicken” in which the driver of one of the two oncoming cars throws the steering wheel out the window. This cheat forces the opponent to choose between a certain crash or veering away (and thus losing). However, when the consequences of a crash are far greater than the benefits of winning, this strategy is irrational if there is a nontrivial likelihood that the other side will be intent on punishing cheaters at the cost of all other values. In the analogy, the second driver might rather crash than lose to a cheater.4 But in general, a strategy of implacability, can, if credible, do well, as long as the other side is not equally implacable. So, the United States creates the belief (whether by saying so, hinting, or letting others draw their own conclusion) that the rogue state cannot carry out its nuclear threat. That is, the

United States acts as though a flaw somewhere in the nuclear c ommand- and - c ontrol cycle , probably an

induced flaw, prevents immediate nuclear use. A lesser case is that the command and control is less certain, the weapon is weaker, and/or the delivery system is far less accurate than feared.5 Although permanently disabling a nuclear command-and-control system is quite a stretch for cyberwar, it is less fantastic to imagine that the United States could delay a weapon’s use. A temporary advantage, though, may still give the United States time to cross the red line and thereby attain a fait accompli. So posturing, the United States prepares to cross the red line, while communicating its confidence that the rogue state will not retaliate. This confidence stems from a combination of its own nuclear deterrence capability plus its ability to confound the rogue state’s nuclear capability : The rogue nuclear state probably will not decide to retaliate, and if it did decide to, probably cannot retaliate. The combination, in this case, is what reduces the odds of a nuclear response to a sufficiently low level , if the rogue state is at all rational. Even if it later assures itself and others that its nuclear capacity is intact, but the United States has already acted, the onus then falls on the rogue nuclear state to respond to what could well be a done deal. If the rogue state understands the logic before brandishing its own nuclear weapons, it may choose not to ratchet up tensions in advance of the U.S. crossing red lines.

93

Zero Days Negative – MI 7IMPACT – CHINA WAR

US-China tensions are rising – makes conflict and miscalc likelyZenko 14 [Micah, Douglas Dillon Fellow – Council on Foreign Relations, “How to Avoid a Naval War With China,” Foreign Policy, 3-24, http://www.foreignpolicy.com/articles/2014/03/24/how_ to_avoid_a_naval_war_with_china] //khirn

War between the United States and China is not preordained. But tensions are high , especially in the fiercely contested waters of the East and South China seas -- and even further into the Pacific. Communication is the best medicine: the United States should be explicit with what it needs to know about China's behavior in the waters near its coast. Unfortunately, the intentions and supporting doctrine for Beijing's growing naval capabilities are unclear, specifically regarding disputes with China's Exclusive Economic Zone (EEZ). Most countries, including the United States, agree that territorial waters extend 12 nautical miles from a nation's coastline, while EEZs extend much further -- usually up to 200 nautical miles. There is also consensus that while the United Nations Convention on the Law of the Sea (UNCLOS) established EEZs as a feature of international law and gives coastal states the right to regulate economic activities within them, it does not provide coastal states the right to regulate foreign military activities in their EEZs beyond their 12-nautical-mile territorial waters. However, China and some other countries like North Korea interpret UNCLOS as giving coastal states the right to regulate all economic and foreign military activities within their EEZs. There are numerous international agreements that regulate interactions at sea. The United States and Soviet Union signed the Incidents at Sea Agreement (INCSEA) in 1972 after Soviet warships collided with a U.S. destroyer. While INCSEA allowed for U.S. and Russian commanders to communicate directly, and ultimately avoid an escalation of force between warships, it really functioned as a stopgap between the 1972 signature and 1977 implementation of the International Regulations for Preventing Collisions at Sea (COLREGS). And while the 2000 Code for Unalerted Encounters at Sea (CUES) is not an international agreement or legally binding, it does offer safety measures and procedures, and a means to limit mutual interference and uncertainty when warships, submarines, public vessels, or naval aircraft are in close proximity. The fundamental difference of interpretation between China and most of the world exists on parts IV (archipelagic states) and V (EEZ) of the UNCLOS. The disagreement between China and the United States centers on three issues: First, China asserts that military activities in the EEZ are subject to coastal state approval. Second, excessive maritime claims of territorial sovereignty are a significant sticking point between China and many other nations operating in the East China Sea and the South China Sea. And third, China's demarcation line in the South China Sea, commonly referred to as the "nine-dashed line," is nebulous and defined as neither a territorial sea nor EEZ. Beijing appears to purposefully leave this description vague. Until China agrees that its EEZ is not to be treated as territorial waters, COLREGS, CUES, and any INCSEA-like agreement offers only a partial solution to avoiding dangerous interactions on the high seas. While there are a growing number of U.S.-China military exchanges among senior uniformed officers, these efforts must be bolstered by China's willingness to operate appropriately within their EEZ, thus helping to prevent conflict at sea. The United States and China must also agree that all of its government-controlled ships, including those of the State Oceanic Administration (SOA) and Fisheries Law Enforcement Command (FLEC), must operate in accordance with COLREGS and CUES, because many encounters between the United States and China -- outside China's territorial waters but within its EEZ -- have been between U.S. ships and those of the FLEC and SOA. The United States could be drawn into a conflict over a territorial dispute involving China , especially since the United States has bilateral defense treaties with Japan and the Philippines. Clear and unambiguous understanding of expected actions in the EEZs by China and the United States has both near and long-term implications. The immediate effect could be safer, more professional, and more respected interactions between Chinese and non-Chinese ships. Clearly agreed upon interpretations of what are appropriate actions within this body of water would immediately improve transparency and predictability, and hopefully prevent military conflict. In the longer-term, this effort could serve as a springboard to resolving other U.S.-China diplomatic, military, and economic issues.

High risk of China war—no defenseMiller 11 [Paul, assistant professor of international security studies at National Defense University, December 16, 2011, Foreign Affairs, http://shadow.foreignpolicy.com/posts/2011/12/16/how_dangerous_is_the_world_part_ii] //khirn

China in 2011 is even more clearly a danger equal to or greater than the danger it posed during the Cold War.  We went through two phases with China:  from 1950 to 1972 the United States and China were declared enemies and fought to a very bloody stalemate in the Sino-America battles of the Korean War, but the overt hostility was less dangerous because of China's crippling economic weakness.  From 1972 to 1989, the U.S. and China lessened their hostility considerably, but China's power also began to grow quickly as it liberalized its economy and modernized its armed forces.  In other words, in phase one, China was hostile but weak; in phase two, more friendly but also more powerful. We have never faced a China that was both powerful and hostile.

94

Zero Days Negative – MI 7That is exactly the scenario that may be shaping up.  China's economic and military modernization has clearly made it one of the great powers of the world today, including nuclear weapons, a ballistic-missile capability, and aspirations for a blue-water navy.   At the same time, Chinese policymakers, like their Russian counterparts, continue to talk openly about their intent to oppose American unipolarity, revise the global order, and command a greater share of global prestige and influence.  There are several flashpoints where their revisionist aims might lead to conflict:  Taiwan, the Korean Peninsula, the South China Sea, etc.   And U.S. relations with China are prone to regular downward spikes (as during the Tiananmen Square Massacre in 1989, the 1996 cross-straits crisis, the accidental embassy bombing in 1999, the EP3 incident in 2001, the anti-satellite missile test in 2007, and the current trade and currency dispute, to say nothing of our annual weapons sales to Taiwan).  A militarized conflict with China is more likely today, with greater consequences, than at almost any point since the Korean War .

Small conflicts with China could escalate into a nuclear conflict – err on the side of cautionFisher 11 [Max, Associate Editor at the Atlantic, Editor of the International Channel, “5 Most Likely Ways the US and China Could Spark Accidental Nuclear War”] //khirn

There's a near- infinite number of small-scale conflicts that could come up between the U.S. and China, and though none of them should escalate any higher than a few tough words between diplomats, it's the unpredictable events that are the most dangerous . In 1983 alone, the U.S. and Soviet Union almost went to war twice over bizarre and unforeseeable events. In September, the Soviet Union shot down a Korean airliner it mistook for a spy plane; first Soviet officials feared the U.S. had manufactured the incident as an excuse to start a war, then they refused to admit their error, nearly pushing the U.S. to actually start war. Two months later, Soviet spies misread an elaborate U.S. wargame (which the U.S. had unwisely kept secret) as preparations for an unannounced nuclear hit on Moscow, nearly leading them to launch a preemptive strike. In both cases, one of the things that ultimately diverted disaster was the fact that both sides clearly understood the others' red lines -- as long as they didn't cross them, they could remain confident there would be no nuclear war. But the U.S. and China have not yet clarified their red lines for nuclear strikes . The kinds of bizarre, freak accidents that the U.S. and Soviet Union barely survived in 1983 might well bring today's two Pacific powers into conflict -- unless, of course, they can clarify their rules. Of the many ways that the U.S. and China could stumble into the nightmare scenario that neither wants, here are five of the most likely. Any one of these appears to be extremely unlikely in today's

95

Zero Days Negative – MI 7AT: CYBERDEFENSE

Cyber defense methods are insufficient to combat zero day vulnerabilitiesAverbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow, head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 45-46, May 2013, < http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchenThe classic defense methods employed throughout the world in recent decades are proving unsuccessful in halting modern malware attacks that exploit unknown (and therefore still unsolved) security breaches called “zero-day vulnerabilities.” Viruses, worms, backdoor, and Trojan horses (remote management/access tools – RATs) are some examples of these attacks on the computers and communications networks of large enterprises and providers of essential and critical infrastructure and services. The classic defense methods, which include firewall-based software and hardware tools, signatures and rules, antivirus software, content filters, intruder detection systems (IDS), and the like, have completely failed to defend against unknown threats such as those based on zeroday vulnerabilities or new threats. These sophisticated and stealth threats impersonate reliable and legal information and data in the system, and as a result, the classic defense methods do not provide the necessary defense solution. The current defensive systems usually protect against known attacks, creating heuristic solutions based on known signatures and analysis that are already known attacks,1 but they are useless against the increasing number of unfamiliar attacks that lack any signature.

