forms.huffmanisd.netforms.huffmanisd.net/debate/cases/zero days affirmati… · web...

Zero-Days Aff - Michigan 7

Contentszero-days aff................................................................................................................................... 4

notes............................................................................................................................................ 5aff background......................................................................................................................... 6plan text/mechanism background............................................................................................8

1ac............................................................................................................................................... 91ac inherency......................................................................................................................... 101ac ip theft advantage............................................................................................................121ac critical infrastructure advantage.....................................................................................211ac oco’s advantage...............................................................................................................251ac plan – version 1................................................................................................................301ac plan – version 2................................................................................................................311ac solvency........................................................................................................................... 32

topicality.................................................................................................................................... 372ac domestic surveillance (version 2)....................................................................................382ac domestic surveillance (version 1)....................................................................................401ar topicality.......................................................................................................................... 44at: oriola concludes neg.........................................................................................................45

inherency................................................................................................................................... 462ac inherency......................................................................................................................... 47

solvency..................................................................................................................................... 492ac corporate trust key..........................................................................................................502ac modeling.......................................................................................................................... 512ac plan solves zero day demand...........................................................................................522ac plan solves cybersecurity................................................................................................532ac surveillance solves...........................................................................................................542ac “relevant vendors”...........................................................................................................552ac us key to zero day markets..............................................................................................562ac zero days key...................................................................................................................57at: businesses won’t cooperate..............................................................................................59at: ids solves........................................................................................................................... 60at: squo solves cybersecurity.................................................................................................61

ip theft advantage.....................................................................................................................622ac econ add-on.....................................................................................................................631ar ip theft key to econ..........................................................................................................641ar econ impact...................................................................................................................... 662ac disease add-on................................................................................................................. 67

1

Zero-Days Aff - Michigan 72ac innovation add-on............................................................................................................692ac organized crime add-on...................................................................................................732ac plan solves ip theft..........................................................................................................74at: china war defense.............................................................................................................76at: heg resilient...................................................................................................................... 77at: russia war defense............................................................................................................78at: no russian modernization..................................................................................................81at: no russian ip theft.............................................................................................................82

critical infrastructure advantage..............................................................................................842ac critical infrastructure brink.............................................................................................852ac food shortages add-on.....................................................................................................872ac econ add-on.....................................................................................................................892ac plan solves critical infrastructure....................................................................................90at: critical infrastructure safe................................................................................................92at: grid defense...................................................................................................................... 93at: water supply safe..............................................................................................................95at: water shortage impact d...................................................................................................98

oco’s advantage.......................................................................................................................1012ac cooperation key.............................................................................................................1022ac cyber arms race now.....................................................................................................1032ac cyberwar impact............................................................................................................1042ac russia cyberwar impact.................................................................................................1062ac vulnerabilities now........................................................................................................107at: cyberwar won’t escalate.................................................................................................108at: no cyberwar.................................................................................................................... 109at: no miscalc....................................................................................................................... 111

disadvantages.......................................................................................................................... 1122ac cyber-deterrence da......................................................................................................113at: china/taiwan....................................................................................................................118at: korea war........................................................................................................................ 120at: politics............................................................................................................................. 121at: spending links.................................................................................................................123at: terrorism da.................................................................................................................... 124

counterplans............................................................................................................................ 126at: i-law cp............................................................................................................................ 127at: internal review solves.....................................................................................................128at: nato cp............................................................................................................................ 129at: national security pic........................................................................................................130

2

Zero-Days Aff - Michigan 7at: regulations cp.................................................................................................................131at: oversight cp.................................................................................................................... 132

3


ZERO-DAYS AFFThanks to Alex M., Camelia, Christina, Dylan, Eugenia, Kalen, Jackie, Jasmine, and Tristen for all of their hard work!

#GHJPXX

4


NOTES Feel free to email me ([email protected]) if you have any questions about the aff/neg.

5

mailto:[email protected]

Zero-Days Aff - Michigan 7AFF BACKGROUND

Please read this. It will answer 90% of your questions. This aff would be fairly confusing to anyone who hasn’t read about zero-day vulnerabilities or exploits, but it only takes a few minutes to learn the basic background behind the aff.

Who or what is a “zero-day”? Is this some kind of weird K aff? Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]

ZERO DAY ACTUALLY refers to two things—a zero-day vulnerability or a zero-day exploit . Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors . This means the vulnerability is also not yet publicly known , though it may already be known by attackers who are quietly exploiting it. Because zero day vulnerabilities are unknown to software vendors and to antivirus firms, there is no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that spot suspicious or malicious behavior).Zero-day exploit refers to code that attackers use to take advantage of a zero-day vulnerability. They use the exploit code to slip through the hole in the software and plant a virus, Trojan horse or other malware onto a computer or device. It’s similar to a thief slipping through a broken or unlocked window to get into a house.

Okay. Why is it called a zero-day?Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]

The term “zero-day” refers to the number of days that the software vendor has known about the hole. The term apparently originated in the days of digital bulletin boards, or BBSs, when it referred to the number of days since a new software program had been released to the public. Zero day software was unreleased software and was highly coveted by hackers who wanted to be the first to obtain it.

How many of these zero-days are out there? Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]

Zero day vulnerabilities used to be extremely rare. Out of more than a million pieces of malware security firms discovered and processed each month, only about one or two were zero-day exploit code. These days, however, more zero days are being used and discovered. That’s in part due to the emergence of a large market for buying and selling zero-day vulnerabilities and exploits, driven largely by the demand from government intelligence agencies .

What does any of this have to do with surveillance?Mick 13 [Jason, news editor and columnist for the leading science and technology online publication, “Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years,”

6

http://www.wired.com/2014/04/obama-zero-day/



Zero-Days Aff - Michigan 7DailyTech, December 31, 2013, http://www.dailytech.com/Tax+and+Spy+How+the+NSA+Can+Hack+Any+American+Stores+Data+15+Years/article34010.htm]

According to him, the NSA has zero day vulnerabilities on hand that allow it to penetrate virtually any Wi-Fi router, Windows PC, external storage device, server, tablet, or smartphone.

Rather than give this data to private sector firms to offer increased security to users , the NSA turns around and exploits these flaws to spy on everyone -- sort of a digital equivalent of "sometimes you have to burn a village to save it."The NSA calls its attack toolkit "FOXACID". FOXACID is packed with "QUANTUM" tools, which are NSA's digital lockpicks. Like many clumsy picks, they can damage the lock they attack, but it appears the NSA isn't terribly concerned about that.

There’s a market for zero-days? Where can I get them?Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]

The zero-day market has three parts. These include the black underground market where criminal hackers trade in exploit code and vulnerability information to break into systems and steal passwords and credit card numbers; the white market , which encompasses the bug bounty programs where researchers and hackers disclose vulnerability information to vendors, in exchange for money, so the holes can be fixed—this market includes security companies that purchase zero-day exploits to use in their penetration-testing products to determine if a customer’s system is vulnerable to attack; and the “gray” market , where researchers and companies, some of them military defense contractors, sell zero-day exploits and vulnerability information to militaries, intelligence agencies and law enforcement to use for surveillance and offensive computer operations .

What have they been used for? Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014, http://www.wired.com/2014/04/obama-zero-day/]

Some of the most famous attacks that used zero-day exploits are:Stuxnet —a virus/worm that targeted computers in Iran’s uranium enrichment plant at Natanz and used five zero-day exploits to spread and gain privileged access on systems. Though one of the vulnerabilities was patched by Microsoft before the attackers could unleash their code, so technically, at the time Stuxnet was discovered, it was using only four zero-days.Aurora —in 2010 hackers believed to be from China broke into Google, Adobe, and more than a dozen other companies using a zero-day vulnerability found in several versions of Microsoft’s Internet Explorer browser software. The attackers were targeting, at least in part, Google’s source code—possibly to study it and discover additional zero-day vulnerabilities for future use. The group behind those attacks is still active and has been caught using at least eight other zero-day exploits since then.

7



http://www.dailytech.com/Tax+and+Spy+How+the+NSA+Can+Hack+Any+American+Stores+Data+15+Years/article34010.htm


Zero-Days Aff - Michigan 7What is our current policy regarding these vulnerabilities? Zetter 14 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, April, 2014, http://www.wired.com/2014/04/obama-zero-day/]

AFTER YEARS OF studied silence on the government’s secret and controversial use of security vulnerabilities, the White House has finally acknowledged that the NSA and other agencies exploit some of the software holes they uncover, rather than disclose them to vendors to be fixed .The acknowledgement comes in a news report indicating that President Obama decided in January that from now on any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others so that it can be patched, according to the New York Times.But Obama included a major loophole in his decision , which falls far short of recommendations made by a presidential review board last December: According to Obama, any flaws that have “a clear national security or law enforcement” use can be kept secret and exploited . This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation .

8


Zero-Days Aff - Michigan 7PLAN TEXT/MECHANISM BACKGROUND

The most common reform regarding zero-day vulnerabilities that anti-surveillance advocates push for is to have the NSA disclose zero-day’s to relevant vendors (basically, the firm/organization that released the software and antivirus vendors that have the proper clearances to deal with software vulnerabilities from that company, common ones being McAfee, Norton, etc.) The solvency cards all assume this disclosure mechanism.

There are two versions of the plan that attempt to contrive topical methods to do the plan, each of which has advantages and disadvantages.

Version 1: The United States federal government should substantially curtail its domestic surveillance using computer software vulnerabilities or exploits unknown to relevant vendors.

This version of the plan, which simply reduces surveillance activities that use zero-day vulnerabilities, is definitively topical, but it may not solve the aff. There are two solvency flaws in this text that negative teams can exploit:

1. “Surveillance” --- although surveillance is a major use for zero-day vulnerabilities, it is not the only one. Cyber capabilities, which the aff would ideally like to reduce, may be able to continue as usual…. There is a card in solvency under “2ac surveillance solves” that attempts to answer this claim most specifically by saying that surveillance is a prerequisite to cyberweapons (i.e. disruptive cyber operations), which means that disallowing surveillance is tantamount to disallowing cyberweapons.

2. “Domestic surveillance” --- the aff basically has the same problem that PRISM affs have by using the word “domestic.” If “domestic electronic surveillance” limits the targets of surveillance in any meaningful way, the NSA can presumably keep zero-day’s as long as they’re targeting non-domestic persons.

That being said, even if the neg wins either of those arguments (and I don’t think they’re necessarily easy victories), the aff can probably still disclose enough vulnerabilities to solve the corporate trust internal links.

Version 2: The United States federal government should substantially curtail its domestic surveillance of computer software vulnerabilities or exploits unknown to relevant vendors.

This version, with a very precise definition of terms, is a way of topically phrasing the proposal discussed above (disclosure of vulnerabilities). My reading of this sentence’s functional meaning is basically “the NSA/other agencies should stop acquiring and maintaining their current cache of zero-day vulnerabilities/exploits.”

How is this topical? Well, define “domestic surveillance” as “acquiring nonpublic information about U.S. persons.” Given that:1) “U.S. persons” includes corporations; and2) “Nonpublic information” includes “intellectual property.”3) Zero-day vulnerabilities/exploits are “intellectual property.”

As a result, it could be argued that disclosing zero-day vulnerabilities to corporations would definitionally curtail the USFG (e.g. NSA)’s acquisition of nonpublic information (zero-day’s,

9

Zero-Days Aff - Michigan 7which are intellectual property) of U.S. persons (corporations).

One last note about the aff: the DA and CP sections of the file may not appear particularly robust, but the case sections have more than enough material to answer the cyberdeterrence DA and oversight/regulation CP. Some assembly may be required, but most of the aff advocate’s responses to those proposals are represented in the file.

10


1AC

11

Zero-Days Aff - Michigan 71AC INHERENCY

Obama announced that the US would disclose zero-day vulnerabilities, or unknown software flaws, to their vendors --- but loopholes allow the NSA to stockpile zero-days and jeopardize widespread cybersecuritySoghoian and Roubini 2015 (Chris Soghoian, Principal Technologist and Senior Policy Analyst, American Civil Liberties Union Speech, Privacy, and Technology Project & Sonia Roubini, ACLU Speech, Privacy, and Technology Project, “Feds Refuse to Release Documents on “Zero-Day” Security Exploits”, March 3, 2015, https://www.aclu.org/blog/feds-refuse-release-documents-zero-day-security-exploits)//CLi

Federal agencies served with a Freedom of Information Act request are refusing to release documents related to their purchase, use and disclosure of zero-day exploits, keeping the American public in the dark about a practice that leaves the Internet and its users less secure. Zero-day exploits are special software programs that take advantage of security vulnerabilities in software that are unknown to the software’s manufacturer. These exploits are frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any hackers, whether they work for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and the tools that exploit them are extremely powerful, because there is very little that potential targets can do to protect themselves. But the effectiveness of such exploits depends on their secrecy— if the companies that make the affected software are told about the flaws, they will issue software updates to fix them . Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use. On February 5, we received a response from the Office of the Director of National Intelligence (ODNI) to a Freedom of Information Act request we filed for the disclosure of guidance or directives related to the government’s policies for the purchase, discovery, disclosure and exploitation of zero-days. The ODNI claimed that these records are classified under Executive Order 13526, Section 1.4(c), which states that information can be considered for classification if its disclosure could reasonably be expected to cause damage to national security issues pertaining to “intelligence activities (including covert action), intelligence sources or methods, or cryptology.” This response is consistent with the Obama administration’s refusal to make public most information related to its surveillance and cybersecurity policies. The formal United States policy regarding zero-day exploits, published in April 2014, states that federal agencies should reveal any major flaws in Internet security to companies in order to ensure that they are promptly resolved. However, this policy also carves out a broad exception for flaws that are

being exploited for national security or law enforcement purposes— a loophole that effectively ensures that the government can and will continue to quietly exploit zero-days without warning companies or individuals of their existence. It is also unclear whether this policy only applies to zero days that government employees discover, or whether it also applies to vulnerabilities and exploits purchased from defense contractors, boutique security firms and exploit brokers. While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments,

criminals and hackers engaging in cyberattacks. That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure . This policy of prioritizing cyber offense over defense is highly problematic, particularly given Congress and the White House’s recent focus on cybersecurity. On February 2, Obama pledged $14 billion towards improving cybersecurity defenses, and proposed new legislation intended to help prevent cyberattacks, some form of which is expected to pass through Congress this legislative session. If, as we are told, cybersecurity is such a top priority for the government , federal agencies should be doing everything in their power to ensure that vulnerabilities are fixed as soon as they are discovered , not months or years later after they have been fully exploited by law enforcement and intelligence agencies. At a time when cybersecurity legislation that would weaken existing privacy laws is being pushed through Congress, the American public deserves to know more about the government’s policies regarding the purchase, use and disclosure of zero days. There is an important public debate that must be had about the government’s role in cybersecurity, but without documents like the ones we have requested, this debate cannot take place.

12

https://www.aclu.org/blog/feds-refuse-release-documents-zero-day-security-exploits

https://www.aclu.org/blog/feds-refuse-release-documents-zero-day-security-exploits

https://www.aclu.org/bio/sonia-roubini

https://www.aclu.org/bio/sonia-roubini

https://www.aclu.org/bio/chris-soghoian

Zero-Days Aff - Michigan 7Additionally, loopholes let the NSA stockpile zero-days purchased from the grey market Zetter 14 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, http://www.wired.com/2014/04/obama-zero-day/] //khirn

Healey notes that the public statements on the new policy leave a lot of questions unanswered and raise the possibility that the government has additional loopholes that go beyond the national security exception . The statement by the Office of the Director of National Intelligence about the new

bias toward disclosure, for example, specifically refers to vulnerabilities discovered by federal agencies ,

but doesn’t mention vulnerabilities discovered and sold to the government by contractors ,

zero-day brokers or individual researchers , some of whom may insist in their sale agreements that the vulnerability not be disclosed . If purchased zero days vulnerabilities don’t have to be disclosed, this potentially leaves a loophole for the secret use of these vulnerabilities and also raises the possibility that the government may decide to get out of the business of finding zero days, preferring to purchase them instead . “It would be a natural bureaucratic response for the NSA to say ‘why should we spend our money discovering vulnerabilities anymore if we’re going to have to disclose them?'” Healey says. “You can imagine a natural reaction would be for them to stop spending money on finding vulnerabilities and use that money to buy them off the grey-market where they don’t have to worry about that bias.” The government’s new statement about zero days also doesn’t address whether it applies only to vulnerabilities discovered in the future or to the arsenal of zero-day vulnerabilities the government already possesses .

13


Zero-Days Aff - Michigan 71AC IP THEFT ADVANTAGE

Advantage: IP theft

Intellectual property theft is expanding on a massive scale --- disclosing zero-days builds trust with companies --- info-sharing legislation is keyJaffer 15 [Jamil N., Adjunct Professor of Law and Director, Security Law Program, George Mason University Law School, Occasional Papers Series, published by the Dean Rusk Center for International Law and Policy, 4-1-2015, “Cybersecurity and National Defense: Building a Public-Private Partnership,” http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc] //khirn

JAMIL N. JAFFER: Thank you Dr. Johnson. Well, I’ll actually pick up right where Quentin left off, and I think this is the important thing to talk about when you’re talking about the national security threat that faces our nation in cyberspace . And that is a sort of notion of a Pearl Harbor-style attack and these day-to-day cybersecurity risks that our nation, both the government and the private sector, faces. And a lot of people spend a lot of time talking about the Pearl Harbor scenario — what happens when the power grid goes down, what happens when the banking system goes down. As Quentin points out, that’s a possibility, but it’s one that we focus on to our detriment. And it’s one that we have to account for, one we have to prepare for and be ready to deal with. But there’s a larger problem going on day-to-day, a nation-state-driven problem that is much more present and much more threatening to our economic viability. And that is the constant day-in and day-out , walking out the back door of every major U.S. company of core intellectual property . And so, we know today . . . it has now been sort of publicly discussed: the very fact that there are major nation-states, including China, that are targeting not only the U.S. government. That’s sort of standard that we expect that we, like a nation-state, go to collect intelligence from our opponents around the world, and they collect intelligence on us. That’s an understood sort of concept, whether it’s surveillance . . . putting aside all the controversy that Edward Snowden has created with his disclosures, other nation-states know that we collect intelligence on them, and they collect intelligence on us — that’s just part of the game. What’s different today though in cyberspace is the fact that at least one nation that’s been publicly discussed and others that haven’t been — China in the case of the one that has been publicly discussed — is not only targeting the government for collection, but it is,

at a corporate national level, targeting American private sector corporations, stealing our core intellectual property — the very thing that drives the American economy and makes us the most innovative, most diverse, most successful economy in the world today — and taking it and transferring it to Chinese corporations in the private sector, both the public and private space. In China that distinction is blended, where the government provides a tremendous amount of support to their industry, both in the form of stolen IP and in the form of low-interest or no-interest loans to help them fund these efforts . And so, what we see is a very odd situation where a nation-state is engaged in an effort to take private sector intellectual property, convert it to both public and private use there, thereby undermining our ability to compete in the global marketplace. And what makes it a particularly hard challenge is: What is the U.S. government going to do about it? How does the U.S. government respond to that threat? For years we knew this was a fact and had a hard time to even talk about it publicly because the way we knew was through intelligence accesses and the like. Dare I say, by the way, that all of my remarks are my own thoughts and not those of my current or former bosses, so I don’t get any of them in any trouble, and I don’t get myself fired. But we’ve known this for a long time. We’ve known about this threat that both China and other nation-states pose to the U.S. private sector as well as the U.S. 12 government, but it’s been hard for us to talk about it. And we’ve finally now realized 1) the threat is such that we need to talk about it and 2) the government can’t do the protection of the private sector itself. The vast majority of the Internet and the connected networks out there are owned and operated by the private sector . The U.S. government simply has no insight into those networks . No matter what you hear about the U.S. government’s capabilities in signals intelligence and in cyberspace, the reality is that we can’t, nor do we want to be, nor do our laws permit us to, be on every network at all times to know what’s going on. It’s not something that the American people want. It’s not something the government wants to do, nor is it something we have the capability to do. H ence, the question becomes:

14

http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc

http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc

Zero-Days Aff - Michigan 7How can the government work with the private sector to enable the private sector to better defend itself ? And how do private sector companies work with each other internally to defend themselves from this very threat? A lot of people think that one of the best ways to achieve that goal is to have the government intervene in the market and say, “Look — the private sector is not doing what it needs to do to protect itself. We need to tell them how to do it, right? Here are some regulations. Here are some laws. Here’s how you need to accommodate yourself to this new reality of nation-states threatening you and your core intellectual property and your systems, either to avoid a Pearl Harbor-style attack or to avoid this walking out the back door of your intellectual property.” That, I think, is the discussion that was had over the last couple of years, and it has faded into the background in large part because industry has shown a huge resistance to having government-imposed regulations and laws and for good reason. Industry and the U.S. private sector are very innovative and oftentimes the government regulation in places where there is not a market failure can stifle innovation rather than embolden it. The question becomes: How do you determine whether there’s a market failure here, or not, in this industry? There can be no doubt that industry could, and perhaps should, be better protected against cyber threats, particularly in the nation-state space. But the question is: Why is it not? And I would posit that the reason that industry is not as well positioned today to defend itself is because industry fundamentally doesn’t understand the threat it faces. It’s only recently, in the last year or two, that we’ve begun, as a government, talking about the very real threat that industry faces from nation-states which have very high-end capabilities and both the capability and the desire to go into these companies . So, it’s only recently that companies have begun coming around to the realization that the IP is walking out the back door , and there is potential

for a Pearl Harbor or lesser attack on their networks. And even today I think everyone would admit — whether you’re

in industry or the government — that the government doesn’t tell industry enough about what it knows . So, the government knows a lot about the zero-days that might come up against them . They know a lot about what the threat looks like. And they have a very hard time talking about it to companies , either at an unclassified or even at a highly-classified level. It’s only when things get to a really hot boil that the government will be willing 13 to part with its deepest, darkest sort of most sensitive intelligence collection and even then it will only tell industries absolutely what they need to know in order to deal with that immediate threat. And that’s something that fundamentally has to change . And I think the government’s on its way there. I think that General [Keith B.] Alexander has made changes while he was at NSA, and I’m hoping that Admiral [Michael] Rogers will continue those changes, too, to think through how best to work with industry. But it’s not simply government working with industry, because it will be a great thing if we can get to a place where we can pass some sort of information-sharing legislation that allows the government to share with industry what it knows is a threat. But the reality is that today — without the government having a sense for

what industry is seeing on the 98 percent, or 95 or 96 percent, of networks that it owns and operates — it’s hard for the government to know where to focus its collection activities. For instance, today we know about the Chinese cyber actors coming up against our networks . So, it’s easy for us to target that person and try to go after his system and figure out what he or she is doing . We know for a fact that sitting right next to that person , very likely, is another hacker — government-funded — going after the U.S. private sector, but we don’t see that person, because we’re not on the private sector networks looking for that. Until industry has the ability and the desire and the willingness to share with the government what they’re seeing, it’s hard for the government to turn around and say , “We’re going to go try to target that person to see if we can figure out what they’re doing , too, in order to provide back to industry the best capabilities the U.S. government has at its disposal .” And so,

that’s one thing . . . it’s sort of freeing up that information sharing gap between public and private and creating that trust between the government and private sector to share that kind of information .

IP theft destroys military operations --- the impact is primacy Warikoo 13 professor of Himalayan and Central Asian Studies at the University of Colorado (Arun, “CYBER WARFARE: CHINA'S ROLE AND CHALLENGE TO THE UNITED STATES” p. 67-8, Jul-Dec 2013, ProQuest) | js

15


4.1 Intellectual Property (IP) Protection and Enforcement Intellectual Property or IP is a significant driver of the American economy. The President's 2006 Economic Report to the Congress states that 70% of the value of publicly traded corporations is Intellectual Property.22 Industries based on IP accounted for 34.8 percent of U.S. gross domestic product (GDP) in 2010.23 Theft of IP has a huge impact on the economy. IP theft not only means loss of revenue but also has a demoralizing effect on the inventor. Innovation is the heart of the US economy and IP theft has a crippling effect on those start-ups that are involved in innovation. The IP Commission Report estimates that hundreds of billions of dollars are lost per year to IP Theft.24 Gen. Keith Alexander, director of the National Security Agency and commander of US Cyber Command stated in a lecture at the American Enterprise Institute: "The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history. U.S. companies lose about $250 billion per year through intellectual property theft, with another $114 billion lost due to cyber crime, a number that rises to $338 billion when the costs of down time due to crime are taken into account."25 According to the IP Commission Report, China accounts for roughly 70% of international IP theft.26 The report further states that the Chinese encourage IP theft and that both business and government entities engage in this practice.27 According to the U.S. National Counterintelligence Executive, "Chinese actors are the world's most active and persistent perpetrators of economic espionage" obtaining trade secrets and continuing infringement of trademarks, copyrights, and patents.28 IP are stolen from American universities, national laboratories, private think tanks, and start-up companies, as well as from the major R&D centers of multinational companies.29 4.2 Threat to U.S. National Security China's cyber espionage against the U.S. government and defense industrial base poses a major threat to U.S. military operations . Larry M Woetzel in his report before the House of Representatives has said that China's aim is to fill gaps in its own research programs, shorten R&D timeline for military technologies, gather intelligence on U.S. strategies and plans, and identify vulnerabilities in U.S. systems.30 The Department of Defense's DODs 2013 annual report to the Congress indicates the grave threat posed by the Chinese in collecting intelligence against US industries that support US defense programs.31 In one instance, a news report in

2011 revealed that malware had penetrated networks used to control U.S. military drones .32 In

another report, it is alleged that the Chinese are hacking into US electricity networks and inserting malware that could be activated later to shut down the electric grid.33 Richard Clarke, White House Cyber Security Advisor (October 2001 - March 2003), in an interview on PBS Frontline stated as follows: "We, as a country, have put all of our eggs in one basket. The reason that we're successfully dominating the world economically and militarily is because of systems that we have designed, and rely upon, which are cyberbased. It's our Achilles heel . It's an overused phrase, but it's absolutely true. It could be that, in the future, people will look back on the American empire, the economic empire and the military empire, and say, "They didn't realize that they were building their whole empire on a fragile base . They had changed that base from brick and mortar to bits and bytes, and they never fortified it. Therefore, some enemy some day was able to come around and knock the whole empire over. That's the fear."34 4.3 Threat to US Industry China's cyber espionage against U.S. commercial firms poses a significant threat to U.S. business interests and competiveness in key industries. A classic example is that of the American Superconductor Corporation that had its wind-energy software code stolen by a major customer in China resulting is not only loosing that customer but also 90% of its stock value.35 In another instance, a U.S. metallurgical company lost technology to China's hackers that cost $1 billion and 20 years to develop.36

That solves great power conflict Kagan, 2/19/2015 (Robert, Senior fellow with the Project on International Order and Strategy in the Foreign Policy program at Brookings, Ph.D. in American history from American University, “The United States must resist a return to spheres of interest in the international system”, Brookings, http://www.brookings.edu/blogs/order-from-chaos/posts/2015/02/19-united-states-must-resist-return-to-spheres-of-interest-international-system-kagan)//JBS

Great power competition has returned . Or rather, it has reminded us that it was always lurking in the background. This is not a minor development in international affairs, but it need not mean the end of the world order as we know it. The real impact of the return of great power competition will depend on how the United States responds to these changes. America needs to recognize its central role in maintaining the

16

http://www.brookings.edu/blogs/order-from-chaos/posts/2015/02/19-united-states-must-resist-return-to-spheres-of-interest-international-system-kagan)//JBS

http://www.brookings.edu/blogs/order-from-chaos/posts/2015/02/19-united-states-must-resist-return-to-spheres-of-interest-international-system-kagan)//JBS

Zero-Days Aff - Michigan 7present liberal international order and muster the will to use its still formidable power and influence to support that order against its inevitable challengers. Competition in international affairs is natural. Great powers by their very nature seek regional dominance and spheres of influence. They do so in the first instance because influence over others is what defines a great power. They are, as a rule, countries imbued with national pride and imperial ambition. But, living in a Hobbesian world of other great powers, they are also nervous about their security and seek defense-in-depth through the establishment of buffer states on their periphery. Historically, great power wars often begin as arguments over buffer states where spheres of influence intersect—the Balkans before World War I, for instance, where the ambitions of Russia and Austria-Hungary clashed. But today’s great powers are rising in a very different international environment, largely because of the unique role the United States has played since the end of the Second World War. The United States has been not simply a regional power, but rather a regional power in every strategic region. It has served as the maintainer of regional balances in Europe, Asia, and the Middle East . The result has been that, in marked contrast to past eras, today’s great powers do not face fundamental threats to their physical security. So, for example, Russia objectively has never enjoyed greater security in its history than it has since 1989. In the 20th century, Russia was invaded twice by Germany, and in the aftermath of the second war could plausibly claim to fear another invasion unless adequately protected. (France, after all, had the same fear.) In the 19th century, Russia was invaded by Napoleon, and before that Catherine the Great is supposed to have uttered that quintessentially Russian observation, “I have no way to defend my borders but to extend them.” Today that is not true. Russia faces no threat of invasion from the West. Who would launch such an invasion? Germany, Estonia, Ukraine? If Russia faces threats, they are from the south, in the form of militant Islamists, or from the east, in the form of a billion Chinese standing across the border from an empty Siberia. But for the first time in Russia’s long history, it does not face a strategic threat on its western flank. Much the same can be said of China, which enjoys far greater security than it has at any time in the last three centuries. The American role in East Asia protects it from invasion by its historic adversary, Japan, while none of the other great powers around China’s periphery have the strength or desire now or in the foreseeable future to launch an attack on Chinese territory. Therefore, neither Chinese nor Russians can claim that a sphere of influence is necessary for their defense. They may feel it necessary for their sense of pride. They may feel it is necessary as a way of restoring their wounded honor. They may seek an expanded sphere of influence to fulfill their ambition to become more formidable powers on the international stage. And they may have concerns that free, nations on their periphery may pass the liberal infection onto their own populaces and thus undermine their autocratic power. The question for the United States, and its allies in Asia and Europe, is whether we should tolerate a return to sphere of influence behavior among regional powers that are not seeking security but are in search of status, powers that are acting less out of fear than out of ambition. This question, in the end, is not about idealism, our commitment to a “rules-based” international order, or our principled opposition to territorial aggression. Yes, there are important principles at stake: neighbors shouldn’t invade their neighbors to seize their territory. But before we get to issues of principle, we need to understand how such behavior affects the world in terms of basic stability On that score, the historical record is very clear. To return to a world of spheres of influence—the world that existed prior to the era of American predominance— is to return to the great power conflicts of past centuries . Revisionist great powers are never satisfied . Their sphere of influence is never quite large enough to satisfy their pride or their expanding need for security. The “satiated” power that Bismarck spoke of is rare—even his Germany, in the end, could not be satiated. Of course, rising great powers always express some historical grievance. Every people, except perhaps for the fortunate Americans, have reason for resentment at ancient injustices, nurse grudges against old adversaries, seek to return to a glorious past that was stolen from them by military or political defeat. The world’s supply of grievances is inexhaustible. These grievances, however, are rarely solved by minor border changes. Japan, the aggrieved “have-not” nation of the 1930s, did not satisfy itself by swallowing Manchuria in 1931. Germany, the aggrieved victim of Versailles, did not satisfy itself by bringing the Germans of the Sudetenland back into the fold. And, of course, Russia’s historical sphere of influence does not end in Ukraine. It begins in Ukraine. It extends to the Balts, to the Balkans, and to heart of Central Europe. The tragic irony is that, in the process of carving out these spheres of influence, the ambitious rising powers invariably create the very threats they use to justify their actions. Japan did exactly that in the 30s. In the 1920s, following the Washington Naval Treaty, Japan was a relatively secure country that through a combination of ambition and paranoia launched itself on a quest for an expanded sphere of influence, thus inspiring the great power enmity that the Japanese had originally feared. One sees a similar dynamic in Russia’s behavior today. No one in the West was thinking about containing Russia until Russia made itself into a power that needed to be contained. If history is any lesson, such behavior only ends when other great powers decide they have had enough. We know

17

Zero-Days Aff - Michigan 7those moments as major power wars . The best and easiest time to stop such a dynamic is at the beginning. If the United States wants to maintain a benevolent world order, it must not permit spheres of influence to serve as a pretext for aggression . The United States needs to make clear now—before things get out of hand—that this is not a world order that it will accept. And we need to be clear what that response entails. Great powers of course compete across multiple spheres—economic, ideological, and political, as well as military. Competition in most spheres is necessary and even healthy. Within the liberal order, China can compete economically and successfully with the United States; Russia can thrive in the international economic order uphold by the liberal powers, even if it is not itself liberal. But security competition is different . It is specifically because Russia could not compete with the West ideologically or economically that Putin resorted to military means. In so doing, he attacked the underlying security and stability at the core of the liberal order. The security situation undergirds everything—without it nothing else functions. Democracy and prosperity cannot flourish without security. It remains true today as it has since the Second World War that only the United States has the capacity and the unique geographical advantages to provide this security . There is no stable balance of power in Europe or Asia without the United States . And while we can talk about soft power and smart power, they have been and always will be of limited value when confronting raw military power. Despite all of the loose talk of American decline, it is in the military realm where U.S. advantages remain clearest. Even in other great power’s backyards, the United States retains the capacity, along with its powerful allies, to deter challenges to the security order. But without a U.S. willingness to use military power to establish balance in far-flung regions of the world, the system will buckle under the unrestrained military competition of regional powers.

Russian IP theft now --- they can’t be deterred --- bolstering cyberdefense is key Bennett 4/12/15 cybersecurity reporter for The Hill (Cory, “Russia’s cyberattacks grow more brazen” 4/12/15, http://thehill.com/policy/cybersecurity/238518-russias-cyberattacks-grow-more-brazen) | js

Russia has ramped up cyber attacks against the United States to an unprecedented level since President Obama imposed sanctions last year on President Putin's government over its intervention in Ukraine. The emboldened attacks are hitting the highest levels of the U.S. government, according to reports, in what former officials call a “dramatic” shift in strategy. The efforts are also targeting a wide array of U.S. businesses, pilfering intellectual property in an attempt to level the playing field for Russian industries hurt by sanctions. “They're coming under a lot of pressure from the sanctions — their financial industry, their energy industry” said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. “And they're obviously trying to leverage cyber intrusion and cyber espionage to compensate for that.” Crowdstrike has recorded over 10,000 Russian intrusions at companies worldwide in 2015 alone. That’s a meteoric rise from the “dozens per month” that Alperovitch said the firm noted this time last year, just as the U.S. was imposing its sanctions. Many see the recent reports that Moscow infiltrated the State Department and White House networks — giving them access to President Obama’s full schedule — as a turning point in Russian government hacking. Moscow doesn’t care as much about being caught, perhaps in an attempt to prove its cyber prowess, some speculate. “I think that the calculus for them has changed,” said Will Ackerly, an eight-year National Security Agency vet who co-founded encryption firm Virtru in 2012. “It seems that they’re definitely behaving dramatically different in that regard.”The attitude, Ackerly said, is “much more brazen” than previous Russian efforts to lift intelligence information. For years, Russian hacking has operated on two tracks. On one track, Moscow has orchestrated quiet, targeted digital hits on the U.S. government to collect scraps of intelligence data. On the other, a large community of Russian cyber criminals, not necessarily affiliated with the government, has peppered the American banking industry for commercial gain. “Experienced Russian hackers often tend to target financial data,” said Tom Brown, who served until 2014 as chief of the Cyber Crime Unit at the U.S. Attorney’s Office for the Southern District of New York. Last year, Russians were charged with hacking into Nasdaq, America’s second largest stock exchange. Going further back, a notorious Russian Internet gang made off with tens of millions of dollars from Citibank in 2009. These were just two of the Russian incidents Brown helped investigate. Russian cyber crooks, he said, uniformly launch “relatively

18

http://thehill.com/policy/cybersecurity/238518-russias-cyberattacks-grow-more-brazen

http://thehill.com/policy/cybersecurity/238518-russias-cyberattacks-grow-more-brazen

Zero-Days Aff - Michigan 7sophisticated attacks.” On the government-sponsored side, researchers at security firm FireEye discovered evidence of Russian intelligence-gathering cyber campaigns stretching back to at least 2007. Moscow was searching for communications, emails, memos, phone calls and schedules that could smear adversaries’ reputations or simply shed light on their plans. Laura Galante, threat intelligence manager at FireEye, said she has seen a “resurgence” in these types of Russian government-backed cyberattacks since late February. “They really see this as much more broadly than just a tool, a piece of malware or a distinct type of activity,” said Galante. “They see this as a broader quest to get the information they need to portray themselves and their efforts in the best light in the world.”And as Russia’s economy sags under the weight of U.S. sanctions imposed in March 2014, the mercenary, criminal track has started to blur with the government-directed track, analysts said. “What they’re basically doing is in effect saying internally, ‘That’s fine, you’re going to sanction us, so we’re going to use cyber to steal your intellectual property and give it to our industry,’” Alperovitch said. The digital barrage has caught the attention of top U.S. officials. President Obama repeatedly asked his advisors whether a massive data breach at JPMorgan last fall was Russian retaliation for the sanctions, according to reports. The aides couldn’t give the president a definitive answer. Indeed, the security community is not united in its belief Russia was behind the attack. Former intelligence officials have also speculated that information discreetly passed to the media laying blame on the Russians for the State Department and White House hacks is a White House attempt to send a message to Russian authorities: “We’re on to you.” Director of National Intelligence James Clapper acknowledges the U.S. was caught off guard by this Russian hacking surge. “The Russian cyber threat is more severe than we have previously assessed,” he told a Senate committee in February. During an October speech, Clapper even said Russia has replaced cyber powerhouse China as his top concern. Ackerly said the State Department and White House intrusions are a striking example of the new Russian mentality.The attack was “much larger in breadth” than historic Russian cyber espionage efforts. “They’re much more willing to do things which there’s a high probably of detection,” Ackerly said. “They are willing to know that going in and say, ‘We’re going to do that anyway.’” Moscow’s intelligence agencies can still collect their information, while making a public point, said Christopher Cummiskey, a former acting under secretary for management at the Department of Homeland Security in 2014 who oversaw a number of the agency’s cyber efforts. “I think from their perspective it’s like, ‘Well guess what, we’ve shown the world that we’re able to actually penetrate the very sensitive systems in the U.S. government,’” he said. Until the government improves its detection capabilities, the Russians will not be deterred , Cummiskey said. “It’s not as easy to pick up on these things today with the way we’re configured as hopefully it will be in the future,” he said. “So we’ve got some work to do.”