Cyber defense fails for both broadcast and targeted attacksAverbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow, head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 47-48, May 2013, < http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchenThe realm of attack in cyberspace can be divided into two types of attacks that exploit numerous weaknesses, including zero-day vulnerabilities: a. Broadcast attacks are attacks that try to damage computers indiscriminately. They also feature extensive infection of software agents in order to create an entire network of computers (Botnet), with the aim of making these computers execute independent commands at a later stage or retrieve commands from a control server. As noted above, when information about new threats reaches the antivirus companies, they identify the signature or investigate them heuristically. By means of regular updates, the computers can be protected against these attacks. Given the extensive target community, the information about such threats will undoubtedly reach the relevant companies rapidly and be inserted into future versions of their products. In some cases, the goal of an attack of this kind is to reach a large number of computers – for example, employees (in the case of an attack against an organizational network) or customers (in the case of an attack against a financial institution, an attempt to steal credit cards via the internet, and so on). After the computer is infected, a Trojan horse is installed on it, making it possible to steal information or access the computer from a remote location. These attacks include various types of malicious code, even codes that vary from one infection to another in order to render identification through a signature more difficult (polymorphic viruses). There is still no complete defense since Trojan horse developers regularly check whether the antivirus software programs have already identified the hostile code and created the signature or group of heuristic rules to intercept it. In most cases, if the detection systems manage to identify the hostile code, the developers change the way it spreads or the way it operates in order to prevent its detection. In this way, many Trojan horses consistently succeed in evading detection by the leading defensive software. b. Targeted attacks are planned especially for a specific need, and exploit unknown weaknesses in the operating systems or widely known software packages while independently spotting new weaknesses. The vast majority of antivirus software, which is by nature based on signature defense, is incapable of identifying and preventing this type of attack, and the limited target community enables such attacks to evade the “radar” of antivirus manufacturers. It should be noted that threats are rapidly developing in the direction of focused attacks on high caliber targets.

96

Zero Days Negative – MI 7Cyber defense can’t detect unknown threats, malware appears to be legal, and operating systems can’t deal with multiple types of attacksAverbuch and Siboni 13 [Amir Averbuch, professor of computer science at Tel-Aviv university, and Gabi Siboni, Senior Research Fellow, head of the Program on Military and Strategic Affairs and Program on Cyber Security @ the Institute for National Security Studies, “The Classic Cyber Defense Methods Have Failed – What Comes Next?” Military and Strategic Affairs, Volume 5 - No. 1, p. 48-49, May 2013, < http://www.inss.org.il/uploadImages/systemFiles/MASA5-1Eng5_Averbuch%20and%20Siboni.pdf>]//eugchenThe quantity of malware successfully penetrating all the existing defense systems and overcoming all the signature and rule-based classic defenses is increasing by leaps and bounds. The rate of increase has been in the three-digit percentages from 2011 until the present time.6 The existing systems are based mainly on preventing and thwarting known threats through the use of signatures and rules that are known in advance. Having no known signature at any given moment, these systems cannot detect zero-day attacks. They also find it difficult to identify Trojan horses and backdoors, and many sophisticated stealth attacks have no known signatures. Because they appear to be legal data and code, and do not look like malware, they can penetrate almost any computer system. The attacks succeed in penetrating organizational networks and end-user computers despite all the defense systems; this is attributable to the fact that the initial appearance and behavior of the malware appears to be legal and proper. Furthermore, most of today’s operating systems are built to handle a certain kind of attack, and are unable to deal with a broad range of attacks with mutations and secondary attacks.

97

Zero Days Negative – MI 7AT: CYBEROFFENSE BAD

Cyber offense prevents cyber warHarris 13 [Chandler, “Hacking for Change – Could Revealing Cyber Capabilities Prevent Cyber War?” 6/26/13 < http://news.clearancejobs.com/2013/06/26/hacking-for-changing-could-revealing-cyber-capabilities-prevent-cyber-war/>]//eugchenRevealing the capabilities of the U.S. nuclear arsenal is a key part of the U.S. nuclear deterrence strategy. So when it comes to the U.S. cyber warfare capabilities, the same tactic could be used to deter cyber war, claims a new paper by the Rand Corporation. Offisive cyber operations may be a legitimate deterrence strategy. The paper, Brandishing Cyberattack Capabilities, was prepared for the Office of the Secretary of Defense, and seeks to identify if demonstrations, or “brandishing” cyberwar capabilities, serve as effective deterrents to a potential cyber war. The paper says that brandishing cyberattack capabilities would accomplish three things: declare a capability, suggest the possibility of its use in a particular circumstance, and indicate that such use would really hurt. “The most obvious way to demonstrate the ability to hack into an enemy’s system is to actually do it, leave a calling card, and hope it is passed forward to national decision-makers,” the report says. “This should force the target to recalculate its correlation of forces against the attacker.” “Advertising” cyberwar capabilities may be helpful as a backup a deterrence strategy by dissuading other countries from performing harmful activities. Plus, it could limit a country’s confidence in the reliability of its information, command and control, or weapon systems, the paper says.

98

Zero Days Negative – MI 7AT: DETERRENCE IMPOSSIBLE

Deterrence is possible – but only with decision-making flexibilityAlperovitch 11 [Dmitri, “Towards Establishment of Cyberspace Deterrence Strategy,” 2011, 3rd International Conference on Cyber Conflict, http://www.ccdcoe.org/publications/2011proceedings/TowardsEstablishmentOfCyberstapeDeterrenceStrategy-Alperovitch.pdf] //khirn

Advanced defensive tactics, technologies and highly trained personnel will contribute to the shrinking of the detection and classification gap. Separation of defensive and offensive resources, such as storage of offensive cyberweapons in offline locations which are less vulnerable to virtual targeting

and distributing the retaliatory information systems and networks across wide virtual and physical space will help to build credible resilience to the counter-strike force. This can reduce the reliance on rapid detection and classification of inbound attack by providing the means for the decision makers to retaliate even after suffering a devastating first strike, minimizing the chance that the adversary can count on taking out all of the counter-strike assets in a single attack. Second, is the need to preserve a rapid C2 decision-making and execution of a counter-strike option when facing a devastating cyber attack. This can be accomplished by preserving the resiliency and integrity of command chain communications by instituting or preserving offline communications channels that are less likely to be impacted by cyber attacks, such as dedicated traditional secure POTS (plain old telephone service) lines and encrypted radio and satellite communications that are physically separated from virtual networks which can carry attack codes. Third, the counter-strike itself must be capable of instituting devastating damage on the attacker’s own virtual and physical infrastructure to make the first-strike prohibitively expensive. Limited public demonstrations of cyber offensive capabilities can serve a useful purpose in alerting potential opponents to what they may face should they decide to attack. However, this part of the deterrence equation presents the biggest challenge to developed nation-states with advanced cyber defensive and offensive capabilities but who face developing nation-state adversaries with dangerous offensive cyber weapons but are themselves not reliant on cyberspace for their national economic or military interests. It is hard to cause 92 prohibitively devastating damage on your opponent through cyber means alone if his vital infrastructure is completely disconnected from the network. This problem presents a serious conundrum to policy makers, who face the unappealing choice of rising up the escalatory ladder and retaliating with conventional or perhaps even nuclear weapons in response to a cyber-only attack, in the process risking violations of international norms of proportional response, or absorbing the attack without a response and looking weak to their enemies, friends and populations alike. Yet, while this is a significant unresolved policy problem today, it is reasonable to expect that its consequences will lessen with time , as more and more developing countries rapidly increase their reliance on cyberspace in order to reap the economic, efficiency and force- multiplier benefits it affords.