That’s crucial to Russian modernization efforts Booz Allen Hamilton 13 [Leading provider of management and technology consulting services to the U.S. government, Economist Intelligence Unit, The Economist, “Cyber Theft of Corporate Intellectual Property: The Nature of the Threat,” July 2013, http://www.boozallen.com/insights/2013/07/Cyber-Theft-of-Corporate-Intellectual-Property] //khirn

Russia’s own espionage effort is also driven by a desire to diversify its economy and reduce its dependence on natural resources, according to the NCIX report. Russia too has a sense of grievance; it believes the global economic system is tilted in the favor of Western countries at its expense. Though Russia has denied hacking, it has enlisted its intelligence services to help carry out its economic policy goals . The director of Russia’s Foreign Intelligence Service, Mikhail Fradkov, said in December 2010 that it “aims at supporting the process of modernization of our country and creating the optimal conditions for the development of its science and technology.” IP theft threatens some companies more than others. Companies that are less dependent on IP for competitive advantage may be able to recover fairly quickly. Indeed, the EIU’s survey shows that many executives are optimistic about their companies’ abilities to respond to IP attacks, with 48% of respondents saying that while the theft of IP would cause damage in the short-term, they would be able to recover. Companies that innovate quickly–and develop new IP–may find that they continue to outpace also-ran competitors who have tried to steal their older ideas. In the most alarmist scenarios, however, IP theft by low-cost competitors manifests itself only years later in reduced industry competitiveness, slower economic growth, lost jobs, and even lower living standards. By the same token, defense technologies and secrets stolen from US industry and government networks could give China and Russia military advantages worth billions .

That causes Russian aggression Isachenov 15 [Vladimir Isachenkov, Associated Press, Business Insider, Feb. 4, 2015, “Russia continues massive military modernization despite economic woes,” http://www.businessinsider.com/russia-continues-massive-military-modernization-despite-economic-woes-2015-2#ixzz3eVw3maaO] //khirn

19

http://www.businessinsider.com/russia-continues-massive-military-modernization-despite-economic-woes-2015-2#ixzz3eVw3maaO

http://www.businessinsider.com/russia-continues-massive-military-modernization-despite-economic-woes-2015-2#ixzz3eVw3maaO

http://www.boozallen.com/insights/2013/07/Cyber-Theft-of-Corporate-Intellectual-Property


MOSCOW (AP) — Hundreds of new Russian aircraft, tanks and missiles are rolling off assembly lines. Russian jets roar through European skies under NATO's wary eye. Tens of thousands of troops take part in war games showing off the military's readiness for all-out war. The muscle flexing suggests that Russia's economic woes so far are having no impact on the Kremlin's ambitious military modernization program. Most Russian economic sectors face a 10 percent cut this year as Russia heads into recession. The military budget, meanwhile, rose by 33 percent to about 3.3 trillion rubles (some $50 billion). The buildup reflects President Vladimir Putin's apparent readiness to raise the ante in a showdown with the West over Ukraine — but it is unclear whether Russia can afford the modernization drive amid slumping oil prices and Western sanctions. The new Russian military doctrine, endorsed by Putin in December, names NATO as a top threat to Russia and lays out a response to what the Kremlin sees as the alliance's expansion into Russia's sphere of interests. In the Ukraine crisis, Moscow for the first time demonstrated its new capacity for what experts call "hybrid" warfare, a combination of military force with a degree of deniability, sleek propaganda and political and economic pressure. It is not only in Crimea — the strategic peninsula that Russia annexed from Ukraine — that the nation's 1-million strong military is beefing up its presence. Russia is also reviving Soviet-era airfields and opening new military bases in the Arctic . Last fall the military rattled sabers by briefly deploying state-of-the art missiles to Russia's westernmost Baltic exclave — Kaliningrad — and it is planning to send strategic bombers on regular patrols as far as the Caribbean and the Gulf of Mexico . The West first got a sense of Russia's revived military might during last February's Crimea invasion. The U.S. and its NATO allies were caught off guard when waves of Russian heavy-lift military transport planes landed on the Black Sea peninsula days after the ouster of Ukraine's former Moscow-friendly president, unloading special forces which swiftly took over key facilities in the region and blocked Ukrainian troops at their bases. Dressed in unmarked uniforms and equipped with state-of-the art weapons, the Russian troops were a far cry from a ragtag demoralized force the military was just a few years ago. The Kremlin first claimed they were local volunteers, but Putin recognized after the annexation that they were Russian soldiers. Another surprise for the West came a few weeks later, when well-organized groups of gunmen took over local government offices and police stations in several cities across Ukraine's mostly Russian-speaking eastern industrial heartland, triggering a rebellion that evolved into a full-scale war that killed more than 5,300 since April. As fighting escalated in the east, the Russian military showed its agility by quickly deploying tens of thousands troops near the border with Ukraine. Ukraine and the West said that thousands of them crossed into Ukraine, helping turn the tide in rebels' favor. The Kremlin denies that, although it has acknowledged that Russian volunteers have joined the insurgency. Unlike the past, when the Russian military was filled through unpopular conscription, the force has grown more professional and motivated. Relatively high salaries have attracted an increasing number of contract soldiers, whose number is set to exceed 350,000 this year from 295,000 in 2014. Russian Defense Minister Sergei Shoigu said that by the end of this year all battalion tactical groups — the core units in the Army, the Airborne Forces and the Marines — will be manned entirely by professional soldiers. And in sharp contrast to the early post-Soviet years, when combat jets were grounded and navy vessels rusted dockside for lack of fuel, the military has dramatically increased both the scope and frequency of its drills. Ground forces conducted massive maneuvers near the Ukrainian border involving tens of thousands of troops, while navy ships sailed on regular missions and combat jets flew regular patrols near European borders to probe NATO's defenses. The alliance said it intercepted Russian aircraft more than 400 times last year and complained they posed a danger to civilian flights. In Crimea, Russia had leased a major naval base even before the annexation. Now it has deployed dozens of combat jets, including nuclear-capable long-range bombers, along with air defense missiles, modern drones and other weapons. It is also preparing to dispatch more troops there. Another key priority for the military is the Arctic, where global rivalry for major untapped oil and gas reserves is intensifying as polar ice melts. The military has restored long-abandoned Soviet-era airfields and other bases in the region after two decades of neglect. It formed a separate Arctic command to oversee its troops in the region. Russia's weapons modernization plan envisages spending 20 trillion rubles on new weapons in 2011-2020. It produced some highly visible results last year, with the military receiving the highest numbers of new planes, missiles and armor since the 1991 Soviet collapse: —Last year, the Russian armed forces obtained a record number of 38 nuclear-tipped intercontinental ballistic missiles. This year they are to get another 50, allowing the military to fulfill its ambitious goal of replacing Soviet-built nuclear missiles, which are approaching the end of their lifespan. Officials say the new ICBMs have the capacity to penetrate any prospective missile defenses. —In a major breakthrough, the Russian navy finally conducted a series of successful test launches of the Bulava, a new submarine-based intercontinental ballistic missile, proving its reliability after a long and troublesome development. The navy already has two submarines equipped with the Bulava, and is to commission a third one next year. Five more are to follow. —The ground forces are receiving large batches of Iskander missiles, which are capable of hitting enemy targets up to 500 kilometers (310 miles away) with high precision. Russian officials said the missiles, which can be equipped with a nuclear or conventional warhead, could be used to target NATO's U.S.-led missile defense sites. In a show of force, Iskanders were briefly deployed in December to the Kaliningrad exclave bordering NATO members Poland and Lithuania. —The Russian air force received more than 250 new planes and helicopters last year and is set to receive more than 200 this year — numbers unseen since Soviet times. They include new models such as Su-34 bombers, Su-35 fighter jets and Mi-28 helicopter gunships equipped with sophisticated electronics and high-precision missiles. —The Russian army this year is set to receive a new tank, which also will be used as the basis for a lineup of other armored vehicles. The model called Armata will be shown to the public during a Red Square parade in May. It surpasses all Western versions in having a remotely controlled cannon and a superior level of crew protection. Its security enhanced by a new-look military , the Kremlin can be expected to pursue

20

Zero-Days Aff - Michigan 7a defiant course in Ukraine and may raise the stakes further if the peace process fails .

The threat for Putin — who has insisted that Russia will not be drawn into a costly arms race with the West — is whether the massive military buildup will stretch the nation's economic potential beyond the limit.

That escalates—we’re already on the brink of nuclear warReid 15 Professor of Law at University of St. Thomas School of Law (Charles J., University of St. Thomas Journal of Law and Public Policy, “VLADIMIR PUTIN’S CULTURE OF TERROR: WHAT IS TO BE DONE?” p. 53–5) | js

In waging such a limited war, furthermore, Putin would rely not on ICBMs but on “the first use of tactical nuclear weapons in war.” 447 And that is where we stand, in mid-March, 2015, as I write this Article. We are witnessing, on the part of NATO, an awakening to exactly the gravity of this threat. Sir Adrian Bradshaw, NATO’s deputy commander of forces in Europe, has quite rightly stated that this crisis is an existential moment for the western alliance.448 And, it is a relief to note, the alliance is finally responding to the urgency of the moment. NATO has decided to expand its rapid reaction from 13,000 troops to 30,000.449 It has also chosen to create an elite “spearhead” unit of 5,000 troops for immediate deployment in a crisis.450 Jean-Claude Juncker, the head of the European Commission has raised the subject of a European Army.451 It is imperative for many reasons that Europe achieve a greater level of political integration452 and a European Army may serve that long-term goal as well as the more immediate matter of addressing Russian aggression. The United States is also rising to the military challenge posed by Russian expansionism in Eastern Europe. A military convoy has been sent on a “show-the-flag tour” of six East European countries.453 Large numbers of soldiers and large quantities of supplies have now landed in Latvia to “participate in multinational training exercises with Latvia, Estonia, and Lithuania.”454 American military hardware and personnel are now stationed just yards from Russian territory in the Baltics.455 A Patriot anti-missile battery, together with the crew to man it, has been moved to Poland.456 Ashton Carter, President Obama’s nominee to serve as Secretary of Defense, has declared his support for providing arms to the Ukrainian military.457 Victoria Nuland has called for the creation of NATO command-and-control centers in Bulgaria, Romania, and other nations of Eastern Europe.458 And how has Putin responded? He destroyed the city of Debaltseve in Ukraine with a savagery and barbarity unknown in Europe since the days of World War II. Virtually every building in the city has been damaged or destroyed.459 Some 40,000 people (out of a population of 45,000) have been forced to flee.460 Dogs, it is said, have begun to eat the bodies of the unburied dead.461 Whole classes of persons -- Tatar Muslims who might threaten the regime, and others who fall under suspicion of State Security -- are being abducted, tortured, and being made to disappear at alarming rates.462 And Putin has renewed, once again, his threats against world order. He has dispatched nuclear-capable strategic bombers to Crimea.463 He has sent nuclear-capable cruise missiles to the Polish border.464 Dozens of aerial provocations have been occurring along the European, British, and North American coasts.465 Putin is conducting military exercises on a scale and with a sophistication “not seen since the end of the Cold War.”466 He has proclaimed his readiness to use nuclear weapons openly, on Russian television.467 When Denmark indicated a desire to be protected behind a future missile shield, Mikhail Vanin, Russian Ambassador to Denmark, threatened Danish shipping with tactical nuclear weapons.468 In a deliberate provocation that may open to the door to further aggression, Putin’s forces abducted an Estonian military officer from Estonian territory.469 Will there be a war between the superpowers, a large war, one with devastating consequences?470 Some sober-minded and experienced minds are beginning to contemplate that horrific thought. Michael Fallon, British Defence Minister has said that Vladimir Putin, with his reckless words and deeds, has “’lowered the threshold’ for using nuclear weapons.”471 Retired British commander of NATO forces Sir Richard Shirreff has warned that Putin’s conduct risks the “threat of total war.”472 And that great and wise man Mikhail Gorbachev, when asked whether “there could be another major war in Europe” responded: “Such a scenario shouldn’t even be considered. Such a war today would inevitably lead to a nuclear war. But the statements from both sides and the propaganda lead me to fear the worst. If one side loses its nerves in this inflamed atmosphere, then we won’t survive the coming years .” 473 Thus has Putin’s culture of terror brought us to the brink of the unthinkable, a nuclear standoff where the risk of miscalc ulation is large . International law, over the last two decades, has moved decisively in the direction of

delegitimizing even the threat of the offensive use of nuclear weapons. Vladimir Putin’s loose talk and his aggressive military posturing are returning us to the dark days of an older generation, when nuclear threats hung heavy over the planet. We must make sure such threats do not emanate again from a world leader.

21


IP theft causes Chinese modernizationHager 2013 (Nicholas, Nicholas Hager is an intern at the Streit Council. U.S. and European Intellectual Property: Strategies to Circumscribe Theft by China; October 3, 2013; http://blog.streitcouncil.org/2013/10/03/u-s-and-european-intellectual-property-strategies-to-circumscribe-theft-by-china/) //JRW

China’s relatively new foray into drone creation serves as a reminder of how extensively, and rapidly, it has modernized. But it also underscores a problem which has been both pervasive and intractable. China’s government and businesses are committing intellectual property (IP) theft on a vast scale, and this threatens the national and economic security of the U.S. and European States. The IP – defined by the World Intellectual Property Organization as “inventions, literary and artistic works, and symbols, names, images and designs used in commerce” – of firms within both the U.S. and Europe has been repeatedly expropriated by, or at the behest of, China, and has affected industries as diverse as the production of cleaning equipment, chemical engineering, and internet service provision. The true economic impact of this theft is staggering. One estimate suggests that it costs the U.S. alone $300 billion per year, which is “roughly the equivalent of the current American trade balance with Asia.” This is not only a clear violation of the principle of jus inter gentes in public international law – here exemplified by the Paris Convention of 1883, of which both China and the U.S. are signatories – but also of international rules, such as the WTO’s TRIPS agreement. Given that this problem is prevalent, pernicious, and clearly prohibited, the question becomes: How do we address it? There are at least two principle categories of action, neither of which are exhaustive or exclusive of each other. One possible avenue is a legal offensive. At first glance, this seems to be a problematic because, while China has acceded to the Paris Convention, it has done so with the stipulation that it not be bound to the Convention’s provisions for dispute resolution. This abrogates the legal grounds by which to seek arbitration by the International Court of Justice. That said, China’s actions appear to clearly violate the TRIPS agreement, which counts the aforementioned Paris Convention among its primary legal referents. And unlike the Convention, the TRIPS agreement, accedence to which is implicit in WTO membership, has a robust enforcement mechanism. As a rapidly developing and expanding economy, China has a vested interest in maintaining its ability to work within the WTO – not only because that provides it a place at the table in international trade negotiations, but because it wants to preserve its ability to settle economic disputes through WTO arbitration, which it has done frequently. Because of these factors, China will probably feel compelled to address these complaints – as it already did in a previous dispute involving DVD piracy – and may be more likely to fully and genuinely implement the arbitration’s ruling. Additionally, there is, in the nascent Transatlantic Trade and Investment Partnership (TTIP) and Transpacific Partnership (TPP), hope that China can be checked by the combined economic leverage that the U.S., EU, and others would gain from their conclusion. The TTIP, whose focus is the “creation of a massive trade bloc” between the U.S. and EU, has the potential to change the current dynamics of the global economy by boosting the “competitiveness and expanding [the] market share” of U.S. and EU companies. Because Europe and the U.S. are China’s largest export markets, they could make things very difficult for China if it were to oppose them on an important issue like IP theft. And the economic boost and harmonization that may emerge from the TTIP would increase this leverage. “Chinese products [would already be] less competitive in [those] markets,” as a result of the TTIP, and if the U.S. and EU wanted to, they could effectively “[bottle] up [China’s exports] within its shores.” This is not to suggest that the TTIP could, or should, be used to impose unfair trade conditions, or to begin a trade war, but the extraordinary amount of influence it would provide would undoubtedly alter the Chinese calculus. And, in combination with the TPP, it would probably be enough to extract at least a modicum of compliance from them. The TPP, which could eventually include most of Southeast Asia, East Asia, and Australia, but might not include China, has obvious consequences for the Chinese economy, regardless of outcome. If China does “join the TPP, [it will be] on US terms [because it is] a creature fashioned largely by Washington.” While China’s presence in the TPP would be valuable, the Partnership would nonetheless remain a viable and powerful economic coalition and could easily carry on in its absence. China, on the other hand, “[already] suffering from diminishing competitiveness, [should be] keen to avoid any further hits to its trade position,” and it also wouldn’t want to risk exclusion from the benefits of “a successful and extensive TPP, [such as] tariff-free or…reduced [exports].” To avoid having its regional economic dominance undermined, China will need to accept “Washington’s…strong standards [for protection of] intellectual property, labor and [the] environment along with [regulating] state-owned enterprises.” Moreover, if China declines to join the Partnership, either through unwillingness or an inability to meet these demanding standards, it will be so much the worse for it. The TPP, absent China, has the potential to undo much of its regional power by making “the region’s markets…better integrated and more competitive,” which could see Chinese products and labor being bypassed for cheaper options. China has undertaken its quest to modernize through stolen intellectual property with relative impunity because there has been no real mechanism or response to deter it. With the threat of losing ground in its biggest export markets, locally and farther afield, it would be forced to heed much more serious warnings to halt its illicit activities. While these agreements are far from finalized and have a multiplicity of moving parts, both of which confound efforts to predict their utility as a viable method of coercion, it nonetheless seems like they, in conjunction with WTO arbitration, should give the U.S., EU, and others the ability to successfully press for China’s compliance.

22

Zero-Days Aff - Michigan 7That leads to global nuclear warTwomey 2009 (Christopher, co-directs the Center for Contemporary Conflict and is an assistant professor in the Department of National Security Affairs, both at the Naval Postgraduate School, Monterey, California, Arms Control Association, Chinese-U.S. Strategic Affairs: Dangerous Dynamism, http://www.armscontrol.org/act/2009_01-02/china_us_dangerous_dynamism#Twomey) // JRW

China and the United States are not in a strategic weapons arms race. Nonetheless, their modernization and sizing decisions increasingly are framed with the other in mind. Nuclear weapons are at the core of this interlocking pattern of development. In particular, China is the only permanent member of the UN Security Council expanding its arsenal; it is also enhancing its arsenal. The basic facts of Chinese strategic modernization are well known, if the details remain frustratingly opaque. China is deploying road-mobile, solid-fueled missiles, giving it a heighted degree of security in its second-strike capability. It is beginning to deploy ballistic missile submarines (SSBNs). It is researching a wide range of warhead and delivery systems technologies that will lead to increased accuracy and, more pointedly, increased penetration against ballistic missile defenses. The size of China's deliverable arsenal against the United States will undoubtedly increase beyond the few dozen that it possessed recently.[1] The pace of growth thus far has been moderate, although China has only recently developed reliable, survivable delivery systems. The final endpoint remains mired in opacity and uncertainty, although several score of deliverable warheads seems likely for the near term. These developments on the strategic side are coupled with elements of conventional modernization that impinge on the strategic balance.[2] The relevant issue, however, is not simply an evaluation of the Chinese modernization program, but rather an evaluation of the interaction of that modernization with U.S. capabilities and interests. U.S. capabilities are also changing. Under the provisions of START and SORT, the United States has continued to engage in quantitative reductions of its operational nuclear arsenal. At the same, there is ongoing updating of warhead guidance and fusing systems. Ballistic missile defense systems of a variety of footprints are being deployed. The U.S. SSBN force now leans more toward the Pacific than the Atlantic, reversing the Cold War deployment. Guam's capacity to support heavy bombers and attack submarines has been enhanced. Furthermore, advances in U.S. conventional weaponry have been so substantial that they too promise strategic effects: prompt global strike holds out the promise of a U.S. weapon on target anywhere in the world in less than an hour and B-2s with highly accurate weapons can sustain strategic effects over a campaign. What are the concerns posed by these two programs of dynamic strategic arsenals? Most centrally, the development of the strategic forces detailed above has increasingly assumed an interlocked form. The U.S. revolution in precision guided munitions was followed by an emphasis on mobility in the Chinese missile force. U.S. missile defense systems have clearly spurred an emphasis on countermeasures in China's ICBM force and quantitative buildups in its regional missile arsenals.[3] Beijing's new submarine-based forces further enhance the security of China's second-strike capability in the face of a potential U.S. strike but are likely to lead to increased attention to anti-submarine warfare in the United States. China's recent anti-satellite test provoked a U.S. demonstration of similar capabilities. Such reciprocal responses have the potential to move toward a tightly coupled arms race and certainly have already worsened threat perceptions on each side. The potential for conflict is not simply that of inadvertent escalation; there are conflicts of interests between the two. Heightening threat perceptions in that context greatly complicates diplomacy. Further, the dangers of inadvertent escalation have been exacerbated by some of these moves. Chinese SSBN deployment will stress an untested command-and-control system. Similar dangers in the Cold War were mitigated, although not entirely overcome, over a period of decades of development of personnel and technical solutions. China appears to have few such controls in place today. U.S. deployment of highly accurate nuclear warheads is consistent with a first-strike doctrine and seems sized for threats larger than "rogue" nations. These too would undermine stability in an intense crisis.

23

Zero-Days Aff - Michigan 71AC CRITICAL INFRASTRUCTURE ADVANTAGE

Advantage: Critical Infrastructure

Effective information sharing makes cyberdefense effective and prevents devastating attacks on critical infrastructure --- status quo legal framework works, but government action is keyBush 15 [Wes, Chairman, Chief Executive Officer and President, Northrop Grumman Corporation, “Cyber Security: The New Threat; The New Normal,” April 22, 2015, address to the Metropolitan Club, http://www.northropgrumman.com/MediaResources/Presentations/2015/Pages/04222015WesBushAtMetropolitanClub.aspx] //khirn

Right now, many organizations are facing cyber threats alone. Currently, as soon as a potential cyber attacker learns of a software or hardware vulnerability, every single company that uses that product is immediately at grave risk. However, when the private sector can share threat information with each other -- and between itself and the government – that risk of cyber attack is greatly reduced. This is because we leverage our collective cyber defenses by sharing threat information – like attack methods, known bad sites, malware, or social media probes. Yes, there are legitimate privacy and liability concerns. However, an effective cyber threat information sharing framework can balance these issues while also providing enhanced cyber protection for all of us. This need is even more obvious at the public-private tier. Critical infrastructure providers currently find information sharing with their government partners in the national intelligence and law enforcement communities very, very difficult because it raises sensitive and complex issues. Individuals value their privacy, particularly when the Government is involved. But the fact remains that the cyber defense of our critical infrastructure simply is not possible without cyber threat information sharing between those three communities . One example from awhile back, related in congressional testimony, told of an incident in which the National Security Agency detected a foreign entity trying to steal three gigabytes of information from an American defense contractor. The information-sharing rules would not let the NSA warn the contractor of what was about to happen to them. The head of the NSA at that time likened it to seeing a cyber-intrusion happen at network speed but then being required to warn the company under attack with a letter sent through the conventional mail. Legislative efforts to

deal with the information-sharing issue occur every few years. Currently, another effort seems to be building .

Those of us who watch this issue have our fingers crossed. I’m guardedly optimistic. First, because this issue has been elevated by recent cyber attacks on large companies: Sony, J.P. Morgan, Target, Anthem, Home Depot and others. And they have focused attention on the issue among the most powerful people in America – the taxpayers – voters who feel less and less secure about their personal information and bank accounts. The other reason I’m optimistic is because, legislation or not, government and the private sector have not been idle. What hampered the last legislative effort were concerns over the regulatory burden. In the wake of that last legislative effort, the National Institute of Science and Technology – NIST for short – worked together with industry to develop and issue a framework for improving critical cyber security infrastructure. It was intended as a voluntary set of guidelines. But now at its one-year mark, it has become the de facto standard for private sector cyber security as viewed by regulators and lawyers. The framework helps a company to critically assess its cyber security health, capabilities and efforts; then the company can perform a risk/return analysis to determine where it wants its cyber security capabilities to be, and when. It then develops a plan to get itself from its current state, to its intended end point. Companies utilizing this framework are motivated toward improvement because, in the event of a successful attack against them, any company would have to explain to customers and creditors why it chose not to participate in a security improvement program that its competitors are likely using. It also doesn’t hurt that the framework is being used as an industry baseline for cyber insurance underwriting.

Zero-days are key --- inadequate cooperation risks multiple critical sectors --- like electricity and waterStockton and Golabek-Goldman 13 [Paul and Michele, " Curbing the market for cyber weapons," Yale Law & Policy Review, Forthcoming, pg. 108-109

24

Zero-Days Aff - Michigan 7<http://ssrn.com/abstract=2364658>] /eugchen

Øday exploits are dual-use.24 They can be deployed by good-willed researchers to test computer systems for vulnerabilities and therefore safeguard systems against attacks.25 However, they can also be deployed to gather sensitive commercial or intelligence information, incapacitate computer systems, or inflict widespread physical damage. For example, a weaponized Øday exploit targeting the air traffic control system could send false signals to planes in the air, causing them to crash or collide.26 Department of Transportation audits have confirmed that the U.S. air traffic control

system remains highly vulnerable to cyberattacks.27 An attack on the electric grid could leave entire regions of the country in the dark for weeks, incapacitating the economy and resulting in numerous casualties.28 As the threats to the air traffic control system and electric grid make clear, the most potent and dangerous Øday- exploit attacks are those that target the nation’s “ critical infrastructure ” sectors . The 2013 Presidential Policy Directive on Critical Infrastructure Security and Resilience defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”29 The air-traffic control system and other transportation systems are considered critical infrastructure , along with the chemical, communications, emergency services, financial, water , power , and nuclear reactor sectors. 30 A high percentage of

America’s critical infrastructure is owned and operated by private civilian companies .31 These companies

generally operate and monitor critical infrastructure by relying on industrial-control systems , including Supervisory Control and Data Analysis (“SCADA”) systems, distributed-control systems, and programmable-logic controllers.32 These systems enable companies to open and shut water pump valves, react to pressure, and change volume levels automatically and remotely.33 As technology has evolved, companies have sought to improve operational efficiency by designing ICS systems that are Internet compatible.34 Internet connectivity has rendered these systems and their applications layer much more susceptible to Øday-exploit attacks since perpetrators can access and penetrate them more easily.35 Today’s Øday-exploit attacks are especially targeted at the vulnerable applications layer.36 In spite of this increased threat, private companies have failed to adequately invest in cyber measures to secure critical infrastructure from attack. The government has also failed to provide sufficient support to private companies to safeguard the nation’s critical infrastructure. According to the Department of Homeland Security’s recent Inspector General Report, the United States Computer Emergency Readiness Team (US-CERT) is “understaffed” and lacks the legal authority to require private companies to implement stronger protections against cyber intrusions.37

Grid attacks take out command and control ---causes retaliation and nuclear warTilford 12 [Robert, Graduate US Army Airborne School, Ft. Benning, Georgia, “Cyber attackers could shut down the electric grid for the entire east coast” 2012, http://www.examiner.com/article/cyber-attackers-could-easily-shut-down-the-electric-grid-for-the-entire-east-coa] //khirn

To make matters worse a cyber attack that can take out a civilian power grid, for example could also cripple the U.S. military. The senator notes that is that the same power grids that supply cities and towns, stores and gas stations, cell towers and heart monitors also power “every military base in our country.” “Although bases would be prepared to weather a short power outage with backup diesel generators, within hours, not days, fuel supplies would run out”, he said. Which means military command and control centers could go dark . Radar systems that detect air threats to our country would shut Down completely . “Communication between commanders and their troops would also go silent. And many weapons systems would be left without either fuel or electric power”, said Senator Grassley. “So in a few short hours or days, the mightiest military in the world would be left scrambling to maintain base functions”, he said. We contacted the Pentagon and officials confirmed the threat of a cyber attack is something very real. Top national security officials—including the Chairman of the Joint Chiefs, the Director of the National Security Agency, the Secretary of Defense, and

25

Zero-Days Aff - Michigan 7the CIA Director— have said, “preventing a cyber attack and improving the nation’s electric grids is among the most urgent priorities of our country” (source: Congressional Record). So how serious is the Pentagon taking all this? Enough to start, or end a war over it, for sure (see video: Pentagon declares war on cyber attacks http://www.youtube.com/watch?v=_kVQrp_D0kY&feature=relmfu ). A cyber attack today against the US could very well be seen as an “Act of War” and could be met with a “full scale” US military response.

That could include the use of “nuclear weapons ”, if authorized by the President.

US water security on the brink nowDimick 14 (Dennis Dimick is National Geographic's Executive Editor for the Environment. National Geographic: “If You Think the Water Crisis Can't Get Worse, Wait Until the Aquifers Are Drained” published August 21st, 2014. Accessed June 25th, 2015. http://news.nationalgeographic.com/news/2014/08/140819-groundwater-california-drought-aquifers-hidden-crisis/#) KalM

This coincides with a nationwide trend of groundwater declines. A 2013 study of 40 aquifers across the United States by the U.S. Geological Survey reports that the rate of groundwater depletion has increased dramatically since 2000, with almost 25 cubic kilometers (six cubic miles) of water per year being pumped from the ground. This compares to about 9.2 cubic kilometers (1.48 cubic miles) average withdrawal per year from 1900 to 2008. Scarce groundwater supplies also are being used for energy. A recent study from CERES, an organization that advocates sustainable business practices, indicated that competition for water by hydraulic fracturing—a water-intensive drilling process for oil and gas known as "fracking"—already occurs in dry regions of the United States. The February report said that more than half of all fracking wells in the U.S. are being drilled in regions experiencing drought, and that more than one-third of the wells are in regions suffering groundwater depletion. Satellites have allowed us to more accurately understand groundwater supplies and depletion rates. Until these satellites, called GRACE (Gravity Recovery and Climate Experiment), were launched by NASA, we couldn't see or measure this developing invisible crisis. GRACE has given us an improved picture of groundwater worldwide, revealing how supplies are shrinking in several regions vulnerable to drought: northern India, the North China Plain, and the Middle East among them. As drought worsens groundwater depletion, water supplies for people and farming shrink, and this scarcity can set the table for social unrest . Saudi Arabia, which a few decades ago began pumping deep underground aquifers to grow wheat in the desert, has since abandoned the plan, in order to conserve what groundwater supplies remain, relying instead on imported wheat to feed the people of this arid land.

Water supplies are uniquely vulnerable to cyber-attacksGinter 15 (Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. WaterWorld.com: “High-Tech Threats: Top Cybersecurity Issues Facing Water Utility Control Systems.” Copyright date is 2015. Accessed June 25th, 2015. http://www.waterworld.com/articles/print/volume-29/issue-10/editorial-features/high-tech-threats-top-cybersecurity-issues-facing-water-utility-control-systems.html) KalM

Recent Department of Homeland Security reports have highlighted poor security among the nation's water utilities, where operations networks and control systems are inadequately protected. The security situation in critical infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity situations. Are firewalls - the most common form of security in the market - capable of combatting modern threats? Would water system utilities be better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions. Firewalls and Modern Security Threats Firewalls are a staple of industrial cybersecurity programs, but they have many inherent flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities . In

26

http://www.waterworld.com/articles/print/volume-29/issue-10/editorial-features/high-tech-threats-top-cybersecurity-issues-facing-water-utility-control-systems.html


http://news.nationalgeographic.com/news/2014/08/140819-groundwater-california-drought-aquifers-hidden-crisis/


Zero-Days Aff - Michigan 7order to prevent exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally expose these environments to numerous types of attacks. For example, phishing attacks send email through a firewall to persuade recipients to either reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix because they are essential to the design of the firewall's features. Waterfall Security Solutions. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. Photo courtesy of Waterfall Security Solutions. Even if connections through firewalls are initiated from the control network side, once the connections are established, they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks back to systems on the protected network. This means that utilities cannot deliver any confidence that their operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must compensate for it.

Water insecurity risks global war Aleem 3/6/15 ---Zeeshan Aleem is a reporter and editor at the The Huffington Post, Politico, The Atlantic Wire, and BBC News. He was educated at the Sidwell Friends School, Oxford University, George Washington, and the University of Chicago. (“Zeeshan Aleem”; Why Water Shortages Are the Greatest Threat to Global Security; http://mic.com/articles/111644/why-water-shortages-are-the-greatest-threat-to-global-security)\\pranav/KalMAccording to a United Nations report presented at U.N. headquarters in New York last week, about 2.9 billion people in 48

countries will be facing water shortages within 10 years that could destabilize and jeopardize the "very existence"

of some countries. By 2030, there will be a global supply shortfall of 40%. And it could pose a major threat to global security. "People do not have the luxury of living without water and when faced with a life or death decision, people tend to do whatever they must to survive," the report said. "In this manner, changes in fundamental hydrology are likely to cause new kinds of conflict , and it can be expected that both water scarcity and

flooding will become major transboundary water issues ." Global warming is causing extreme weather events that are nudging water supply issues from bad to desperate. On their own, vanishing rivers or droughts could devastate a

year's worth of crops but combined and over time, they pose a civilizational threat. At this point, U.S. intelligence agencies consider the prospect of water shortage a threat to be considered alongside terrorism and weapons of mass destruction. Understanding the water shortage: To be clear, the world isn't exactly running out of usable water. Freshwater is a very small portion of the planet's entire water supply: It accounts for only about 2.5% of all water, and just 1% of freshwater is readily accessible. But it is all over the world, and it's renewable. The main problem with water isn't about total volume — it's about distribution. Water isn't always where people need it when they need it, and all societies need it for everything: health, sanitation, agricultural production, energy and industry. The ability to handle distribution to meet these demands is largely a function of wealth. While affluent countries are generally able to manage the resources to meet demand, poorer countries frequently lack the infrastructure to deliver clean, safe water. Their economies also tend to rely disproportionately on deregulated and dirty extractive industries like coal mining that contaminate already-scarce water supplies. Impoverished nations are already suffering from serious water woes. Three-quarters of a billion people lack access to clean water, and water-related disease takes the lives of about 840,000 a year, according to Water.org. Women and children spend 140 million hours a day collecting usable water, often from unclean sources. A growing problem: As the world's population grows and endures increasingly volatile weather patterns, water management problems are on the brink of becoming far worse for much larger swathes of the global population. "The ways we need water and the way the environment provides water are increasingly not matching up, because things like climate change make it less and less predictable," Janet Redman, the climate policy director at the Institute for Policy Studies in Washington D.C., told Mic. "We built our society around when we can get water, when we can grow food, how we have to house ourselves, because we understand the environment around us after living in it for hundreds and hundreds and hundreds of generations. "The problem now, partly due to climate change, we can't predict the patterns, of rainfall, where water is going to be when, when things melt, how floods and droughts work — we're out of sync with the environment because we've changed the environment in a pretty significant way." How shortages breed conflict: The decline in our ability to predict the flow of the world's water based on historical patterns, called "relative hydrological stationarity" in the scientific community, is a game changer. "The loss of stationarity is playing poker with a deck in which new cards you have never seen before keep appearing more and more often, ultimately disrupting your hand to such an extent that the game no longer has coherence or meaning," the report said. That trickling in of new cards is dangerous. Lack of water has played a role in countless conflicts on a sub-national level. The Pacific Institute has documented hundreds of instances of water-related conflict in the past half-century which range from Kenyan tribes clashing over water amidst droughts to riots in South Africa over lack of access to clean water. As water supply experts Shira Yoffe and Aaron Wolf have noted, scarcity of clean freshwater has contributed to many episodes of acute violence on a small geographic scale across the world, such as bloody conflict between states within India over access to the Kaveri River. Adel Darwish, co-author of Water Wars: Coming Conflicts in the Middle East, has argued that access to water has played a significant role

27

http://mic.com/articles/111644/why-water-shortages-are-the-greatest-threat-to-global-security)%5C%5Cpranav/KalM

http://mic.com/articles/111644/why-water-shortages-are-the-greatest-threat-to-global-security)%5C%5Cpranav/KalM

Zero-Days Aff - Michigan 7in the Arab-Israeli conflict, including the 1967 war. More recent conflicts include a hidden element of water scarcity to them. Inter-ethnic conflict in Sudan in the 2000s was also driven by warring over access to clean water. Today, the militant Islamist State group is reportedly using control of water in Iraq and Syria as a tool of war. It affects everyone: It's increasingly clear that even rich countries cannot keep their water supplies safe from the consequences of climate change and extreme weather events — or from the instability that follows. In recent years California has experienced its worst drought in recorded history, which has rippled through both the local and national economy. Floods in the Canadian province of Manitoba in 2011 and 2014 caused the government's budget deficit to swell and ultimately led to political leaders resigning, according to the U.N. report. Insecurity can bubble up in even the places that are taken for granted as stable. The world's water supply crisis is a serious one: By 2050, sustaining the planet will require at least 50% more water than it does today, according to the New Yorker.

28

Zero-Days Aff - Michigan 71AC OCO’S ADVANTAGE

Advantage: Offensive Cyber Operations

Cyber arms race now --- the US is rapidly expanding offensive capabilities under the guise of surveillanceCorrea 15 [Gordon, security correspondent, BBC News, “Rapid escalation of the cyber arms race,” 29 April 2015, http://www.bbc.com/news/uk-32493516] //khirn

Rapid proliferation What surprised cyber-experts is the speed with which cyber-attack capabilities are now proliferating. No-one was surprised that the first tier of cyber-states - the US, UK, China, Israel and Russia - were capable of carrying out destructive attacks on infrastructure, but the speed with which others - such as Iran - were able to do the same has caused consternation and is a sign of how far cyber-attack can be a force-equaliser between different nations who might otherwise have wildly different

capabilities. Capabilities are also spreading to non-state actors . Criminals have long used ransomware to

extort money from people or else see their computers locked. But terrorist groups may also now be toying with more than just low-level disruptive attacks that deface or take off-line websites. France's TV5 Monde saw the

real-world effects of a cyber-attack when it was taken off air by people who claimed to belong to the "cyber-caliphate " affiliated to the group calling itself Islamic State . There are fears the use of destructive attacks against industrial control systems - like Stuxnet - could also spread. Closing down a city At a recent Cyber Security Challenge, Dr Kevin Jones, from Airbus, showed me how a model city connected up to the internet could have its power switched off remotely. "Unless we put a security architecture in place, this is very possible," he says. A German government report said a steel mill had been damaged by a cyber-attack last year - the perpetrators were unknown. Dr Jones believes the attackers got in through the regular corporate infrastructure, although it is not clear how far they deliberately targeted the control systems for the blast furnace that was damaged. When it comes to the cyber-arms race, are Western countries still in the lead? Some argue the top end of cyber-espionage tools may well still be in the hands of the US. The security firm Kaspersky Labs, for instance, recently revealed the work of hackers they called the Equation Group, who were highly sophisticated. "The Equation Group are masters of cloaking and hiding," says Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Labs, pointing to the ability of the group to get inside the firmware of machines and then launch highly advanced attacks. "This is insanely complicated to be honest," he says. Kaspersky Labs will not directly point the finger, but the widespread assumption is that the Equation Group is linked to America's National Security Agency (there are links with the codes used in Stuxnet as well). Documents released by the American whistle-blower Edward Snowden have also raised the profile of Britain's cyber-activities. "GCHQ has formidable resources," says Eric King, of the group Privacy International, whose concern lies in the lack of a transparent framework of accountability over offensive hacking. "In the last year and a half, we've seen their malware. The depth of the work and where they are going is very formidable." He says: "We have non-existent policies, practices, legal safeguards to oversee this." (GCHQ always maintains its activities are lawful and subject to oversight). Commercially available Another concern is the way in which such some of these cyber-espionage capabilities are now commercially available and being used by more authoritarian states. "Companies are providing surveillance as a consultancy service ," says Mr King, who adds foreign law enforcement and intelligence agencies can then use the bought services to hack dissidents and activists based in the UK. The capabilities may be spreading to more and more actors but a small handful of states still operate at the highest level. One senior Western intelligence official believes the Russians are already ahead of the US and UK - partly

because of the level of resources, mainly people - they throw at finding and exploiting vulnerabilities. That official, of course, may be bluffing, but they also said they did not think it would be long before the Chinese had also not just caught up but moved ahead .

That goes nuclear due to command and control hacking, crisis instability, and fracturing nuclear agreements Austin 13 [Director of Policy Innovation at the EastWest Institute, “Costs of American Cyber Superiority,” 8/6, http://www.chinausfocus.com/peace-security/costs-of-american-cyber-superiority/] //khirn

The United States is racing for the technological frontier in military and intelligence uses of cyber space. It is ahead of all others, and has mobilized massive non-military assets and private

29

http://www.bbc.com/news/uk-32493516

Zero-Days Aff - Michigan 7contractors in that effort. This constellation of private sector opportunity and deliberate government policy has been aptly labeled in recent months and years by so many credible observers (in The Economist, The Financial Times and the MIT Technology Review) as the cyber industrial complex. The United States is now in the unusual situation where the head of a spy agency (NSA) also runs a major military unified command (Cyber Command). This is probably an unprecedented alignment of Praetorian political power in any major democracy in modern political history . This allocation of such political weight to one military commander is of course for the United States to decide and is a legitimate course of action. But it has consequences. The Snowden case hints at some of the blow-back effects now visible in public. But there are others, less visible. The NSA Prism program exists because it is technologically possible and there have been no effective restraints on its international targeting. This lack of restraint is especially important because the command and control of strategic nuclear weapons is a potential target both of cyber espionage and offensive cyber operations . The argument here is not to suggest a similarity between the

weapons themselves, but to identify correctly the very close relationship between cyber op eration s and nuclear weapons planning . Thus the lack of restraint in cyber weapons might arguably affect ( destabilize ) pre-existing agreements that constrain nuclear weapons deployment and possible

use. The cyber superiority of the United States, while legal and understandable, is now a cause of strategic instability between nuclear armed powers . This is similar to the situation that persisted with nuc lear weapon s themselves until 19 69 when the USSR first proposed an end of the race for the technological frontier of potential planetary devastation. After achieving initial capability, the U.S. nuclear missile build up was not a rational military response to each step increase in Soviet military capability. It was a race for the technological frontier – by both sides – with insufficient recognition of the consequences. This conclusion was borne out by a remarkable Top Secret study commissioned in 1974 by the U.S. Secretary of Defense, Dr James Schlesinger. By the time it was completed and submitted in 1981, it assessed that the nuclear arms build-up by both sides was driven – not by a supposed tit for tat escalation in capability of deployed military systems – but rather by an unconstrained race for the technological limits of each side’s military potential and by its own military doctrinal preferences. The decisions of each side were not for the most part, according to this now declassified study, a direct response to particular systems that the other side was building. In 1969, the USSR acted first to propose an end to the race for the technological frontier of nuclear weapons because it knew it was losing the contest and because it knew there was political sentiment in the United States and in its Allied countries that supported limitations on the unbridled nuclear fetish. As we ponder the American cyber industrial complex of today, we see a similar constellation of opposition to its power emerging. This constellation includes not just the political rivals who see they are losing in cyber space (China and Russia), but nervous allies who see themselves as the likely biggest victims of the American race for cyber superiority, and loyal American military commanders who can see the risks and dangers of that quest. It is time for the United States to take stock of the collateral damage that its quest for cyber military power, including its understandable quest for intelligence superiority over the terrorist enemy, has caused amongst its allies. The loss has not yet been seen at the high political level among allies, in spite of several pro forma requests for information from countries such as Germany. The loss of U.S. credibility has happened more at the popular level. Around the world, once loyal supporters of the United States in its war on terrorism had a reasonable expectation to be treated as faithful allies. They had the expectation, perhaps naïve, that privacy was a value the Americans shared with them. They did not expect to be subject to such a crude distinction (“you are all non-Americans now”). They did not want to know that their entire personal lives in cyber space are now recoverable – should someone so decide – by the running of a bit of software in the NSA. After the Prism revelations, so many of these foreign citizens with an internationalist persuasion and solidarity for the United States now feel a little betrayed. Yet, in the long run, the most influential voice to end the American quest for cyber military superiority may come from its own armed forces . There are military figures in the United States who have had responsibility for nuclear weapons command and control systems and who, in private, counsel caution . They advocate the need to abandon the quest for cyber dominance and pursue a strategy of “ mutual security ” in cyber space – though that has yet to be defined. They cite military exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that might affect critical nuclear command and control or wider war mobilization functions. Strategic nuclear stability may be at risk because of uncertainty about innovations in cyber attack capability . This question is worth much more attention . U.S. national security strategy in cyber space needs to be brought under stronger civilian oversight and subject to more rigorous public scrutiny . The focus on Chinese cyber espionage has totally preempted proper debate

30

Zero-Days Aff - Michigan 7about American cyber military power. Most in the United States Congress have lined up to condemn Snowden. That is understandable. But where are the critical voices looking at the bigger picture of strategic instability in cyberspace that existed before Snowden and has now been aggravated because of him? The Russian and Chinese rejections of reasonable U.S. demands for Snowden’s extradition may be every bit as reasonable given their anxiety about unconstrained American cyber superiority.

Independently risks miscalc --- hair-trigger status causes nuclear warJapan Times 15 [May 1, 2015, “U.S., Russian ‘hair-trigger’ nuclear alert urged ended, especially in age of cyberattack,” http://www.japantimes.co.jp/news/2015/05/01/world/u-s-russian-hair-trigger-nuclear-alert-urged-ended-especially-age-cyberattack/#.VZIjlflVikp] //khirn

WASHINGTON – Former U.S. and Russian commanders Thursday called for scrapping “ hair- trigger ” alerts on nuclear weapons that carry grave risks of a potential atomic disaster —

especially in an age of cyberattacks . Retired military officers from the United States, Russia and other nuclear powers issued a report warning of the mounting dangers of the short fuses that allow hundreds of atomic weapons to be launched within minutes.The high alert status is a legacy of outdated Cold War doctrine, when U.S. and Soviet leaders feared a devastating first strike that could “decapitate” an entire nuclear force, according to the report sponsored by the disarmament group Global Zero.“Hundreds of missiles carrying nearly 1,800 warheads are ready to fly at a moment’s notice,” said the report. “These legacy postures of the Cold War are anachronisms but they remain fully operational.”The hair-trigger alert, which applies to half of the U.S. and Russian arsenals, is particularly dangerous in an era when “warning and decision timelines are getting shorter, and consequently the potential for fateful human error in

nuclear control systems is growing larger.”The growing threat of cyberassault also exacerbates the risks of the alert status, opening the way for false alarms or even a hijacking of the control systems for the weapons , it said.“Vulnerability to cyber attack . . . is a new wild card in the deck,” it said.The report calls for the United States and Russia to renounce the prompt-alert arrangements and to require 24 to 72 hours before a nuclear weapon could be launched. And it also urges forging a binding agreement among all countries to refrain from putting their nuclear forces on high alert.“There are a set of vulnerabilities particularly for the U.S. and Russia in these systems that were built in the fifties, sixties, seventies and eighties,” said James Cartwright, the retired four-star general who once was in charge of the U.S. nuclear arsenal.“Many of these old systems are subject to false alarms ,” Cartwright said at a news conference.

And, low response times means there’s a greater timeframe and probability than traditional nuclear escalationDycus 10 [Stephen is a Professor of national security law at Vermont Law School, former member of the National Academies committee on cyber warfare, LLM, Harvard University, LLB, BA, Southern Methodist University, “Congress’ Role in Cyber Warfare,” Journal of National Security Law & Policy, 4(1), 2010, p.161-164, http://www.jnslp.com/read/vol4no1/11_Dycus.pdf] //khirn

In other ways, cyber weapons are critically different from their nuclear counterparts . For one

thing, the time frame for response to a cyber attack might be much narrower. A nuclear weapon delivered by a land-based ICBM could take 30 minutes to reach its target. An electronic attack would arrive instantaneously, and leave no time to consult with or even inform anyone outside the executive branch before launching a counterstrike, if that were U.S. policy.

Uniquely true because of misperception fostered by offensive dominance Rosenzweig 9 [Paul, founder of Reid Branch Consulting, specializing in homeland security, senior advisor to the Chertoff Group, Carnegie Fellow at Northwestern, professor at National Defense University, Editorial board at the Journal of National Security Law & Policy, deputy assistant secretary for policy at the US Department of Homeland Security, "National Security Threatsin Cyberspace" merican Bar Association Standing Committee on Law and National Security And National Strategy Forum, September 2009,

31

http://www.japantimes.co.jp/news/2015/05/01/world/u-s-russian-hair-trigger-nuclear-alert-urged-ended-especially-age-cyberattack/#.VZIjlflVikp

http://www.japantimes.co.jp/news/2015/05/01/world/u-s-russian-hair-trigger-nuclear-alert-urged-ended-especially-age-cyberattack/#.VZIjlflVikp

Zero-Days Aff - Michigan 7www.utexas.edu/law/journals/tlr/sources/Issue%2088.7/Jensen/fn137.Rosenwieg.pdf] //khirn

Offensive dominance creates a great risk of cyber arms races . State and non-state actors are

likely to view the prevalence of offensive cyber threats as a legitimate rationale for bolstering their own capabilities , both defensive and offensive, thus fueling an action-reaction dynamic of iterative

arming. Experts believe that at least 20 nations are engaged in a cyber arms competition and possess the type of advanced capabilities needed to wage cyber war aainst the United States.121 As Michael Nacht, Former Assistant Secretary of Defense for Global Strategic Affairs, told us, “An arms race is already going on in cyberspace and it is very intense.”122 Conflict in cyberspace is uniquely predisposed to escalation given uncertainties about what constitutes an act of war and the growing number of state and non-state

actors seeking offensive capabilities. Actors are more likely to misperceive or miscalculate actions in cyberspace, where there is no widely understood strategic language for signaling intent, capability and resolve.123 Uncertainty will encourage states to prepare for worst-case contingencies, a condition that could fuel escalation. Furthermore, “false flag” attacks, in which an actor purposefully makes an attack look like it came from a third party, could also ignite a conflict.124

Disclosing vulnerabilities instead of using them for surveillance prevents arms races --- builds legitimacy to negotiate international cyberdefense agreements Schneier 14 (Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School and a program fellow at the New America Foundation's Open Technology Institute. “Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?”, May 19, 2014, http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/)//CLi

The implications of U.S. policy can be felt on a variety of levels. The NSA's actions have resulted in a widespread mistrust of the security of U.S. Internet products and services, greatly affecting American business. If we show that we're putting security ahead of surveillance, we can begin to restore that trust . And by making the decision process much more public than it is today,

we can demonstrate both our trustworthiness and the value of open government. An unpatched vulnerability puts everyone at risk, but not to the same degree. The U.S. and other Western countries are highly vulnerable, because of our critical electronic infrastructure, intellectual property, and personal wealth. Countries like China and Russia are less vulnerable—North Korea much less—so they have considerably less incentive to see vulnerabilities fixed. Fixing vulnerabilities isn't disarmament; it's making our own countries much safer.

We also regain the moral authority to negotiate any broad international reductions in cyber-weapons ; and we can decide not to use them even if others do. Regardless of our policy towards

hoarding vulnerabilities, the most important thing we can do is patch vulnerabilities quickly once they are disclosed. And that’s what companies are doing, even without any government involvement, because so many vulnerabilities are discovered by criminals. We also need more research in automatically finding and fixing vulnerabilities, and in building secure and resilient software in the first place. Research over the last decade or so has resulted in software vendors being able to find and close entire classes of vulnerabilities. Although there are many cases of these security analysis tools not being used, all of our security is improved when they are. That alone is a good reason to continue disclosing vulnerability details, and something the NSA can do to vastly improve the security of the Internet worldwide. Here again, though, they would have to make the tools they have to automatically find vulnerabilities available for defense and not attack. In today's cyberwar arms race , unpatched vulnerabilities and stockpiled cyber-weapons are inherently destabilizing , especially because they are only effective for a limited time. The world's militaries are investing more money in finding vulnerabilities than the commercial world is investing in fixing them. The vulnerabilities they discover affect the security of us all. No matter what cybercriminals do, no matter what other countries do, we in the U.S. need to err on the side of security and fix almost all the vulnerabilities we find. But not all, yet.

32

http://oti.newamerica.net/

http://oti.newamerica.net/

http://cyber.law.harvard.edu/

http://cyber.law.harvard.edu/

http://www.utexas.edu/law/journals/tlr/sources/Issue%2088.7/Jensen/fn137.Rosenwieg.pdf

Zero-Days Aff - Michigan 7That spurs international coop and mitigates offensive use Clark et. al. 9 (David Clark, Senior Research Scientist at the MIT Computer Science and Artificial Intelligence Laboratory, Whitfield Diffie, Internet Corporation for Assigned Names and Numbers, Abraham Sofaer, former federal judge for the United States District Court for the Southern District of New York, and then a Legal Adviser to the United States State Department, “Cyber Security and International Agreements”, http://cs.brown.edu/courses/csci1800/sources/lec17/Sofaer.pdf)//CLi

The potential utility of international cybersecurity agreements deserves to be carefully examined. International agreements covering other transnational activities, including armed conflict,

communications, air and sea transportation, health, agriculture, and commerce, among other areas, have been widely adopted by states to enhance safety and efficiency through processes that could well be useful in regulating cyber activities. Transnational agreements that contribute to cybersecurity will only be possible, however, if they take into account the substantial differences that exist between activities regulated by established international regimes and cyber systems. Many states will be unprepared at this time to agree to limit their control of cyber activities they regard as essential to their national security interests. International agreements will also be impossible where irreconcilable differences in policies exist among states, particularly regarding political uses of the Internet, privacy, and human rights. But, while these factors limit the potential scope and utility of international cyber-security agreements, they do allow for international cooperation on many issues that could prove beneficial. The potential for improving cyber security through international agreements can best be realized through a program that identifies: the activities likely to be subjects of such agreements and those that are not; the measures likely to be used by parties to improve cyber security in each area of activity appropriate for international cooperation; and the form which any international body that may be utilized or established for this purpose should assume, the authority such a body would be assigned, and the basis upon which its activities would be governed. International agreements negotiated on the basis of these practical premises could help to create a more secure cyber environment through measures that go beyond conventional forms of deterrence.

Eliminating offensive cyberattacks allows the US to set global norms in cyberspace --- that’s key to prevent cyber arms races Goldsmith 10 [Jack, teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at Stanford University, “Can we stop the Cyber Arms Race,” Washington Post, February 1, 2010, http://articles.washingtonpost.com/2010-02-01/opinions/36895669_1_botnets-cyber-attacks-computer-attacks] //khirn

In a speech this month on "Internet freedom," Secretary of State Hillary Clinton decried the cyberattacks that threaten U.S. economic and national security interests. "Countries or individuals that engage in cyber attacks should face consequences and international condemnation," she warned, alluding to the China-Google kerfuffle. We should "create norms of behavior among states and encourage respect for the global networked commons." Perhaps so. But the problem with Clinton's call for accountability and norms on the global network -- a call frequently heard in policy discussions about cybersecurity -- is the enormous array of cyberattacks originating from the United States . Until we acknowledge these attacks and signal how we might control them, we cannot make progress on preventing cyberattacks emanating from other countries. An important weapon in the cyberattack arsenal is a botnet, a cluster of thousands and sometimes millions of compromised computers under the ultimate remote control of a "master." Botnets were behind last summer's attack on South Korean and American government Web sites, as well as prominent attacks a few years ago on Estonian and Georgian sites. They are also engines of spam that can deliver destructive malware that enables economic espionage or theft. The United States has the most, or nearly the most, infected botnet computers and is thus the country from which a good chunk of botnet attacks stem. The government could crack down on botnets, but doing so would raise the cost of software or Internet access and would be controversial. So it has not acted, and the number of dangerous botnet attacks from America grows. The United States is also a leading source of "hacktivists" who use digital tools to fight oppressive regimes. Scores of individuals and groups in the United States design or employ computer payloads to attack government Web sites, computer systems and censoring tools in Iran and China. These efforts are often supported by U.S. foundations and universities, and by the federal government. Clinton boasted about this support seven paragraphs after complaining about cyberattacks. Finally, the U.S. government has

33

http://cs.brown.edu/courses/csci1800/sources/lec17/Sofaer.pdf)//CLi

https://en.wikipedia.org/wiki/United_States_State_Department

https://en.wikipedia.org/wiki/United_States_District_Court_for_the_Southern_District_of_New_York

https://en.wikipedia.org/wiki/United_States_District_Court_for_the_Southern_District_of_New_York

Zero-Days Aff - Michigan 7perhaps the world's most powerful and sophisticated offensive cyberattack capability . This capability remains highly classified. But the New York Times has reported that the Bush administration used cyberattacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran's nuclear weapons program. And the government is surely doing much more. "We have U.S. warriors in cyberspace that are deployed overseas" and "live in adversary networks," says Bob Gourley, the former chief technology officer for the Defense Intelligence Agency. These warriors are now under the command of Lt. Gen. Keith Alexander, director of the National Security Agency. The NSA, the world's most powerful signals intelligence organization, is also in the business of breaking into and extracting data from offshore enemy computer systems and of engaging in computer attacks that, in the NSA's words, "disrupt, deny, degrade, or destroy the information" found in these systems. When the Obama administration created "cyber command" last year to coordinate U.S. offensive cyber capabilities, it nominated Alexander to be in charge. Simply put, the United States is in a big way doing the very things that Clinton criticized. We are not, like the Chinese, stealing intellectual property from U.S. firms or breaking into the accounts of democracy advocates. But we are aggressively using the same or similar computer techniques for ends we deem worthy. Our potent offensive cyber operations matter for reasons beyond the hypocrisy inherent in undifferentiated condemnation of cyberattacks. Even if we could stop all cyberattacks from our soil, we wouldn't want to. On the private side, hacktivism can be a tool of liberation. On the public side, the best defense of critical computer systems is sometimes a good offense. "My own view is that the only way to counteract both criminal and espionage activity online is to be proactive," Alexander said last year, adding that if the Chinese were inside critical U.S. computer systems, he would "want to go and take down the source of those attacks." Our adversaries are aware of our prodigious and growing offensive cyber capacities and exploits. In a survey published Thursday by the security firm McAfee, more

information technology experts from critical infrastructure firms around the world expressed concern about the United States as a source of computer network attacks than about any other country. This awareness,

along with our vulnerability to cyberattacks, fuels a dangerous public and private cyber arms race in an arena where the offense already has a natural advantage .

34

Zero-Days Aff - Michigan 71AC PLAN – VERSION 1

The United States federal government should substantially curtail its domestic surveillance using computer software vulnerabilities or exploits unknown to relevant vendors.

35

Zero-Days Aff - Michigan 71AC PLAN – VERSION 2

The United States federal government should substantially curtail its domestic surveillance of computer software vulnerabilities or exploits unknown to relevant vendors.

36

Zero-Days Aff - Michigan 71AC SOLVENCY

The plan solves effective information sharing between the government and private sector --- a signal of clear commitment and a steady flow of actionable disclosure is key to cooperative cyberdefense --- overcomes legal barriers Rosenzweig 12 [Paul, leading cybersecurity expert, founder of Red Branch Consulting PLLC, a homeland security consulting company, and a Senior Advisor to The Chertoff Group, “Cybersecurity and Public Goods: The Public/Private “Partnership,” An Emerging Threats Essay, Hoover Institution, Stanford] //khirn

Information Sharing, Public Goods, and the Law This economic understanding of cybersecurity suggests why a significant fraction of the policy debate about cybersecurity and public/private partnerships revolves around the challenge of effectively sharing security information . Some people insist that existing legal restrictions prevent the private sector from creating cybersecurity. They say some restrictions weaken the government’s ability to adequately share threat information with the private sector, while others limit how the private sector shares information with the government or amongst itself. In other words, the “received wisdom” is that our collective response to new threats is limited by law— the government can’t share some threat information about new malicious software with the private sector because of classification rules, and privacy rules prevent private sector actors from sharing the same information with the government or their peers. The focus on information sharing makes sense when seen through the prism of our theoretical model: because threat and vulnerability information may have characteristics of a public good, it is in society’s interest to foster their creation and distribution. If existing laws did, in fact, restrain and restrict those aims—if classification and privacy laws limited information sharing—that would be a policy dissonance. However, on closer examination, many of these legal limitations may be less constricting than they are perceived to be. In the end, what really restricts cooperation are the inherent caution of lawyers who do not wish to push the envelope of legal authority and/or policy and economic factors such as proprietary self-interest that limit the desire to cooperate. The information in question will relate, broadly speaking, either to specific threats from external actors (for example, knowledge from an insider that an intrusion is planned) or to specific vulnerabilities (for example, the identification of a security gap in a particular piece of software). In both situations, the evidence of the threat or vulnerability can come in one of two forms: either non-personalized information related to changes in types of activity on the network, or personalized information about the actions of a specific individual or group of individuals.48 Needless to say, the sharing of the latter category of Personally Identifiable Information (PII) is of greater concern to civil libertarians than the sharing of network traffic information.49 Information Sharing from the Government to the Private Sector Some suggest that the principal barriers to an effective public/private partnership in combating cyber threats are limitations on the government’s ability to share threat and vulnerability information with the private sector. Sometimes the government has collected this information using sources and methods that are classified, and disclosure of the information risks compromising those sources and methods. Less frequently, the existence of the threat or vulnerability is itself classified information, since disclosure of its existence or scope might adversely affect security. In general, classification rules serve a salutary purpose—they protect information whose disclosure “reasonably could be expected to cause exceptionally grave damage to the national security.”50 That instinct against disclosure, however,

conflicts with a newer post-9/11 standard of enhanced information sharing . In the realm of cybersecurity, these conflicting impulses are a constant source of tension. For example, the Government Accountability Office reported last year that a survey of private sector actors showed that what they want most is for their federal partners to provide “timely and actionable cyber threat and alert information —

[that is,] providing the right information to the right persons or groups as early as possible to give them time to take appropriate action.” However, “only 27 percent of private sector survey respondents reported that they were receiving timely and actionable cyber threat information and alerts to a great or moderate extent.”51 Likewise, private sector actors report that they do not routinely receive the security clearances required to adequately receive and act upon classified threat information.52 For the most part, these problems are ones of policy, rather than law. No legal barrier prevents provision of the requisite security clearances—it is simply a matter of inadequate resources. Likewise, the untimeliness of US-CERT’s alert process is more the product of the need for internal review and the government’s insistence on accuracy over timeliness than it is of any legal barrier to sharing. And, indeed, this policy choice may be the right one, since inaccuracy will erode the government’s credibility—but the cautious impulse still makes government information sharing less effective. Still, there may be some legal restrictions beyond classification that do interfere with information sharing. According to the GAO, DHS officials report that “US-CERT’s ability to provide information is impacted by restrictions that do not allow individualized treatment of one private sector entity over another private sector entity—making it difficult to formally share specific information with entities that are being directly impacted by a cyber threat.”53 The apparent need to avoid the appearance of favoritism amongst private sector actors may be a barrier that needs re-consideration (though this reference is the only time the author has seen this problem identified, raising a question about its general applicability).54 Even this limited legal prohibition

37

Zero-Days Aff - Michigan 7seems to have had little practical effect. As Google’s request for assistance to the NSA demonstrates, there are plainly situations in which company-specific assistance can be rendered by the government . Indeed, the Google experience is in the midst of being generalized. Recently the Department of Defense announced the continuation of a pilot project wherein it would share threat signature information with Internet Service Providers (ISPs) which, in turn, would use that information to protect the systems of private corporations that are part of the Defense Industrial Base (DIB).55 This pilot program is voluntary and involves only the one-way transfer of information from the government to the private sector—a structure that alleviates most , if not all, of the legal concerns about government surveillance activities. 56 More broadly, the Obama administration’s draft cybersecurity proposal would codify authority for DHS to provide assistance to the private sector upon request. 57 Thus, these problems are not likely to be ones of law, but of commitment .

Disclosing zero-days disarms cyberattackers globallyMasnick 14 [Mike, founder and CEO of Floor64 and editor of the Techdirt blog, “Obama Tells NSA To Reveal, Not Exploit, Flaws... Except All The Times It Wants To Do The Opposite,” Techdirt, April 14, 2014, https://www.techdirt.com/articles/20140413/07094726892/obama-tells-nsa-to-reveal-not-exploit-flaws-except-all-times-it-wants-to-do-opposite.shtml] //khirn

However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it . Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but leaves open a massive loophole: But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons. Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." Of course, the cold war analogy used by people in the article seems... wrong: “We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Except, it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides , because it takes the vulnerability out of service . It's not about us giving up our "weapons," it's about building a better defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone -- other than themselves.

US is the lynchpin of the zero-days market---that sustains the arms race and global cyberattacks—the plan reverses that and reduces the market drasticallyPerlroth and Sanger 13 (Nicole Perlroth covers cyberattacks, hackers and the cybersecurity industry for The Times’s business news section. She is a graduate of Princeton University, Stanford University’s Graduate School of Journalism and is a guest lecturer at Stanford’s graduate schools of business and communications. David Sanger is the chief Washington correspondent of The New York Times. “Nations Buying as Hackers Sell Flaws in Computer Code”, July 13, 2013, http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html)//CLi

38

http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html


Now, the market for information about computer vulnerabilities has turned into a gold rush. Disclosures by Edward J. Snowden, the former N.S.A. consultant who leaked classified documents, made it clear that the United States is among the buyers of programming flaws. But it is hardly alone. Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington. To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 percent cut. Some hackers get a deal collecting royalty fees for every month their flaw is not discovered, according to several people involved in the market. Some individual brokers, like one in Bangkok who goes by “the Grugq” on Twitter, are well known. But after the Grugq spoke to Forbes last year, his business took a hit from the publicity, according to a person familiar with the impact, primarily because buyers demand confidentiality. A broker’s approach need not be subtle. “Need code execution exploit urgent,” read the subject line of an e-mail sent from one contractor’s intermediary last year to Billy Rios, a former security engineer at Microsoft and Google who is now a director at Cylance, a security start-up. “Dear Friend,” the e-mail began. “Do you have any code execution exploit for Windows 7, Mac, for applications like Browser, Office, Adobe, SWF any.” “If yes,” the e-mail continued, “payment is not an issue.” For start-ups eager to displace more established military contractors, selling vulnerabilities — and expertise about how to use them — has become a lucrative opportunity. Firms like Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, Mr. Auriemma’s and Mr. Ferrante’s Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and in some cases for cyberweapons. Outside Washington, a Virginia start-up named Endgame — in which a former director of the N.S.A. is playing a major role — is more elusive about its abilities. But it has developed a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyberespionage and for offensive purposes. Like ReVuln, none of the companies will disclose the names of their customers. But Adriel Desautels, the founder of Netragard, said that his clients were “strictly U.S. based” and that Netragard’s “exploit acquisition program” had doubled in size in the past three years. The average flaw now sells from around $35,000 to $160,000. Chaouki Bekrar, the founder of Vupen, said his company did not sell to countries that are “subject to European Union, United States or United Nations restrictions or embargoes.” He also said revenue was doubling every year as demand surged. Vupen charges customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale. Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system. ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access — or disrupt — water treatment facilities, oil and gas pipelines and power plants. “They are engaging in willful blindness,” said Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union. Many technology companies have started “bug bounty” programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves — or worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared. In 2010, Google started paying hackers up to $3,133.70 — the number is hacker code for “elite” — for bugs in its Web browser Chrome. Last month, Google increased its cash prize to $20,000 for flaws found in some of its widely used products. Facebook began a similar program in 2011 and has since paid out $1 million. (One payout included $2,500 to a 13-year-old. The most it has paid for a single bug is $20,000.) “The program undermines the incentive to hold on to a bug that might be worth nothing in a day,” said Joe Sullivan, Facebook’s chief security officer. It had also had the unintended effect of encouraging ethical hackers to turn in others who planned to use its bugs for malicious use. “We’ve seen people back-stab other hackers by ratting out a bug that another person planned to use maliciously,” he said. Microsoft, which had long resisted such a program, did an about-face last month when it announced that it would pay hackers as much as $150,000 for information about a single flaw, if they also provided a way to defend against it. Apple still has no such program, but its vulnerabilities are some of the most coveted. In one case, a zero-day exploit in Apple’s iOS operating system sold for $500,000, according to two people briefed on the sale. Still, said Mr. Soghoian of the A.C.L.U., “The bounties pale in comparison to what the government pays.” The military establishment, he said, “ created Frankenstein by feeding the market .” In many ways, the United States government created the market . When the United States and Israel used a series of flaws — including one in a Windows font program — to unleash what became known as the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race . When the Stuxnet code leaked out of the Natanz nuclear enrichment plant in Iran in the summer of 2010, the flaws suddenly took on new value. Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and Duqu that used flaws to spy on computers in Iran have only fueled interest. “I think it is fair to say that no one anticipated where this was going,” said one person who was involved in the early American and Israeli strategy. “And today, no one is sure where it is going to end up.” In a prescient paper in 2007, Charlie Miller, a former N.S.A. employee, described the profitable alternatives for hackers who may have otherwise turned their information about flaws over to the vendor free, or sold it for a few thousand dollars to programs like Tipping Point’s Zero Day Initiative, now run by Hewlett-Packard, which used them to enhance their security research. He described how one American government agency offered him $10,000 for a Linux bug. He asked another for $80,000, which agreed “too quickly,” Mr. Miller wrote. “I had probably not asked for enough.” Because the bug did not work with a particular flavor of Linux, Mr. Miller eventually sold it for $50,000. But the take-away for him and his fellow hackers was clear: There was serious money to be made selling the flaws. At their conventions, hackers started flashing signs that read, “No more free bugs.” Hackers like Mr. Auriemma, who once gave away their bugs to software vendors and antivirus makers, now sound like union organizers declaring their rights. “Providing professional work for free to a vendor is unethical,” Mr. Auriemma said. “Providing professional work almost for free to security companies that make their business with your research is even more unethical.” Experts say there is limited incentive to regulate a market in which government agencies are some of the biggest participants.

39

Zero-Days Aff - Michigan 7Disclosing vulnerabilities amounts to disarming the NSA --- zero-days are key Kehl et al. 14 [Danielle Kehl is a Policy Analyst at New America’s Open Technology Institute (OTI). Kevin Bankston is the Policy Director at OTI, Robyn Greene is a Policy Counsel at OTI, and Robert Morgus is a Research Associate at OTI, New America is a nonprofit, nonpartisan public policy institute that invests in new thinkers and new ideas to address the next generation of challenges facing the United States, Policy Paper, “Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & Cybersecurity,” July 2014, https://www.newamerica.org/oti/surveillance-costs-the-nsas-impact-on-the-economy-internet-freedom-and-cybersecurity/] //khirn

In April 2014, Bloomberg reported that the NSA had known for at least two years about the Heartbleed bug, a security vulnerability in the OpenSSL protocol that reportedly affected millions of websites worldwide, “and regularly used it to gather critical intelligence.”282 Although the allegations—which the Office of the Director of National Intelligence quickly denied—appear to be false,283 the story turned the spotlight on one of the least reported NSA practices: that the agency routinely stockpiles knowledge about security holes that it discovers so that it can later exploit the vulnerabilities to collect information or infect target devices with malware, rather than

disclosing the vulnerabilities to companies so that they can be patched.284 The practice was referred to indirectly or in passing in a number of the stories about the NSA programs , particularly in the December 2013 Der Spiegel series describing the behavior of the NSA’s Tailored Access Operations Unit.285 But the emphasis at that time was on the malicious activity the NSA was able to carry out as a result of those vulnerabilities , and not on the security risk created by the stockpiling itself , which leaves companies and ordinary users open to attack not just from the NSA but from anyone who discovers or learns about the flaws . In recent years, a substantial market for information about security vulnerabilities has sprung up, with governments joining companies and security researchers in hunting for and trading information about how to exploit holes in mass-market software and services .286 According to the leaks, the NSA and related branches of the U.S. intelligence apparatus

spend millions of dollars looking for software flaws and other vulnerabilities , targeting everything from the commercial software sold by American companies to widely used open- source protocols like OpenSSL .287 The NSA employs more than a thousand researchers and experts using a variety of sophisticated techniques to look for bugs. 288 ‘ Zero-day’ exploits , a term that refers to vulnerabilities that have been discovered but have not yet been disclosed to the public or the

vendor,289 are particularly coveted because it is much harder to protect systems from an attack against an unknown weakness . “Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to ‘ unilateral disarmament ,’” wrote cybersecurity expert David E. Sanger.290 According to Sanger, one senior White House official told him, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”291 In theory, the NSA’s dual mission of carrying out signals intelligence (SIGINT) and protecting communications security (COMSEC) for military and diplomatic communications should be mutually beneficial when it comes to vulnerabilities and exploits, because SIGINT could inform COMSEC about potential weaknesses and vice versa. However, as Steven Bellovin, Matt Blaze, Sandy Clark, and Susan Landau write, “reality is in fact very different. COMSEC’s awareness of the need to secure certain communications channels has often been thwarted by SIGINT’s desire that patching be delayed so that it can continue to exploit traffic using the vulnerability in question.”292 When the NSA discovers vulnerabilities in communications technologies and other

products, it has a strong disincentive to promptly disclose those vulnerabilities to the companies since the companies will patch them , forcing the NSA to look for new ways to access the information it seeks . Thus—as in the case of encryption standards—the NSA’s signals intelligence mission has interfered with the NSA’s information assurance mission, and the agency has built a massive catalogue of software and hardware vulnerabilities that is has stockpiled for its own purposes rather than disclosing them to vendors so that they can be fixed. 293 The Director of National Intelligence recently revealed the existence of an interagency process—referred to as the “Vulnerabilities Equities

40

https://www.newamerica.org/oti/surveillance-costs-the-nsas-impact-on-the-economy-internet-freedom-and-cybersecurity/


Zero-Days Aff - Michigan 7Process”—designed to facilitate the responsible disclosure of vulnerabilities,294 but the extent to which the NSA provides information through the process is unclear.295 NSA Director and Commander of U.S. Cyber Command Vice Admiral Michael S. Rogers explained to the Senate Armed Services Committee during his confirmation that “within NSA, there is a…process for handling ‘0-day’ vulnerabilities discovered in any commercial product or system (not just software) utilized by the U.S. and its allies… [where] all vulnerabilities discovered by NSA… are documented, subject to full analysis, and acted upon promptly.”296

The status quo provides incentives for writing software with vulnerabilities --- the signal of the plan is crucial to long-term cybersecuritySchneier 12 [Bruce, security expert with 13 books, fellow at the Berkman Center for Internet & Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute and the CTO of Resilient Systems, “The Vulnerabilities Market and the Future of Security,” Forbes, 5/30/2012, http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/] //khirn

Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It’s not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it’s not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and

companies who sell to governments, who buy vulnerabilities with the intent of keeping them secret so they can exploit them . This market is larger than most people realize , and it’s becoming even larger. Forbes recently published a price list for zero-day exploits, along with the story of a hacker who received $250K from “a U.S. government contractor” (At first I didn’t believe the story or the price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General Dynamics, and Raytheon. This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a 2010 survey implied that there wasn’t much money in selling zero days. The market has matured substantially in the past few years. This new market perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all. I’ve long argued that the process of finding vulnerabilities in software system increases overall security. This is because the economics of vulnerability hunting favored disclosure. As long as the principal gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities was the only obvious path. In fact, it took years for our industry to move from a norm of full-disclosure — announcing the vulnerability publicly and damn the consequences — to something called “responsible disclosure”: giving the software vendor a head start in fixing the vulnerability. Changing economics is what made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land some lucrative consulting gigs, and being a responsible security researcher helped. But regardless of the motivations, a disclosed vulnerability is one that — at

least in most cases — is patched. And a patched vulnerability makes us all more secure . This is why the

new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it’s even more lucrative than the public vulnerabilities market means that more hackers will choose this path. And unlike the previous reward of notoriety and consulting gigs, it gives software programmers within a company the incentive to deliberately create vulnerabilities in the products they’re working on — and then secretly sell them to some government agency . No commercial vendors perform the level of code review that would be necessary to detect, and prove mal-intent for, this kind of sabotage. Even more importantly, the new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched . These range from law-enforcement agencies (like the FBI and the German police who are trying to build targeted Internet surveillance tools, to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools , to military organizations who are trying to build cyber-weapons. All of these agencies have long had to wrestle with the choice of whether to use newly discovered vulnerabilities to protect or to attack. Inside the NSA, this was traditionally known as the “equities issue,” and the debate was between the COMSEC (communications security) side of the NSA and the SIGINT (signals intelligence) side. If they found a flaw in a popular cryptographic algorithm, they could either use that knowledge to fix the algorithm and make everyone’s communications more secure, or they could exploit the flaw to eavesdrop on others — while at the same time allowing even the people they wanted to protect to remain vulnerable. This debate raged through the decades inside the NSA. From what I’ve heard, by 2000, the COMSEC side had largely won, but things flipped completely around after 9/11. The whole point of

41

http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/

http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/

Zero-Days Aff - Michigan 7disclosing security vulnerabilities is to put pressure on vendors to release more secure software. It’s not just that they patch the vulnerabilities that are made public — the fear of bad press makes them implement more secure software development processes. It’s another economic process; the cost of designing software securely in the first place is less than the cost of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch. I’d be the first to admit that this isn’t perfect — there’s a lot of very poorly written software still out there — but it’s the best incentive we have. We’ve always expected the NSA, and those like them, to keep the vulnerabilities they discover secret. We have been counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise of these new pressures to keep zero-day exploits secret, and to sell them for exploitation, there will be even less incentive on software vendors to ensure the security of their products. As the incentive for hackers to keep their vulnerabilities secret grows, the incentive for vendors to build secure software shrinks. As a recent EFF essay put it, this is “security for the 1%.” And it makes the rest of us less safe.