99

Zero Days Negative – MI 7AT: DETERRENCE DOESN’T APPLY TO CYBER

Deterrence is a state of mind – making our capabilities appear more robust linearly decreases the chances of useBeidleman 9 [Lieutenant Colonel Scott W., Director, Development Planning, Space and Missile Systems Center (SMC) Los Angeles Air Force Base, California, January 6, 2009, “Defining and Deterring Cyber War,” Strategy Research Project] //khirn

In general, deterrence is a state of mind. It is the concept of one state influencing another state to choose not to do something that would conflict with the interests of the influencing state. Similarly, the central idea of deterrence from the perspective of the Department of Defense is “to decisively influence the adversary’s decision-making calculus in order to prevent hostile actions against U.S. vital interests .” Deterred states decide not to take certain actions because they perceive or fear that such actions would produce intolerable consequences . The idea of influencing states’ decisions assumes that states are rational actors “willing to

weigh the perceived costs of an action against the perceived benefits, and to choose a course of action” logically based on “some reasonable cost-benefit ratio.” Thus the efficacy of cyber deterrence relies on the ability to impose or raise costs and to deny or lower benefits related to cyber attack in a state’s decision-making calculus. Credible cyber deterrence is also dependent on a state’s willingness to use these abilities and a potential aggressor’s awareness that these abilities, and the will to use them, exist. While a state’s ability to deter cyber attacks is a subset of its overarching defense strategy comprised of all instruments of national power, this paper focuses on states’ actions to deter cyber attack within the cyberspace domain. Effective cyber deterrence in cyberspace will employ a comprehensive scheme of offensive and defensive cyber capabilities supported by a robust international legal framework. Offensive capabilities are the primary tools used to impose or raise costs in deterrence . Offensive cyber capabilities and operations provide a state the means and ways for retaliation and enhance the perceived probability that aggressors will pay severely for their actions. A more robust capability translates to a more credible imposition of costs. Until recently, U.S. efforts to develop offensive cyber capabilities have lagged efforts on the defensive side. The daily onslaught of attacks on U.S. networks, coupled with the likelihood that potential U.S. adversaries will be less dependent on electronic networks than the U.S., has prioritized intelligence gathering and defending U.S. capabilities over disrupting enemy capabilities.

And, deterrence is the only way to solve Schreier 12 [Fred, consultant for the DCAF, a retired colonel, has served in various command and general staff positions and in different functions in the Swiss Ministry of Defense as a senior civil servant, “On Cyberwarfare,” DCAF Horizon, 2015 Working Paper Series, The Geneva Centre for the Democratic Control of Armed Forces (DCAF) is one of the world’s leading institutions in the areas of security sector reform and security sector governance] //khirn

Nonetheless, cyber attacks loom on the horizon as a threat that is best understood as an extraordinary means to a wide variety of political and military ends, many of which can have serious national security ramifications. For example, computer hacking can be used to steal offensive weapons technologies, including weapons of mass destruction technology. Or it could be used to render adversary defenses inoperable during a conventional military attack. As long as

secure passive cyber defense is impossible, deterrence seems the only feasible path . In that light,

attempting proactively to deter cyber attacks may become an essential part of national strategy . However, deterrence is pointless without attribution. Attribution means knowing who is attacking you, and being able to respond appropriately against the actual place that the attack is originating from.Attribution as it relates to cyber

warfare is also defined as “determining the identity or location of an attacker or an attacker’s intermediary.” In the case of a cyber attack, an attacker’s identity may be a name or an account number, and a location may be a physical address or a virtual location such as an IP address.But if retaliation does not hit the attacker, he will not be deterred. And it is of legal importance as well.

100

Zero Days Negative – MI 7Retaliation against the wrong actor is unjust and a crime of war. Thus attribution is a necessary condition for the law of war. An attacker has to be identified and, to make it an armed attack and not just a criminal act, the attacker has to be a state actor or those acting on behalf of a state. At the level of the nation-state, there are two possible deterrence strategies: denial and punishment .

101

Zero Days Negative – MI 7AT: DETERRENCE FAILS (ATTRIBUTION)

Deterrence via attribution is effective – actual threats will self reportGlaser 11 [Charles L., Professor of Political Science and International Affairs Elliot School of International Affairs, George Washington University, “Deterrence of Cyber Attacks and U.S. National Security,” Report GW-CSPRI-2011-5, June 1, 2011, http://www.offnews.info/downloads/2011-5CyberDeterrenceGlaser.pdf] //khirn

Many experts are quite pessimistic about the feasibility of attribution. For example, William Lynn, the U.S. Deputy Secretary of Defense recently wrote, “The forensic work necessary to identify an attacker may take months, if identification is possible at all.” Cyber deterrence and the attribution problem 4 Richard Clarke reports that a leading group of cyber experts concluded that it is “fruitless” to try to attribute the source of cyber attacks.5 This view, however, may exaggerate the attribution problem by overlooking either the purposes of the attacker or the scenario in which the attack occurs.6 A state that launches a “countervalue” attack against the United States’ economic infrastructure, economy and/or society is likely to have a political purpose. Possible purposes could include compelling the United States to make political concessions during a crisis before a war starts, compelling the United States to stop fighting a war, and reducing the U.S. ability to fight a war by weakening its economy and industrial infrastructure. For these compelling threats to be effective, the state would have to make demands and spell out its threat. In addition, it would have to provide the United States with some confidence that attacks would stop if the United States meets that attacker’s demands. These communication requirements would largely eliminate the attribution problem. For the scenario of attacking to weaken the U.S. ability to fight, the country the United States was fighting would be immediately identified as the likely suspect; the possibility that the United States would likely come to this conclusion could be sufficient to deter the adversary’s cyber attack. Alternatively, the attacker might not be deterred because the costs of U.S. retaliation were not large compared to the costs of the on-going war; but in this case the failure of deterrence would not result from the attribution problem but instead from the size of the retaliatory costs the United States was threatening. Of course, actors that lack political objectives are not covered by this argument. Terrorist groups are therefore a natural concern, as they are often viewed as motivated simply by the desire to damage the United States. A very different perspective disagrees, however, arguing that terrorist groups, including al Qaeda, are motivated by political goals and use terror attacks as a means to achieve their political ends.7 The attribution issue for “counterforce” attacks—those directed against U.S. capabilities—is quite different, but may be even less of a problem than with counter value attacks launched by states. This type of attack is most likely to occur during a crisis or war, with the adversary employing the cyber attack to gain a military advantage. Attribution will likely not be a problem, because the United States will know which state it is involved within a conflict. This is not to say that deterring this type of attack will not be difficult; it might be for reasons other than attribution. This is a separate issue that we deal with briefly below. If this is the case, a terrorist group will find itself facing communication requirements that are not unlike those facing states. A terrorist group might be hard to deter by retaliation because there are no good targets to hit in retaliation, and almost certainly no important cyber targets, but again the difficulty of deterrence would not result from attribution problems, but the more familiar problem of threatening attacks that would inflict sufficiently high costs on a terrorist group. Another type of actor that might be of concern here are hackers who are motivated by the technical challenge of undermining U.S. cyber systems and not by political objectives. All of this said, the difficulty of attribution does create a variety of potential dangers. One possibility is dangerous mischief: a third party—country, terrorist group, or hacker—could launch a cyber attack against the United States while it was involved in a crisis or war with another state. Based on the logic sketched above, this could lead to misattribution, because the United States’ first inclination would likely be to attribute the attack to the country it was already fighting. Consequently, the third party could use such an attack to generate escalation in the on-going conflict, with the goal of increasing the damage that the United States and/or its adversary would suffer. Another problem is that the inability to attribute attacks undermines the U.S. ability to deter (and otherwise respond) to much lower level cyber attacks, including data stealing, espionage, and disruption of commerce. At a minimum, attribution would enable the United States to try to deter these types of attacks by promising to pursue legal actions. But for the most part, these types of attacks do not threaten vital U.S. national security interests, so from a security perspective the attribution problem does not generate large risks.