42


TOPICALITY

43

Zero-Days Aff - Michigan 72AC DOMESTIC SURVEILLANCE (VERSION 2)

Counter-interpretation: domestic surveillance is the acquisition of nonpublic information concerning United States persons --- the plan meets because it curtails the acquisition of American companies’ intellectual property Small 8 [Matthew L., United States Air Force Academy, 2008, “His Eyes are Watching You: Domestic Surveillance, Civil Liberties and Executive Power during Times of National Crisis,” http://www.thepresidency.org/storage/documents/Fellows2008/Small.pdf] //khirn

Before one can make any sort of assessment of domestic surveillance policies, it is first necessary to narrow the scope of the term “domestic surveillance.” Domestic surveillance is a subset of intelligence gathering. Intelligence, as it is to be understood in this context, is “information that meets the stated or understood needs of policy makers and has been collected, processed and narrowed to meet those needs” (Lowenthal 2006, 2). In essence, domestic surveillance is a means to an end; the end being intelligence. The intelligence community best understands domestic surveillance as the acquisition of nonpublic information concerning United States persons (Executive Order 12333 (3.4) (i)). With this definition domestic surveillance remains an overly broad concept.

US persons include corporations IRS 15 [Internal Revenue Service, “Classification of Taxpayers for U.S. Tax Purposes,” May 5, 2015, <irs.gov/Individuals/International-Taxpayers/Classification-of-Taxpayers-for-U.S.-Tax-Purposes>] //khirn

United States PersonsThe term ''United States person'' means:A citizen or resident of the United StatesA domestic partnershipA domestic corporationAny estate other than a foreign estateAny trust if:A court within the United States is able to exercise primary supervision over the administration of the trust, andOne or more United States persons have the authority to control all substantial decisions of the trustAny other person that is not a foreign person.

“Nonpublic information” includes intellectual propertyTriQuint Semiconductor, Inc. 11 [“Investor Relations,” 8/4/11, http://www.triquint.com/products/d/investor-relations] //khirn

Definition of Material Nonpublic InformationIt is not possible to define all categories of material information. However, information should beregarded as material if there is a reasonable likelihood that it would be considered important toan investor in making an investment decision regarding the purchase or sale of the Company’ssecurities.While it may be difficult under this standard to determine whether particular information ismaterial, there are various categories of information that are particularly sensitive and, as ageneral rule, should always be considered material. Examples of such information may include,without limitation: Financial results

44

http://www.triquint.com/products/d/investor-relations

http://www.irs.gov/Individuals/International-Taxpayers/Classification-of-Taxpayers-for-U.S.-Tax-Purposes

http://www.irs.gov/Individuals/International-Taxpayers/Classification-of-Taxpayers-for-U.S.-Tax-Purposes

http://www.thepresidency.org/storage/documents/Fellows2008/Small.pdf

Zero-Days Aff - Michigan 7 Known but unannounced future earnings or losses Execution or termination of significant contracts with customers, distributors, originalequipment manufacturers, collaborators and other business partners News of a pending or proposed merger or other acquisition News of the disposition, construction or acquisition of significant assets Impending bankruptcy or financial liquidity problems Patent or other intellectual property milestones Scientific achievements or other developments from research efforts Significant developments involving corporate relationships Changes in dividend policy New product announcements of a significant nature Significant product defects or modifications Stock splits New equity or debt offerings Positive or negative developments in outstanding litigation Significant litigation exposure due to actual or threatened litigation Major changes in senior management Both positive and negative information may be material.Nonpublic information is information that has not been previously disclosed to the general publicand is otherwise not readily available to the general public .

Software vulnerabilities impinge on intellectual propertyOriola 11 [Taiwo A. Oriola, The School of Law, University of Ulster, Northland Road, Londonderry, United Kingdom, “BUGS FOR SALE: LEGAL AND ETHICAL PROPRIETIES OF THE MARKET IN SOFTWARE VULNERABILITIES,” Summer, 2011, The John Marshall Journal of Computer & Information Law, 28 J. Marshall J. Computer & Info. L. 451] //khirn

C. Could Vulnerabilities Research Impinge on Intellectual Property ? Whilst software is protected by both patent law n375 and copyright statute, n376 the most likely challenging intellectual property related statute [*508] for software vulnerabilities research and disclosure in the United States is the Digital Millennium Copyright Act ("DMCA"), n377 designed to strengthen digital copyright protection. n378 To this end, the DMCA prohibits circumventing access control to technology safeguarding digital copyright such as encryption. n379 Additionally, the DMCA forbids dissemination of devices or technologies that have few secondary commercial uses other than to primarily facilitate circumvention. n380 The DMCA also prohibits the removal or alteration of copyright management information appended to copyright files. n381 Significantly, the DMCA makes a limited exception for encryption research, which is defined as: activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the of knowledge in the field of encryption technology or to assist in the development of encryption products... n382

We meet --- disclosing zero-day’s curtails the NSA’s ability to surveil Mick 13 [Jason, news editor and columnist for the leading science and technology online publication, “Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years,” DailyTech, December 31, 2013, http://www.dailytech.com/Tax+and+Spy+How+the+NSA+Can+Hack+Any+American+Stores+Data+15+Years/article34010.htm] //khirn

According to him, the NSA has zero day vulnerabilities on hand that allow it to penetrate virtually any Wi-Fi router, Windows PC, external storage device, server, tablet, or smartphone. Rather than give this data to private sector firms to offer increased security to users , the NSA

45



Zero-Days Aff - Michigan 7turns around and exploits these flaws to spy on everyone -- sort of a digital equivalent of "sometimes you

have to burn a village to save it." The NSA calls its attack toolkit "FOXACID". FOXACID is packed with "QUANTUM" tools, which are NSA's digital lockpicks. Like many clumsy picks, they can damage the lock they attack, but it appears the NSA isn't terribly concerned about that.

46

Zero-Days Aff - Michigan 72AC DOMESTIC SURVEILLANCE (VERSION 1)

Software vulnerabilities, like all surveillance techniques, are dual-use --- even if they can be used for other purposes, the plan’s restriction is topical Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn

P189 As we have mentioned, even without considering its use by law enforcement, information about software vulnerabilities is inherently "dual use" --useful for both offense and defense. Related to the issue of reporting and proliferation is the question of how the law should treat information about vulnerabilities and the development of software tools that exploit them by non-law enforcement persons. Should information about vulnerabilities, and tools that exploit them, be restricted by law? How do existing statutes treat such information and tools? P190 The issue of how to handle such dual-use technologies is not new. The computer security community has grappled for years with the problem of discouraging illicit exploitation of newly discovered vulnerabilities by criminals while at the same time allowing legitimate users and researchers to learn about the latest threats, in part to develop effective defenses. n271 It is all but impossible to prevent information about vulnerabilities or software exploits that use them from getting in to the hands of criminals without hampering efforts at defense. On the one hand, information about zero-day vulnerabilities is coveted by criminals who seek unauthorized and illicit access to the computers of others. But the same zero-day information is also used, and sought out by, legitimate security researchers and computer scientists who are engaged in building defenses against attack and in analyzing the security of new and existing systems and software. P191 Even software tools that exploit vulnerabilities are inherently dual use. They can be used by criminals on the one hand, but are also useful to defenders and researchers. For example, computer and network system administrators routinely use tools that attempt to exploit vulnerabilities to test the security of their own systems and to verify that their defenses are effective. Researchers who discover new security vulnerabilities or attack methods often develop "proof of concept" attack software to test and demonstrate the methods they are studying. It is not unusual for software that demonstrates a new attack method to be published and otherwise made freely available by academics and other researchers. Such software is quite mainstream in the computer science research community. n272 [*63] P192 The software used by malicious, criminal attackers to exploit vulnerabilities can thus be very difficult to meaningfully distinguish from mainstream, legitimate security research and testing tools. It is a matter of context and intent rather than attack capabilities per se, and current law appears to reflect this. P193 Current wiretap law does not generally regulate inherently dual-use technology. The provision of Title III concerned with wiretapping equipment, 18 USC § 2512, generally prohibits possession and trafficking in devices that are "primarily useful" for "surreptitious interception" of communications, n273 which does not appear to apply to a wide range of current software exploit tools developed and used by researchers. We believe this is as it should be . The security research community depends on the open availability of software tools that can test and analyze software vulnerabilities. Prohibiting such software generally would have a deleterious effect on progress in understanding how to build more secure systems, and on the ability for users to determine whether their systems are vulnerable to known attacks. In addition, we note that given that the majority of vulnerability markets are outside the U.S., and that national security agencies are heavy purchasers of these vulnerabilities, n274 regulating them is not a plausible option. P194 The specialized tools developed by law enforcement to collect and exfiltrate evidence from targets' computers, however, might fall more comfortably under the scope of 18 U.S.C. § 2512 (2006) as it is currently written. These tools would not be developed to aid research or test systems, but rather to accomplish a law enforcement interception goal . They would have narrowly focused features designed to make their installation surreptitious and their ongoing operation difficult to detect. They would also have features designed to identify and collect specific data, and would have no alternative use outside the surreptitious interception application for which they were developed. Such tools,

unlike those used by researchers, could more easily meet section 2512's test of [*64] being "primarily useful" for "surreptitious interception," and thus would be unlawful if someone "manufactures,

47

Zero-Days Aff - Michigan 7assembles, possesses, or sells" them except under the circumstances spelled out in that section .

Zero-days are forms of targeted cyber surveillance Bae 14 [Eirik, “Nation-State Cyber Surveillance Options: The role of suppliers,” Master’s Thesis, Master of Science in Information Security, Department of Computer Science and Media Technology, Gjøvik University College, 2014, http://brage.bibsys.no/xmlui/bitstream/id/211999/EBae.pdf] //khirn

Nation-State Cyber Surveillance Options: The role of suppliers 4.2.2 Data at Rest In this thesis, the definition of data at rest is when data is residing in the device where the information is stored, and all the way, until it leaves the location or device. In order to access data at rest, it will require some sort of targeted access to the suspect’s device. This can be achieved by legal or less legal means, by either physical seizing the equipment or perform a technical infiltration. It would be fair to assume that governmental agencies choose to adhere to laws and stay as much as possible within the policies and regulations that they have. Alternatives for targeted cyber surveillance are described in Section 4.2.2. Targeted Cyber Surveillance In order to perform targeted cyber surveillance it would in most cases be necessary to somehow examine information on their target’s device. There are different ways that the governmental agencies could access this information. Possible ways to do this is to seize the device, or exploit it either locally or remotely. This section explains options we observed that could be used for performing targeted cyber surveillance by nation-states. Seizing of devices Seizing of devices is an approach that enables the nation-state to get a hold of the device. This can be done in a legal way where a warrant is required to seize the device [68]. The less legal way is also optional, in which the device is simply being stolen from their target. Seizing devices is not a part of a cyber-operation, but it is an effective way to get a hold of devices that store important information. Device exploitation The alternative to physically seizing the device is to use a semi-legal approach to infiltrate the device locally or remotely, e.g. phishing, and then rely on some sort of surveillance software or hardware installations for data collection. For most exploitation, there is a need to get a hold of exploits that can be used on vulnerable targets. In order to make sure that the exploit has a high rate of success it could be necessary to use zero-day exploits , i.e. exploits that are not yet disclosed to the world, and therefore not yet been patched [69, p. 1]. Such zero-day exploits can exploit vulnerabilities in software and hardware. Options for acquisition of exploits are shown in Table 4.

Zero-days are surveillance --- hot debate in the literature Greenberg 14 [Andy, “Kevin Mitnick, once the world’s most wanted hacker, is now selling zero-day exploits,” Wired, 9/24/2014, http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/] //khirn

As the zero day market has come to light over the last several years, freelance hackers’ sale of potential surveillance tools to government agencies has become a hotly debated ethical quandary in the security community. The notion of Kevin Mitnick selling those tools could be particularly eyebrow-raising; After all, Mitnick became a symbol of government oppression in the late 1990s, when he spent four and a half years in prison and eight months in solitary confinement before his trial on hacking charges. The outcry generated a miniature industry in “Free Kevin” T-shirts and bumper stickers. Enabling targeted surveillance also clashes with Mitnick’s new image as a

privacy advocate; His forthcoming book titled “The Art of Invisibility” promises to teach readers “cloaking and countermeasures” against “Big Brother and big data.”

Vulnerability exploitation is a type of electronic surveillance Bellovin et al. 14 [Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet”, 12 Nw. J. Tech. & Intell. Prop. 1 (2014), http://scholarlycommons.law.northwestern.edu/njtip/vol12/iss1/1] //khirn

Vulnerability exploitation has more than a whiff of dirty play about it; who wants law enforcement to be developing and using malware to break into users’ machines? We agree that this proposal is disturbing. But as long as

48

http://scholarlycommons.law.northwestern.edu/njtip/vol12/iss1/1

http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/

http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/

http://brage.bibsys.no/xmlui/bitstream/id/211999/EBae.pdf

Zero-Days Aff - Michigan 7wiretaps remain an authorized investigatory tool, law enforcement will press for ways to accomplish electronic surveillance even in the face of communications technologies that make it very difficult. We are at a crossroads where the choices are to reduce everyone’s security or to enable law enforcement to do its job through a method that appears questionable but that does not actually make us less secure. In this debate, our proposal provides a clear win for both innovation and security.

Zero-days are surveillance tools ISN 14 [“Exporting Surveillance: A New International Security Issue,” The International Relations and Security Network, 31 July 2014, http://www.isn.ethz.ch/Digital-Library/Articles/Detail/?id=182246] //khirn

From the Stasi in Cold War East Germany to security forces in contemporary Syria, surveillance has long been an effective tool for authoritarian governments to root out dissent and identify potential points of unrest. Before the widespread use of the Internet and social media, domestic surveillance depended on a heavy police presence, human intelligence methods, and the occasional use of technology to bug a room or tap a wire. Today, governments are increasingly using these new technologies to collect and monitor the data and conversations of their citizens on an unprecedented scale. Until recently, the global trade in equipment enabling electronic surveillance was largely unchecked. It first entered the spotlight after the Arab uprisings. When the archives of fallen Arab regimes opened to the public, they provided a unique insight into those regimes’ inner workings and trade relationships. As a result, the French government opened a judicial inquiry into Amesys, a French company that sold surveillance technology to Gadhafi’s security forces. Remnants of Blue Coat operating systems , sold by an American company, were also uncovered in Syria. This made it clear that companies in the U.S. and Europe were providing these technologies to regimes with dubious human rights records that used them against their citizens. The global market for surveillance tools has ballooned in recent years. According to the Wall Street Journal , the retail market for these technologies “sprung up from ‘nearly zero’ in 2001 to around $5 billion a year” in 2011. This explosion in demand reflects the shifting dynamics of surveillance associated with the move online. While these technologies, such as Hacking Team’s Remote Control System and Gamma International’s FinFisher, can be useful for law enforcement purposes, they become problematic when exported to countries without the rule of law and with little respect for human rights. Recent reports even suggest that the Ethiopian government used kits supplied by European firms to spy on people living in the United States and the United Kingdom.

The aff is a key part of topic literature Fidler 14 [Mailyn, Stanford University, “Anarchy or regulation: Controlling the global trade in zero-day vulnerabilities,” thesis submitted to the Interschool Honors Program in International Security Studies, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf] //khirn

U.S. policy towards zero-days has received significant attention for multiple reasons. The U.S. government, specifically the NSA, is a known purchaser of vulnerabilities.55 The United States is believed to have used zero-days in a major cyber operation (Stuxnet), and the Snowden documents revealed additional information about U.S. government vulnerability use. In the aftermath of Snowden, U.S. vulnerability policy was included in discussions about the need for reform of cyber surveillance policy . Then, the recent Heartbleed bug situation forced the White House to be more transparent about the zero-day issue than it had before. These policy explanations indicated the administration has a “bias” towards responsibly disclosing vulnerabilities , but that the U.S. government reserves the right to keep vulnerabilities secret by making “a broad exception for ‘a clear national security or law enforcement need.’”56 Chapter 3 analyzes U.S. vulnerability policy in more detail. The level of attention paid to U.S. policy on the zero-day issue, both pre-Snowden and post-Snowden, is an indicator that the zero-day issue is a serious national and international security problem.

Zero-days are surveillance toolsFidler 14 [Mailyn, Stanford University, “Anarchy or regulation: Controlling the global trade in zero-day vulnerabilities,” thesis submitted to the Interschool Honors Program in International

49

https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf


http://www.isn.ethz.ch/Digital-Library/Articles/Detail/?id=182246

Zero-Days Aff - Michigan 7Security Studies, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf] //khirn

The judicial review mechanisms addressed here, primarily FISA/FISC, deal with the authorization of foreign intelligence activities. As such, they are tool-neutral: foreign intelligence surveillance enabled by a zero-day vulnerability or via wiretapping would likely be treated the same by this statute and court. Given this aspect, there is not an obvious role for judicial oversight of use or purchase of zero- day vulnerabilities. Establishing FISC oversight over purchase, use, or disclosure of zero-days is not in keeping with the judiciary’s role in this context and would likely be opposed by the intelligence community as heavy-handed and unnecessary. The intelligence community would likely, and perhaps rightly, question whether an operation carried out using a purchased zero-day vulnerability deserves greater judicial scrutiny than other operations.

Any attempt to limit out zero-days is super arbitrary Fidler 14 [Mailyn, Stanford University, “Anarchy or regulation: Controlling the global trade in zero-day vulnerabilities,” thesis submitted to the Interschool Honors Program in International Security Studies, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf] //khirn

Despite King’s confidence that “if we keep the text as is, we’re fine,” the existing language does raise questions. The language attempts to establish a difference between, for instance, a root kit and the tool that deploys or communicates the root kit. This difference matters, because it determines the tools actually controlled by the change. In theory, this distinction regulates surveillance tools but not the components of surveillance tools; it would control the system using a zero-day vulnerability, but not the zero-day. This difference would theoretically mean security researchers could continue to use tools vital to their work, because they do not typically deploy the same large-scale systems orchestrating or communicating such tools that the targeted companies deploy. The distinction, despite not targeting zero-days, may have secondary effects on the zeroday market. For instance, VUPEN is suspected of supplying Hacking Team with zero-days.599 If Hacking Team’s market for surveillance systems decreases, they may not buy as many component zero-days, decreasing VUPEN’s customer base. However, VUPEN has many other clients besides surveillance system sellers , particularly government clients, and so these secondary effects on companies like VUPEN may not be very dramatic.

Cyberwar instruments are topical --- the NSA uses them for surveillance Ranger 15 [Steve Ranger, May 6, 2015, “The impossible task of counting up the world's cyber armies,” ZDNet, UK editor-in-chief, TechRepublic and ZDNet] //khirn

Calculating the scale of the world's cyber-warfare forces is a tricky business. Even for Western governments which are relatively open about the scale of their armed forces, cyber warfare is one area where most clam up.That's partly because they are reluctant to tip off potential adversaries about their capabilities, but the bigger issue is that it's intelligence agencies like the NSA and GCHQ that have been pioneering the use of the internet for surveillance and have the highest-level skills. As spies like to operate in the shadows, that means that a veil of secrecy is thrown over most details of military cyber operations, even though the scale of the investment and operations continues to grow.

50





Zero-Days Aff - Michigan 71AR TOPICALITY

Technical precision w/r/t surveillance definitions is impossible --- prefer guiding the topic by centering debate around core literature controversies Fidler 14 [Mailyn, Stanford University, “Anarchy or regulation: Controlling the global trade in zero-day vulnerabilities,” thesis submitted to the Interschool Honors Program in International Security Studies, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf] //khirn

The distinction also raises technical questions. When are lines of code “specially designed” for installation of intrusion software? Is it just the line that says “install rootkit.exe” that is controlled? 600 If so, the regulation would be meaningless, because such a line is easily added or removed. Is any program that includes an install line included? If so, the regulation is overbroad . These examples

are simple, because one line of code is often not the extent of the installation architecture, but it demonstrates the point. Without greater regulatory and technical clarity about the distinction between peripheral software and the components of intrusion software, the attempt to control digital surveillance tools may be thwarted or damage legitimate security research .

51



Zero-Days Aff - Michigan 7AT: ORIOLA CONCLUDES NEG

The DMCA restricts vulnerabilities research --- acquiring vulnerabilities is acquiring intellectual property Oriola 11 [Taiwo A. Oriola, The School of Law, University of Ulster, Northland Road, Londonderry, United Kingdom, “BUGS FOR SALE: LEGAL AND ETHICAL PROPRIETIES OF THE MARKET IN SOFTWARE VULNERABILITIES,” Summer, 2011, The John Marshall Journal of Computer & Information Law, 28 J. Marshall J. Computer & Info. L. 451] //khirn

It is noteworthy, however, that, but for a special representation made by the encryption research community to the Congress, which urged the research exception prior to the release of the final version and enactment of the DMCA, there would be no encryption research exception in the DMCA at all. n394 Nevertheless, the limited encryption research exception has been criticized for imposing too restrictive operative conditions . These range from the narrow conception of what encryption research entails, n395 to the requirement that researchers must first seek authorization of copyright owners prior to engaging in research , n396 to the ostensible exclusion of non-academic researchers (such as non-affiliated individual researchers or "hobbyists") from the list of qualified encryption researchers, n397 to the restrictive conditions for the publication or dissemination of research information or outcomes. n398 There is indeed ample evidence that security and encryption researchers are wary of the possible civil and criminal penalties that a violation of any of the restrictive provisions of the DMCA on encryption research, security testing, and reverse engineering of software could engender. n399 Notable amongst such incidents was the much publicized [*511] event in which Professor J. Alex, Halderman, then a graduate student at Princeton University delayed the publication of the existence of several security vulnerabilities that he found in the CD copy-protection software on dozens of Sony-BMG titles. He delayed disclosing the vulnerabilities for several weeks whilst he sought legal advice from lawyers on how to avoid running afoul of DMCA pitfalls, a measure that left millions of music fans unnecessarily at risk. n400 The fear of prosecution or litigation by vulnerabilities researchers is not entirely unfounded as exemplified by several incidents of actual threats of DMCA lawsuits. For example, in April 2003, the educational software company, Blackboard Inc., obtained a temporary restraining order to stop the presentation of research on security vulnerabilities in its software products at the InterzOne II conference in Atlanta. n401 The said software security vulnerabilities pertained to the Blackboard ID card system used by university campus security systems. However, the students who were scheduled to speak on the vulnerabilities and the conference organizers had no opportunity to challenge the temporary restraining order, which was obtained ex parte on the eve of the event. n402

52


INHERENCY

53

Zero-Days Aff - Michigan 72AC INHERENCY

Recent leaks show that the NSA is sitting on mounds of zero-days Crocker 15 [Andrew, staff attorney on the Electronic Frontier Foundation’s civil liberties team, J.D. Harvard University, “The Government Says It Has a Policy on Disclosing Zero-Days, But Where Are the Documents to Prove It?,” March 30, 2015, https://www.eff.org/deeplinks/2015/03/government-says-it-has-policy-disclosing-zero-days-where-are-documents-prove-it] //khirn

We have known for some time that the U.S. intelligence and law enforcement community looks to find and exploit vulnerabilities in commercial software for surveillance purposes. As part of its reluctant, fitful transparency efforts after the Snowden leaks, the government has even officially acknowledged that it sometimes uses so-called zero-days. These statements are intended to reassure the public that the government nearly always discloses vulnerabilities to software vendors, and that any decision to instead exploit the vulnerability for intelligence purposes is a thoroughly considered one. But now, through documents EFF has obtained from a Freedom of Information Act (FOIA) lawsuit, we have learned more about the extent of the government’s policies, and one thing is clear: there’s very little to back up the Administration’s reassuring statements . In fact, despite the White House’s claim that it had “reinvigorated” its policies in spring 2014 and “established a disciplined, rigorous and

high-level decision-making process for vulnerability disclosure,” none of the documents released in response to our lawsuit appear to be newer than 2010. Last spring, the Office of the Director of National Intelligence (ODNI) issued a strong denial of press reports that the NSA knew about and exploited the Heartbleed vulnerability in the OpenSSL library. As part of that denial, the ODNI described the “Vulnerabilities Equities Process” (VEP), an “interagency process for deciding when to share vulnerabilities” with developers. EFF submitted a FOIA request to ODNI and NSA to learn more about the VEP and then sued to force the agencies to release documents. ODNI has now finished releasing documents in response to our suit, and the results are surprisingly meager. Among the handful of heavily redacted documents is a one-page list of VEP “Highlights” from 2010. It briefly describes the history of the interagency working group that led to the development of the VEP and notes that the VEP established an office called the “Executive Secretariat” within the NSA. The only other highlight left unredacted explains that the VEP “creates a process for notification, decision-making, and appeals.” And that’s it. This document, which is almost five years old, is the most recent one released. So where are the documents supporting the “reinvigorated” VEP 2.0 described by the White House in 2014? Nor do the documents we have seen do much to back up the claim that VEP 1.0 ever functioned as a guide for helping the government decide whether to disclose zero-days. Meanwhile, reports describing the CIA’s annual hacker “jamboree” instead suggest that there’s little stopping the government from exploiting vulnerabilities it comes across. Indeed, none of the documents describing the CIA’s jamboree contain the slightest suggestion that the VEP was actively considered. Writing about the newly released documents in Wired, Kim Zetter places them in the context of the government's development of the Stuxnet worm: We know that Stuxnet, a digital weapon designed by the U.S. and Israel to sabotage centrifuges enriching uranium for Iran’s nuclear program, used five zero-day exploits to spread between 2009 and 2010—before the equities process was in place. One of these zero-days exploited a fundamental vulnerability in the Windows operating system that, during the time it remained unpatched, left millions of machines around the world vulnerable to attack. Since the equities process was established in 2010, the government has continued to purchase and use zero days supplied by contractors. The older documents [.pdf] released to EFF by ODNI are so thoroughly redacted that it’s difficult to glean much from them, though they seem mainly to report progress made by the working group developing the VEP over the course of several months in 2008. One suggests that the working group recognized different considerations between the government’s “Offense” and “Defense” functions in dealing with zero-days. Another tantalizingly mentions that the working group asked stakeholders to begin “drafting of scenarios (vignettes)” to illustrate the policy issues involved in the VEP, but of course any such vignettes in the documents are redacted. The core of the concern over the government’s use of zero-days is that these vulnerabilities often exist in products that are used widely by the general public. If the government keeps a vulnerability secret for intelligence purposes, it does not notify the developer, which would likely otherwise issue a patch and protect users from online adversaries such as identity thieves or foreign governments who may also be aware of the zero-day . Nevertheless, the Snowden leaks have shown that the government apparently routinely sits on zero-days , something that President Obama’s own Review Group strongly recommended against [.pdf]. The VEP is supposedly an

54

Zero-Days Aff - Michigan 7answer to these concerns, but right now it looks like just so much vaporware .

Loopholes allow continued secrecy Zetter 14 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, http://www.wired.com/2014/04/obama-zero-day/] //khirn

AFTER YEARS OF studied silence on the government’s secret and controversial use of security vulnerabilities, the White House has finally acknowledged that the NSA and other agencies exploit some of the software holes they uncover, rather than disclose them to vendors to be fixed. The acknowledgement comes in a news report indicating that President Obama decided in January that from now on any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others

so that it can be patched, according to the New York Times. But Obama included a major loophole in his decision, which falls far short of recommendations made by a presidential review board last December: According to Obama, any flaws that have “a clear national security or law enforcement” use can be kept secret and exploited . This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation. A so-called zero-day vulnerability is one that’s

unknown to the software vendor and for which no patch therefore exists. The U.S. has long wielded zero-day exploits for espionage and sabotage purposes, but has never publicly stated its policy on their use. Stuxnet, a digital weapon used by the U.S. and Israel to attack Iran’s uranium enrichment program, used five zero-day exploits to spread.

No disclosure now --- multiple government agencies purchasing zero-daysMimiso 15 [Michael, responsible for the editorial direction of the Security Media Group at TechTarget, including Information Security magazine, “US Navy Soliciting Zero Days,” ThreatPost, June 15, 2015, https://threatpost.com/us-navy-soliciting-zero-days/113308] //khirn

The National Security Agency may find and purchase zero days, but that doesn’t mean it’s sharing its hoard with other government agencies such as the U.S. Navy, which apparently is in the market for some unpatched, undisclosed vulnerabilities of its own. A request for proposal posted last Wednesday—which has since been taken down—to FedBizOpps.gov was a solicitation by the Naval Supply Systems Command seeking a CMMI-3 (Capability Maturity Model Integration) contractor capable of producing operational exploits that integrate with commonly used exploitation frameworks, the RFP said. The Navy said it was looking for vulnerability intelligence, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others. Microsoft, IBM and EMC (parent company of RSA Security) declined to comment for this article. Requests for comment were also made to Adobe and Apple, neither of which was returned prior to publication. “The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software,” the RFP said. “The government will select from the supplied list and direct development of exploit binaries. “Completed products will be delivered to the government via secured electronic means,” the RFP continues. “Over a one year period, a

minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.” Per the solicitation, it would seem the Navy is looking not only for offensive weapons, but also those that meet the need internally to emulate hacker tactics and capabilities. “Reading the call, it seems as much about N-day (N<6 months) as 0-day for the red team when evaluating their own systems,” said Nicholas Weaver, a senior network security and malware researcher with the University of California at Berkeley. “And it’s as much about the capability of turning vulnerability reports into exploits. “I wouldn’t think of it as too out of the ordinary for such a solicitation about ‘offensive tools for defensive use,'” Weaver added. The request, however, does require the contractor to develop exploits for future released CVEs. “Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network

signatures from proof of concept code that may be found in the wild,” the RFP said. The government’s involvement in the use and purchasing of zero days has always been a contentious point, not only over how the exploits will be used, but also because details won’t be disclosed to the vendor leaving potentially millions of users exposed to attacks. Shortly after the disclosure last year of the Heartbleed vulnerability in OpenSSL, White House cybersecurity coordinator and special assistant to the president Michael Daniel explained the executive branch’s position on disclosure, which somewhat lines up with the NSA’s stance, in that there are occasions when the government won’t share bug details with

vendors. “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest . But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” Daniel wrote in April 2014. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.” Daniel’s memo shares the high-level questions the government considers when an agency proposes

withholding vulnerability details from a vendor. The Electronic Frontier Foundation (EFF) today wrote that it’s skeptical the so-called Vulnerabilities Equities Process results in many disclosures considering the financial

55

https://threatpost.com/us-navy-soliciting-zero-days/113308


Zero-Days Aff - Michigan 7investment that, in this case, the U.S. Navy would make in contracting zero-day development;

individual zero-days reportedly can sell for as much as six figures in legitimate and underground markets. “What’s

more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities,” wrote Nate Cardozo and Andrew Crocker of the Electronic Frontier Foundation. “As

we’ve explained before, the decision to use a vulnerability for ‘offensive’ purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users .” The NSA,

for example, has a twofold mission to not only protect American networks, but also to gather data from foreign networks, which could include penetrating those networks using vulnerabilities the agency has

discovered or purchased. The need to keep those vulnerabilities under wraps is of great value to the NSA,

something director Adm. Michael S. Rogers said during a November speech that he discussed with the president. “He also said, look, there are some instances when we’re not going to [share vulnerability information]. The thought process as we go through this policy decision, the things

we tend to look at are, how foundational and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative we could use?” Rogers said. “Those answers shape the decision.”

56


SOLVENCY

57

Zero-Days Aff - Michigan 72AC CORPORATE TRUST KEY

Only building trust fosters trust cooperation between the private sector and the government --- surveillance is keyNtim 15 (Andrew Ntim, Research Assistant at the Stanford University Social Psychology lab, “Cybersecurity in an Age of Distrust”, 2/20/2015, http://stanfordpolitics.com/2015/02/cybersecurity-in-an-age-of-distrust/)//CLi

The central problem is that Obama’s plan fails to tackle the most important part of cybersecurity: how exactly cooperation between the public and private sector will work. As Obama said in his address, “This has to be a shared mission … Government cannot do this alone. But the private sector cannot do it alone, either.” And Obama’s plan, for all its positive contributions, does remarkably little to facilitate this sort of necessary cooperation from either a policy or a procedural standpoint. What does it take to get government and business to work together productively in the cyber security realm? Ken Chenault, American Express CEO, made it clear in his panel discussion at Friday’s cybersecurity summit: “What we’re really talking about when we talk about cybersecurity is trust.” The extent to which consumers trust companies like American Express to behave safely, ethically, and respectfully in their online dealings is integral to the companies’ bottom line. Trust between the private sector and the government is integral to internet security . But the fact of the

matter is that recent governmental power-grabs, from those revealed in Snowden’s leaks to the more recent situation of government-sponsored spying programs hidden in US products,

give private corporations few reasons to trust the government in today’s digital realm . Obama is aware of the existence of this mistrust. The day after his Stanford appearance, in aninterview with Re/code’s Kara Swisher, he noted that “the Snowden disclosures were really harmful in terms of the trust between the government and many of these companies.” So, in this post-Snowden world, how do we promote a greater level of trust between the federal government and private companies? Here are two suggestions that can at least lead us in the right direction. First, we should work to make government more transparent. If companies aren’t able to see how their shared data is being used by the

government, what incentive do they have to give it up? More transparency would be a catalyst for cooperation , and would also help ensure customers that companies aren’t betraying them when giving up their data for cybersecurity purposes. Yet in past years, more FOIA (Freedom of Information Act) requests have been denied than ever before, and confidential requests for personal data through the Foreign Intelligence Surveillance Act are on the rise. These things need to change before the government and private sector can cooperate adequately. Second, government must genuinely respect consumers’ right to privacy. Consumers’ trust that a company will respect their privacy online is critical to its economic success. However, by attempting to crack down on private companies’ protection of their customers’ data, and even at times forcing them to install backdoors to their encryption methods, the Obama administration has hurt consumers and companies alike. And by ignoring the privacy concerns raised by their actions, the administration has further eroded the already shaky trust between business and government. If Obama expects companies to voluntarily share their cybersecurity information and algorithms in the future, it’s important for policies such as these to be discontinued. To conclude his speech, Obama quoted one of the key philosophies from Google — that, with the help of technology, “the future is awesome.” But I think there might have been a more apt Google catchphrase for him to use: “There’s always more information out there.” When it comes to cybersecurity, it’s no secret that we’ve got a long way to go in learning about and deterring the threats present to our internet today. Merely creating information sharing networks, such as the ISAOs in Obama’s executive order, cannot be enough. Only when we have an attitude of trust and respect between the government and private sectors can the meaningful cooperation necessary for a more secure internet exist . And if we can’t address the concerns of transparency and privacy that have held back this trust for so long, the future may be a very un-awesome place indeed.

58

http://www.itproportal.com/2014/10/02/us-government-frightened-of-apple-and-google-encryption

http://recode.net/2015/02/15/white-house-red-chair-obama-meets-swisher/

http://recode.net/2015/02/15/white-house-red-chair-obama-meets-swisher/

http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

http://stanfordpolitics.com/2015/02/cybersecurity-in-an-age-of-distrust/)//CLi

Zero-Days Aff - Michigan 72AC MODELING

US policies spillover—leads to international cooperationFidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

International cooperation is needed on the zero-day issue, but U.S. leadership is required to catalyze such cooperation. Snowden’s disclosures have caused significant problems for the United States, reducing receptivity to cooperation with the United States on cyber issues. This 178 problem is exacerbated by the need to have the United States, as a major cyber player, involved in international negotiations. Existing confusion and controversy over national U.S. policies towards zero-day vulnerabilities create further obstacles to addressing these issues at an international level. The U nited S tates needs to establish policy clarity at a national level to set the stage for collective action, signaling to other nations its seriousness about the problem and the nature of American interests towards it. Richard Clarke and Peter Swire agree: “we create a more secure and useful global Internet if other nations, including China and Russia, adopt and implement similar policies” to what the Obama administration recently announced about U.S. zero-day policy, but “because they [other nations] are unlikely to do so any time soon, the Obama administration should also step up its efforts” and create “the basis for an international norm of behavior.”669 This thesis argues that the U.S. government must do more to strengthen its own zero-day policies as a necessary element of addressing the need for collective action.

US security policies modeled globally—plan spills overDemchak 14 (Chris Demchak , Professor of Cyber Security and Co-Director, Center for Cyber Conflict Studies and Peter Dombrowski, professor of strategy at the Naval War College where he serves as the chair of the Strategic Research Department. He has also been affiliated with research institutions including the East-West Center, The Brookings Institution, the Friedrich Ebert Foundation, and the Watson Institute for International Studies at Brown University among others. “Rise of a Cybered Westphalian Age: The Coming Decades”, The Global Politics of Science and Technology - Vol. 1, July 24, 3014, http://link.springer.com/chapter/10.1007/978-3-642-55007-2_5)//CLi

In the fall of 2010, the US Cyber Command became operational after an exceptionally rapid year of institutional and legal preparation (Whitney 2010). This institutional response to the rise of the cybered conflict age emerged to anchor a future cybered border for the whole nation. Its initial mission was to protect only military organizations from cyber attack, but as soon as a military unit existed to create a cyber safety wrapper around US critical military assets, political statements emerged about creating the same protection for the whole nation (Lynn 2010). From the RMA to net-centric warfare, the United States has long provided innovative models for national security that diffuse internationally (Golfman and Eliason 2003). For the United States to announce a new national cyber command automatically provokes a new debate in the international military and legal communities (Shackelford 2009). Whether or not other nations need, want, or can afford to have a singular military unit focused on cybered conflict, their leaders, doctrine writers, and strategic thinkers will contemplate the potential benefits of the model. If patterns of military emulation hold true, many nations will develop organizations that look like a national cyber command. Already we have seen nations closely associated with the United States either creating their own cyber commands or declaring an interest in approximating the functions of US Cyber Command.

59

https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

Zero-Days Aff - Michigan 72AC PLAN SOLVES ZERO DAY DEMAND

Absent agency demand, the zero-day market declines and reduces vulnerabilityStockton and Goldman 13 (Paul Stockton, former Assistant Secretary of Defense for Homeland Defense and America’s Security Affairs, and Michele Golabek-Goldman, who has a JD from Yale Law School. “Curbing the Market for Cyber Weapons”, December 18th, 2013, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2364658)//CLi

Threading through much of our analysis is an underlying policy issue: the tradeoff for U.S. agencies between the benefits of access to an unfettered market for weaponized Øday exploits, versus the benefits of clamping down on that mar-ket. Some have suggested that the United States created the cyberweapons market by being the first to pay extraordinarily high prices for zero-days. They have ac-cused the United States of

“creat[ ing] Frankenstein by feeding the market . ”147 Others have gone so far as to propose that, rather than regulating the supply side of the market, U.S. government agencies should curb the demand side by relinquishing their own purchases of exploits .148 If agencies did so, the market would lose some of its most well-paying buyers, potentially deterring suppliers from scouring software for vulnerabilities . Before relinquishing such purchases, U.S. policymakers would first need to examine the potential costs of doing so in terms of foregoing potentially valuable information from the exploit market. Some analysts have indicated that if U.S. agencies halted their exploit-purchasing program, they would be deprived of crit-ical tools for defending U.S. networks against attack.150 Law enforcement agencies would likewise forgo valuable technologies for tracking underground crimi-nals.151 But do these agencies weigh these benefits against the potentially cata-strophic risks that the Øday market poses to U.S. security? We have seen no evi-dence that they do. The time has come for Congress, Executive Branch leaders, the software industry, and scholars to bring this tradeoff analysis into the open and determine whether staying at the extreme end of the policy spectrum—that of de facto support for a dangerous bazaar for Øday-exploits—best serves U.S. national security.

60

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2364658)//CLi

Zero-Days Aff - Michigan 72AC PLAN SOLVES CYBERSECURITY

Laundry list of reasons supporting zero day market is badHerley et al. 13 (Serge Egelman, University of California, Berkeley, CA, USA; Cormac Herley, Microsoft Research, Redmond, WA, USA; Paul C. van Oorschot, Carleton University, Ottawa, Ontario, Canada. Published in NSPW '13 Proceedings of the 2013 workshop on New security paradigms workshop; Pages 41-46. “Markets for zero-day exploits: ethics and implications.” Published 2013. Accessed June 24th, 2015. http://dl.acm.org/citation.cfm?id=2535818 (must follow link to full text PDF to access full text.)) KalM

Injecting money into dubious circles is morally suspect. Cybercriminal circles intersect with organized crime, drug cartels and terrorism. We should not be involved in financing these operations. • The cobra effect: 5 paying for exploits creates an adverse incentive to plant bugs for later harvest. Humans are extraordinarily good at gaming any system put in place, and the chance of software that is less (vs. more) secure is very real. • Is this just a way for companies like Microsoft, Google and Apple to outsource product testing on the cheap? If they can get away with getting work done without paying salary and benefits, they will. Is it good for society, or the industry, if that happens? • 0-day markets encourage the private sale (and nondisclosure) of details of exploits, to better allow the buyer to execute the exploit for private benefit. • Markets create attractive incentives for more smart people to spend time finding vulnerabilities—and if it is true that the more you look, the more bugs you will find, then such attractive markets will increase the number of (privately-known) vulnerabilities.

Hoarding knowledge bad – causes widespread insecurity Comninos and Seneque 14 [Alex, Justus-Liebig University Giessen, and Gareth, Geist Consulting, “Cyber security, civil society and vulnerability in an age of communications surveillance,” GIS Watch, 2014, http://giswatch.org/en/communications-surveillance/cyber-security-civil-society-and-vulnerability-age-communications-sur] //khirn

The NSA is also believed to hoard knowledge about vulnerabilities rather than sharing them with developers, vendors and the general public,40 as well as even maintaining a catalogue of these vulnerabilities for use in surveillance and cyber attacks.41 None of these activities serve to make the internet more secure. In fact, they do the very opposite. As US Congresswoman Zoe Lofgren commented: “When any industry or organisation builds a backdoor to assist with electronic surveillance into their product, they put all of our data security at risk. If a backdoor is created for law enforcement purposes, it’s only a matter of time before a hacker exploits it, in fact we have already seen it happen."42 The fact that the NSA is actively working to make the internet insecure points to the contradictions in its dual mandate: simultaneously securing and breaking cyber security. On the one hand it is tasked with securing information and communications networks (falling under its “Information Assurance” mandate), and on the other hand it is tasked with surveilling information and communications networks (its “Signals Intelligence” mandate).43 Similar tensions exist within the US military, which is tasked with both defending national networks from hacking attacks as well as with conducting offensive hacking attacks. The US "cyber command", the military command for the “cyber domain”, is under the stewardship of the NSA commander. This conflict of interest in the NSA's dual role has not been addressed in current NSA reform. Tasked with “national security”, intelligence agencies like the NSA have a conflicting mandate that cannot enable them to actually provide US citizens with cyber security, in the same way that states are for example able to provide us with physical security. It will always be against the interests of intelligence agencies to assure the provision of secure technologies that cannot be eavesdropped on. This is exacerbated by a cyber security-surveillance industrial complex of government agencies and private contractors selling hacking and surveillance products, with revolving doors between the two. We need to be very wary of intelligence agencies being given roles as stewards of cyber security.

61

http://giswatch.org/en/communications-surveillance/cyber-security-civil-society-and-vulnerability-age-communications-sur


http://dl.acm.org/citation.cfm?id=2535818

Zero-Days Aff - Michigan 72AC SURVEILLANCE SOLVES

The plan solves cyber operations --- surveillance is a prerequisite to NSA digital warfare Appelbaum et al. 15 [Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer, “The Digital Arms Race: NSA Preps America for Future Battle,” January 17, 2015, http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html] //khirn

Surveillance only 'Phase 0' From a military perspective, surveillance of the Internet is merely "Phase 0" in the US digital war strategy. Internal NSA documents indicate that it is the prerequisite for everything that follows . They show that the aim of the surveillance is to detect vulnerabilities in enemy systems . Once "stealthy implants" have been placed to infiltrate enemy systems, thus allowing "permanent accesses," then Phase Three has been achieved -- a phase headed by the word "dominate" in the documents. This enables them to "control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0)." Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is "real time controlled escalation".

62

http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

Zero-Days Aff - Michigan 72AC “RELEVANT VENDORS”

[This answers arguments about vulnerabilities in “orphaned” software]

Relevant vendors are software vendors, standards bodies, or the public at large if nobody’s responsibleBellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn

P171 To whom should a vulnerability report be made? In many cases, there is an obvious point of contact: a software vendor that sells and maintains the product in question, or, in the case of open-source software, the community team maintaining it. In other cases, however, the answer is less clear. Not all software is actively maintained; there may be "orphan" software without an active vendor or owner to report to. n253 Also, not all vulnerabilities result from bugs in specific software products. For example, standard communications protocols are occasionally found to have vulnerabilities, n254 and a given protocol may be used in many different products and systems. In this situation, the vulnerability would need to be reported not to a particular vendor, but to the standards body responsible for the protocol. Many standards bodies operate entirely in the open, n255 however, which can make quietly reporting a vulnerability--or hiding the fact that it has been reported by a law enforcement agency--problematic. In this situation, the choice is simple: report it openly.

63

Zero-Days Aff - Michigan 72AC US KEY TO ZERO DAY MARKETS

US key to the global market for zero-daysPaganini 13 (Pierluigi Paganini, Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", “Zero-day Market, the Government are the Main Buyers”, http://securityaffairs.co/wordpress/14561/malware/zero-day-market-governments-main-buyers.html)

Governments, and in particular US one, are principal buyers of zero-day vulnerabilities according a report published by Reuters. Zero-days exploits are considered a primary ingredient for success of a cyber attack, the knowledge of zero-day flaw gives to the attacker guarantee of success, state-sponsored hackers and cyber criminals consider zero-day exploits a precious resources around which is grown a booming market. Zero-day exploits could be used to as an essential component for the design of a cyber weapon or could be exploited for cyber espionage purposes, in both cases governments appear the most interested entities for the use of these malicious code. Recent cyber attacks conducted by Chinese hackers might lead us to think Chinese Government is primary buyer/developer for zero-day vulnerabilities, but a report recently published by Reuters claimed the US government is the “biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.” Reuters revealed

that the US Government, in particular its intelligence agency and the DoD are “spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head.”, it’s a news way to compete with adversary in cyberspace. Recent tension between China and US gave security experts the opportunity to discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities. Both countries are largely invested in the creation of new cyber units, but according intelligence sources, offensive approach seems to be most stimulated by the need to preserve the security in the cyberspace. NSA chief General Keith Alexander told Congress that the US Government is spending billions of dollars every year on “cyberdefense and constructing increasingly sophisticated cyberweapons ” this led to the birth of “more than a dozen offensive cyber units, designed to mount attacks, when necessary, at foreign computer networks.” Popular hacker Charlie Miller, security researcher at Twitter, with a past collaboration with NSA confirmed the offensive approach to cyber security: “The only people paying are on the offensive side,” The emerging zero-day market is fueled by intense activities of talented hackers who sell information on flaws in large use products. According Reuters defense contractors and intelligence agencies “spend at least tens of millions of dollars a year just on exploits ”. The zero-day market is very complex due high “perishability” of the goods, following some key figures of a so complex business Difficulty finding buyers and sellers – It’s a closed market not openly accessible. Find a buyer or identify a possible seller is a critical phase. Checking the buyer reliability – The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many individuals about the discovery in an attempt to find a buyer with obvious risks. Value cannot be demonstrated without loss – One of the most fascinating problems a researcher attempting to sell vulnerability information or a 0-day exploit may face is proving the validity of the information without disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without compensation. Exclusivity of rights – The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the researcher must be willing to sell all rights to the information to the buyer. However, the buyer has no way to protect themselves from the researcher selling the information to numerous parties, or even disclosing the information publicly, after the sale. Current approaches to zero-day vulnerabilities are to be bought up exploits avoiding that they could be acquired by government’s opponents such as dictators or organized criminals, many security firms sell subscriptions for exploits, guaranteeing a certain number per year. The trend to exploit zero-day for offensive purposes has been followed by intelligence agencies and also private companies, both actors have started to code their own zero-day exploits. “Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.” The Reuters report also revealed the participation of government representatives to the Secret Snoop Conference for Government and law enforcement spying, clearly with the intent to acquire new

64

http://securityaffairs.co/wordpress/14561/malware/zero-day-market-governments-main-buyers.html

http://securityaffairs.co/wordpress/14561/malware/zero-day-market-governments-main-buyers.html

Zero-Days Aff - Michigan 7technologies to conduct cyber espionage through malware based attacks able to compromise target networks. The choice of a government to acquire a zero-day exploit to use it against a foreign governments hide serious risks for its country, cyber terrorist, cyber criminals or state-sponsored hackers could reverse engineer the source code to compose new malicious agent to use against the same authors .

65

Zero-Days Aff - Michigan 72AC ZERO DAYS KEY

Zero-days are key --- crucial to the development of cyber arms bazaarGjelten 13 (Tim Gjelten covered U.S. diplomacy and military affairs, first from the State Department and then from the Pentagon. He was NPR's lead Pentagon reporter during the early war in Afghanistan and the invasion of Iraq, “First Strike: US Cyber Warriors Seize the Offensive, http://www.worldaffairsjournal.org/article/first-strike-us-cyber-warriors-seize-offensive , January 2013)//CLi

Offensive operations in cyberspace have expanded so rapidly in recent years that legal, regulatory, and

ethical analyses have not kept up. The development of the zero-day market , the inclination of some private companies to

mimic the Pentagon by going on the offense rather than continuing to depend on defensive measures to protect data, the design and development of cyberweapons, and the governmental use of such weapons against unsuspecting targets all raise serious and interesting questions, and the answers are far from obvious. Given the destructive use to which they could be put, the lack of transparency in the buying and selling of zero-days may be problemati c. The consequence could be the development of a global cyber arms bazaar , where criminals or terrorist groups could potentially find tools to use . The US government regulates the export of sensitive technologies out of a fear that adversaries could use them in a way hostile to US interests, but whether such restrictions apply to the sale of zero-day vulnerabilities is not entirely clear. Current law restricts the export of “ encryption commodities and software that provide penetration capabilities that are capable of attacking , denying, disrupting, or otherwise impairing the use of cyber infrastructure or networks .” Does that language cover the possibility that some researcher or broker may try to sell a back-door exploit, or even a cyberweapon, to a foreign agent who could put it to destructive use? “I think it does cover the export of some kinds of cyberweapons,” says Washington lawyer Roszel Thomsen, who helped write the regulations and specializes in export control law. But other specialists are not convinced. There is also the legal question of whether private firms who have been subject to cyber attacks can legally strike back against attackers who penetrate their networks and steal their data. Steven Chabinsky, formerly the top cyber lawyer at the FBI, argues that if a company can identify the server from which a cyber attack originated, it should be able to hack into that server to delete or retrieve its stolen data. “It is universally accepted that in the physical world you have the right to protect your property without first going to law enforcement,” Chabinsky argued at a recent cyber symposium. Other computer consultants have a different view. “I get asked this all the time,” said Richard Bejtlich, chief security officer at Mandiant, a prominent cybersecurity firm, speaking at the Air Force’s CyberFutures conference. “People in hacked companies want to hit back. ‘We want to go get these guys,’ they tell us. But almost always, our lawyers say, ‘Absolutely not.’” In addition, there are policy questions raised by the escalating government investment in offensive cyber war capabilities. One fear is that each new offensive cyberweapon introduced into use will prompt the development of an even more lethal weapon by an adversary and trigger a fierce cyber arms race . A hint of such an escalatory cycle may be seen in the confrontation with Iran over its nuclear program. US officials suspect the Iranian government was responsible for the recent wave of cyber attacks directed against Aramco, the Saudi oil company, and may also have been behind a series of denial-of-service attacks on US financial institutions. Such attacks could be in retaliation for the Stuxnet worm. Some writers foresee a dangerous new world, created by the United States and Israel with the deployment of Stuxnet. Misha Glenny, writing in the Financial Times, argued that the tacit US admission of responsibility for Stuxnet will act “as a starting gun; countries around the world can now argue that it is legitimate to use malware pre-emptively against their enemies.” One danger is that US adversaries, notably including Russia and China, may now cite the use of Stuxnet to support their argument that an international treaty regulating the use of cyberweapons may be needed. The United States has long opposed such a treaty on the grounds that it would undermine its own technological advantages in cyberspace and could also lead to efforts to regulate the Internet in ways that would harm freedom of expression and information. Some of these issues will be resolved as cyber activities mature and the cyber domain becomes more established. The US military as yet has not set up its own rules of engagement for cyber conflict, even though the head of the US Cyber Command, Army General Keith Alexander, says they are necessary. Neither has the US government articulated a “declaratory policy” regarding the use of cyberweapons analogous to government statements on when and where nuclear weapons may be used. All these are serious issues. It is now obvious that adversarial actions in cyberspace have fundamentally changed warfighting, crime, espionage, and business competition. Our institutions must adapt to this new reality, and quickly, or we will face the danger of cyber chaos and anarchy.

66

Zero-Days Aff - Michigan 7Collecting zero-days for cyberoffense leaves our infrastructure to cyberattacksZetter 14 (Kim Zetter, staff reporter at Wired, a writer and editor at PC World. She has been a guest on NPR and CNN. Author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. “How Obama Endangered us all with Stuxnet”, http://www.thedailybeast.com/articles/2014/11/13/how-obama-endangered-us-all-with-stuxnet.html, 11/13/14)//CLi

The cybersabotage campaign on Iran’s nuclear facilities didn’t just damage centrifuges. It

undermined digital security everywhere . A few months after President Obama took office in 2009, he announced that securing the nation's critical infrastructure -- its power generators, its dams, its airports, and its trading floors -- was a top priority for his administration. Intruders had already probed the electrical grid, and Obama made it clear the status quo around unsecured systems was unacceptable. A year later, however, a sophisticated digital weapon was discovered on computers in Iran that was designed to attack a uranium enrichment plant near the town of Natanz. The virus, dubbed Stuxnet, would eventually be identified by journalists and security experts as a U.S.-engineered attack. Stuxnet was unprecedented in that it was the first malicious code found in the wild that was built not to steal data, but to physically destroy equipment controlled by the computers it infected—in this case, the cylindrical centrifuges Iran uses to enrich uranium gas. Much has been said about Stuxnet in the years since its discovery. But little of that talk has focused on how use of the digital weapon undermined Obama’s stated priority of protecting critical infrastructure, placed that vulnerable infrastructure in the crosshairs of retaliatory attacks, and illuminated our country’s often-contradictory policies on cyberwarfare and critical infrastructure security. Even less has been said about Stuxnet’s use of five so-called “zero-day” exploits to spread itself and the troubling security implications of the government's stockpile of zero-days -- malicious code designed to attack previously-unknown vulnerabilities in computer software. Because a zero-day vulnerability is unknown, there is no patch available yet to fix it and no signatures available to detect exploit code built to attack it. Hackers and cyber criminals uncover these vulnerabilities and develop zero-day exploits to gain entry to susceptible systems and slip a virus or Trojan horse onto them, like a burglar using a crowbar to pry open a window and slip into a house. But organizations like the NSA and the U.S. military also use them to hack into systems for surveillance purposes, and even for sabotage, such as the case with the centrifuges in Iran. Generally when security researchers uncover zero-day vulnerabilities in software, they disclose them to the vendor to be fixed; to do otherwise would leave critical infrastructure systems and other computers open to attack from criminal hackers, corporate spies and foreign intelligence agencies. But when the NSA uncovers a zero-day vulnerability, it has traditionally kept the information secret in order to exploit

the security hole in the systems of adversaries. In doing so, it leaves critical systems in the U.S — government computers and other systems that control the electric grid and the financial sector— vulnerable to attack. It's a government model that relies on keeping everyone vulnerable so that a targeted few can be hacked—the equivalent of withholding vaccination from an entire population so that a select few can be infected with a strategic biological virus. It's also a policy that

pits the NSA’s offensive practices against the Department of Homeland Security's defensive ones, since it's the latter's job to help secure critical infrastructure. That’s more than just poor policy. It’s a combination that could someday lead to disaster. Much has been said about Stuxnet in the years since its discovery. But little of that talk has focused on how use of the digital weapon placed our own vulnerable infrastructure in the crosshairs of retaliatory attacks . None of this would be so troubling if the use of zero-days in Stuxnet were an isolated event. But the U.S. government has been collecting zero day vulnerabilities and exploits for about a decade,

result ing in a flourishing market to meet this demand and a burgeoning arms race against other countries racing to stockpile their own zero day tools. The trade in zero days used to be confined to the underground hacker forums, but in the last ten years, it's gone commercial and become populated with small boutique firms whose sole business is zero-day bug hunting and large defense contractors and staffing agencies that employ teams of professional hackers to find security holes and create exploits for governments to attack them. Today, a zero-day exploit can sell for anywhere from $1,000 to $1 million. Thanks to the injection of government dollars, what was once a small and murky underground trade has ballooned into a vast, unregulated cyber weapons bazaar.

67

http://www.thedailybeast.com/articles/2014/11/13/how-obama-endangered-us-all-with-stuxnet.html

http://www.thedailybeast.com/articles/2014/11/13/how-obama-endangered-us-all-with-stuxnet.html

https://en.wikipedia.org/wiki/CNN

https://en.wikipedia.org/wiki/NPR

https://en.wikipedia.org/wiki/PC_World_(magazine)

https://en.wikipedia.org/wiki/Wired.com

Zero-Days Aff - Michigan 7AT: BUSINESSES WON’T COOPERATE

Open disclosure creates more trust among companiesMaurushat 13 (Alana Maurushat, Senior Lecturer, Academic Co-Director of the Cyberspace Law and Policy Centre. She spent the last decade working abroad in Hong Kong, France, the United States, Canada and Australia in the fields of intellectual property, information technology law and cybercrime/cybersecurity. “Disclosure of Security Vulnerabilities: Legal and Ethical Issues”. Springerbriefs in Cybersecurity, Winter 2013)//CLi

While there remains some tension between closed security/security through obscurity and open security/full disclosure advocates, the pendulum is swinging towards open security. There is less argument about the benefits and detriments of no disclosure versus full disclosure, with emphasis being placed on responsible disclosure. In particular, technology companies see value in inviting hackers to identify vulnerabilities in their systems. Companies such as Google, Microsoft and Sony now routinely organise and run hacking competitions of their products. There are also bounty programs whereby organisations pay for both exploit information, as well as information leading to the source of the exploit. Other more conventional companies outside of the technology realm, have been slower to see open security as a benefit. In spite of the gain in momentum and acceptance of the open security principle, security researchers are not immune to criminal provisions and legal liability for disclosure of security vulnerabilities.Open disclosure potentially allows for vulnerabilities to be found and fixed in a more efficient manner. It also allows for the possibility of vulnerabilities being fixed before an exploit is used for some malicious purpose such as intellectual property theft or fraud. It is also thought that open disclosure incentivises companies to more quickly patch vulnerabilities

Private businesses want the government to cooperate --- key to protect critical infrastructure Tucker 14 [Patrick, Defense One, “Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict,” October 29, 2014, http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significant-loss-life-2025-experts-predict/97688/] //khirn

But some political leaders say that the response from industry to cyber threats has outpaced that of

government. Just ask Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, who said that private businesses were increasingly asking government to defend them from cyber attacks from other nation state actors, and even launch first strikes against those nations. “Most of the offensive talk is from the private sector, they say we’ve had enough,” Rogers said at a recent Washington Post cyber security summit. It’s worth noting that the Pew survey was made public one day after the group FireEye released a major report stating that a Russian-government affiliated group was responsible for hacking into the servers of a firm keeping classified U.S. military data. In his remarks at the summit, Rogers singled out Russia as a prime target for future, U.S.-lead cyber operations. But SCADA vulnerabilities look quaint compared to the exploitable security gaps that will persist across the Internet of Things as more infrastructure components are linked together. “Current threats include economic transactions, power grid, and air traffic control. This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure,” said Mark Nall, a program manager for NASA [emphasis added].

68

Zero-Days Aff - Michigan 7AT: IDS SOLVES

IDSs fail for zero-day vulnerabilities Balon-Perin & Gamback 13 – Software Engineer and Professor in Language Technology at Norwegian University of Science and Technology (Alexandre, Bjorn, 2013, Ensembles of Decision Trees for Network Intrusion Detection System, International Journal on Advances in Security, vol 6 no 1 & 2,http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69, pg. 62) /AMarbNetwork IDSs analyse traffic to detect on-going and incoming attacks on a network. Additionally, they must provide concise but sound reports of attacks in order to facilitate the prevention of future intrusions and to inform the network administrators that the system has been compromised. Current commercial IDSs mainly use a database of rules (signatures), to try to detect attacks on a network or on a host computer. This detection method is presently the most accurate, but also the easiest to evade for experienced malicious users, because variants of known attacks (with slightly different signatures) are considered harmless by the IDS and can pass through without warning. New attacks and attacks exploiting zero-day vulnerabilities can also slip through the security net if their signatures are unknown to the IDS . A zero-day vulnerability is a software weakness unknown by the system developers, which potentially could allow an attacker to compromise the system. ‘Zero-day’ refers to the first day, day zero, that the vulnerability was observed.

69

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.362.1200&rep=rep1&type=pdf#page=69

http://www.ntnu.no/english/

Zero-Days Aff - Michigan 7AT: SQUO SOLVES CYBERSECURITY

Vulnerable systems now --- closing loopholes is key to solveGoldsmith 10 [Jack, teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at Stanford University, “The New Vulnerability,” New Republic, June 7, 2010, http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability] //khirn

Many factors make computer systems vulnerable, but the most fundamental factor is their extraordinary complexity. Most computers connected to the Internet are general-purpose machines designed to perform multiple tasks. The operating-system software that manages these tasks--as well as the computer’s relationship to the user--typically has tens of millions, and sometimes more than one hundred million, lines of operating instructions, or code. It is practically impossible to identify and to analyze all the different ways these lines of code can interact or might fail to operate as expected. And when the operating-system software interfaces with computer processors, various software applications, Web browsers, and the endless and endlessly complex pieces of hardware and software that constitute the computer and telecommunications networks that make up the Internet, the potential for unforeseen mistakes or failures becomes unfathomably large. The complexity of computer systems often leads to accidental mistakes or failures. We have all suffered computer crashes, and sometimes these crashes cause serious problems. Last year the Internet in Germany and Sweden went down for several hours due to errors in the domain name system that identifies computers on the Internet. In January of this year, a software problem in the Pentagon’s global positioning system network prevented the Air Force from locking onto satellite signals on which they depend for many tasks. The accident on the Washington Metro last summer, which killed nine people and injured dozens, was probably caused by a malfunction in the computer system that controls train movements. Three years ago, six stealth F-22 Raptor jets on their maiden flights were barely able to return to base when their onboard computers crashed. The same complexity that leads to such malfunctions also creates vulnerabilities that human agents can use to make computer systems operate in unintended ways. Such cyber threats come in two forms. A cyber attack is an act that alters, degrades, or destroys adversary computer systems or the information in or transiting through those systems. Cyber attacks are disruptive activities. Examples include the manipulation of a computer system to take over an electricity grid, or to block military communications, or to scramble or erase banking data. Cyber exploitations, by contrast, involve no disruption, but merely monitoring and related espionage on computer systems, as well as the copying of data that is on those systems. Examples include the theft of credit card information, trade secrets, health records, or weapons software, and the interception of vital business, military, and intelligence communications. Both cyber attacks and cyber exploitations are very hard to defend against. “The aggressor has to find only one crucial weakness; the defender has to find all of them, and in advance,” wrote Herman Kahn in 1960 in his famous book On Thermonuclear War. This generally true proposition about defense systems has special salience for computer networks. Even if (as is often not the case) those trying to find and patch computer vulnerabilities outnumber those trying to find and exploit the vulnerabilities, the attacker often still has an advantage. Under the Kahn principle, some fraction of the time the attacker will discover a vulnerability that the defender missed. And she need only find one, or a few, vulnerabilities to get in the system and cause trouble. Once a vulnerability is identified, an attack or exploitation is relatively easy to disguise , because the operation of a computer is almost entirely hidden from the user. Malware can be embedded in a computer system without the user’s knowledge, either remotely (when the user downloads an infected program or when she visits an infected website) or at any point in the multi-country global supply chain that develops and produces most commercial software. And once it is embedded, malware can be used for any number of tasks, including data destruction, theft, taking over the computer for various purposes, recording keystrokes to discover passwords, and much more. Many forms of malware are hard for engineers to find through diagnostic testing and are missed by anti-virus software. Computer users often do not discover malware before an attack makes clear that something has gone wrong. They often never discover malware that facilitates computer exploitations or, as in the Google case, they discover it too late. The inherent insecurity of computer systems is exacerbated by the number and incentives of actors around the globe who are empowered to take advantage of computer vulnerabilities. In real space, geography serves as a natural barrier to attack, theft, and espionage: only if you get near the Pentagon can you attack it; only if you get near the Citibank branch in New York can you rob it. And if you are near these places in real space, American law enforcement and military authorities can exercise their full powers, within U.S. sovereignty, to check or deter the attack. In cyberspace, geography matters much less because the Internet links computers globally with speed-of-light communication. As the Google case shows, someone sitting at a terminal in China can cause significant harm in the United States. And of course there are countless people around the globe with access to a computer who would like to do bad things inside the United States. To the extent that they are located outside the United States, American law enforcement authorities have much less effective power to stop or to deter them. The FBI must rely on law enforcement authorities in foreign countries who are often slow and uncooperative, giving bad cyber actors time to cover their tracks. And the American military cannot enter a

70

http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability

Zero-Days Aff - Michigan 7foreign country unless the threat or attack rises to the level of war.

71


IP THEFT ADVANTAGE

72

Zero-Days Aff - Michigan 72AC ECON ADD-ON

International IP Theft causes economic decline in the U.S. and economic growth in ChinaThe National Bureau of Asian Research, 2013 (The IP Commission Report, http://www.ipcommission.org/report/ip_commission_report_052213.pdf) // JRW

The Impact of International IP Theft on the American Economy Hundreds of billions of dollars per year. The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is “the greatest transfer of wealth in history.” Millions of jobs. If IP were to receive the same protection overseas that it does here, the American economy would add millions of jobs. A drag on U.S. GDP growth. Better protection of IP would encourage significantly more R&D investment and economic growth. Innovation. The incentive to innovate drives productivity growth and the advancements that improve the quality of life. The threat of IP theft diminishes that incentive. Long Supply Chains Pose a Major Challenge Stolen IP represents a subsidy to foreign suppliers that do not have to bear the costs of developing or licensing it. In China, where many overseas supply chains extend, even ethical multinational companies frequently procure counterfeit items or items whose manufacture benefits from stolen IP, including proprietary business processes, counterfeited machine tools, pirated software, etc.International IP Theft Is Not Just a Problem in China. Russia, India, and other countries constitute important actors in a worldwide challenge. Many issues are the same: poor legal environments for IPR, protectionist industrial policies, and a sense that IP theft is justified by a playing field that benefits developed countries. The Role of China Between 50% and 80% of the problem. The major studies range in their estimates of China’s share of international IP theft; many are roughly 70%, but in specific industries we see a broader range. The evidence. Evidence comes from disparate sources: the portion of court cases in which China is the destination for stolen IP, reports by the U.S. Trade Representative, studies from specialized firms and industry groups, and studies sponsored by the U.S. government. Why does China stand out? A core component of China’s successful growth strategy is acquiring science and technology. It does this in part by legal means—imports, foreign domestic investment, licensing, and joint ventures—but also by means that are illegal. National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice. There are also weaknesses and biases in the legal and patent systems that lessen the protection of foreign IP. In addition, other policies weaken IPR, from mandating technology standards that favor domestic suppliers to leveraging access to the Chinese market for foreign companies’ technologies.

Economic decline leads to war – empirics: Jobs and econ decline can each trigger the impactMead 9 (2/4, Walter Russell, Henry A. Kissinger Senior Fellow in U.S. Foreign Policy at the Council on Foreign Relations, Only Makes You Stronger: Why the recession bolstered America, The New Republic, http://www.newrepublic.com/article/only-makes-you-stronger-0) //JRW

None of which means that we can just sit back and enjoy the recession. History may suggest that financial crises actually help capitalist great powers maintain their leads--but it has other, less reassuring messages as well. If financial crises have been a normal part of life during the 300-year rise of the liberal capitalist system under the Anglophone powers, so has war. The wars of the League of Augsburg and the Spanish Succession; the Seven Years War; the American Revolution; the Napoleonic Wars; the two World Wars; the cold war: The list of wars is almost as long as the list of financial crises. Bad economic times can breed wars. Europe was a pretty peaceful place in 1928, but the Depression poisoned German public opinion and helped bring Adolf Hitler to power. If the current crisis turns into a depression, what rough beasts might start slouching toward Moscow, Karachi, Beijing, or New Delhi to be born? The United States may not, yet, decline, but, if we can't get the world economy back on track, we may still

73

Zero-Days Aff - Michigan 7have to fight.

74

Zero-Days Aff - Michigan 71AR IP THEFT KEY TO ECON

Cyber attacks and consequences cost billions of dollars to US companies(Report to Congress of the U.S.-China Economic and Security Review Commission, 113th Cong., 2nd sess., November 2014, 68-9;6 http://origin.www.uscc.gov/sites/default/files/annual_reports/Complete%20Report.PDF) //JRW

Chinese State-Sponsored Cyber Theft Cyber-enabled theft of intellectual property (IP) and commercial espionage are among the biggest risks facing U.S. companies today. In the United States, the annual cost of cyber crime and cyber espionage is estimated to account for between $24 billion and $120 billion (or 0.2 to 0.8 percent of GDP), and results in the loss of as many as 200,000 U.S. jobs annually.220 The Chinese government’s engagement in cyber espionage for commercial advantage was exposed on May 19, 2014, when the U.S. Department of Justice charged five PLA officers for cyber-enabled theft and other related offenses committed against six U.S. victims, including Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), Alcoa Inc., and the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW or Steelworkers Union).221 According to the indictment, PLA Unit 61398 * 222 officers Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui hacked, or attempted to hack, into the victims’ computers to steal information that would be useful to competitors in China, including SOEs.223 One victim, SolarWorld, subsequently petitioned the U.S. Department of Commerce to investigate the allegations made in the indictment as they directly related to SolarWorld’s ongoing trade dispute over imports of solar products from China.224 The Chinese government strongly denied what it called the ‘‘fabricated’’ allegations,’’ 225 and within days of the indictment, China retaliated both economically and politically against the United States. The Chinese government suspended participation in a U.S.-China Cyber Working Group, which was established in 2013 as a bilateral dialogue on cyber security.226 China also announced that its government offices were forbidden from using Microsoft’s Windows 8 operating system and ordered security checks on foreign IT products and services seemingly directed at U.S. companies, including Cisco Systems.227 Likewise, the PBOC and the Chinese Ministry of Finance asked banks to replace IBM servers with those produced by domestic brands to protect financial security.228 In the same week, the Chinese government instructed SOEs to sever ties with U.S. consulting companies, including McKinsey, Boston Consulting Group, Bain & Company, and Strategy & Co. (formerly known as Booz & Co.), and urged SOEs to establish teams of domestic consultants out of fears that U.S. consultants are government spies.229 Chinese entities have long been engaging in cyber-enabled theft against U.S. companies for commercial gain; however, the May 19 indictment represents the ‘‘first ever charges against known state actors for infiltrating U.S. commercial targets by cyber means’’.230 In addition, the indictment states that ‘‘Chinese firms hired the same PLA Unit where the defendants worked to provide information technology services.’’ 231 This established a channel through which the Chinese firms could issue tasking orders to the PLA defendants to engage in cyber theft and commercial espionage. For example, in one case, according to the indictment, a Chinese SOE hired the PLA Unit ‘‘to build a ‘secret’ database to hold corporate ‘intelligence.’’’ 232 Of the 141 organizations allegedly compromised by PLA Unit 61398 since 2006, 81 percent were located or headquartered in the United States.233 In June 2013, the U.S. Department of Justice indicted Chinese energy firm Sinovel for cyber-enabled IP theft committed against Massachusetts-based American Superconductor (AMSC).* Florida-based biofuel company Algenol, which is developing technology that converts algae into fuels while decreasing greenhouse gas emissions, fell victim to more than 39 million hacking attempts since mid-2013.234 According to Algenol’s technology chief, 63,000 hacking attempts came from China, of which 6,653 attempts came from IP addresses identified by cyber security firm Mandiant as belonging to PLA Unit 61398.235 Algenol’s investigation also identified Alibaba’s cloud computing subsidiary Aliyun as an originator of hacking attempts, though Alibaba claimed that Algenol mischaracterized ordinary Internet traffic as hacking attempts.236

IP theft destroys the economyFrost & Sullivan 12 – the company addresses global challenges and growth opportunities that affect market participants (Frost & Sullivan, 2012, The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security, http://expo-itsecurity.ru/upload/iblock/e3b/the_growing_hacking_threat_to_websites.pdf, pg. 16, Google Scholar) /AMarb

All organisations are potential victims. Intuitively, one would assume that large organisations with valuable data were exposed to a much higher risk than smaller organisations overall. Certainly, a number of high-profile attacks have involved prestigious names (e.g., Sony, RSA, Citicorp, Startfor, AT&T), with an excess of $200 million in

75

http://expo-itsecurity.ru/upload/iblock/e3b/the_growing_hacking_threat_to_websites.pdf

Zero-Days Aff - Michigan 7losses. These breaches have generated a stronger awareness about the need for network security systems. In addition, several states have laws that require companies to publicly report any event in which their customers’ personal information has been compromised, meaning that these are the attacks the public hears about. A 2010 Canadian government report asserted that 86 percent of large Canadian companies had been victims or targeted attacks from Black Hats, and that efforts to steal intellectual property from the private sector had doubled since 2008. No empirical data exists quantifying the impact of hacking as a whole, but many modelling attempts have been made to estimate its impact. The German intelligence agency BfV, for example, estimates that Germany loses $21 billion to $71 billion of revenue and 30,000 to 70,000 jobs each year due to intellectual property theft through hacking. In Frost & Sullivan’s opinion, the majority of serious website intrusions are never detected or never made public. True Black Hats always try to keep a low profile and remain as silent as possible. Hacking attacks in the media are usually caused by young hackers and hacktivists. There is clearly more “glory” involved in hacking a Charles Schwab than an unknown SME. Hence, decision-makers erroneously believe that Web hacks only target large organisations.