102

Zero Days Negative – MI 7AT: NO RETALIATION

Retaliation can happen Cushing 14 (Seychelle, Cushing, SFU Vice President of Research, November 11th 2014,” Leveraging Information as Power: America’s Pursuit of Cyber Security”, Simon Fraser University Summit Intstitutional Repository, http://summit.sfu.ca/item/14703,CE)

If the United States revealed what retaliation would look like in cyberspace, it would, in effect, expose part of its cyber capabilities. One of China’s longest intrusions, taking place over the better part of a decade, was within America’s military networks and systems. Information on American weapons systems and other military technology was accessed according to a classified Defense Science Board report.132 Assume for a moment that the United States makes its retaliation strategy explicit. For every instance of Chinese infiltration into Department of Defense networks to steal information, for example, the US will hack back into Chinese military networks to deny access to information. In this theoretical example, public disclosure reveals two things about American capabilities: (1) that it has access to Chinese military networks and, (2) that it has the capability to launch availability attacks. In doing so, the United States has essentially told the Chinese what part of its cyber capabilities are and the extent of penetration into Chinese networks. With this knowledge, the Chinese could shore up their networks and create better cyber strikes to circumvent an American retaliatory response.133 American disclosure thus limits the usefulness of such retaliatory capabilities in the future. 134

103

Zero Days Negative – MI 7AT: OTHER AGENCIES SOLVE

NSA is the only agency that can solveMcConnell 10 [Mike McConnell was the director of the National Security Agency in the Clinton administration and the director of national intelligence during President George W. Bush's second term. A retired Navy vice admiral, he is executive vice president of Booz Allen Hamilton, which consults on cybersecurity for the private and public sector. 2/28/10,”Mike McConell on How to Won the Cyber War We’re Losing” http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html] //khirn

There are many organizations (including al-Qaeda) that are not motivated by greed, as with criminal organizations, or a desire for geopolitical advantage, as with many states. Rather, their worldview seeks to destroy the systems of global commerce, trade and travel that are undergirded by our cyber-infrastructure. So deterrence is not enough; preemptive strategies might be required before such adversaries launch a devastating cyber-attack. We preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks, and by creating a more resilient cyberspace that can absorb attacks and quickly recover. To this end, we must hammer out a consensus on how to best harness the capabilities of the National Security Agency, which I had the privilege to lead from 1992 to 1996. The NSA is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies. The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private -- and classified to unclassified -- to protect the nation's critical infrastructure.

104

Zero Days Negative – MI 7AT: TRANSPARENCY SOLVES WAR

Disclosing posture fails – encourages enflaming arms races Goldsmith 11 [Jack, Professor, Harvard Law, “General Cartwright on Offensive Cyber Weapons and Deterrence,” Nov 8, 2011, http://www.lawfareblog.com/2011/11/general-cartwright-on-offensive-cyber-weapons-and-deterrence/] //khirn

One cannot read too much into snippets of an interview, but of course matters are more complex than this. First, talking about offensive cyber-capabilities is a tricky business. Merely talking about the weapons in general terms,

without revealing and perhaps demonstrating their capabilities, cannot advance deterrence very much. But on the

other hand, too much detail about what the weapons can do make it easier , and potentially very easy, for adversaries to defend against these weapons by (among other things) closing the vulnerabilities that the weapons exploit. Moreover, openly demonstrating or even discussing cyber capabilities would further enflame the cyber arms race in ways that might be self-defeating. Second, revealing the circumstances in which these weapons will be used might invite infiltrations just short of those circumstances. “As soon as you declare a red line, you’re essentially telling people that everything up to that line is OK,” noted former Pentagon official Eric Sterner in the Reuters story. Third, and to my mind most fundamental, revealing the weapons capabilities and the (possible) circumstances of their use will not go far toward establishing deterrence unless the United States can credibly commit to using the weapons. This, I think, is hard to do. The main threat today is cyber-exploitation (i.e. espionage, theft, copying) that does not violate international law and that would not warrant any use of force under international law. I have a hard time understanding how a law-sensitive DOD will credibly commit to ever using cyber-weapons, or kinetic weapons for that matter, in response to even the most devastating cyber-exploitations.

105

Zero Days Negative – MI 7AT: TREATIES SOLVE

Legal restrictions will only constrain America – maintaining military control of OCO’s crucial to prevent global cyberwarBaker 11 [Stewart, former official at the U.S. Department of Homeland Security and the National Security Agency, “Denial of Service,” Foreign Policy, Sept. 30, http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service] //khirn

American lawyers' attempts to limit the scope of cyberwar are just as certain to fail as FDR's limits on air war -- and perhaps more so. It's true that half a century of limited war has taught U.S. soldiers to operate under strict restraints, in part because winning hearts and minds has been a higher priority than destroying the enemy's infrastructure. But it's unwise to put too much faith in the notion that this change is permanent. Those wars were limited because the stakes were limited, at least for the United States. Observing limits had a cost, but one the country could afford. In a way, that was true for the Luftwaffe, too, at least at the start. They were on offense, and winning, after all. But when the British struck Berlin, the cost was suddenly too high. Germans didn't want law and diplomatic restraint; they wanted retribution -- an eye for an eye. When cyberwar comes to America and citizens start to die for lack of power, gas, and money, it's likely that they'll want the same. More likely, really, because Roosevelt's bargain was far stronger than any legal restraints we're likely to see on cyberwar. Roosevelt could count on a shared European horror at the aerial destruction of cities. The modern world has no such understanding -- indeed, no such shared horror -- regarding cyberwar. Quite the contrary. For some of America's potential adversaries, the idea that both sides in a conflict could lose their networked infrastructure holds no horror. For some, a conflict that reduces both countries to eating grass sounds like a contest they might be able to win. What's more, cheating is easy and strategically profitable . America's compliance will be enforced by all those lawyers. Its adversaries' compliance will be enforced by, well, by no one . It will be difficult, if not

impossible , to find a return address on their cyberattacks . They can ignore the rules and say --

hell, they are saying -- "We're not carrying out cyberattacks. We're victims too. Maybe you're the attacker. Or maybe it's Anonymous. Where's your proof?" Even if all sides were genuinely committed to limiting cyberwar, as they were in 1939, history shows that it only takes a single error to break the legal limits forever . And error is inevitable. Bombs dropped by desperate pilots under fire go astray -- and so do cyberweapons. Stuxnet infected thousands of networks as it searched blindly for Iran's uranium-enrichment centrifuges. The infections lasted far longer than intended. Should we expect fewer errors from code drafted in the heat of battle and flung at hazard toward the enemy? Of course not.

But the lesson of all this for the lawyers and the diplomats is stark : Their effort to impose limits on cyberwar is almost certainly doomed . No one can welcome this conclusion, at least not in the United States. The country has advantages in traditional war that it lacks in cyberwar. Americans are not used to the idea that launching even small wars on distant continents may cause death and suffering at home. That is what drives the lawyers -- they hope to maintain the old world. But they're being driven down a dead end . If America wants to defend against the horrors of cyberwar, it needs first to face them, with the candor of a Stanley Baldwin. Then the country needs to charge its military strategists, not its lawyers, with constructing a cyberwar strategy for the world we live in, not the world we'd like to live in.

106

Zero Days Negative – MI 7

NATO COUNTERPLAN

107

Zero Days Negative – MI 71NC NATO COUNTERPLAN

The United States federal government should propose the development of a zero-day vulnerability and exploit threat sharing program to the North Atlantic Treaty Organization. The United States federal government should disclose zero-day vulnerabilities and exploits to the North Atlantic Treaty Organization.

The counterplan solves the aff and reinvigorates NATO --- bolsters international cyberdefense capabilities while maintaining strategic use of offensive cyber operations Fidler 15 -- Marshall Scholar, Department of Politics and International Relations, University of Oxford (Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf, pg. 72-74) /AMarbNATO is an influential body, and, if it addressed trade in zero-days, its policies would have global importance. NATO has been relatively successful in addressing new collective defense challenges, so it may have the institutional flexibility to take on zero-days. NATO membership maps well with participants in the zero-day market, including countries with notable buyers and sellers. Additionally, because NATO is a collective defense organization for allies, conceptions of the underlying security problem and opinions about approach may be more aligned than among states not engaged in collective defense. Given the difficulties of other forms of international cooperation, achieving consensus among allies might be strategically attractive. NATO has developed a focus on cyber defense, and zero-days are relevant to that agenda. Not only could trade in zero-days facilitate attacks against NATO networks, but the stockpiling behavior of member states also leaves other members vulnerable. Key NATO members, such as the United States and United Kingdom, are purchasers of zero-days.327 NATO’s commitment to cyber defense has resulted in the development of a cyber policy- and decision-making structure and processes that could also be used to address the zero-day issue without significant alteration. Despite this institutional base, NATO would have to experience a policy shift before addressing zero-days. Zero-days are inherently exploitable: although they have significant implications for cyber defense, they are also closely tied with offensive capabilities of member states and the potential for NATO offensive capabilities. NATO, as an organization, is currently not positioned to discuss offensive cyber issues and has demonstrated wariness of an expanded cyber mandate. Still, as demonstrated by Libya and Russia’s actions in Crimea, cyber is an increasing reality of security threats facing NATO. NATO must address cyber capabilities, not just passive cyber defense. Zero-days, as a technology that overlaps both categories, could be a useful place to start this shift. If this shift occurred, NATO could use its existing structure to foster guidelines for addressing zero-days. The Cyber Defense Management Board (CDMB), which implemented the 2011 Action Plan, could be a starting place for discussions about zero-day policy. NATO could do this in several ways, including using CDMB to increase transparency and information sharing about zero-day issues within member states. For instance, NATO could establish a zero-day threat-sharing program, in which governments share information about the nature of the zero-day threats they face. This kind of program would probably be least resisted by member states, but NATO could go further. NATO could institute a group disclosure program: when one member stockpiles a vulnerability, it could also disclose the vulnerability to a NATO clearinghouse . NATO

members could then protect themselves against that vulnerability or make use of it. NATO could also push for harmonized purchasing policies, perhaps agreeing that NATO members will only purchase or stockpile certain vulnerabilities from certain countries or suppliers. However, given NATO’s lack of appetite for discussing offensive capabilities, NATO can, at best, function as a place to start a conversation among likeminded states. For instance, the CDMB could facilitate discussion of the zero-day issue at the next NATO defense ministers meeting. But even that, as demonstrated, may be a difficult topic to broach. NATO simply may not be ready to address something as complex and controversial as the zero-day trade. NATO is also not an entity designed for addressing trade in dual-use technologies. It could discuss zero-days, particularly government use and purchasing of zero-days, but it is not designed to influence global trade. NATO has only 28 members; even though many members are active buyers or host active sellers, and may share enough interests to come to consensus, an agreement among a limited group could only produce governance of limited global effect.