76

Zero-Days Aff - Michigan 71AR ECON IMPACT

Economic crisis causes war—strong statistical support proves

Royal 2010 (Jedediah Royal, Director of Cooperative Threat Reduction at the U.S. Department of Defense, 2010, “Economic Integration, Economic Signaling and the Problem of Economic Crises,” Economics of War and Peace: Economic, Legal and Political Perspectives, ed. Goldsmith and Brauer, p. 213-215 https://books.google.com/books?hl=en&lr=&id=HmcwrzBU6dsC&oi=fnd&pg=PA205&dq=Economic+Integration,+Economic+Signaling+and+the+Problem+of+Economic+Crisis&ots=aZ0lgMVudZ&sig=6Asm0R-CJGcjnSniv5sYOpNYLUE#v=onepage&q=Economic%20Integration%2C%20Economic%20Signaling%20and%20the%20Problem%20of%20Economic%20Crisis&f=false ) //JRW

Less intuitive is how periods of economic decline may increase the likelihood of external conflict. Political science literature has contributed a moderate degree of attention to the impact of economic decline and the security and defense behaviour of interdependent slates. Research in this vein has been considered at systemic, dyadic and national levels. Several notable contributions follow. First, on the systemic level. Pollins (2008) advances Modelski and Thompson's (19%) work on leadership cycle theory, finding that rhythms in the global economy are associated with the rise and fall of a pre-eminent power and the often bloody transition from one pre-eminent leader to the next. As such, exogenous shocks such as economic crises could usher in a redistribution of relative power (sec also Gilpin. 1981) that leads to uncertainty about power balances, increasing the risk of miscalculation (Fearon, 1995). Alternatively, even a relatively certain redistribution of power could lead to a permissive environment for conflict as a rising power may seek to challenge a declining power (Werner, 1999). Separately. Pollins (1996) also shows that global economic cycles combined with parallel leadership cycles impact the likelihood of conflict among major, medium and small powers, although he suggests that the causes and connections between global economic conditions and security conditions remain unknown. Second, on a dyadic level. Copeland's (1996. 2000) theory of trade expectations suggests that 'future expectation of trade' is a significant variable in understanding economic conditions and security behaviour of states. He argues that interdependent states are likely to gain pacific benefits from trade so long as they have an optimistic view of future trade relations. However, if the expectations of future trade decline, particularly for difficult to replace items such as energy resources, the likelihood for conflict increases as states will be inclined to use force to gain access to those resources. Crises could potentially be the trigger for decreased trade expectations either on its own or because it triggers protectionist moves by interdependent states.4 Third, others have considered the link between economic decline and external armed conflict at a national level. Blomberg and Hess (2002) find a strong correlation between internal conflict and external conflict, particularly during periods of economic downturn. They write, The linkages between internal and external conflict and prosperity are strong and mutually reinforcing. Economic conflict tends to spawn internal conflict, which in turn returns the favour. Moreover, the presence of a recession lends lo amplify the extent to which international and external conflicts self-reinforce each other. (Blomberg & I less. 2002. p. 89) Economic decline has also been linked with an increase in the likelihood of terrorism (Blomberg. Hess. & Wccrapana. 2004). which has the capacity to spill across borders and lead to external tensions. Furthermore, crises generally reduce the popularity of a silting government. "Diversionary theory' suggests that, when facing unpopularity arising from economic decline, sitting governments have increased incentives to fabricate external military conflicts to create a 'rally around the flag' effect. Wang (1996), DcRoucn (1995), and Blomberg. Mess, and Thacker (2006) find supporting evidence showing that economic decline and use of force are at least indirectly correlated. Gelpi (1997), Miller (1999), and Kisangani and Pickering (2009) suggest that the tendency towards diversionary tactics are greater for democratic states than autocratic states, due to the fact that democratic leaders are generally more susceptible to being removed from office due to lack of domestic support. DcRoucn (2000) has provided evidence showing that periods of weak economic performance in the United States, and thus weak Presidential popularity, are statistically linked to an increase in the use of force. In summary, recent economic scholarship positively correlates economic integration with an increase in the frequency of economic crises, whereas political science scholarship links economic decline with external conflict at systemic, dyadic and national levels.5 This implied connection between integration, crises and armed conflict has not featured prominently in the economic-security debate and deserves more attention. This observation is not contradictory to other perspectives that link economic interdependence with a decrease in the likelihood of external conflict, such as those mentioned in the first paragraph of this chapter. Those studies tend to focus on dyadic interdependence instead of global interdependence and do not specifically consider the occurrence of and conditions created by economic crises. As such, the view presented here should be considered ancillary to those views.

77

Zero-Days Aff - Michigan 72AC DISEASE ADD-ON

IP Theft causes counterfeit drug manufacture and saleNCPC, no date (The National Crime Prevention Council’s mission is to be the nation's leader in helping people keep themselves, their families, and their communities safe from crime. To achieve this, NCPC produces tools that communities can use to learn crime prevention strategies, engage community members, and coordinate with local agencies, http://www.ncpc.org/topics/intellectual-property-theft/trends-globalization-and-digitalization-usher-in-a-new-era-of-intellectual-property-theft) // JRWThe World Health Organization recently warned that as much as half of the world’s drug supply may soon consist of fake pharmaceutical drugs. Counterfeiting of drugs, in fact, could soon be one of the world’s fastest-growing industries. Profits in the counterfeit drug “industry” are estimated to have doubled since 2005. These counterfeit drugs often have useless, non-therapeutic ingredients or even contain dangerous and poisonous ingredients. They are almost always sub-potent. Hundreds of thousands of deaths have been caused by fake pharmaceuticals around the world. Fortunately, in the United States, thanks to better regulations and the efforts of skilled and dedicated law enforcement officers, only a small handful have died. Counterfeit drugs are overwhelmingly manufactured in India, where the government is now cracking down on the manufacturing of counterfeit drugs and lawmakers are enacting stiff new criminal penalties. One recent report recently stated that the profits from the sale of counterfeit drugs are now eclipsing the profits being made from the sale of heroin and cocaine, attracting the involvement of organized crime and terrorists seeking income to fund other criminal activities. Moreover, there are fears that the growing expertise of counterfeiters combined with the involvement of criminals and terrorists could result in threats to national security from the use of poisons or biological products. The Russian mafia, Colombian drug cartels, Chinese triads, and Mexican gangs have all been implicated in producing and trafficking in counterfeit drugs, as has Al Qaeda, according to one report.

Counterfeit drugs lead to disease Newton et. al., 2010 (Paul N., Michael D. Green, Facundo M. Fernández. Newton works at Centre for Clinical Vaccinology and Tropical Medicine, Churchill Hospital, University of Oxford, Green at the Division of Parasitic Diseases, Centers for Disease Control and Prevention, Atlanta, Georgia, and Fernández at the School of Chemistry and Biochemistry, Georgia Institute of Technology, Atlanta, Georgia. “Impact of poor-quality medicines in the ‘developing’ world.” Science Direct, Volume 31 Issue 3. http://www.sciencedirect.com/science/article/pii/S016561470900203X ) // JRW

Considering the vast scale of the global pharmaceutical industry and the incidence of potentially fatal diseases, any amount of poor-quality medicine is unacceptable because it increases morbidity and mortality (Box 2). The impact of poor-quality medicines is most clearly evident if they contain lethal incorrect active ingredients. Until recently, it was often assumed that counterfeits were inert. However, forensic chemistry has demonstrated that many contain harmful ingredients – as tragically illus- trated by the death of 500 children after ingesting para- cetamol containing a renal toxin [2]. Patients may also suffer adverse effects of unexpected ingredients, e.g. co- trimoxazole containing diazepam; reused ceftazidime vials containing streptomycin; and counterfeit artesunate tablets containing artemisinin, chloramphenicol, parace- tamol, and metamizole. Patients may be allergic to these covert pharmaceuticals, or may experience confusing adverse events. Some substandard drugs contain more active ingredient than stated [10] and, for anti-infectives with narrow therapeutic ratios, this may increase the prevalence of adverse effects. The use of counterfeit anti-malarials, and the conse- quent failure of patients to improve, has led to false reports of drug resistance to malaria [13]. An example of the potential dangers of sub-therapeutic dosage were illus- trated when heavier tourists, dosed without taking patient body weight into account, and not their thinner co-trave- lers, developed P. vivax relapses [11]. Anti-infectives con-taining sub-therapeutic amounts of the active ingredient (whether counterfeit or substandard) increase the risk of the selection and spread of drug-resistant pathogens [13]. Selection depends on a wide variety of factors, i.e. pathogen biomass; host immunity; relationships between the drug pharmacokinetic profile; pharmacodynamic effects on the pathogen; anti-microbial susceptibility of the the pathogen; and the fitness of resistant mutants. If resistant pathogens infect or arise de novo within a host and encoun- ter sub-lethal concentrations of a slowly eliminating anti- microbial, they will have a survival advantage and multiply faster than sensitive pathogens [12]. Although models of the emergence and spread of resistance to anti-malarial drugs suggest that poor-quality drugs are important, it is very difficult to tease apart the

78

Zero-Days Aff - Michigan 7effects of the misuse of anti- infectives by health workers, patient adherence, and poor- quality drugs. Counterfeits containing no active ingredient will not provide this ‘drug pressure’, and it is likely that substandard medicines are more important in engendering resistance. However, fakes containing sub-therapeutic amounts of the stated ingredient, or incorrect anti- microbial ingredients, may facilitate the emergence and spread of drug-resistant pathogens. For diseases treated with combination therapy (e.g. tuberculosis, HIV, falciparum malaria), poor-quality combination medicines risk the spread of resistance due to the poor-quality active ingredient and the ‘unprotected’ co-ingredient. Artemisi- nin derivatives-based combination therapies (ACTs) hold great hope for controlling malaria in Africa but, most alarmingly, poor-quality ACTs are already widespread [2,6,13]. Plasmodium falciparum artesunate resistance has recently been described on the Thailand–Cambodia border and the wide use of monotherapy, substandard artesunate, and fake artesunate containing sub-therapeutic quantities of artemisinin and artesunate in South-East Asia have probably contributed to this potentially disastrous problem [8]. Poor-quality tuberculosis (TB) drugs [14] are a neglected link between TB treatment, therapeutic failure and the increasing burden of TB drug resistance.

Diseases cause extinctionYu 09 (Victoria Yu (cites the CDC and R. Calsbeek, a lecturer at Dartmouth), Dartmouth Undergraduate Journal of Science, May 22, 2009, "Human Extinction: The Uncertainty of Our Fate", accessed December 28, 2011, http://dujs.dartmouth.edu/spring-2009/human-extinction-the-uncertainty-of-our-fate) // JRW

A pandemic will kill off all humans. In the past, humans have indeed fallen victim to viruses. Perhaps the best-known case was the bubonic plague that killed up to one third of the European population in the mid-14th century (7). While vaccines have been developed for the plague and some other infectious diseases, new viral strains are constantly emerging — a process that maintains the possibility of a pandemic-facilitated human extinction. Some surveyed students mentioned AIDS as a potential pandemic-causing virus. It is true that scientists have been unable thus far to find a sustainable cure for AIDS, mainly due to HIV’s rapid and constant evolution. Specifically, two factors account for the virus’s abnormally high mutation rate: 1. HIV’s use of reverse transcriptase, which does not have a proof-reading mechanism, and 2. the lack of an error-correction mechanism in HIV DNA polymerase (8). Luckily, though, there are certain characteristics of HIV that make it a poor candidate for a large-scale global infection: HIV can lie dormant in the human body for years without manifesting itself, and AIDS itself does not kill directly, but rather through the weakening of the immune system. However, for more easily transmitted viruses such as influenza, the evolution of new strains could prove far more consequential. The simultaneous occurrence of antigenic drift (point mutations that lead to new strains) and antigenic shift (the inter-species transfer of disease) in the influenza virus could produce a new version of influenza for which scientists may not immediately find a cure. Since influenza can spread quickly, this lag time could potentially lead to a “global influenza pandemic,” according to the Centers for Disease Control and Prevention (9). The most recent scare of this variety came in 1918 when bird flu managed to kill over 50 million people around the world in what is sometimes referred to as the Spanish flu pandemic. Perhaps even more frightening is the fact that only 25 mutations were required to convert the original viral strain — which could only infect birds — into a human-viable strain (10).

79

Zero-Days Aff - Michigan 72AC INNOVATION ADD-ON

Chinese Cyber Espionage Decimating US Competitiveness – Its Economic Advantage is InnovationGjelten 13 (Tom Gjelten, NPR News Reporter, NPR, 5/7/13, http://www.npr.org/2013/05/07/181668369/u-s-turns-up-heat-on-costly-commercial-cyber-theft-in-china) /dylsbury

American companies that do business with China make good money. They also lose a lot of money there to cyberthieves, who routinely hack into the computers of the U.S. firms and steal their trade and technology secrets.China's theft of U.S. intellectual property has gotten serious enough in recent months to warrant President Obama's attention and prompt a series of visits to Beijing by senior members of Obama's Cabinet. A new Pentagon report on Chinese military developments adds to the U.S. complaints. The report says some computer intrusions carried out by hackers in China "appear to be attributable directly to the Chinese government and military." A recent survey by the American Chamber of Commerce in China , which represents more than a thousand U.S. businesses there, turned up widespread concern about the loss of intellectual property. Twenty-six percent of those responding to the survey reported somebody stealing business data from their computers, and 42 percent said the problem is getting worse. "They know they're under attack," says Greg Gilligan, the group's chairman. "They just don't know who's attacking."The problem of data theft is well-known among U.S. companies operating in China. American businessmen have long complained that their laptops are hacked, their emails intercepted, and their technology and negotiation plans compromised. But with more than a billion Chinese as potential customers for American goods, the temptation to do business with China has been irresistible."For the last 15 or 20 years, companies have been willing to make the bet," says Adam Segal, a China expert at the Council on Foreign Relations. "[Their attitude is] 'We know we're going to lose our technology in China, but being in the China market is so important that we're going to take that bet.' "The U.S. cybersecurity firm Mandiant identified a cyber unit of China's People's Liberation Army as the likely culprit behind much of the industrial espionage directed against U.S. companies. Mandiant researchers said the PLA unit is systematically taking intellectual property — technology blueprints, manufacturing secrets, negotiation plans — from the U.S. companies it targets.The Mandiant finding certainly caught the attention of Gilligan, a leader among U.S. businesses operating in China. "The salient point of that report was [the statement] that there is some organized effort by some group attacking business interests," Gilligan says. "This is not government to government. It's not military to military. It's [someone] attacking the economic interests of United States companies."A classified National Intelligence Estimate earlier this year concluded that cyber-espionage from China is now threatening U.S. economic competitiveness. The concern is that if Chinese businesses can steal U.S. technology, they can blunt the one big advantage U.S. companies have in the global economy, which is their capacity to innovate. It is that spirit that explains the emergence of U.S. companies like Microsoft, Apple or Google. Such companies, business experts say, have been far less likely to originate in China, because the business culture in China does not favor creativity. But they can always steal the products of U.S. creativity."There are certainly some companies that are seeing [intellectual property theft] as part of a strategy for becoming more competitive internationally, taking innovation from somewhere else and incorporating it in their products," says Robert Hormats, the U.S. undersecretary of state for economic growth, energy and the environment.

80

http://www.npr.org/2013/05/07/181668369/u-s-turns-up-heat-on-costly-commercial-cyber-theft-in-china

http://www.npr.org/2013/05/07/181668369/u-s-turns-up-heat-on-costly-commercial-cyber-theft-in-china

Zero-Days Aff - Michigan 7Decline in Competitiveness Leads to Economic Collapse and Fiscal Crisis – Empirics in France ProveTully 13 (Shawn Tully, editor at Fortune, Fortune, 6/20/15, http://fortune.com/author/shawn-tully/) /dylsbury

A deeper look shows that France is mired in no less than an economic crisis. The eurozone’s second-largest economy (2012 GDP: 2 trillion euros) is suffering more than any other member from a shocking deterioration in competitiveness. Put simply, France’s products — its cars, steel, clothing, electronics — cost far too much to produce compared with competing goods both from Asia and its European neighbors, including not just Germany but even Spain and Italy. That’s causing a sharp and accelerating fall in its exports, and a significant decline in manufacturing and the services that support it.The virtual implosion of French industry is overlooked by analysts and pundits who claim that the eurozone had dodged disaster and entered a new, durable period of stability. In fact, it’s France — not Greece or Spain — that now poses the greatest threat to the euro’s survival. France epitomizes the real problem with the single currency: The inability of nations with high and rising production costs to adjust their currencies so that their products remain competitive in world markets.So far, the worries over the euro have centered on dangerously rising debt and deficits. But those fiscal problems are primarily the result of a loss of competitiveness. When products cost too much to make, the economy stalls or actually declines, so that even modest increases in government spending swamp nations with big budget shortfalls and excessive borrowings. In this no-or-negative growth scenario, the picture is usually the same: The private economy shrinks while government keeps expanding. That’s already happened in Italy, Spain and other troubled eurozone members. The difference is that those nations are adopting structural reforms to restore their competitiveness. France is doing nothing of the kind. Hence, its yawning competitiveness gap will soon create a fiscal crisis. It’s absolutely astonishing that an economy so large, and so widely respected, can be unraveling so quickly.

Cyber Espionage Leads to Massive Decline in Innovation – No Incentive to InvestLukas 13 (Carrie Lukas, managing director of the Independent Women’s Forum, U.S. News, 6/4/13, http://www.usnews.com/opinion/articles/2013/06/04/chinas-industrial-cyberespionage-harms-the-us-economy) /dylsbury

Cyberwarfare and corporate espionage sound like the basis of a good summer beach read: the perfect escape from the too-gloomy realities of an economy that continues to sputter, leaving millions of Americans out of work and millions more underemployed. Yet Americans should be aware that far from fiction, industrial espionage has become a common occurrence and one that adds heavily to our economic woes. The numbers involved are staggering. The director of the National Security Agency, Gen. Keith Alexander, called cybercrime "the greatest transfer of wealth in history." The price tag for intellectual property theft from U.S. companies is at least $250 billion a year. That's far more than what businesses pay in federal corporate income taxes. Imagine what recouping those lost billions would mean to our economy and American workers: More jobs, higher pay, and lower prices would be the immediate result. It would also mean more innovation and a higher standard of living in the future. Today, business leaders have reason to be reluctant to invest scarce resources on research and development since that information and innovation may be stolen before they can bring new products to market. Without the specter of this crime, more money would be invested in identifying new technologies and medical breakthroughs that would make our lives healthier and richer. Of course, there is no way that America can identify, let alone stop, every cyberhacker. Yet cyber-espionage isn't primarily just the work of entrepreneurial, tech-savvy criminals. Much of the dirty work is done by state-sponsored cyberspies, who are purposefully draining information

81

http://www.usnews.com/opinion/articles/2013/06/04/chinas-industrial-cyberespionage-harms-the-us-economy

http://www.usnews.com/opinion/articles/2013/06/04/chinas-industrial-cyberespionage-harms-the-us-economy

http://fortune.com/author/shawn-tully/

http://fortune.com/author/shawn-tully/

Zero-Days Aff - Michigan 7from vital U.S. infrastructure systems and businesses. The Virginia-based cyber security firm Mandiant recently released a report detailing one source of persistent cyber attacks, the Chinese People's Liberation Army. Mandiant estimates that since 2006, a single Chinese army cyberattack unit has compromised "141 companies spanning 20 major industries, from information technology and telecommunications to aerospace and energy," using a "well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property."

Only Innovation Can Solve Warming – Current Tech Won’t WorkKoningstein 14 (Ross Koningstein, Engineer at Google, IEEE Spectrum, 11/18/14, http://spectrum.ieee.org/energy/renewables/what-it-would-really-take-to-reverse-climate-change) /dylsbury

As we reflected on the project, we came to the conclusion that even if Google and others had led the way toward a wholesale adoption of renewable energy, that switch would not have resulted in significant reductions of carbon dioxide emissions. Trying to combat climate change exclusively with today’s renewable energy technologies simply won’t work; we need a fundamentally different approach. So we’re issuing a call to action. There’s hope to avert disaster if our society takes a hard look at the true scale of the problem and uses that reckoning to shape its priorities. Climate scientists have definitively shown that the buildup of carbon dioxide in the atmosphere poses a looming danger. Whether measured in dollars or human suffering, climate change threatens to take a terrible toll on civilization over the next century. To radically cut the emission of greenhouse gases, the obvious first target is the energy sector, the largest single source of global emissions. RE<C invested in large-scale renewable energy projects and investigated a wide range of innovative technologies, such as self-assembling wind turbine towers, drilling systems for geothermal energy, and solar thermal power systems, which capture the sun’s energy as heat. For us, designing and building novel energy systems was hard but rewarding work. By 2011, however, it was clear that RE<C would not be able to deliver a technology that could compete economically with coal, and Google officially ended the initiative and shut down the related internal R&D projects. Ultimately, the two of us were given a new challenge. Alfred Spector, Google’s vice president of research, asked us to reflect on the project, examine its underlying assumptions, and learn from its failures.We had some useful data at our disposal. That same year, Google had completed a study on the impact of clean energy innovation, using the consulting firm McKinsey & Co.’s low-carbon economics tool. Our study’s best-case scenario modeled our most optimistic assumptions about cost reductions in solar power, wind power, energy storage, and electric vehicles. In this scenario, the United States would cut greenhouse gas emissions dramatically: Emissions could be 55 percent below the business-as-usual projection for 2050.While a large emissions cut sure sounded good, this scenario still showed substantial use of natural gas in the electricity sector. That’s because today’s renewable energy sources are limited by suitable geography and their own intermittent power production. Wind farms, for example, make economic sense only in parts of the country with strong and steady winds. The study also showed continued fossil fuel use in transportation, agriculture, and construction. Even if our best-case scenario were achievable, we wondered: Would it really be a climate victory?A 2008 paper by James Hansen [PDF], former director of NASA’s Goddard Institute for Space Studies and one of the world’s foremost experts on climate change, showed the true gravity of the situation. In it, Hansen set out to determine what level of atmospheric CO2 society should aim for “if humanity wishes to preserve a planet similar to that on which civilization developed and to which life on Earth is adapted.” His climate models showed that exceeding 350 parts per million CO2 in the atmosphere would likely have catastrophic effects. We’ve already blown past that limit. Right now, environmental monitoring shows concentrations around 400 ppm. That’s particularly problematic because CO2 remains in the atmosphere for more than a century; even if we shut

82

http://spectrum.ieee.org/energy/renewables/what-it-would-really-take-to-reverse-climate-change

http://spectrum.ieee.org/energy/renewables/what-it-would-really-take-to-reverse-climate-change

Zero-Days Aff - Michigan 7down every fossil-fueled power plant today, existing CO2 will continue to warm the planet.We decided to combine our energy innovation study’s best-case scenario results with Hansen’s climate model to see whether a 55 percent emission cut by 2050 would bring the world back below that 350-ppm threshold. Our calculations revealed otherwise. Even if every renewable energy technology advanced as quickly as imagined and they were all applied globally, atmospheric CO2 levels wouldn’t just remain above 350 ppm; they would continue to rise exponentially due to continued fossil fuel use. So our best-case scenario, which was based on our most optimistic forecasts for renewable energy, would still result in severe climate change, with all its dire consequences: shifting climatic zones, freshwater shortages, eroding coasts, and ocean acidification, among others. Our reckoning showed that reversing the trend would require both radical technological advances in cheap zero-carbon energy, as well as a method of extracting CO2 from the atmosphere and sequestering the carbon.

Warming Causes ExtinctionJamail 13 (Dahr Jamail, journalist and award-winning author, Mother Jones, 12/17/13, http://www.motherjones.com/authors/dahr-jamail) /dylsbury

I haven't returned to Mount Rainier to see just how much further that glacier has receded in the last few years, but recently I went on a search to find out just how bad it might turn out to be. I discovered a set of perfectly serious scientists—not the majority of all climate scientists by any means, but thoughtful outliers—who suggest that it isn't just really, really bad; it's catastrophic. Some of them even think that, if the record ongoing releases of carbon dioxide into the atmosphere, thanks to the burning of fossil fuels, are aided and abetted by massive releases of methane, an even more powerful greenhouse gas, life as we humans have known it might be at an end on this planet. They fear that we may be at—and over—a climate change precipice hair-raisingly quickly.Mind you, the more conservative climate science types, represented by the prestigious Intergovernmental Panel on Climate Change (IPCC), paint scenarios that are only modestly less hair-raising, but let's spend a little time, as I've done, with what might be called scientists at the edge and hear just what they have to say."We've Never Been Here as a Species" "We as a species have never experienced 400 parts per million of carbon dioxide in the atmosphere," Guy McPherson, professor emeritus of evolutionary biology, natural resources, and ecology at the University of Arizona and a climate change expert of 25 years, told me. "We've never been on a planet with no Arctic ice, and we will hit the average of 400 ppm…within the next couple of years. At that time, we'll also see the loss of Arctic ice in the summers…This planet has not experienced an ice-free Arctic for at least the last three million years."For the uninitiated, in the simplest terms, here's what an ice-free Arctic would mean when it comes to heating the planet: minus the reflective ice cover on Arctic waters, solar radiation would be absorbed, not reflected, by the Arctic Ocean. That would heat those waters, and hence the planet, further. This effect has the potential to change global weather patterns, vary the flow of winds, and even someday possibly alter the position of the jet stream. Polar jet streams are fast flowing rivers of wind positioned high in the Earth's atmosphere that push cold and warm air masses around, playing a critical role in determining the weather of our planet. McPherson, who maintains the blog Nature Bats Last, added, "We've never been here as a species and the implications are truly dire and profound for our species and the rest of the living planet." While his perspective is more extreme than that of the mainstream scientific community, which sees true disaster many decades into our future, he's far from the only scientist expressing such concerns. Professor Peter Wadhams, a leading Arctic expert at Cambridge University, has been measuring Arctic ice for 40 years, and his findings underscore McPherson's fears. "The fall-off in ice volume is so fast it is going to bring us to zero very quickly," Wadhams told a reporter. According to current data, he estimates "with 95 percent confidence" that the Arctic will have completely ice-free summers by 2018. (US Navy

83

http://www.motherjones.com/authors/dahr-jamail

Zero-Days Aff - Michigan 7researchers have predicted an ice-free Arctic even earlier—by 2016.) British scientist John Nissen, chairman of the Arctic Methane Emergency Group (of which Wadhams is a member), suggests that if the summer sea ice loss passes "the point of no return," and "catastrophic Arctic methane feedbacks" kick in, we'll be in an "instant planetary emergency." McPherson, Wadham, and Nissen represent just the tip of a melting iceberg of scientists who are now warning us about looming disaster, especially involving Arctic methane releases. In the atmosphere, methane is a greenhouse gas that, on a relatively short-term time scale, is far more destructive than carbon dioxide (CO2). It is 23 times as powerful as CO2 per molecule on a 100-year timescale, 105 times more potent when it comes to heating the planet on a 20-year timescale—and the Arctic permafrost, onshore and off, is packed with the stuff. "The seabed," says Wadham, "is offshore permafrost, but is now warming and melting. We are now seeing great plumes of methane bubbling up in the Siberian Sea…millions of square miles where methane cover is being released." According to a study just published in Nature Geoscience, twice as much methane as previously thought is being released from the East Siberian Arctic Shelf, a two million square kilometer area off the coast of Northern Siberia. Its researchers found that at least 17 teragrams (one million tons) of methane are being released into the atmosphere each year, whereas a 2010 study had found only seven teragrams heading into the atmosphere.The day after Nature Geoscience released its study, a group of scientists from Harvard and other leading academic institutions published a report in the Proceedings of the National Academy of Sciences showing that the amount of methane being emitted in the US both from oil and agricultural operations could be 50 percent greater than previous estimates and 1.5 times higher than estimates of the Environmental Protection Agency. How serious is the potential global methane build-up? Not all scientists think it's an immediate threat or even the major threat we face, but Ira Leifer, an atmospheric and marine scientist at the University of California, Santa Barbara, and one of the authors of the recent Arctic Methane study pointed out to me that "the Permian mass extinction that occurred 250 million years ago is related to methane and thought to be the key to what caused the extinction of most species on the planet." In that extinction episode, it is estimated that 95 percent of all species were wiped out.

84

Zero-Days Aff - Michigan 72AC ORGANIZED CRIME ADD-ON

IP Theft encourages gangs, terror and organized crime. NCPC, no date (The National Crime Prevention Council’s mission is to be the nation's leader in helping people keep themselves, their families, and their communities safe from crime. To achieve this, NCPC produces tools that communities can use to learn crime prevention strategies, engage community members, and coordinate with local agencies, http://www.ncpc.org/topics/intellectual-property-theft/trends-globalization-and-digitalization-usher-in-a-new-era-of-intellectual-property-theft) // JRWThe human costs associated with intellectual property theft are on the rise. People are losing jobs and companies are losing profits, but lives are put in danger not just from things like counterfeit drugs and counterfeit consumer goods, but from the spread of gangs, organized crime groups, and terrorist organizations. All of these groups are benefiting from the manufacturing of counterfeit drugs, piracy of music and movies, and theft of trade and state secrets. Some observers even say there may be a cost in personal freedom, as freedom of speech and the media are pitted against the rights of companies to keep their secrets and not have the secrets aired when they are leaked as a result of an intellectual property crime.

Terrorism causes extinctionSid-Ahmed 2004 (Mohamed Sid-Ahmed (Al-Ahram Weekly political analyst), Al-Ahram Weekly, August 26, 2004, "Extinction!", no. 705, http://weekly.ahram.org.eg/2004/705/op5.htm]) //JRWWhat would be the consequences of a nuclear attack by terrorists? Even if it fails, it would further exacerbate the negative features of the new and frightening world in which we are now living. Societies would close in on themselves, police measures would be stepped up at the expense of human rights, tensions between civilisations and religions would rise and ethnic conflicts would proliferate. It would also speed up the arms race and develop the awareness that a different type of world order is imperative if humankind is to survive. But the still more critical scenario is if the attack succeeds. This could lead to a third world war, from which no one will emerge victorious. Unlike a conventional war which ends when one side triumphs over another, this war will be without winners and losers. When nuclear pollution infects the whole planet, we will all be losers.

Organized crime kills economy and threatens national securityFinklea 2010 (Kristin M. Analyst in Domestic Security; Organized Crime in the United States: Trends and Issues for Congress. December 22, 2010 http://fas.org/sgp/crs/misc/R40525.pdf) //JRW

Organized crime threatens multiple facets of the United States, including the economy and national security. In fact, the Organized Crime Council was reconvened for the first time in 15 years to address this continued threat. Organized crime has taken on an increasingly transnational nature, and with more open borders and the expansion of the Internet, criminals endanger the United States not only from within the borders, but beyond. Threats come from a variety of criminal organizations, including Russian, Asian, Italian, Balkan, Middle Eastern, and African syndicates. Policymakers may question whether the tools they have provided the federal government to combat organized crime are still effective for countering today’s evolving risks. Organized crime could weaken the economy with illegal activities (such as cigarette trafficking and tax evasion scams) that result in a loss of tax revenue for state and federal governments. This is particularly of issue given the current state of the country’s economic health. Fraudulent activities in domains such as strategic commodities, credit, insurance, stocks, securities and investments could further weaken the already-troubled financial market. On the national security front, experts and policymakers have expressed concern over a possible nexus between organized crime and terrorism. Despite the difference in motivation for organized crime (profit) and terrorism (ideology), the linking element for the two is money. Terrorists may potentially obtain funding for their operations from partnering directly with organized crime groups or modeling their profitable criminal acts. Even if organized crime groups and terrorist organizations do not form long-term alliances, the possibility of short-term business alliances may be of concern to policymakers.

85

Zero-Days Aff - Michigan 72AC PLAN SOLVES IP THEFT

Public-private partnerships are crucial to solve IP theft Hare 9 PhD in Public Policy, Air Attaché for the US Air Force, Military Officer for the NSA, adjunct professor at Johns Hopkins University, Adjunct Professor at Georgetown University, Cyberspace Operations Policy at US DoD, Division Chief for Information Operations at CJTF-Horn of Africa, Knowlton Award for Military Intelligence, US Army (Forrest, “Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security?” p. 111-2, The Virtual Battlefield: Perspectives on Cyber Warfare, http://ir.nmu.org.ua/bitstream/handle/123456789/126171/073c9f3d821984e039c4800f6b83b534.pdf) | js

National security is about existential threats to the state. Obtaining knowledge of a national security value can create an existential threat by allowing potential adversaries to gain the knowledge to develop effective counter-measures to a nation’s advanced military and other defenses. In addition, cyber attacks that degrade the ability to command and control national security assets and attacks that disrupt critical infrastructure have direct implications to national security. This infrastructure may be civilian, military, or both. In the United States, for example, the Department of Defense relies heavily on the nation’s public and private cyber infrastructure backbone for communications purposes [13].4 Some security measures are currently in place to protect against the threats articulated above. Such measures are employed by both government agencies and the private sector owners of much of a nation’s critical infrastructure [see 14]. An obvious measure to defend against the theft of sensitive information would be to place all critical information and correspondence on closed systems that are not connected to the publicly accessible Internet. In the United States, for example, this would entail containing the information within the national security system architecture managed by the National Security Agency and Defense Information Systems Agency. Certainly, governments secure much of their critical information in this manner. However, it is also the case that, as we become more reliant on the Internet for collaboration on all activities, especially between the public and private sector, it is becoming increasingly difficult to keep critical information controlled in this manner. A recent incident regarding a potential loss of design information for the F- 35 Joint Strike Fighter highlights this problem. The information was stolen from private , proprietary

industry networks (meaning no government access or frequent auditing), and it apparently contained several terabytes of design data on the future air defense capability for several nations [15]. Remaining disconnected from the greater cyberspace could be a measure employed by critical infrastructure owners and operators also. The control networks could be closed, proprietary systems with no remote access. In fact, older generation control systems employed tailored protocols and were only managed through proprietary, closed systems because there was no Internet available at the time. 4 Note that the focus for this article does not include industrial espionage unrelated to national security, hacking for pleasure, identity theft, and the use of the Internet for training, messaging, and internal transactions of bad actors. Though these can all be considered criminal acts in their own right, they are outside the scope of this discussion. 5 For an overview of the U.S. National Security System, refer to the CNSS website at www.cnss.gov91 However, the trend has been to install remotely maintained systems employing common OS architectures to leverage the connectivity benefits of the Internet [16]. Therefore, these critical infrastructure systems have assumed a risk common to all those dependent on the effective functioning of the Internet. The United States, as a sovereign country, certainly has the inherent right to control all of its borders in any domain [17]. With the above considerations, it is clear the public sector cannot manage all necessary security actions alone. Private companies are an important part of the dynamic that is absent in other areas of national security where the actions of the military, or law enforcement, dominate the response options. We have no early warning radar system or Coast Guard to patrol the borders in cyberspace. Unlike in other domains, information of an attack will come first from those being attacked. Therefore it is highly unlikely that a

government organization, unless it is actually the target of a cyber attack, will have greater situational awareness. An effort must be made to incentivize the private sector to invest in cyber security as well . In many

cases, national security depends on it. But if none of the measures being employed have a border patrol component, does that necessarily mean that borders are not significant in cyberspace? The next two sections will introduce two different frameworks to address this question. In the first of the two analytic frameworks, I will compare the problems of securing a nation against cyber threats to the challenges of securing a nation against international drug trafficking.

86

http://ir.nmu.org.ua/bitstream/handle/123456789/126171/073c9f3d821984e039c4800f6b83b534.pdf

http://ir.nmu.org.ua/bitstream/handle/123456789/126171/073c9f3d821984e039c4800f6b83b534.pdf

Zero-Days Aff - Michigan 7Zero-day disclosure key to combatting IP theftVillasenor 14 professor of electrical engineering and public policy at UCLA, nonresident senior fellow at the Brookings Institution, member of the World Economic Forum’s Global Agenda Council on Cybersecurity, member of the Council on Foreign Relations, and an affiliate at the Center for International Security and Cooperation (CISAC) at Stanford (John, American Intellectual Property Law Association Quarterly Journal, “Corporate Cybersecurity Realism: Managing Trade Secrets in a World Where Breaches Occur” 8/28/14, http://www.hoover.org/sites/default/files/ip2-wp14012-paper.pdf) | jsIt is impossible to know how many trade secret misappropriation incidents are tied to cybersecurity breaches. But there is good reason to believe that many of them are. For starters, trade secrets are valuable and are therefore a prime target. According to a 2010 Forrester Consulting paper, “[s]ecrets comprise two-thirds of the value of firms’ information portfolios.”37 In 2012, then-NSA Director Gen. Keith B. Alexander wrote that the “ongoing cyber-thefts from the networks of public and private organizations, including Fortune 500 companies, represent the greatest transfer of wealth in human history.”38 For obvious reasons, merging information about vulnerabilities and incidents to place a specific value on economic losses due to cyber-enabled trade secret misappropriation is very difficult. Among other challenges, reported incidents are not typically described in terms that enable valuation calculations. In addition, while companies have reporting obligations when breaches expose personal data of their customers, they are not generally obligated to publicize intrusions that expose trade secret information unrelated to customer privacy. 39 Most fundamentally, most intrusions probably go undetected. Despite these challenges, there have been some efforts to put a number on losses. Symantec has written that IP theft (including but not limited to cyber-enabled theft) “is staggeringly costly to the global economy: U.S. businesses alone are losing upwards of $250 billion every year.”40 A May 2013 report from the Commission on the Theft of American Intellectual Property claimed that annual losses to the American economy due from international IP theft were likely over $300 billion.41 Reasonable people can of course differ regarding the accuracy of these assessments. It is beyond doubt, however, that the annual cost to American companies of trade secret theft generally, and of cyber-enabled trade secret theft specifically, is many billions of dollars. Valuable trade secrets attract the attention of highly skilled attackers who have access to a continuing stream of new exploits. Citing data from the National Vulnerability Database,42 HP’s 2013 “Cyber risk report” noted that over 4700 new vulnerabilities were reported through November 2013, and that this number was about 6% lower than the corresponding number for 2012.43 Stated another way, the number of reported new vulnerabilities averages well over ten per day; the number of unreported new vulnerabilities is clearly higher. The HP report also cited approximately 250 vulnerabilities disclosed in 2013 through HP’s Zero Day Initiative, which provides compensation to researchers who disclose verified vulnerabilities and then coordinates the release of patch by the affected product vendor.44 In addition, cyberespionage attacks are notable both in their sophistication and in their increasing frequency. The Verizon 2014 Data Breach Investigations Report45 examined 511 cyberespionage incidents in 2013, noting “consistent, significant growth of incidents in the dataset”46 and that cyberespionage “exhibits a wider variety of threat actions than any other pattern.”47

87

http://www.hoover.org/sites/default/files/ip2-wp14012-paper.pdf

Zero-Days Aff - Michigan 7AT: CHINA WAR DEFENSE

A China-US war escalates to nuclear—weapons overlap and miscalculationRiqiang 14 Associate Professor at the School of International Studies, Renmin University of China, Ph.D. in political science (Wu, “China-US Inadvertent Nuclear Escalation” 5/2/14, http://d3qi0qp55mx5f5.cloudfront.net/cpost/i/docs/Wu_Policy_Memo.pdf) | jsThe fog of war refers to the difficulty of collecting and interpreting information of an ongoing war, and using it to control the war. The impact of the fog of war on the escalatory risk is twofold. First, it makes the U.S. military difficult to discriminate between China’s nuclear and conventional systems, so the U.S. military might attack Chinese nuclear weapons inadvertently. Second, the fog of war also makes the Chinese military difficult to know how many nuclear weapons survive, and the readiness of the surviving weapons, creating high uncertainty in Chinese leaders’ confidence of nuclear retaliation. China’s command and control system is a priority target of the U.S. military. Should a conventional war occur, the combination of Chinese and American military strategies would cause very high escalatory risk. The core of China’s military strategy is “active defense” (jiji fangyu), under which detailed military strategy guidelines were developed. The latest guideline is to win “local war under informationalized conditions.” Given U.S. conventional superiority, the basic principle of Chinese military planning is “asymmetric strategy,” which means to develop asymmetric capabilities to attack the weak links of American kill chain, with the hope of degrading the war-fighting effectiveness of the whole weapon system. Among other capabilities, missiles and submarines, so called anti-access/area denial (A2/AD) capabilities (in Chinese, shashoujian, Assassin’s Mace), are the backbone of China’s asymmetric strategy

88

http://d3qi0qp55mx5f5.cloudfront.net/cpost/i/docs/Wu_Policy_Memo.pdf

Zero-Days Aff - Michigan 7AT: HEG RESILIENT

IP theft destroys American technological superiority Melnitzky 12 Assistant Attorney General at Office of the Attorney General of the State of New York (Alexander B., Cardozo Journal of International and Comparative Law, “NOTE: DEFENDING AMERICA AGAINST CHINESE CYBER ESPIONAGE THROUGH THE USE OF ACTIVE DEFENSES” p.566-7, Winter 2012, Lexis) | js

Because it only takes a few key strokes to initiate this 'transformation,' cyber espionage should be treated as a potential armed attack from the outset. Relying on the potential transformation of cyber espionage into a more lethal attack to justify the use of active defenses skirts the more difficult issue of whether cyber espionage, by itself, is ever enough to justify such defensive actions. Under the effects- based approach, cyber espionage alone can be sufficient to warrant military action. The severity of the problem of data theft is simply too great and its effects are too harmful. Today, "the speed, volume, and global reach of cyber activities make cyber espionage fundamentally and qualitatively different from""" more traditional forms of spying. The scale of theft is unprecedented: "Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies."""' So too, is the lack of risk.""' In the case of the theft of the F-35 data, "[i]f a Cold War spy wanted to move that much information out of a secret, classified facility, he would have needed a small moving van and a forklift. He also would have risked getting caught or killed."2"" As already mentioned, the U.S. government cites the loss in economic value of intellectual property to U.S. businesses in 2008 alone as upwards of $1 trillion.2'" America is being robbed of its most valuable asset: its technological superiority. Prior to the Internet, looting on such a scale could only have been accomplished by a military occupation. The effects-based approach requirement that a cyberattack must cause damage only previously possible by traditional military force is therefore satisfied. In Offensive Cyber Operations and the Use of Force, Lin provides a series of hypothetical cyberattacks and analyzes whether such attacks would constitute an armed attack." One hypothetical involves a cyberattack that disrupts the stock exchange of the fictitious country of Zendia.2"3 Lin provides the following analysis: Bombs dropped on Zendia's stock exchanges at night. so that casualties were minimized, would be regarded as a use of force or an armed attack by most observers, even if physical backup facilities were promptly available so that actual trading was disrupted only for a few hours. The posited cyber attack could have the same economic effects, except that the buildings themselves would not be destroyed. In this case, the cyber attack may be less likely to be regarded as a use of force than a kinetic attack with the same (temporary) economic effect, simply because the lack of physical destruction would reduce the scale of the damage caused. However, a cyber attack against the stock exchanges that occurs repeatedly and continually, so that trading is disrupted for an extended period of time, for days or weeks, would surely constitute a use of force or even an armed attack, even if no buildings were destroyed. 2"' At the heart of Lin's analysis seems to be the idea that a cyberattack causing sustained and substantial economic damage, without any physical damage, can rise to the level of an armed attack. The argument this Note makes regarding cyber espionage is no different, except with cyber espionage, the assault has not lasted mere days or weeks, but years. The important point is that once it is accepted that an armed attack can occur without physical damage, to limit the use of active defenses to cyber "attacks"-the corruption of data-as opposed to cyber "espionage"-the theft of data-is an overly mechanical distinction, which ignores the basic idea of the effects-based approach. It is the effect that matters most.

89

Zero-Days Aff - Michigan 7AT: RUSSIA WAR DEFENSE

War with Russia likely and devastating Nichols 5/7/15 Professor of National Security Affairs at the Naval War College and an adjunct at the Harvard Extension School (Tom, The National Interest, “How America and Russia Could Start a Nuclear War” 5/7/15, http://www.nationalinterest.org/feature/how-america-russia-could-start-nuclear-war-12826)Part of the problem is that Russia now openly considers the use of nuclear weapons in any scenario in which they begin to lose to a superior force. In an ironic reversal of the situation during the Cold War, NATO is now the dominant conventional coalition in Europe, while Russia is a weak state with a large but less powerful army. The Russian Federation has no significant ability to project power far from its borders, and likely cannot sustain a major conventional engagement with a capable opponent for any prolonged period. As a result of this imbalance, the Kremlin has embraced a doctrine of “de-escalation” in which Russia would threaten to use nuclear weapons during a conflict in order to deter an opponent from pursuing further military gains. (While China maintains a public pledge never to be the first to use nuclear arms, Beijing likely has a similar plan should war with the Americans go badly.) How might this doctrine come into play during a crisis? There is far less at stake between Russia and the West now, and the Russians are not commanding a global empire dedicated to a revolutionary ideology. That does not mean, however, that Russian leaders, including President Vladimir Putin, accept the outcome of the Cold War. And so imagine, in the wake of Russia’s successes in Ukraine, that the Russian leadership under

Vladimir Putin decides to test its belief that NATO, as a political alliance, can be broken with a show of force. To this end, the Kremlin attempts to replicate the 2014 Ukraine operation, only this time in a NATO nation,

perhaps in the Baltics or Poland. “Little green men” begin assisting “separatists” in isolating a slice of NATO territory. This time, however, the target responds forcefully: instead of the hapless and disorganized Ukrainians of 2014, the Russians find themselves facing troops with better training and superior Western weapons, who briskly dispatch the Russian “volunteers” and showcase an array of captured Russian arms. The Kremlin, now watching its plans unspool, doubles down. Clinging to the assumption that NATO will fracture and abandon the victim to Russian aggression, the men in Moscow send in Russian regulars to help their “brothers” in the struggle. NATO leaders, contrary to these unrealistic Russian expectations, activate Article V of the NATO charter. Now it’s a real war, and after they clear the skies of inferior Russian aircraft, Western jets soon begin pounding Russian soldiers and obliterating Russian equipment in numbers that defy even the most pessimistic assumptions of the Russian General Staff. Russian losses, viewed instantly and globally across the internet, are heavy. The Russians soon realize they face the prospect of a humiliating defeat. Worse, they may fear a counter-offensive that could spill into Russian territory. The idea of NATO stepping even an inch into Russia fills the generals and their president with dread, especially as the Russian public watches their soldiers being cut to pieces in a foreign country. The Kremlin, at this point, threatens to use nuclear weapons. The West responds by reiterating its demands that the Russians leave NATO territory, by initiating a renewed offensive against the invading forces, and by increasing U.S., British, and French nuclear readiness."As during the Cold War, the keys to a strategic nuclear exchange are rigid military planning, political misperception, and natural human frailty." What happens next is too hard to predict in political terms. If the Russians pull back and borders are restored, the crisis is over.

If, on the other hand, they decide to go all in on what was supposed to be a bluff, they might launch a limited number of tactical nuclear strikes against NATO targets, such as a small number of airfields or command posts, in order to “de-escalate” the situation. (If all of this sounds crazy, remember that this is exactly the scenario the Russians exercised in 1999—while the far more pro-American Russian President Boris Yeltsin was still in power—and have repeatedly practiced since.) As the world reels from the news that nuclear weapons have been detonated in Europe, the Kremlin then issues a warning: everything stops right here, right now, with all forces left in place. Or else. Before the ink dries on the Russian demand, NATO’s response is quick, calibrated, and forceful. A few symbolic targets are chosen: a Russian naval formation in the Black Sea or in the Baltic are destroyed with submarine-launched nuclear weapons. Russian territory is not breached (Yet.) All Western strategic forces are on full alert, ready to strike the entire Russian nuclear infrastructure, including Moscow. The Russians, likewise, are ready to strike hundreds of North American ICBM sites, along with U.S., British, and French submarine pens and bomber bases. If the Russians respond with another round of nuclear strikes inside NATO, a combined Anglo-American (or even Anglo-Franco-American) attack on targets inside Russia near the fighting might be the West’s last ditch to convince the Russians to pull away from their failed gambit. Once a nuclear weapon explodes on Russian soil, however, Russian hardliners, civilian and military, will demand a strike on America or Britain, or both, as revenge and as a show of

resolve. If the crisis goes beyond this initial exchange of nuclear force, with hundreds of thousands of people already dead and injured from nuclear strikes in multiple countries, we can expect all sides to execute their Cold War-era plans, since they’re really still the only ones anyone has. Driven by fear and military logic, the United States and Russia will attack each other’s strategic nuclear capability as quickly as possible, including command and control centers located in or near major cities

like Washington and Moscow. Carefully crafted nuclear war plans, with all their elegant, complicated options, will fall apart in the midst of chaos. Even taking into account weapons destroyed by surprise, rendered inactive by flawed orders, or neutralized

by some kind of technical malfunction, a combined total of several hundred nuclear weapons will fall on each country, including a fair number on Canada, the United Kingdom and France. In the United States, much of the eastern seaboard will burn.

Even a limited strike will require the immediate destruction of Washington along with Navy nuclear installations from Virginia to Florida. In the west, San Diego and Seattle will suffer the most. Omaha, the home of the U.S. Strategic Command, will be gone, along with missile bases and airfields in the mountain states. Fallout will kill many more to the east of all of these targets, and irradiate large swaths of America’s agricultural heartland. In the immediate aftermath, governors will take control of their states as best they can until something like a U.S. government can reconstitute itself. National Guardsmen, along with state and local police forces, will be forced to cope with a terrified and gravely wounded population. Soldiers and cops will find themselves doing everything from protecting food stocks to euthanizing doomed burn victims.

90

Zero-Days Aff - Michigan 7Along with the grisly human cost, the damage to the fragile, electronically-based U.S. infrastructure will be massive. Areas that were untouched in the strikes, from Northern New England to the Deep South, will drown under an influx of refugees. Civil disorder will eventually spiral out of the control of even the most dedicated state military organizations and police forces. Martial law will be common and persistent. In Russia, the situation will be even worse. The full disintegration of the Russian Empire, begun in 1905 and interrupted only by the Soviet aberration, will finally be complete. A second Russian civil war will erupt, and Eurasia, for decades if not longer, will be a patchwork of crippled ethnic states led by strongmen. Some Russian rump state may emerge from the ashes, but it will likely be forever suffocated by a Europe unwilling to forgive so much devastation. I am not enough of an expert on Chinese strategy to know if this situation would be replicated in the Pacific. I cannot help but wonder, however, if the weak and insecure Chinese state, faced by a stunning conventional loss, might panic and take the nuclear option, hoping to shock America into a cease-fire. The devastation to America might even be worse in this case: in order to achieve maximum effect, the small Chinese strategic nuclear force is almost certainly targeted against American cities, from the West Coast inward. The United States of America, in some form, will survive. The People’s Republic of China, like the Russian Federation, will cease to exist as a political entity. How any of this might happen is pure speculation. The

important point is that it is not, in any sense, impossible.

Russia eager to exercise nuclear capabilities—war will go globalFisher 6/29/15 foreign affairs editor for Vox (“How World War III became possible” 6/29/15, http://www.vox.com/2015/6/29/8845913/russia-war)The Western side believes it is playing a game where the rules are clear enough, the stakes relatively modest, and the competition easily winnable. The Russian side, however, sees a game where the rules can be rewritten on the fly, even the definition of war itself altered. For Russia, fearing a threat from the West it sees as imminent and existential, the stakes are unimaginably high, justifying virtually any action or gamble if it could deter defeat and, perhaps, lead to victory. Separately, the ever-paranoid Kremlin believes that the West is playing the same game in Ukraine. Western support for Ukraine's government and efforts to broker a ceasefire to the war there, Moscow believes, are really a plot to encircle Russia with hostile puppet states and to rob Russia of its rightful sphere of influence. Repeated Russian warnings that it would go to war to defend its perceived interests in Ukraine, potentially even nuclear war, are dismissed in most Western capitals as bluffing, mere rhetoric. Western leaders view these threats through Western eyes, in which impoverished Ukraine would never be worth risking a major war. In Russian eyes, Ukraine looks much more important: an extension of Russian heritage that is sacrosanct and, as the final remaining component of the empire, a strategic loss that would unacceptably weaken Russian strength and thus Russian security. Both side are gambling and guessing in the absence of a clear understanding of what the other side truly intends, how it will act, what will and will not trigger the invisible triplines that would send us careening into war. Today's tensions bear far more similarity to the period before World War I During the Cold War, the comparably matched Western and Soviet blocs prepared for war but also made sure that war never came. They locked Europe in a tense but stable balance of power; that balance is gone. They set clear red lines and vowed to defend them at all costs. Today, those red lines are murky and ill-defined. Neither side is sure where they lie or what really happens if they are crossed. No one can say for sure what would trigger war. That is why, analysts will tell you, today's tensions bear far more similarity to the period before World War I: an unstable power balance, belligerence over peripheral conflicts, entangling military commitments, disputes over the future of the European order, and dangerous uncertainty about what actions will and will not force the other party into conflict. Today's Russia, once more the strongest nation in Europe and yet weaker than its collective enemies, calls to mind the turn-of-the-century German Empire, which Henry Kissinger described as "too big for Europe, but too small for the world." Now, as then, a rising power, propelled by nationalism, is seeking to revise the European order. Now, as then, it believes that through superior cunning, and perhaps even by proving its might, it can force a larger role for itself. Now, as then, the drift toward war is gradual and easy to miss — which is exactly what makes it so dangerous. But there is one way in which today's dangers are less like those before World War I, and more similar to those of the Cold War: the apocalyptic logic of nuclear weapons. Mutual suspicion, fear of an existential threat, armies parked across borders from one another, and hair-trigger nuclear weapons all make any small skirmish a potential armageddon. In some ways, that logic has grown even more dangerous. Russia, hoping to compensate for its conventional military forces' relative weakness, has dramatically relaxed its rules for using nuclear weapons. Whereas Soviet leaders saw their nuclear weapons as pure deterrents, something that existed precisely so they would never be used, Putin's view appears to be radically different. Russia's official nuclear doctrine calls on the country to launch a battlefield nuclear strike in case of a conventional war that could pose an existential threat. These are more than just words: Moscow has repeatedly signaled its willingness and preparations to use nuclear weapons even in a more limited war. This is a terrifyingly low bar for nuclear weapons use, particularly given that any war would likely occur along Russia's borders and thus not far from Moscow. And it suggests Putin has adopted an idea that Cold War leaders considered unthinkable: that a "limited" nuclear war, of small warheads dropped on the battlefield, could be not only survivable but winnable. "It’s not just a difference in rhetoric. It’s a whole different world," Bruce G. Blair, a nuclear weapons scholar at Princeton, told the Wall Street Journal. He called Putin's decisions more dangerous than those of any Soviet leader since 1962. "There’s a low nuclear threshold now that didn’t exist during the Cold War." Nuclear theory is complex and disputable; maybe Putin is right. But many theorists would say he is wrong, that the logic of nuclear warfare means a "limited" nuclear strike is in fact likely to trigger a larger nuclear war — a doomsday

91

Zero-Days Aff - Michigan 7scenario in which major American, Russian, and European cities would be targets for attacks many times more powerful than the bombs that leveled Hiroshima and Nagasaki. Even if a nuclear war did somehow remain limited and contained, recent studies suggest that environmental and atmospheric damage would cause a "decade of winter" and mass crop die-outs that could kill up to 1 billion people in a global famine.

US and Russian cyber capabilities increase risk of nuclear war—miscalculation Cimbala 14 Distinguished Professor of Political Science, Penn State Brandywine, author of numerous books and articles in the fields of international security studies, defense policy, nuclear weapons and arms control, intelligence (Stephen J., Air & Space Power Journal 28.2, “Nuclear Deterrence and Cyber: The Quest for Concept” p. 88 – 90, Mar/Apr 2014, ProQuest) | jsWhat are the implications of potential overlap between concepts or practices for cyber war and for nuclear deterrence?4 Cyber war and nuclear weapons seem worlds apart. Cyber weapons should appeal to those who prefer a nonnuclear or even a postnuclear military-technical arc of development. War in the digital domain offers, at least in theory, a possible means of crippling or disabling enemy assets without the need for kinetic attack or while minimizing physical destruction.5 Nuclear weapons, on the other hand, are the very epitome of "mass" destruction, such that their use for deterrence or the avoidance of war by the manipulation of risk is preferred to the actual firing of same. Unfortunately, neither nuclear deterrence nor cyber war will be able to live in distinct policy universes for the near or distant future. Nuclear weapons, whether held back for deterrence or fired in anger, must be incorporated into systems for command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR). The weapons and their C4ISR systems must be protected from attacks both kinetic and digital in nature. In addition, the decision makers who have to manage nuclear forces during a crisis should ideally have the best possible information about the status of their own nuclear and cyber forces and command systems, about the forces and C4ISR of possible attackers, and about the probable intentions and risk acceptance of possible opponents. In short, the task of managing a nuclear crisis demands clear thinking and good information. But the employment of cyber weapons in the early stages of a crisis could impede clear assessment by creating confusion in networks and the action channels that depend upon those networks.6 The temptation for early cyber preemption might "succeed" to the point at which nuclear crisis management becomes weaker instead of stronger. Ironically, the downsizing of US and post-Soviet Russian strategic nuclear arsenals since the end of the Cold War, while a positive development from the perspectives of nuclear arms control and nonproliferation, makes the concurrence of cyber and nuclear attack capabilities more alarming. The supersized deployments of missiles and bombers and expansive numbers of weapons deployed by the Cold War Americans and Soviets had at least one virtue. Those arsenals provided so much redundancy against first-strike vulnerability that relatively linear systems for nuclear attack warning, command and control, and responsive launch under-or after-attack sufficed. At the same time, Cold War tools for military cyber mischief were primitive compared to those available now. In addition, countries and their armed forces were less dependent on the fidelity of their information systems for national security. Thus the reduction of US, Russian, and possibly other forces to the size of "minimum deterrents" might compromise nuclear flexibility and resilience in the face of kinetic attacks preceded or accompanied by cyber war.7 Offensive and defensive information warfare as well as other cyberrelated activities is obviously very much on the minds of US military leaders and others in the American and allied national security establishments.8 Russia has also been explicit about its cyber-related concerns. President Vladimir Putin urged the Russian Security Council in early July 2013 to improve state security against cyber attacks.9 Russian security expert Vladimir Batyuk, commenting favorably on a June 2013 US-Russian agreement for protection, control, and accounting of nuclear materials (a successor to the recently expired Nunn-Lugar agreement on nuclear risk reduction), warned that pledges by Presidents Putin and Barack Obama for cooperation on cybersecurity were even more important: "Nuclear weapons are a legacy of the 20th century. The challenge of the 21st century is cybersecurity."10 On the other hand, arms control for cyber is apt to run into daunting security and technical issues, even assuming a successful navigation of political trust for matters as sensitive as these. Of special significance is whether cyber arms-control negotiators can certify that hackers within their own states are sufficiently under control for cyber verification and transparency. The cyber domain cuts across the other geostrategic domains for warfare as well: land, sea, air, and space. However, the cyber domain, compared to the others, suffers from the lack of a historical perspective. One author argues that the cyber domain "has been created in a short time and has not had the same level of scrutiny as other battle domains."11 What this might mean for the cyber-nuclear intersection is far from obvious. Thble 1 summarizes some of the major attributes that distinguish nuclear deterrence from cyber war, according to experts, but the differences between nuclear and cyber listed here do not contradict the prior observation that cyber and nuclear domains inevitably interact in practice. According to research professors Panayotis A. Yannakogeorgos and Adam B. Lowther at the US Air Force Research Institute, "As airmen move toward the future, the force structure-and, consequently, force-development programs-must change to emphasize the integration of manned and remotely piloted aircraft, space, and cyber-power projection capabilities."12

92

Zero-Days Aff - Michigan 7AT: NO RUSSIAN MODERNIZATION

Russian nuclear militarization nowReid 15 Professor of Law at University of St. Thomas School of Law (Charles J., University of St. Thomas Journal of Law and Public Policy, “VLADIMIR PUTIN’S CULTURE OF TERROR: WHAT IS TO BE DONE?” p. 47 – 49)By the end of 1999, however, with Vladimir Putin the rising power in the Kremlin, shifts were becoming discernible. Instead of viewing nuclear weapons as a last resort where national survival was at stake,390 nuclear doctrine was revised to reserve to Russia “[t]he use of all forces and means at its disposal, including nuclear weapons, in case [Russia] needs to repel an armed aggression, if all other measures of resolving the crisis situation have been exhausted or proved ineffective.”391 Commentators immediately noticed that the revised doctrine struck a far different nuclear posture from the Gorbachev/Yeltsin policy.392 Nikolai Sokov wrote that Putin’s doctrine now “allowed for the use of nuclear weapons as a deterrence to smaller-scale wars that do not necessarily threaten Russia’s existence and sovereignty.”393 Ian Traynor found something else to worry about in the Putin’s new pronouncement: He had in another part of his statement “unequivocally declar[ed] the West a hostile power that must be resisted.”394 Furthermore, even while he said he would not increase his nuclear arsenal, Putin promised from his first days in office to modernize and upgrade it.395 And as if to underscore his altered focus, in 2001 Putin moved tactical nuclear weapons to Kaliningrad, the former East Prussian city of Königsberg, now a small Russian enclave set among the Baltic States and geographically separated from Russia proper.396 In the years since, Putin has taken steps to build a nuclear arsenal with what is known as intermediate force capability. At law, there is an obstacle to such development. In 1987, Ronald Reagan and Mikhail Gorbachev agreed to the Intermediate Range Nuclear Forces Treaty,397 which called for the elimination of cruise missiles and ground-launched inter-continental ballistic missiles with a range between 500 and 5,500 kilometers (300 to 3,400 miles).398 In February, 2007, Putin indicated a desire to withdraw from the Treaty.399 The Americans, he said, had taken actions inconsistent with its obligations by proposing to construct a missile defense in Eastern Europe400 and there was additionally a need to deter growing Chinese nuclear capability.401 Putin did not formally withdraw from the intermediate forces treaty,402 although the evidence is compelling that he has now developed a modern and sophisticated arsenal of intermediate-range nuclear weapons. It was alleged in a letter to the Russian government in the summer of 2014 that as far back as 2008, Russia began testing “a prohibited ground-launched cruise missile.”403 Without providing supporting documentation, the United States Department of State subsequently declared categorically that “the Russian Federation is in violation of its obligations under the INF Treaty not to possess, produce, or flight-test a ground-launched cruise missile [within the prohibited range].”404 There has been substantial speculation as to the types of missiles Putin has been testing.405 Some have suggested that the Russians might have modified the R-500 short-range cruise missile to a range that now falls within the Treaty’s prohibition.406 Others have guessed that Russia has modified a sea-launched cruise missile for land-based deployment.407 In response to the Department of State’s allegations, Russia threatened to withdraw from the Treaty.408 In September, 2014, Vladimir Putin issued a series of more direct challenges. He reminded the world that “Russia is one of the most powerful nuclear nations. This is a reality, not just words.”409 He test-fired an inter-continental ballistic missile.410 And he declared that Russia is, indeed, working on new generation of “nuclear and conventional weapons.”411

93

Zero-Days Aff - Michigan 7AT: NO RUSSIAN IP THEFT

Russian IP theft will target US military technologyONCIX 11 United States Office of the National Counterintelligence Executive (“FOREIGN SPIES STEALING US ECONOMIC SECRETS IN CYBERSPACE” p. 7-8, Oct. 2011, http://www.ncsc.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf) | jsLittle change in principal threats. The IC anticipates that China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace. Both will almost certainly continue to deploy significant resources and a wide array of tactics to acquire this information from US sources, motivated by the desire to achieve economic, strategic, and military parity with the United States. China will continue to be driven by its longstanding policy of “catching up fast and surpassing” Western powers. An emblematic program in this drive is Project 863, which provides funding and guidance for efforts to clandestinely acquire US technology and sensitive economic information. The project was launched in 1986 to enhance China’s economic competitiveness and narrow the science and technology gap between China and the West in areas such as nanotechnology, computers, and biotechnology. • The growing interrelationships between Chinese and US companies—such as the employment of Chinese-national technical experts at US facilities and the off-shoring of US production and R&D to facilities in China—will offer Chinese Government agencies and businesses increasing opportunities to collect sensitive US economic information. • Chinese actors will continue conducting CNE against US targets. Two trends may increase the threat from Russian collection against US economic information and technology over the next several years. • The many Russian immigrants with advanced technical skills who work for leading US companies may be increasingly targeted for recruitment by the Russian intelligence services. • Russia’s increasing economic integration with the West is likely to lead to a greater number of Russian companies affiliated with the intelligence services—often through their employment of ostensibly retired intelligence officers—doing business in the United States. Technologies likely to be of greatest interest. Although all aspects of US economic activity and technology are of potential interest to foreign intelligence collectors, we judge that the highest interest may be in the following areas. Information and communications technology (ICT). ICT is a sector likely to remain one of the highest priorities of foreign collectors. The computerization of manufacturing and the push for connectedness mean that ICT forms the backbone of nearly every other technology used in both civilian and military applications. • Beijing’s Project 863, for example, lists the development of “key technologies for the construction of China’s information infrastructure” as the first of four priorities. Military technologies. We expect foreign entities will continue efforts to collect information on the full array of US military technologies in use or under development. Two areas are likely to be of particular interest: • Marine systems. China’s desire to jump-start development of a blue-water navy—to project power in the Taiwan Strait and defend maritime trade routes—will drive efforts to obtain sensitive US marine systems technologies. • Aerospace/aeronautics. The air supremacy demonstrated by US military operations in recent decades will remain a driver of foreign efforts to collect US aerospace and aeronautics technologies.

Russian IP theft motivated by need for economic and military developmentSmith 12 Director of the Potomac Institute Cyber Center; former US Ambassador at the US-Soviet Defense and Space talks, Chief Operating Officer of the National Institute for Public Policy, President of Global Horizons, Inc. consulting on defense and international security, Chief of Staff for Arizona Congressman Jon Kyl, Assistant for Strategic Policy and Arms Control to Senate Republican Leader Bob Dole, professional staff for the Senate Committee on Foreign Relations, staff of the Joint Chiefs of Staff (David J., Defense Dossier, “How Russia Harnesses Cyberwarfare” p. 14, Aug. 2012, http://www.afpc.org/files/august2012.pdf) | jsUnsurprisingly, Russia’s diplomatic activities on the cyber front reflect its policies on information warfare and information security. While steadfastly refusing to sign the European Convention on Cybercrime, a highly effective international approach to cyber security challenges, it joins China and a few others in plying proposals aimed at enhancing information security—that is, shielding autocratic states from the free flow of information across the Internet. Meanwhile, Russia has undertaken a major effort at strategic cyber espionage against the United States. It is strategic in the sense that it is not just a government’s spy agency trying to steal bits of classified information or an enterprise conducting industrial espionage. Rather, it is a concerted effort to steal American intellectual property to achieve a level technological development that Russia cannot achieve on its own. In this regard, it is worth repeating an October 2011 finding of the U.S. Counterintelligence Executive. Motivated by Russia’s high dependence on natural resources, the need to diversify its economy, and the belief that the global economic system is tilted toward US and other Western interests at the expense of Russia, Moscow’s highly capable intelligence services are using HUMINT, cyber, and other operations to collect economic information and technology to support Russia’s economic development and security.8 In sum, Russia—in its capabilities and its intent—presents a major cyber challenge to the United States. The only difference

94

http://www.afpc.org/files/august2012.pdf

http://www.ncsc.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

Zero-Days Aff - Michigan 7between it and China may be, as Jeff Carr points out, that it is seldom caught. And that, alone, may make it the number one cyber threat.

Russian IP theft motivated by need for economic and military developmentBooz Allen Hamilton 12 American consulting firm (“Cyber Theft of Corporate Intellectual Property: The Nature of The Threat” p. 15, http://www.boozallen.com/media/file/Cyber-Espionage-Brochure.pdf) Russia's own espionage effort is also driven by a desire to diversify its economy and reduce its dependence on natural resources, according to the NCIX report. Russia too has a sense of grievance; it believes the global economic system is tilted in the favor of Western countries at its expense. Though Russia has denied hacking, it has enlisted its intelligence services to help carry out its economic policy goals. The director of Russia's Foreign Intelligence Service, Mikhail Fradkov, said in December 2010 that it 'aims at supporting the process of modernization of our country and creating the optimal conditions for the development of its science and technology.' IP theft threatens some companies more than others. Companies that are less dependent on IP for competitive advantage may be able to recover fairly quickly. Indeed, the ElU's survey shows that many executives are optimistic about their companies'abi|ities to respond to IP attacks, with 48% of respondents saying that while die theft of IP would cause damage in the short-term, they would be able to recover. Companies that innovate quickly-and develop new IP-may find that they continue to outpace aIso-ran competitors who have tried to steal their older ideas. In the most alarmist scenarios, however, IP theft by low-cost competitors manifests itself only years later in reduced industry competitiveness, slower economic growdi, lost jobs, and even lower living standards. By the same token, defense technologies and secrets stolen from US industry and government networks could give China and Russia military advantages worth billions.

95

http://www.boozallen.com/media/file/Cyber-Espionage-Brochure.pdf

http://www.boozallen.com/media/file/Cyber-Espionage-Brochure.pdf


CRITICAL INFRASTRUCTURE ADVANTAGE

96

Zero-Days Aff - Michigan 72AC CRITICAL INFRASTRUCTURE BRINK

Critical infrastructure is on the brink now—risk of cyberattacks has surpassed terrorism as the biggest threatAssante 14 (Mr. Assante is director of Industrial Control Systems as well as Supervisory Control and Data Acquisition Networks for the SANS Institute. “America’s critical infrastructure vulnerable to cyberattacks”. 11/11/2014, http://www.forbes.com/sites/realspin/2014/11/11/americas-critical-infrastructure-is-vulnerable-to-cyber-attacks/)

Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers. The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks. That's because U.S. intelligence and military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems. The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. Moreover, the money going for offense lures some talented researchers away from work on defense , while tax dollars may end up flowing to skilled hackers simultaneously supplying criminal groups. "The only people paying are on the offensive side," said Charlie Miller, a security researcher at Twitter who previously worked for the National Security Agency. A spokesman for the NSA agreed that the proliferation of hacking tools was a major concern but declined to comment on the agency's own role in purchasing them, citing the "sensitivity" of the topic. America's offensive cyber-warfare strategy - including even the broad outlines and the total spending levels - is classified information. Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has been most widely reported - the use of a virus known as Stuxnet to disrupt Iran's nuclear-research program - was lauded in Washington. Officials confirmed to Reuters previously that the U.S. government drove Stuxnet's development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command. Stuxnet, while unusually powerful, is hardly an isolated case. Computer researchers in the public and private sectors say the U.S. government , acting mainly through defense contractors, has become the dominant player in fostering the shadowy but large-scale commercial market for tools known as exploits, which burrow into hidden computer vulnerabilities. In their most common use, exploits are critical but interchangeable components inside bigger programs. Those programs can steal financial account passwords, turn an iPhone into a listening device, or, in the case of Stuxnet, sabotage a nuclear facility. Think of a big building with a lot of hidden doors, each with a different key. Any door will do to get in, once you find the right key. The pursuit of those keys has intensified. The Department of Defense and U.S. intelligence agencies, especially the NSA, are spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head, according to longtime researchers and former top government officials. Many talented hackers who once alerted companies such as Microsoft Corp to security flaws in their products are now selling the information and the exploits to the highest bidder, sometimes through brokers who never meet the final buyers. Defense contractors and agencies spend at least tens of millions of dollars a year just

on exploits , which are the one essential ingredient in a broader cyber-weapons industry generating hundreds of millions annually, industry executives said privately. Former White House cybersecurity advisors Howard Schmidt and Richard Clarke said in interviews that the government in this way has been putting too much emphasis on offensive capabilities that by their very nature depend on leav ing U.S. business and consumers at risk . "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," Clarke said. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't." Acknowledging the strategic trade-offs, former NSA director Michael Hayden said: "There has been a traditional calculus between protecting your offensive capability and strengthening your defense. It might be time now to readdress that at an important policy level, given how much we are suffering." The issue is sensitive in the wake of new disclosures about the breadth and scale of hacking attacks that U.S. intelligence officials attribute to the Chinese government. Chinese officials deny the allegations and say they too are hacking victims. Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on

97

http://www.forbes.com/sites/realspin/2014/11/11/americas-critical-infrastructure-is-vulnerable-to-cyber-attacks/

http://www.forbes.com/sites/realspin/2014/11/11/americas-critical-infrastructure-is-vulnerable-to-cyber-attacks/

Zero-Days Aff - Michigan 7risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself. Most companies, including Microsoft, Apple Inc and Adobe Systems Inc, on principle won't pay researchers who report flaws, saying they don't want to encourage hackers. Those that do offer "bounties", including Google Inc and Facebook Inc, say they are hard-pressed to compete financially with defense-industry spending. Some national-security officials and security executives say the U.S. strategy is perfectly logical: It's better for the U.S. government to be buying up exploits so that they don't fall into the hands of dictators or organized criminals. UNINTENDED CONSEQUENCES When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

98

Zero-Days Aff - Michigan 72AC FOOD SHORTAGES ADD-ON

The rest of the world depends on the US for food, but Water disruption collapses ag Smith 14 (Ron Smith is editor at Southwest Farm Press. Farm Futures: “U.S. Ag: Poised to Feed the World?” published January 12th, 2014. http://farmfutures.com/story-ag-poised-feed-world-18-107236) KalMThe challenge is daunting: Within 40 years, farmers across the world will need to double production and do it with fewer resources - especially water - to feed, clothe and provide energy for a global population of 9 billion souls. “Farmers will need to produce as much food, feed and fiber during the first half of this century as has been produced over the last 100 centuries combined to meet the growing demand,” says Greg Hart, John Deere sales manager for the U.S. Western Region. Hart says the “future of the world depends on agriculture,” and much of that increased production will come from U.S. farmers. “U.S. agriculture will be at the forefront of solving food production challenges for the world," he says. "No one is better positioned than U.S. farmers.” It will not be easy. Most of the population growth expected to occur by 2050 will take place where diets are already less than adequate. Africa will account for 41% of the population growth, second to Asia’s 49%. North American growth is anticipated to increase only 4% and South America only 7%. Europe’s population could decline by about 1%. Obstacles include meshing productivity with sustainability and resource stewardship. Lack of a skilled labor force, especially in developing nations, also poses significant problems. “Our challenge is to do more with less skilled labor,” Hart says. Production variables will continue to challenge farmers. Weather is the big one. Hart said agricultural yield has followed a strong upward trend since the early 1990s. “But we also had a reduction in 2012 from drought. In 2013, the Southwest had a late spring that hurt production.” Much of the region remains in a three-year drought cycle. “We are just one or two weather events away from either a surplus or a deficit. That’s the volatility of agriculture. We must continue to work to optimize production and continue to improve that trend line.” Increased production Agriculture has to increase productivity with more limited resources. “The resource base is shrinking. In 10 years, water demand will be 17& higher than availability,” Hart says. Improving irrigation efficiency will help. Currently, 18% of the world’s agricultural land is irrigated, but that 18% provides 40% of crop production and 60% of cereal production. “But more than half of the world’s irrigation is by the most inefficient method, gravity flow,” Hart adds. Focusing on more efficient systems, such as low energy precision application (LEPA) and subsurface drip irrigation (SDI), will help. “Agriculture will have to compete for water, and we will see more regulation and higher costs.” Including energy production into the equation puts even more pressure on agricultural productivity. Achieving production targets, he says, will demand “smart use of available resources.

WMD conflict and extinctionLugar, 4 (Richard G., former U.S. Senator – Indiana and Former Chair – Senate Foreign Relations Committee, “Plant Power”, Our Planet, 14(3), http://www.unep.org/ourplanet/imgversn/143/lugar.html)

In a world confronted by global terrorism, turmoil in the Middle East, burgeoning nuclear threats and other crises, it is easy to lose sight of the long-range challenges. But we do so at our peril. One of the most daunting of them is meeting the world’s need for food and energy in this century. At stake is not only preventing starvation and saving the environment, but also world peace and security . History tells us that states may go to war over access to resources, and that poverty and famine have often bred fanaticism and terrorism . Working to feed the world will minimize factors that contribute to global instability and the proliferation of w eapons of mass destruction. With the world population expected to grow from 6 billion people today to 9 billion by mid-century, the demand for affordable food will increase well beyond current international production levels. People in rapidly developing nations will have the means greatly to improve their standard of living and caloric intake. Inevitably, that means eating more meat. This will raise demand for feed grain at the same time that the growing world population will need vastly more basic food to eat. Complicating a solution to this problem is a dynamic that must be better understood in the West: developing countries often use limited arable land to expand cities to house their growing populations. As good land disappears, people destroy

timber resources and even rainforests as they try to create more arable land to feed themselves. The long-term

99

http://www.unep.org/ourplanet/imgversn/143/lugar.html

Zero-Days Aff - Michigan 7environmental consequences could be disastrous for the entire globe. Productivity revolution To meet the expected demand for food over the next 50 years, we in the United States will have to grow roughly three times more food on the land we have. That’s a tall order. My farm in Marion County, Indiana, for example, yields on average 8.3 to 8.6 tonnes of corn per hectare – typical for a farm in central Indiana. To triple our production by 2050, we will have to produce an annual average of 25 tonnes per hectare. Can we possibly boost output that much? Well, it’s been done before. Advances in the use of fertilizer and water, improved machinery and better tilling techniques combined to generate a threefold increase in yields since 1935 – on our farm back then, my dad produced 2.8 to 3 tonnes per hectare. Much US agriculture has seen similar increases. But of course there is no guarantee that we can achieve those results again. Given the urgency of expanding food production to meet world demand, we must invest much more in scientific research and target that money toward projects that promise to have significant national and global impact. For the United States, that will mean a major shift in the way we conduct and fund agricultural science. Fundamental research will generate the innovations that will be necessary to feed the world. The United States can take a leading position in a productivity revolution. And our success at increasing food production may play a decisive humanitarian role in the survival of billions of people and the health of our planet.