108

Zero Days Negative – MI 7The plan and permutation disrupt the counterplan’s process for handling zero-day vulnerabilities by unilaterally disclosing all of them to vendors --- that endangers the national security of allies Zetter 14 –award-winning reporter at Wired covering cybercrime, privacy, and security (Kim, 4/15/14, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, http://www.wired.com/2014/04/obama-zero-day/) /AMarb

Rogers said that within the NSA “there is a mature and efficient equities resolution process for handling ‘0-day’ vulnerabilities discovered in any commercial product or system (not just software) utilized by the U.S. and its allies.” The policy and process, he said, ensures that “all vulnerabilities discovered by NSA in the conduct of its lawful missions are documented, subject to full analysis, and acted upon promptly.” He noted that the NSA is “now working with the White House to put into place an interagency process for adjudication of 0-day vulnerabilities.” He also said that “the balance must be tipped toward mitigating any serious risks posed to the U.S. and allied networks” and that he intended to “sustain the emphasis on risk mitigation and defense” over offensive use of zero days. Rogers noted that when the NSA discovers a vulnerability, “Technical experts document the vulnerability in full classified detail, options to mitigate the vulnerability, and a proposal for how to disclose it.” The default is to disclose vulnerabilities in products and systems used by the U.S. and its allies, said Rogers, who was confirmed by the Senate and took command of the NSA and US Cyber Command in March. “When NSA decides to withhold a vulnerability for purposes of foreign intelligence, then the process of mitigating risks to US and allied systems is more complex . NSA will attempt to find other ways to mitigate the risks to national security systems and other US systems, working with stakeholders like CYBERCOM, DISA, DHS, and others, or by issuing guidance which mitigates the risk.”

That alienates NATO allies --- they don’t want to be treated as junior partners Keohane et al 14 (Daniel (Research director in NATO), Stefan Lehne (MA in IR), Ulrich Speck (PhD at University of Frankfurt), and Jan Techau (Director of Carnegie Europe which works on EU integration and foreign policy), Oct. 28,2014, A New Ambition for Europe: A Memo to the European Union Foreign Policy Chief, Carnegie Europe, http://carnegieeurope.eu/publications/?fa=57044) /AMarb

Clarify the EU’s partnership with the United States on security challenges. The EU should not play the role of an American junior partner nor automatically side with the United States. But it should cooperate and coordinate with Washington whenever possible, as not only do interests on many issues converge but the United States is also the EU’s closest international partner. The EU should define its own positions on Asian security challenges based on international law (such as the UN Convention on the Law of the Sea) and communicate these positions to all sides. Militarily, the EU cannot do much, but it can help build a multilateral order and security architecture in the region to the extent that governments in the region are interested. ASEAN, although a Southeast Asian grouping, could be the nucleus of a new Asia-Pacific rules-based order, for instance via the ASEAN-affiliated East Asia Summits, and the EU should support such efforts. There may also be potential for offering EU experience with nonmilitary approaches to security, such as mediation, crisis management, confidence building, and application of the rule of law, to help reduce geopolitical tensions.

Preventing NATO fragmentation crucial to curbing Russian aggression Stewart 14 (Brian, 3-28-14, "Ukraine crisis: Can a weakened NATO stand up to Putin?" CBC News) www.cbc.ca/news/world/ukraine-crisis-can-a-weakened-nato-stand-up-to-putin-1.2589288)

Even leaving Ukraine aside, NATO has other potential crises on its flanks, where it is obliged by treaty to protect increasingly nervous NATO members who are also neighbours of Russia. These include

109

Zero Days Negative – MI 7the three former Soviet Union satellites, Estonia, Latvia and Lithuania, all with fragile economies and significant Russian minorities; as well as the much larger Poland, a former member of the Soviet Union's Warsaw Pact military alliance. Including Estonia, Latvia and Lithuania was always controversial within NATO because they are so far east and so difficult to defend. Still, they made it in and now demand NATO show it would be ready to honour its famous (Article 5) guarantee that an attack on one member involves an attack on all. In recent weeks, the U.S., with U.K. support to come, has rushed in limited fighter plane and other air support for the Baltic members, as well as 300 support staff and some naval units. UKRAINE-CRISIS/ Russian sailors mill about onboard the Suzdalets at the Crimean port of Sevastopol earlier this week. As many as 150,000 Russian troops are also taking part in exercises along Ukraine's eastern boundary. (Reuters) But so cautious a response has not eased the nervousness in the region, which has been warning NATO for years about Russian ambitions. Some of their fears stem from the large military exercises Moscow has run in the Baltic region in recent years, including some that simulate attacks on Lithuania and Poland. NATO, it should be noted, also exercises units in the Baltic region, while Poland has recently launched a substantial arms buildup of its own in response to Russia's. These days, NATO is also hearing rising security concerns and demands for reassurance from nations such as Hungary, Romania and Bulgaria , as well as both the Czech and Slovak Republics. Here, NATO's worries are not limited to military pressure-tactics, but encompass the deep political crises and anti-democratic trends in some of these Eastern Europe countries, where crony-capitalism and the leverage of Russian gas supplies open new doors to Putin's influence. No, this is not the old Cold War. Today's Russia is weaker than the West, even with few European powers ready for yet another arms race with Moscow. But if Putin's regime really does feel that NATO's once triumphant march to the east is at least in part reversible, given the right pressure points, then NATO's very credibility is about to be severely tested, yet again.

The impact is global nuclear war Fisher 14 (Max, Political Analyst @ Vox, 9/3/14 "Obama's Russia paradox: Why he just threatened WWIII in order to prevent it," http://www.vox.com/2014/9/3/6101507/obama-just-committed-the-us-to-war-against-russia-if-it-invades) President Obama gave a speech on Wednesday, in a city most Americans have never heard of, committing the United States to possible war

against Russia. He said that the North Atlantic Treaty Organization, a Western military alliance better known as NATO, would fight to defend eastern European members like Estonia against any foreign aggression. In other words, if Russian President Vladimir Putin invades Estonia or Latvia as he invaded Ukraine, then Putin would trigger war with the US and most of Europe. Obama's speech from the Estonian capital of Tallinn, though just a speech, may well be America's most important and aggressive step yet against Russia for its invasion of Ukraine. While the speech will do nothing for Ukraine, it is meant to stop Russia from invading, or perhaps from sponsoring rebellions in, other European countries — so long as those European countries are part of NATO, as most are. "We'll be here for Estonia. We will be here for Latvia. We will be here for Lithuania," President Obama said from the capital of Estonia, one of the three Baltic states that were once part of the Soviet Union but now are members of NATO. "You lost your independence once before. With NATO, you will never lose it again." Obama was making a promise, and a very public one meant to reverberate not just in European capitals but in Moscow as well: If Russia invades any member of NATO, even these small Baltic states on the

alliance's far periphery, then it will be at war with all of them — including the United States. "The defense of Tallinn and Riga and Vilnius is just as important as the defense of Berlin and Paris and London," Obama said. To be really clear: that defense means war with Russia, which has the world's second-largest military and second-largest nuclear arsenal, a

prospect so dangerous that even during the angriest moments of the Cold War, the world managed to avoid it. The idea, though, is not that Obama wants to go to war with Russia, it's that he wants to avoid war with Russia — this is also why the

US and Europe are not intervening militarily in Ukraine to push back the Russian tanks — but that avoiding war with Russia means deterring Russian President Vladimir Putin from invading these Baltic states in the first place by scaring him off. The risk of such an invasion , by the way, is real: these countries are about one-quarter ethnic Russian, and

Ukraine's own Russian minority which was Putin's excuse for invading Crimea in March. Putin also clearly sees former Soviet states as fair game; he has invaded Ukraine and Georgia, both marked in red on the above map. So the Baltic states are rightly terrified that they are next. Here is Obama's dilemma, and Europe's: They want to prove to Putin that they will definitely defend Estonia and Latvia and other eastern European NATO members as if they were American or British or German soil, so that Putin will not invade those countries as he did in Ukraine. But the entire world, including Putin, is suspicious as to whether or not this threat is a bluff. And the worst possible

thing that could happen, the thing that could legitimately lead to World War Three and global nuclear war , is for Putin to call Obama's bluff, invade Estonia, and have Obama's bluff turn out to not be a bluff.

110

Zero Days Negative – MI 72NC NATO CP SOLVENCY

NATO is key to solve cyberattacks – the counterplan produces cooperation with companies at the discretion of NATO allies Thompson 14 -- writes about national security (Loren, 9/19/14, Cyber Alliances: Collective Defense Becomes Central To Securing Networks, Data, Forbes, http://www.forbes.com/sites/lorenthompson/2014/09/19/cyber-alliances-collective-defense-becomes-central-to-securing-networks-data/) /AMarb

When the North Atlantic Treaty Organization — NATO — wrapped up its summit in Wales earlier this month, the member-states issued a lengthy communique expressing solidarity on major defense challenges. One of the challenges mentioned was cybersecurity. The alliance stated that “cyber defence is part of NATO’s core task of collective defence,” presenting concerns so severe that they might lead to invocation of Article Five of the North Atlantic Treaty — the article calling on all members to come to the defense of a threatened nation. The communique went on to stress that “strong partnerships play a key role in addressing cyber threats and risks,” and committed alliance members to intensified cooperation in pursuit of integrated solutions. It isn’t hard to see why NATO is worried about threats in cyberspace, given Russia’s recent use of on-line attacks against Ukraine and other countries in a style of combat that has come to be called “hybrid warfare.” However, a report by the Pentagon’s prestigious Defense Science Board released last year suggests that the cyber challenge reaches far beyond the use of botnets and distributed denial-of-service tactics. Describing the extensive vulnerability of U.S. military forces to cyber assault, the report then observed, The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. These sustained periods, the science board stated, might last “months or years” as government and industry sought to rebuild damaged infrastructure — a possibility that led the panel to compare the specter of state-sponsored cyber attacks to the threat of nuclear war. So if you think that 56 million payment cards being compromised atHome Depot HD +0.3% is about as bad as cyber threats can get, think again. Civilians and soldiers alike have hardly begun to experience how destructive the coming age of information warfare is going to be. But like NATO, private industry is beginning to grasp the challenge. And also like NATO, industry has begun to embrace the value of collective defense in meeting that challenge. Earlier this month, McAfee and Symantec SYMC -1.57% — the nation’s two biggest cybersecurity firms — agreed to join a Cyber Threat Alliance founded in May by Fortinet and Palo Alto Networks PANW -1.5%. The goal of the new consortium, quoting a white paper it issued, is “to disperse threat intelligence on advanced adversaries across all member organizations to raise the overall situational awareness in order to better protect their organizations and their customers.” What that rather bland formulation indicates is that even the biggest players in cybersecurity have come to doubt that the kind of “advanced persistent threats” they are now encountering can be defeated unless industry emulates NATO in embracing some form of collective defense. In the past, companies like McAfee and Symantec would have resisted the kind of deep collaboration now being proposed for fear of losing competitive advantage. But attacks on networks and data repositories have become so pervasive and clever that collective defense — the one-for-all and all-for-one approach — may be crucial to averting castastrophe. Under this emerging construct, the industry alliance will focus on generating actionable intelligence about zero-day exploits and other dangers that can be quickly disseminated to members. Zero-day exploits are attack vectors and methods not previously observed for which no off-the-shelf solution currently exists. They may require drastic action like shutting down a network before it can be thoroughly compromised, and because time is of the essence the dissemination of threat details will probably have to be automated. Over time, the Cyber Threat Alliance will generate standards spelling out how this should be done, presumably using software such as the Trusted Automated Exchange of Indicator Information (TAXII) framework developed by MITRE and the Department of Homeland Security. Industry’s bid for greater collaboration in meeting the cyber challenge has been matched by efforts at broader cooperation by the government. For instance, during the first Obama Administration, former Deputy Secretary of Defense Bill Lynn drove efforts to forge a cybersecurity alliance between his department and its contractors, which now has blossomed into the Defense Industrial Base Cybersecurity/Information Assurance Program. Under that program, industry and the military share information about cyber threats that is quickly analyzed and disseminated to counter emerging dangers. A broader effort managed in conjunction with the Department of Homeland Security provides similar support to companies operating critical

111

Zero Days Negative – MI 7infrastructure — including sometimes sharing highly classified threat indications. However, a well-known federal advisor in such matters told me this week that the government unwittingly creates disincentives for industry to cooperate, for example by failing to protect sensitive information provided by companies that have experienced cyber attacks. McAfee president Gert-Jan Schenk has cited the absence of legislation promoting cross-national collaboration on cyber threats as one area where industry has to work harder to make up for government’s failure to act. His enterprise, which has invested heavily in cybersecurity research since being acquired by Intel in 2011, has become a leading proponent of collaborative efforts at closing the seams between organizations and domains that on-line criminals exploit. So it seems that collective defense is no longer solely the province of diplomats and military allies. Companies, even when they are competing in the same markets, increasingly see the advantages of working together to counter shared threats. Some will say this demonstrates the ability of market forces to encourage enlightened behavior even when government does not intervene. However, a more sobering interpretation is that cyber threats are becoming so sophisticated and alarming they are forcing changes in the way people behave. Whichever interpretation you favor, it’s clear that collective defense is becoming an organizing principle for global cybersecurity efforts.

EU can aid in solving cybersecurityKeohane et al 14 (Daniel (Research director in NATO), Stefan Lehne (MA in IR), Ulrich Speck (PhD at University of Frankfurt), and Jan Techau (Director of Carnegie Europe which works on EU integration and foreign policy), Oct. 28,2014, A New Ambition for Europe: A Memo to the European Union Foreign Policy Chief, Carnegie Europe, http://carnegieeurope.eu/publications/?fa=57044) /AMarbMake cybersecurity a priority.   The EU has a major stake in and role to play on global security challenges, such as maritime security and the potential security impact of climate change. But cybersecurity deserves particular attention since it will bring about a revolution in security thinking. Protecting the globally integrated information infrastructure from intrusion and disruption will bring together homeland security authorities, the military, and the private sector in a hitherto unknown alliance. Because of the EU’s deep collaboration with the various national ministries invested in protecting cybernetworks, the union is better suited than any other international organization to develop and implement a proactive crossborder strategy for this part of the global commons. The EU foreign policy chief should dedicate considerable internal resources to staying on top of this fast-developing area and to becoming a valuable resource for EU member states.

NATO has experience with responses to cyberattacks – solves the advantage Fidler 15 -- Marshall Scholar, Department of Politics and International Relations, University of Oxford (Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf, pg. 69-70) /AMarbThe 2007 Estonia attacks were NATO’s cyber awakening. In this incident, Estonian government, commercial, and news web capabilities were taken down by cyber attacks in response to controversy about moving a Soviet-era war memorial in Tallinn. The Estonia attacks demonstrated to NATO the“technical scale and political implications of potential cyber attacks.”307 The 2008 Bucharest Summit addressed these implications. NATO established two institutions: the Cyber Defense Management Authority (CDMA) and the Cooperative Cyber Defense Center of Excellence (CCDCOE).308 The CDMA helps coordinate member state cyber defense, reviews capabilities, and conducts risk management. The CCDCOE helps improve cyber defense cooperation through research, information sharing, and convening thought leaders. For instance, in 2009, the CCDCOE requested that experts analyze how international law applies to cyber warfare.309 Although the resulting 2013 report is not official doctrine, it provides important analysis about how NATO members might think about international law, conflict, and cyberspace.310 In June 2011, NATO adopted the Cyber Defense Policy and Action Plan, the most advanced step in the maturation of NATO’s cyber capabilities.311 The document enumerated steps to enhance the political and operational readiness of NATO to respond to cyber incidents, including defining minimum requirements for the security of national networks

112

Zero Days Negative – MI 7critical to NATO’s operations.312 The CDMA transitioned to a group called the Cyber Defense Management Board, which has been carrying out the Action Plan. 313 The 2012 Chicago Summit reaffirmed these efforts, and NATO Defense Ministers met for the first time in 2013 to focus exclusively on cyber defense.314

113

Zero Days Negative – MI 72NC NATO IMPACT

The dilapidation of NATO shatters global economic structures and seriously threatens international security and agriculture.Ahmed 11/25/9Nafeez Mosaddeq Ahmed uthor and political scientist specialising in interdisciplinary security studies. He teaches International Relations at the School of Social Sciences and Cultural Studies, University of Sussex, Brighton, where he recently completed Doctoral research on European imperial genocides from the 15th to the 19th centuries. http://www.mediamonitors.net/mosaddeq12.html 11/25/9

For this reason, according to Robert J. Art - a research associate at the Olin Institute at Harvard, and Herter Professor of International Relations at Brandeis University - America’s “overarching stake” in Europe consists partly of “the valuable investment the United States has to protect [which] is the politico-economic cohesion of Western Europe”, the objective being to “produce an outward-looking, liberal trading community, not an inward-looking protectionist one”, [65] thus maintaining the integration of the whole of Europe under the “stability” a US- dominated international economic system. It is in this context that we may note the particular objective of eradicating socialism in the Balkans and throughout the region in general, to enforce and secure US corporate economic interests.[66] The inseparable linkage between US/Western militarism and US/Western corporate economic interests is thus absolutely clear.[67] One high-ranking and experienced Western European diplomat put it succintly: “The United States presence in Europe is crucial. The role of the United States goes beyond balancing the Soviet Union. The United States keeps our national rivalries down. We are now faced with the emergence of a friendly local superpower - Germany. Our chances of succeeding are greater if the United States stays. If it goes, however, the effects will be felt way beyond the security field - in GATT, agriculture, and so forth. If NATO breaks up, our economic structures are threatened also.”[68] By strengthening NATO and expanding US military hegemony over Europe through NATO, not only does the US manage to prevent the arisal of an independent European security apparatus that may rival NATO, but furthermore, all European nations become subordinate within the US-dominated NATO alliance, thus once more eliminating the possibility of any significant rivalry. In this way, US economic hegemony is maintained within the global “economic structures” of the international system, protected under a military hegemony dominated by American leadership.

Without NATO, free Europe doesn’t exist. Enemies from the East would move in for the attack, and the world would be plunged into global war.Steingart 10/20/06Spiegel Online 10/20/6 Gabor Steingart chief editor of Handelsblatt, Germany's leading economic newspaper. http://www.spiegel.de/international/0,1518,443306,00.htmlFor 50 years it was a highly controversial institution. Today, though, every schoolchild knows that without the North Atlantic Treaty Organization, free Europe wouldn't exist. If the Western alliance hadn’t ostentatiously demonstrated its power -- with its fighter jets, tank divisions and continually updated weaponry -- Soviet communism would have expanded westward instead of imploding as it did. By the end of the Cold War, even NATO’s fiercest critics had learned their lesson: The dove of peace could only survive because the hawk was ready on his perch. The world war for wealth calls for a different, but every bit as contradictory, solution. Alas, once again many lack the imagination to see that the aims of our economic opponents are far from peaceful. Yet what sets this situation apart from what we usually call a conflict -- what paralyzes the West -- is how quietly the enemy is advancing. The two camps are divided between Europe and America on the one side and Asia on the other. But so far there has been no shouting, no bluster and no shooting. Nor have there been any threats, demands or accusations. On the contrary, there is an atmosphere of complete amiability wherever our politicians and business executives might travel in Asia. At airports in Beijing, Jakarta, Singapore and New Delhi red carpets lie ready, Western national anthems can be played flawlessly on cue -- and they even parry Western complaints about intellectual property theft, environmental damage and human rights abuses with a polite patience that can only be admired. The Asians are the friendliest conquerors the world has ever seen

114

Zero Days Negative – MI 72NC RUSSIA CYBERWAR IMPACT

Russia is using zero-days to intercept NATO data about Ukraine --- cooperative threat reduction key to solveRashid 14 – writes about security and core internet infrastructure (Fahmida, October 14, 2014, SecurityWeek, Russia-linked Hackers Exploited Windows Zero-day to Spy on NATO, EU, Others, http://www.securityweek.com/russian-hackers-exploited-windows-zero-day-spy-nato-eu-other-high-profile-targets) /AMarb

Attackers exploited a zero-day vulnerability in Windows to spy on NATO, the European Union, Poland, Ukraine, private energy organizations, and European telecommunications companies, according to cyber-intelligence firm iSight Partners.Microsoft is expected to patch the flaw today as part of October's Patch Tuesday release.The espionage campaign began five years ago and is still in progress, iSight said in its advisory. It has evolved several times over the years to adopt new attack methods, and only began targeting the Windows zero-day with malicious PowerPoint files in August, according to the company. iSight analysts have named the operation "Sandworm Team" because the attackers included several references to Frank Herbert's Dune in the code."It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day," iSight warned.Sandworm targeted victims with malicious PowerPoint documents which, when opened, triggered the zero-day bug in all supported versions of Windows, including Windows Vista, 7, or 8, Windows Server 2008 and 2012, iSight said. The exploit installed another executable file onto the infected machine to open a backdoor, thus giving remote access to attackers.The zero-day itself may not be as scary as it sounds, according to one security expert. “People shouldn’t panic about Sandworm," Ross Barrett, senior manager of security engineering at Rapid7, said over email. Even though the vulnerability is present in all supported operating systems, it is a local file format exploit, which are fairly common and routinely patched by Microsoft. While the bug can give attackers complete control of the compromised system, attackers need to launch a multi-stage attack in order to exploit this flaw. "The steps required to get there limit the impact of this vulnerability," he said.While Microsoft has patched the flaw, iSight also provided some workarounds, such as disabling the WebClient Service to prevent Web Disributed Authoring and Versioning (WebDAV) requests from being transmitted, blocking TCP ports 139 and 445, and preventing executables from being launched by setup .inf files.It's not known at this point what kind of information the attackers were after. Considering the list of victims, it's likely the attackers were looking for information regarding the Ukraine crisis, diplomatic communications, and sensitive documents related to the energy and telecomm industries. Sandworm also attempts to steal SSL keys and code-signing certificates, which may be used in future attacks.iSight believes the attackers are Russian because analysts found Russian-language files on the command server used by Sandworm. The list of victims was another clue, since they are all strategically related to the Ukrainian conflict. While researchers haven't found technical indicators linking the attackers to the Russian government, the fact that the campaign focused on cyber-espionage and not cybercrime meant nation-state involvement was highly likely, according to the company. It's also expensive and time-consuming to look for security flaws in the operating system, making it quite possible the group had nation-state funding and support.For example, the group targeted NATO computers with emails with a malicious document claiming to have information on European diplomacy back in December. An American academic with a focus on Ukraine and several Ukrainian regional government officials received spear-phishing messages just before a NATO summit over the summer. The malicious messages claimed to have information gathered by Ukrainian security services on Russian sympathizers,

115

Zero Days Negative – MI 7such as a list of pro-Russian extremists, iSight said.It’s interesting that iSight found the zero-day flaw "being used in Russian cyber espionage attacks in the wild, targeting NATO, the European Union, and the telecommunications and energy sectors, but that’s probably the most interesting aspect of it," Barrett said.Previous Sandworm attacks exploited older vulnerabilities to install the BlackEnergy exploit kit. BlackEnergy was used to create botnets with launched distributed denial-of-serve attacks against computers in Georgia during the country's conflict with Russia back in 2008. Originally a DDoS tool, BlackEnergy evolved to steal banking credentials and other information.Sandworm was previously identified by F-Secure researchers in a whitepaper on a group they called Quedach released last month. "In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukranian government organizations for information harvesting," F-Secure researchers wrote at the time.iSight is sharing the detailed report with its customers but warned that malware and indicator data could be potentially misused to create "copycat exploits."

US-Russia nuclear war risks extinction – huge risk of miscalc and escalation Starr 14 (Steven, Senior Scientist for Physicians for Social Responsibility and Director of the Clinical Laboratory Science Program @ University of Missouri, “Ukraine + NATO = Nuclear War,”, 11 March 2014 13:03 pg. http://tinyurl.com/ohgfk5p)Furthermore, US/NATO naval forces should not be deployed in the Black Sea, where they would be in close proximity to Russian naval forces. In the event of a war in which Russian forces were actively engaged, the presence of US forces nearby would create a significant chance for a mistake in which US or Russian forces would fire upon each other. Supersonic fighters traveling at more than 1,000 mph can easily overfly national boundaries or "hostile" military forces. If NATO and Russian forces to come into direct military conflict, then the possibility of nuclear conflict increases exponentially . NATO cannot send in its 25,000 man Response Force and expect to defeat 150,000 Russian troops (or more) in a fight at the Russian border. In a NATO-Russian conventional conflict, in which Russian forces were prevailing, NATO would have the choice of withdrawing, calling for a ceasefire, or using its nuclear weapons against Russian forces. NATO has at least a couple hundred US B61 nuclear weapons forward deployed in Belgium, Germany, Italy, the Netherlands, and Turkey. The B61 is a "variable yield" weapon; the two models currently forward-based in Europe, the B61-3 and B61-4 both can be set to have an explosive yield of 300 tons of TNT (0.3 kilotons). In other words, the B61 is designed to be "useable" nuclear weapon, beginning with a "small" detonation that is roughly 20-30 times larger than our largest conventional weapon. However, the B61-4 can also be set to have an explosive power as much as 50,000 tons of TNT (50 kilotons), and the B61-3 as much as 170,000 tons of TNT (170 kilotons) – which is 70% greater than many of the strategic nuclear warheads carried by US nuclear subs. Even if NATO could manage to use its conventional forces to defeat Russian conventional forces, Russia would *not* allow such a defeat upon its very border. Russia would certainly use nuclear weapons to stop NATO. Russia has for some time adopted the policy of "nuclear de-escalation": "In order to maintain a credible nuclear deterrence effect under the conditions of a regional war, Russia believes it should not rely on strategic nuclear forces, or on them only, but must maintain a range of options for the limited or selective use of nuclear weapons in order to be able to inflict a precisely set level of damage to the enemy sufficient to convince him to terminate military confrontation by exposing him to the danger of further nuclear escalation . . . When introducing the concept of "nuclear de-escalation" in the late 1990s, the Russian defence establishment was obsessed with the possibility of a Kosovo-type US/NATO intervention in the war ("armed conflict") in Chechnya, which resumed in 1999. It did not exclude the possibility that, in the event of such a case, Russia would be forced to resort to nuclear weapons." In a NATO-Russian conflict, in which Russia introduced nuclear weapons, NATO would be fully capable of responding in a tit-for-tat fashion. This would be the same pattern as was seen in the NATO war games of the Cold War. Once the nuclear "firebreak" is crossed, once nuclear weapons are introduced into a military conflict in which *both sides have nuclear weapons*, there would likely be an almost inevitable escalation of conflict, a progressive use of nuclear weapons by both sides, with progressively larger targets

being taken out. Peer-reviewed scientific studies predict that a war fought with hundreds or thousands of US and Russian strategic nuclear weapons would ignite nuclear firestorms over tens of thousands of square miles. These mass fires would produce between 50 million to 150 million tons of smoke, which would quickly rise above cloud level in to the stratosphere, where winds would carry it around the Earth. In a matter of weeks or months, a global stratospheric smoke layer would form, which would block up to 70% of warming sunlight, quickly producing Ice Age weather conditions in the Northern Hemisphere. The scientists predict that temperatures in the central US and Eurasia would fall below freezing every day for about three years. The smoke, the darkness, and

116

Zero Days Negative – MI 7extreme cold weather would last for ten years or longer, eliminating growing seasons, making it impossible to grow food. Most people and animals would perish from nuclear famine. Nuclear war is suicide for the human race.

117

Zero Days Negative – MI 7AT: PERMUTATION

Perm fails – NATO is fragmented amongst membersFidler 15 -- Marshall Scholar, Department of Politics and International Relations, University of Oxford (Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf, pg. 74) /AMarbMoreover, despite being composed of allies, NATO faces fragmentation of member policies and opinions. NATO members sometimes have domestic political or legal constraints affecting NATO decisions, and the complicated legal ecosystem affecting NATO, made up of national law, transnational law, and international law, creates legal divergence.328 As indicated by post-Snowden wariness, NATO members do not always share consensus on what activities, particularly in cyberspace, are permissible under international law, especially when activities touch sovereignty and non-intervention issues.329 Last, in 2014, NATO has been preoccupied with the Ukrainian crisis. Even though cyber played a role in the Ukrainian crisis, the cyber threats are marginal compared to the kinetic, territorial, and political security threats posed by Russian behavior.

Empirics prove perm will only harm relations Serafty, PhD 8 – PhD in polisci at Johns Hopkins (Simon, 2008, The pressures for a new Euro-Atlantic security strategy, Europe’s World, http://www.europesworld.org/NewEnglish/Home/Article/tabid/191/ArticleType/articleview/ArticleID/21138/Default.aspx) /AMarb

To some extent, these questions are not new. They were first raised, though in a highly different institutional and geopolitical context, over the failed Anglo-French intervention in Suez more than half a century ago. Ever since, European allies have often questioned what they see as an American tendency to misrepresent the diplomatic procedures for providing information about a decision, and to ignore the institutional processes that ensure genuine consultation beforehand. During the Cuban missile crisis, President Kennedy turned to the allies only after a careful internal review of the options he faced, so they were informed rather than consulted. That the Bush administration returned to the 1962 crisis to justify its approach to Iraq is not surprising: under what they saw as similarly existential conditions, the president and his advisors found the threat to be so high and so unpredictable as to be “imminent”. As Secretary of State Colin Powell, hardly the allies’ bête noire, put it at the time, the United States “tries to persuade others why this is the correct position. When it does not work, then we will take the position we believe is correct.”

Genuine high-level dialogue necessary to preserve relations. Hass, President of Council on Foreign Relations, 2004 (Richard N. July President of the Council on Foreign Relations, http://www.cfr.org/publication/8049/marriage_counseling_for_america_and_europe.html) /AMarb

Americans, for their part, must accept that a strong Europe will not be content to simply do America’s bidding. The US should support European integration, because a strong Europe is at least a potential strategic partner, whereas a weak Europe is not. Indeed, the sort of troop-intensive nation-building exercises taking place in Iraq and Afghanistan are hardly unique; they are sure to be repeated, and European

contributions will be required. That American troops are being withdrawn from Korea and sent to Iraq is both unfortunate and revealing. But genuine consultation will be necessary. Consultation cannot consist of simply informing others of what has already been decided, not adapting policies, and yet still expecting support. Nor can consultations on how to deal

with today’s central global challenges wait until a crisis. Most importantly, the US and Europe must learn how to disagree. The best guideline is to not permit disagreements to spill over and complicate or infect the relationship. Such “compartmentalization” is as

essential now as it was during the Cold War. In order to limit the consequences of disagreement, Americans should 118

Zero Days Negative – MI 7explain their position and offer alternatives when a proposed international arrangement is deemed undesirable.

119

Zero Days Negative – MI 7

POLITICS LINKS

120

Zero Days Negative – MI 71NC POLITICS LINK

Plan not popular – no work can be done in congress to disclose zero daysFidler, 15 Jun 6, 2015, Mailyn Fidler is a Marshall Scholar, Department of Politics and International Relations, University of Oxford “Regulating the Zero-day Vulnerability Trade: a Preliminary Analysis” http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf

It has taken recent steps to strengthen internal checks and balances in the intelligence community, including establishing the Office of the Intelligence Community Inspector General (IG) in the Office of Director of National Intelligence (ODNI) in 2010.167 In light of the Snowden disclosures, many questioned whether congressional oversight of intelligence community (IC) activities is effective. The House attempted to prohibit the NSA’s phone records collection program in July 2013, but the bill was narrowly defeated. 168 The House approved a similar bill in 2014, but the Senate failed to secure enough votes to bring its version to a floor debate, leaving the path to legislative NSA reform highly unlikely. 169 Many proposals have been made to address this sense of failure of congressional oversight of intelligence. For instance, Fred Cate, a privacy and cybersecurity expert, suggests creating an independent agency separate from both Congress and the executive branch to provide stronger oversight. 170Congress could impose limits on purchase, use, and disclosure of zero-days. As it has done with intelligence activities and covert actions, it could require reporting from agencies and/or Inspector Generals to relevant congressional committees when a zero-day is purchased, used, disclosed, and/or not disclosed. Such requirements could be accompanied by the threat of withheld appropriations if the executive branch fails to follow oversight rules. However, congressional oversight is likely politically difficult to achieve. Snowden has made cyber topics politically fraught, and Congress is perceived as dysfunctional. Congressional oversight has also traditionally applied to broad programs, such as foreign intelligence activities within the United States or covert operations overseas, not a specific means of accomplishing law enforcement, intelligence, or military objectives.

121

Zero Days Negative – MI 7TPA SOLVES IP THEFT

TPA will guarantee IP theft isn’t a threat. Hendrie, 15(June 6, 2015 “Free Trade Agreements Will Encourage Stronger Intellectual Property Rights” http://dailycaller.com/2015/06/05/free-trade-agreements-will-encourage-stronger-intellectual-property-rights/ Alexander Hendrie is an Associate at Property Rights Alliance (PRA), an advocacy group affiliated with Americans for Tax Reform.)

The U.S. House of Representatives will soon vote on Trade Promotion Authority (TPA), legislation that outlines congressional objectives and prerogatives the president must follow when negotiating trade agreements. While TPA encompasses a diverse and comprehensive range of guidelines and objectives, perhaps most importantly it is an opportunity to strengthen global protections of intellectual property (IP). TPA includes almost 150 objectives related to agriculture, investment, labor, state-owned enterprises, currency manipulation, and more. In addition, TPA contains strong oversight provisions that give Congress the final say so that any agreement is in the best interest of the American people. In regards to intellectual property, TPA will ensure that American companies receive fair and equitable market opportunities when operating overseas. The legislation requires any trade agreement to “promote adequate and effective protection of intellectual property rights” and encourages trade partners to adopt many of the strong IP protections that are found in U.S. law. Stronger IP protections will be beneficial to all economies. IP-intensive industries are defined as any business that relies on trademarks, copyrights, or patents. This includes pharmaceuticals, automobile manufactures, film and music industries, and tech firms.

122