100

Zero-Days Aff - Michigan 72AC ECON ADD-ON

Cyber-attacks are the biggest threat to the US economyMoy 15 (Ed Moy: B.A. from the University of Wisconsin-Madison with majors in economics, international relations and political science. News Max Finance: “Cyber Attacks Pose Biggest Unrecognized Threat to Economy” published May 8th, 2015. Accessed June 25, 2015. http://www.newsmax.com/Finance/Ed-Moy/cyber-attack-terrorism-economy/2015/05/07/id/643241/) KalMThere is no shortage of threats to the U.S. economy: fragile growth, increasing regulation, the timing of the Fed’s raising interest rates, White House and congressional inaction, out-of-control entitlements, and a punitive and complicated tax system. Yet the biggest threat may be one that is least mentioned: cyber attacks. Cyber attacks have been expanding quickly from criminal gain to corporate espionage to ideological warfare. And these attacks have been increasing in frequency, scale, sophistication and severity. The primary reason for cyber attacks has been financial gain. Criminals go where the money is and there is easy money using personal data to commit fraud. Credit card data are sold to other criminals who use them to make purchases. Medical data are used to create new personal identities for credit card and bank fraud. Health insurance information is used to make false claims, access addictive prescription drugs and get free medical treatment. As a result, stealing personal data has reached epidemic proportions. The numbers from recent data breaches are staggering: credit card information from 56 million Home Depot and 70 million Target customers, 145 million login credentials from eBay, contact information for 76 million J.P. Morgan Chase customers and 80 million Anthem customers. Even small companies are not immune to these cyber attacks. From card skimmers to point-of-sale intrusions, data theft rings have targeted relatively unprotected small businesses as a new and vast profit center. The economic costs are monumental. It costs the breached organization an average of $200 per compromised record, mostly from business disruption and revenue loss. That does not include intangible costs like losing customer loyalty or hurting a company’s brand. To add insult to injury, corporate espionage attacks are increasing. Stealing intellectual property and spying on competitors comprises a growing number of attacks and come at huge costs to the company that has been hacked. And the big difference with corporate spying is that the attacker usually does not give up until they are successful. Finally, and most dangerous, are ideologically and politically motivated attacks. Cyber attacks have proven that computers are very vulnerable. But like any profit-driven enterprise, criminals and corporations are adverse to killing the goose that lays their golden eggs. Even nation states like China and Russia may be too co-dependent on the U.S. But the growth of ideologically driven movements is changing the risk. It is not a huge leap of imagination to envision a radical environmental group hacking into our energy infrastructure. Or terrorist groups like ISIS, Boko Haram and al Qaeda wanting to bring down our banking system. Ideological or political enemies can exploit the same vulnerabilities but have no remorse about maiming or killing the goose. In the recent annual threat assessment delivered to Congress, the National Director of Intelligence said that cyber attacks by politically and criminally motivated actors are the biggest threat to U.S. national security. In this brave new world, the good guys are playing catch up to the bad guys, who seem to always be one step ahead.

Economic decline leads to war – empirics: Jobs and econ decline can each trigger the impactMead 9 (2/4, Walter Russell, Henry A. Kissinger Senior Fellow in U.S. Foreign Policy at the Council on Foreign Relations, Only Makes You Stronger: Why the recession bolstered America, The New Republic, http://www.newrepublic.com/article/only-makes-you-stronger-0) //JRW

None of which means that we can just sit back and enjoy the recession. History may suggest that financial crises actually help capitalist great powers maintain their leads--but it has other, less reassuring messages as well. If financial crises have been a normal part of life during the 300-year rise of the liberal capitalist system under the Anglophone powers, so has war. The wars of the League of Augsburg and the Spanish Succession; the Seven Years War; the American Revolution; the Napoleonic Wars; the two World Wars; the cold war: The list of wars is almost as long as the list of financial crises. Bad economic times can breed wars. Europe was a pretty peaceful place in 1928, but the Depression poisoned German public opinion and helped bring Adolf Hitler to power. If the current crisis turns into a depression, what rough beasts might start slouching toward Moscow, Karachi, Beijing, or New Delhi to be born? The United States may not, yet, decline, but, if we can't get the world economy back on track, we may still have to fight.

101

http://www.newsmax.com/Finance/Ed-Moy/cyber-attack-terrorism-economy/2015/05/07/id/643241/

http://www.newsmax.com/Finance/Ed-Moy/cyber-attack-terrorism-economy/2015/05/07/id/643241/


102

Zero-Days Aff - Michigan 72AC PLAN SOLVES CRITICAL INFRASTRUCTURE

Absent federal action, zero-day vulnerabilities threaten critical US infrastructureCastelli 14 (Christopher J. Castelli, Senior Correspondent at Inside Cybersecurity, “Policy debate looms on U.S. role in market for 'zero-day' cyber threats”, May 5, 2014, http://insidecybersecurity.com/Cyber-General/Cyber-Public-Content/policy-debate-looms-on-us-role-in-market-for-zero-day-cyber-threats/menu-id-1089.html)//CLi

In a bid to address questions about the federal government's willingness to conceal and exploit cybersecurity vulnerabilities for intelligence purposes, the White House last week issued a statement on how it decides whether to reveal such a flaw, noting a key factor is protecting critical infrastructure. But there remains a looming policy debate about how to control the proliferation of zero-day exploits and whether the United States is in some ways contributing to the problem. The United States has been accused of creating and fueling the market for zero-day exploits by paying very high prices for them, former Pentagon homeland-defense chief Paul Stockton and a co-author noted earlier this year in an essay for the Yale Law and Policy Review. Both "white hat" and "black hat" markets have emerged for identified zero-day threats, which exploit previously unknown vulnerabilities. The re is also a " burgeoning gray market ," the essay notes, where companies sell the exploits to governments and other unreported customers with screening that is "far too lenient to safeguard critical U.S. infrastructure from attack ." Stockton's essay -- which underscored the risk the exploits pose to the U.S. electric grid and other critical infrastructure sectors -- urged U.S. policymakers to consider reining in the practice of paying so much for the flaws, adding there is "no evidence" that the agencies who exploit them weigh the benefits against the "potentially catastrophic risks" that the zero-day market poses to U.S. security. "The time has come for Congress, Executive Branch leaders, the software industry, and scholars to bring this tradeoff analysis into the open and determine whether staying at the extreme end of the policy spectrum -- that of de facto support for a dangerous bazaar for zero-day-exploits -- best serves U.S. national security," wrote Stockton and co-author Michele Golabek-Goldman, a student at Yale University Law School. Last spring, in a speech at Georgetown University, Eric Rosenbach, then the Pentagon's deputy assistant secretary of defense for cyber policy, voiced serious concern about the black market for cyber vulnerabilities. "I am very, very concerned about that growing market for zero-day exploits, for destructive malware," he said at the time. But when asked last week whether the Obama administration is considering reducing purchases of zero-day exploits to control the booming market, Laura Lucas Magnuson, a spokeswoman for White House Cybersecurity Coordinator Michael Daniel, disputed the notion of a booming market. "The U.S. government does not see evidence that there is a booming market for zero-day exploits," she told Inside Cybersecurity. "Instead, the private sector is stepping up to create innovative solutions to our cybersecurity challenges such as 'bug bounty' programs or crowd-sourcing the process of vulnerability discovery." These kinds of " innovative solutions . . . are critical to improving how we identify and patch unknown vulnerabilities and protect U.S. networks and the Internet as a whole ," she continued. "We are looking at whether the U.S. government can or should play a role in encouraging the development of such solutions." Congress has taken an interest in controlling the proliferation of zero-day and other cyber exploits. How the administration responds to recent legislation could shed light on the way ahead. The fiscal year 2014 National Defense Authorization Act directs the president to launch an interagency process to create an integrated policy to control the proliferation of cyber weapons through various means. The legislation also mandates the development of a new cyber deterrence policy.

Cooperation with private sector key to defend critical infrastructureKramer et al 9 distinguished research fellow in the Center for Technology and National Security Policy at the National Defense University, Distinguished Fellow at the Brent Scowcroft Center on International Security; former Assistant Secretary of Defense for International Security Affairs, Deputy Assistant Secretary of Defense for European and NATO Affairs, Principal Deputy Assistant Secretary of Defense for International Security Affairs, Special Assistant to the Assistant Secretary of Defense for International Security Affairs, president of the World Affairs Council of Washington, D.C, advisor for the Center for National Policy, advisor for the Technical Advisory Committee for the Center for Naval Analyses' Strategic Policy Analysis Group, member of the International Institute for Strategic Studies, principal of the Council for Excellence in Government (Franklin, Cyber Power and National Security, p.553-4) | js

103

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/report-urges-policymakers-to-curb-booming-cyber-arms-sales/menu-id-1075.html

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2364658

http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities


Here, too, the Federal Government has not yet provided leadership on international cyber response and recovery issues. The government must provide a clear definition of the factors that determine a cyber incident of national significance, including specific triggers and protocols for response escalation. This policy should clarify the legal authorities of the Federal Government during a cyber incident and set goals for expected Federal interactions with the private sector and with government entities at the state and local level. It should strengthen international understanding of and cooperation on cyber issues and establish initiatives to engage the international community in discussion of appropriate actions during cyber crises. The Federal Government should also set expectations for the private sector. The business community plays a major role in critical infrastructure protection, but there is widespread confusion as to how it should prepare for, respond to, or recover from catastrophic cyber incidents. The private sector owns and operates a large share of the critical infrastructure in the United States, but the Federal Government, too, owns and operates much of it. As part of its traditional role of managing catastrophic incidents, the government has a responsibility to protect this infrastructure. The U.S. Government should leverage its extensive global networks to establish early warning and information-sharing protocols that could be used by both the government and private sector in the event of emergency. In serving as a leader to the private sector, the Federal Government should inform the private sector of what it can expect from government departments and agencies; establish minimum expectations for actions from the private sector; and mandate liabilities for failure to perform in a satisfactory manner. It should also establish central points of contact that are easily accessible to private sector stakeholders. These government actions to manage catastrophic incidents should be clearly defined, so as to provide clear guidelines to the private sector. The private sector also has a responsibility to protect its infrastructure. The business community must take the initiative and not simply wait for guidance from the Federal Government. Private sector stakeholders must join to form their own points of contact. The Information Sharing and Analysis Centers (ISACs) now established in several critical industry sectors are a start, but more is needed. The private sector should communicate with the government to establish joint expectations that are acceptable to both the public and private sectors. Business leaders should focus efforts on learning how to manage important economic issues that may be affected by a cyber disruption, such as public trust and confidence in the markets.29 CEOS and other senior business officials must plan within their own companies and industries in order to maintain business functionality during catastrophic incidents.

104

Zero-Days Aff - Michigan 7AT: CRITICAL INFRASTRUCTURE SAFE

Software vulnerability products are used to target variety of critical infrastructureScott 08 (Michael D. Scot, M.D. “Tort liability for vendors of insecure software: Has the time finally come?” Maryland Law Review 67, 2 (2008); http://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=3320&context=mlr.) KalM

Software vulnerabilities cost businesses and consumers tens of billions of dollars each year.2

Every day brings news of freshly discovered security flaws in major software products.3 While Microsoft, due to its prominence in the operating system market,4 gets the brunt of the criticism for these flaws,5 there are many other companies whose software is also targeted for security-related complaints.6 Yet, software vendors have traditionally refused to take responsibility for the security of their software, and have used various risk allocation provisions of the Uniform Commercial Code (U.C.C.) to shift the risk of insecure software to the licensee.7 There were a few early cases in which licensees sought to have courts hold vendors liable for distributing defective

software. These cases were unsuccessful.8 Since September 11, 2001,9 increased attention has been given to the security of critical infrastructures ,10 including transportation, finance,11 the power grid,12 water supply and waste management sys-tems,13 computer networks,14 military,15 and homeland security and disaster recovery,16 to name but a few.17 These sectors “are increasingly dependent on the evolving information infrastructure,”18 which in turn is increasingly dependent on secure software.19 The

growing risks inherent in insecure information technology systems have prompted corporate executives,20

computer security experts,21 commentators,22 lawyers,23 and government officials24 to call for action.

Software vulnerabilities are abused for cyber attacksKuehn 14 (Andreas Kuehn: School of Information Studies, Syracuse University 221 Hinds Hall Syracuse, New York 13244; Milton Mueller: School of Information Studies, Syracuse University 307 Hinds Hall Syracuse, New York 13244. NSPW '14 Proceedings of the 2014 workshop on New Security Paradigms Workshop Pages 63-68: “Shifts in the Cybersecurity Paradigm: Zero-Day Exploits, Discourse, and Emerging Institutions.” Published 2014. Accessed June 24th, 2015.Software vulnerabilities and exploits have attracted significant attention recently because of their implications for cybersecurity, cyber crime, and cyber war. In recent years, actors began to realize the economic and military value of retaining exclusive knowledge of vulnerabilities. A market has developed for the production and distribution of software vulnerabilities; buyers sometimes pay over USD 100,000 for software exploits. Major software companies now run bug bounty programs to acquire vulnerabilities in order to patch their products. Security firms, such as VUPEN, Endgame, Netragard, and TippingPoint’s Zero Day Initiative bring together suppliers and buyers in this market. U.S. government intelligence services have become a de facto regulator by virtue of their ability to spend millions to develop or acquire software exploits. A software vulnerability, also referred to as a security bug, is a flaw in computer code that can compromise the security of a computer system. Software and network protocols often contain security vulnerabilities that are unintended consequences of design choices or mathematical errors in models. An exploit makes use of such vulnerabilities to circumvent security mechanisms and allows unauthorized actors to intrude into, destroy, manipulate or steal data from an information system. A zero-day exploit (ZDE) is a special type of exploit. It makes use of an undisclosed vulnerability, whose existence is kept secret. Thus, established security procedures and technologies such as antivirus or intrusion detection systems cannot defend against them. Hence, ZDEs are a central component and provide effective means in cyber operations and attacks for offensive and defensive ends. Stuxnet, Flame, and Aurora are examples of cyber weapons that made use of ZDEs [12, 24]. 1.1 Research Problem The proliferation of exploits and ZDEs raises fundamental questions about the relationship between technology and society and heightens concerns about the unaccountable use of cyber attack capabilities. Labeled a ‘digital arms race’ by some, it is generating a transnational debate about control and regulation, the role of secrecy and disclosure, and the ethics of exploit production and use (e.g., [18, 4]). The controversy reflects underlying conflicting rationales: while intelligence and military circles are concerned about national security, industrial and civilian logics emphasize matters of trade, innovation and freedom. Recent revelations about NSA spying have amplified this debate, including reports that the NSA spent USD 25 million in 2013 to acquire exploits [6]. The U.S. President’s Review Group made specific recommendations regarding software exploits [2]. Issues regarding secrecy and disclosure, knowledge and ignorance, and transparency and concealment are paramount in this debate [21, 22]. There is a longstanding debate in computer security about the role of disclosure in improving or undermining security (e.g., [20]). Since cybersecurity is one of the key problems facing our globally interconnected

105

http://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=3320&context=mlr

Zero-Days Aff - Michigan 7society, understanding how software vulnerabilities and exploits – and cyber weapons more generally – are used, de-

fined, and controlled is of utmost importance for society as a whole and for policy-makers.

106

Zero-Days Aff - Michigan 7AT: GRID DEFENSE

Power grid at risk from terror attackSnyder 4/8 (Christopher Snyder is the Joel Z. and Susan Hyatt Professor in the Department of Economics at Dartmouth College, where he serves as Undergraduate Research Coordinator. Fox News: “Power grid’s failing infrastructure at risk of cyberattack.” Published on April 8th 2015. Accessed June 26th, 2014. http://www.foxnews.com/tech/2015/04/08/power-grids-failing-infrastructure-at-risk-of-cyberattack/) KalMFox News National Security Analyst KT McFarland spoke to experts Darren Hammell and Jonathan Pollet about potential threats. The power grid “is very vulnerable, whether its physical attacks, mistakes like this one or even cyberattacks … there have been a lot of high visibility outages lately and there are just more we can expect,” said Hammell, chief strategy officer and co-founder of the energy management firm Princeton Power Systems. Other notable incidents include last December’s power outage in Detroit caused by an aging underground cable failing. In 2011, a major transmission line went offline, causing outages in Arizona and Southern California. “The problem is we’ve taken this old infrastructure and only upgraded the computer technology … but the actual assets are still old,” Pollet, founder of consulting firm Red Tiger Security, told FoxNews.com. Through the Recovery Act, the Energy Department has so far invested roughly $4.5 billion to modernize and enhance the reliability of the nation's grid. Without action, the current setup will allow for potential cyberattacks against the system. “We’ve taken an infrastructure that is older and we have this modernized equipment on top of it that is vulnerable to the same type of hacking attack that you see with [companies] like Target,” said Pollet.

Power grid threatened by cyber terrorDOE 15 (The United States Department of Energy is a Cabinet-level department of the United States Government concerned with the United States' policies regarding energy and safety in handling nuclear material. Energy.gov: “CYBERSECURITY.” No publishing date provided, but the post indicates a series of goals announced on January 8th, 2015. Accessed June 26th, 2015. http://energy.gov/oe/services/cybersecurity) KalMAddressing cybersecurity is critical to enhancing the security and reliability of the nation’s electric grid. Ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure that other sectors depend upon to deliver essential services. Over the past two decades, the roles of electricity sector stakeholders have shifted: generation, transmission, and delivery functions have been separated into distinct markets; customers have become generators using distributed generation technologies; and vendors have assumed new responsibilities to provide advanced technologies and improve security. These changes have created new responsibilities for all stakeholders in ensuring the continued security and resilience of the electric power grid.

The grid is under constant threat: organized attacks would be hugeReilly 3/24 (Steve Reilly: Investigative Reporter and Data Specialist, B.A. in Political Science from Vassar College, reporter for USA Today. USA Today: “Bracing for a big power grid attack: 'One is too many'” published March 24th 2015. Accessed June 26th, 2015. http://www.usatoday.com/story/news/2015/03/24/power-grid-physical-and-cyber-attacks-concern-security-experts/24892471/) KalMAbout once every four days, part of the nation's power grid — a system whose failure could leave millions in the dark — is struck by a cyber or physical attack, a USA TODAY analysis of federal energy records finds. Although the repeated security breaches have never resulted in the type of cascading outage that swept across the Northeast in 2003, they have sharpened concerns about vulnerabilities in the electric system. A widespread outage lasting even a few days could disable devices ranging from ATMs to cellphones to traffic lights, and could threaten lives if heating, air conditioning and health care systems exhaust their backup power supplies. Some experts and officials fear the rash of smaller-scale incidents may point to broader security problems, raising questions about what can be done to safeguard the electrical grid from an attack that could leave millions without power for days or weeks, with potentially devastating consequences. "It's one of those things: One is too many, so that's why we have to pay attention," said Federal Energy Regulatory Commission Chairman Cheryl LaFleur. "The

107

http://www.usatoday.com/story/news/2015/03/24/power-grid-physical-and-cyber-attacks-concern-security-experts/24892471/

http://www.usatoday.com/story/news/2015/03/24/power-grid-physical-and-cyber-attacks-concern-security-experts/24892471/

http://energy.gov/oe/services/cybersecurity

http://www.foxnews.com/tech/2015/04/08/power-grids-failing-infrastructure-at-risk-of-cyberattack/

http://www.foxnews.com/tech/2015/04/08/power-grids-failing-infrastructure-at-risk-of-cyberattack/

Zero-Days Aff - Michigan 7threats continue to evolve, and we have to continue to evolve as well." An examination by USA TODAY in collaboration with more than 10 Gannett newspapers and TV stations across the country, and drawing on thousands of pages of government records, federal energy data and a survey of more than 50 electric utilities, finds: • More often than once a week, the physical and computerized security mechanisms intended to protect Americans from widespread power outages are affected by attacks, with less severe cyberattacks happening even more often. • Transformers and other critical equipment often sit in plain view, protected only by chain-link fencing and a few security cameras. • Suspects have never been identified in connection with many of the 300-plus attacks on electrical infrastructure since 2011. • An organization funded by the power industry writes and enforces the industry's own guidelines for security, and decreased the number of security penalties it issued by 30% from 2013 to 2014, leading to questions about oversight. Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission, said the power grid is currently "too susceptible to a cascading outage" because of its reliance on a small number of critical substations and other physical equipment. USA TODAY When the lights go out Because the nation's electrical grid operates as an interdependent network, the failure of any one element requires energy to be drawn from other areas. If multiple parts fail at the same time, there is the potential for a cascading effect that could leave millions in the darks for days, weeks or longer .

Grid failure causes societal collapse and mass starvationLewis 14 (Patrice Lewis is a freelance writer. WND Commentary: “If the grid fails, will you die?” published May 23rd, 2014 accessed June 26th, 2015. http://www.wnd.com/2014/05/if-the-grid-fails-will-you-die/) KalMIt seems too many people are flippant or dismissive of the potential hardships. “An electromagnetic pulse is a joke and would be minor at best,” notes one person. “I say that because most people know how to survive without all the modern conveniences.” Or, “We’d go back to the 1800s. Big deal. People lived just fine in the 1800s.” I’m not here to argue about the odds of an EMP taking out the grid. I’m not going to discuss the technicalities of Faraday cages or the hardening of electronics. I’m here to state that if you think life in America without electricity will merely revert us to pioneer days, you are dead wrong (no pun intended, I hope). We wouldn’t regress to the 1800s; we would regress to the 1100s or earlier. Life would become a bitter, brutal struggle for survival. Society thrived in the 1800s for four very simple reasons: 1) a non-electric infrastructure already existed; 2) people had the skills, knowledge and tools to make do; 3) our population levels were far lower, and most people lived rural and raised a significant portion of their own food; and 4) there were relatively few people who didn’t earn their way. To be blunt, if you didn’t work, you seldom ate. Those who couldn’t work (the disabled, the elderly, etc.) were cared for by family members or charitable institutions. There were no other options. These conditions no longer exist. Homes do not come equipped with outhouses, hand water pumps and a trained horse stabled in the back. Many people don’t have the faintest clue how to cook from scratch, much less grow or raise their own food. Eighty percent of Americans live in cities and are fed by less than 2 percent of the population, which means farmers must mass-produce food for shipments to cities. And there are far too many people on multi-generational entitlement programs who literally know no other lifestyle except an endless cycle of EBT cards and welfare payments. Additionally, the interconnectivity that exists in today’s society is complex beyond belief. It’s been proven again and again that a single weak link can bring down the whole chain. A trucker’s strike or a massive storm at one end of the country can mean interrupted food deliveries at the other end. Even the most humble object – a pencil, for example – has a pedigree of such unimaginable complexity that its manufacture requires the cooperation of millions, and not one single person on the planet knows how to make one from start to finish. Read this essay to see what I mean. How much more complex would it be to rebuild a fallen electrical grid than a pencil? And yet some people claim that a grid-down situation will be a minor inconvenience. They think that because they line-dry their clothes and have a few tomatoes on their patio, that they’ll be able to survive a situation in which all services cease. They think food production and distribution is somehow independent of fuel and electricity. In fact, it’s intimately connected. Ever try to till a 3,500-acre wheat field by horse-drawn plow? Shut off power and you shut off food. Period. Some people contemptuously dismiss the hardships that would ensue after grid-down by noting that we already posses the know-how for technological and medical advances. We know how to treat or cure illness and injury. We know how to provide electrical power. We know how to make engines. Therefore, it will be easy to rebuild America’s infrastructure in the event of a grid-down situation. And these people are right – we do possess the knowledge. What we would lack is the infrastructure to rebuild the infrastructure. We lack the stop-gap services that would allow engineers and manufacturers to rebuild society without facing starvation first. And if the people with the specialized knowledge to rebuild die off in the interim before the

108

http://www.wnd.com/2014/05/if-the-grid-fails-will-you-die/

http://www.wnd.com/2014/05/if-the-grid-fails-will-you-die/

Zero-Days Aff - Michigan 7infrastructure gets rebuilt, then where will we be? America’s connectivity, more than anything else, will cripple our society should the power fail. It’s all well and good for a surgeon to have the knowledge of how to operate on a cancerous tumor, but if sterile scalpels and anesthesia and dressings and other surgical accouterments are not available, the surgeon’s abilities regress almost to the point of a tribal witch doctor by the lack of infrastructure, services and supplies.

109

Zero-Days Aff - Michigan 7AT: WATER SUPPLY SAFE

Water supplies are uniquely vulnerable to cyber-attacksGinter 15 (Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. WaterWorld.com: “High-Tech Threats: Top Cybersecurity Issues Facing Water Utility Control Systems.” Copyright date is 2015. Accessed June 25th, 2015. http://www.waterworld.com/articles/print/volume-29/issue-10/editorial-features/high-tech-threats-top-cybersecurity-issues-facing-water-utility-control-systems.html) KalMRecent Department of Homeland Security reports have highlighted poor security among the nation's water utilities, where operations networks and control systems are inadequately protected. The security situation in critical infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity situations. Are firewalls - the most common form of security in the market - capable of combatting modern threats? Would water system utilities be better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions. Firewalls and Modern Security Threats Firewalls are a staple of industrial cybersecurity programs, but they have many inherent flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities . In order to prevent exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally expose these environments to numerous types of attacks. For example, phishing attacks send email through a firewall to persuade recipients to either reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix because they are essential to the design of the firewall's features. Waterfall Security Solutions. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. Photo courtesy of Waterfall Security Solutions. Even if connections through firewalls are initiated from the control network side, once the connections are established, they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks back to systems on the protected network. This means that utilities cannot deliver any confidence that their operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must compensate for it.

The rest of the world depends on the US for food, but production is on the brink; Water disruption collapses it empirically.Smith 14 (Ron Smith is editor at Southwest Farm Press. Farm Futures: “U.S. Ag: Poised to Feed the World?” published January 12th, 2014. http://farmfutures.com/story-ag-poised-feed-world-18-107236) KalMThe challenge is daunting: Within 40 years, farmers across the world will need to double production and do it with fewer resources - especially water - to feed, clothe and provide energy for a global population of 9 billion souls. “Farmers will need to produce as much food, feed and fiber during the first half of this century as has been produced over the last 100 centuries combined to meet the growing demand,” says Greg Hart, John Deere sales manager for the U.S. Western Region. Hart says the “future of the world depends on agriculture,” and much of that increased production will come from U.S. farmers. “U.S. agriculture will be at the forefront of solving food production challenges for the world," he says. "No one is better positioned than U.S. farmers.” It will not be easy. Most of the population growth expected to occur by 2050 will take place where diets are already less than adequate. Africa will account for 41% of the population growth, second to Asia’s 49%. North American growth is anticipated to increase only 4% and South America only 7%. Europe’s population could decline by about 1%. Obstacles include meshing productivity with sustainability and resource stewardship. Lack of a skilled labor force, especially in developing nations, also poses significant problems. “Our challenge is to do more with less skilled labor,” Hart says. Production variables will continue to challenge farmers. Weather is the big one. Hart said agricultural yield has followed a

110

http://farmfutures.com/story-ag-poised-feed-world-18-107236

http://farmfutures.com/story-ag-poised-feed-world-18-107236



Zero-Days Aff - Michigan 7strong upward trend since the early 1990s. “But we also had a reduction in 2012 from drought. In 2013, the Southwest had a late spring that hurt production.” Much of the region remains in a three-year drought cycle. “We are just one or two weather events away from either a surplus or a deficit. That’s the volatility of agriculture. We must continue to work to optimize production and continue to improve that trend line.” Increased production Agriculture has to increase productivity with more limited resources. “The resource base is shrinking. In 10 years, water demand will be 17& higher than availability,” Hart says. Improving irrigation efficiency will help. Currently, 18% of the world’s agricultural land is irrigated, but that 18% provides 40% of crop production and 60% of cereal production. “But more than half of the world’s irrigation is by the most inefficient method, gravity flow,” Hart adds. Focusing on more efficient systems, such as low energy precision application (LEPA) and subsurface drip irrigation (SDI), will help. “Agriculture will have to compete for water, and we will see more regulation and higher costs.” Including energy production into the equation puts even more pressure on agricultural productivity. Achieving production targets, he says, will demand “smart use of available resources.

Water security on the brink nowGoldenberg 14 (Suzanne Goldenberg is the US environment correspondent of the Guardian. The Guardian: “Why global water shortages pose threat of terror and war” published February 8th, 2014. Accessed June 25, 2015. http://www.theguardian.com/environment/2014/feb/09/global-water-shortages-threat-terror-war) KalMAlready a billion people, or one in seven people on the planet, lack access to safe drinking water. Britain, of course, is currently at the other extreme. Great swaths of the country are drowning in misery, after a series of Atlantic storms off the south-western coast. But that too is part of the picture that has been coming into sharper focus over 12 years of the Grace satellite record. Countries at northern latitudes and in the tropics are getting wetter. But those countries at mid-latitude are running increasingly low on water. "What we see is very much a picture of the wet areas of the Earth getting wetter," Famiglietti said. "Those would be the high latitudes like the Arctic and the lower latitudes like the tropics. The middle latitudes in between, those are already the arid and semi-arid parts of the world and they are getting drier." On the satellite images the biggest losses were denoted by red hotspots, he said. And those red spots largely matched the locations of groundwater reserves. "Almost all of those red hotspots correspond to major aquifers of the world. What Grace shows us is that groundwater depletion is happening at a very rapid rate in almost all of the major aquifers in the arid and semi-arid parts of the world." The Middle East, north Africa and south Asia are all projected to experience water shortages over the coming years because of decades of bad management and overuse. Watering crops, slaking thirst in expanding cities, cooling power plants, fracking oil and gas wells – all take water from the same diminishing supply. Add to that climate change – which is projected to intensify dry spells in the coming years – and the world is going to be forced to think a lot more about water than it ever did before. The losses of water reserves are staggering. In seven years, beginning in 2003, parts of Turkey, Syria, Iraq and Iran along the Tigris and Euphrates rivers lost 144 cubic kilometres of stored freshwater – or about the same amount of water in the Dead Sea, according to data compiled by the Grace mission and released last year. A small portion of the water loss was due to soil drying up because of a 2007 drought and to a poor snowpack. Another share was lost to evaporation from lakes and reservoirs. But the majority of the water lost, 90km3, or about 60%, was due to reductions in groundwater. Farmers, facing drought, resorted to pumping out groundwater – at times on a massive scale. The Iraqi government drilled about 1,000 wells to weather the 2007 drought, all drawing from the same stressed supply. In south Asia, the losses of groundwater over the last decade were even higher. About 600 million people live on the 2,000km swath that extends from eastern Pakistan, across the hot dry plains of northern India and into Bangladesh, and the land is the most intensely irrigated in the world. Up to 75% of farmers rely on pumped groundwater to water their crops, and water use is intensifying. Over the last decade, groundwater was pumped out 70% faster than in the 1990s. Satellite measurements showed a staggering loss of 54km3 of groundwater a year. Indian farmers were pumping their way into a water crisis. The US security establishment is already warning of potential conflicts – including terror attacks – over water. In a 2012 report, the US director of national intelligence warned that overuse of water – as in India and other countries – was a source of conflict that could potentially compromise US national security. The report focused on water basins critical to the US security regime – the Nile, Tigris-Euphrates, Mekong, Jordan, Indus, Brahmaputra and Amu Darya. It concluded: "During the next 10 years, many countries important to the United States will experience water problems – shortages, poor water quality, or floods – that will risk instability and state failure, increase regional tensions, and distract them from working with the United States." Water, on its own, was unlikely to bring down governments. But the report warned that shortages could threaten food production and energy supply and put additional stress on governments struggling with poverty and social tensions. Some of those tensions are already apparent on the ground. The Pacific Institute, which studies issues of water and global security, found a fourfold increase in violent confrontations over water over the last decade. "I think the risk of conflicts over water is growing – not shrinking – because of increased competition, because of bad management and, ultimately, because of the impacts of climate change," said Peter Gleick, president of

111

http://www.theguardian.com/environment/2014/feb/09/global-water-shortages-threat-terror-war

http://www.theguardian.com/environment/2014/feb/09/global-water-shortages-threat-terror-war

Zero-Days Aff - Michigan 7the Pacific Institute. There are dozens of potential flashpoints, spanning the globe. In the Middle East, Iranian officials are making contingency plans for water rationing in the greater Tehran area, home to 22 million people. Egypt has demanded Ethiopia stop construction of a mega-dam on the Nile, vowing to protect its historical rights to the river at "any cost". The Egyptian authorities have called for a study into whether the project would reduce the river's flow. Jordan, which has the third lowest reserves in the region, is struggling with an influx of Syrian refugees. The country is undergoing power cuts because of water shortages. Last week, Prince Hassan, the uncle of King Abdullah, warned that a war over water and energy could be even bloodier than the Arab spring. The United Arab Emirates, faced with a growing population, has invested in desalination projects and is harvesting rainwater. At an international water conference in Abu Dhabi last year, Crown Prince General Sheikh Mohammed bin Zayed al-Nahyan said: "For us, water is [now] more important than oil." The chances of countries going to war over water were slim – at least over the next decade, the national intelligence report said. But it warned ominously: "As water shortages become more acute beyond the next 10 years, water in shared basins will increasingly be used as leverage; the use of water as a weapon or to further terrorist objectives will become more likely beyond 10 years." Gleick predicted such conflicts would take other trajectories. He expected water tensions would erupt on a more local scale. "I think the biggest worry today is sub-national conflicts – conflicts between farmers and cities, between ethnic groups, between pastoralists and farmers in Africa, between upstream users and downstream users on the same river," said Gleick. "We have more tools at the international level to resolve disputes between nations. We have diplomats. We have treaties. We have international organisations that reduce the risk that India and Pakistan will go to war over water but we have far fewer tools at the sub-national level." And new fault lines are emerging with energy production. America's oil and gas rush is putting growing demands on a water supply already under pressure from drought and growing populations. More than half the nearly 40,000 wells drilled since 2011 were in drought-stricken areas, a report from the Ceres green investment network found last week. About 36% of those wells were in areas already experiencing groundwater depletion. How governments manage those water problems – and protect their groundwater reserves – will be critical. When California emerged from its last prolonged dry spell, in 2010, the Sacramento and San Joaquin river basins were badly depleted. The two river basins lost 10km3 of freshwater each year in 2012 and 2013, dropping the total volume of snow, surface water, soil moisture and groundwater to the lowest levels in nearly a decade. Without rain, those reservoirs are projected to drop even further during this drought. State officials are already preparing to drill additional wells to draw on groundwater. Famiglietti said that would be a mistake. "We are standing on a cliff looking over the edge and we have to decide what we are going to do," he said.

Water shortages are destabilizingAhmed 15 (Nafeez Ahmed PhD, is an investigative journalist and an international security scholar. Ecologist: “Global water crisis causing failed harvests, hunger, war and terrorism.” Published March 27th, 2015. Accessed June 25th, 2015. http://www.theecologist.org/News/news_analysis/2803979/global_water_crisis_causing_failed_harvests_hunger_war_and_terrorism.html) KalMThe world is already experiencing water scarcity driven by over-use, poor land management and climate change, writes Nafeez Ahmed. It's one of the causes of wars and terrorism in the Middle East and beyond, and if we fail to respond to the warnings before us, major food and power shortages will soon afflict large parts of the globe fuelling hunger, insecurity and conflict. Countries like Iraq, Syria and Yemen, where US counter-terrorism operations are in full swing, are right now facing accelerating instability from terrorism due to the destabilising impacts of unprecedented water shortages. The world is already in the throes of an epidemic of local and regional water shortages, and unless this trend is reversed, it will lead to more forced migrations, civil unrest and outbreaks of conflict Behind the escalating violence in Iraq, Syria and Yemen, as well as the epidemic of civil unrest across the wider region, is a growing shortage of water. New peer-reviewed research published by the American Water Works Association (AWWA) shows that water scarcity linked to climate change is now a global problem playing a direct role in aggravating major conflicts in the Middle East and North Africa.

US water security on the brink nowDimick 14 (Dennis Dimick is National Geographic's Executive Editor for the Environment. National Geographic: “If You Think the Water Crisis Can't Get Worse, Wait Until the Aquifers Are Drained” published August 21st, 2014. Accessed June 25th, 2015. http://news.nationalgeographic.com/news/2014/08/140819-groundwater-california-drought-aquifers-hidden-crisis/#) KalMThis coincides with a nationwide trend of groundwater declines. A 2013 study of 40 aquifers across the United States by the U.S. Geological Survey reports that the rate of groundwater depletion has increased dramatically since 2000, with almost 25 cubic kilometers (six cubic miles) of water per year being pumped from the ground. This compares to about 9.2 cubic kilometers (1.48 cubic miles) average withdrawal per year from 1900 to 2008. Scarce groundwater supplies also are being used for energy. A recent study from CERES, an organization that advocates sustainable business practices, indicated that competition for water by hydraulic fracturing—a water-intensive drilling process for oil and gas known as "fracking"—already occurs in dry regions of

112



http://www.theecologist.org/News/news_analysis/2803979/global_water_crisis_causing_failed_harvests_hunger_war_and_terrorism.html


Zero-Days Aff - Michigan 7the United States. The February report said that more than half of all fracking wells in the U.S. are being drilled in regions experiencing drought, and that more than one-third of the wells are in regions suffering groundwater depletion. Satellites have allowed us to more accurately understand groundwater supplies and depletion rates. Until these satellites, called GRACE (Gravity Recovery and Climate Experiment), were launched by NASA, we couldn't see or measure this developing invisible crisis. GRACE has given us an improved picture of groundwater worldwide, revealing how supplies are shrinking in several regions vulnerable to drought: northern India, the North China Plain, and the Middle East among them. As drought worsens groundwater depletion, water supplies for people and farming shrink, and this scarcity can set the table for social unrest . Saudi Arabia, which a few decades ago began pumping deep underground aquifers to grow wheat in the desert, has since abandoned the plan, in order to conserve what groundwater supplies remain, relying instead on imported wheat to feed the people of this arid land.

113

Zero-Days Aff - Michigan 7AT: WATER SHORTAGE IMPACT D

Water shortages are destabilizingAhmed 15 (Nafeez Ahmed PhD, is an investigative journalist and an international security scholar. Ecologist: “Global water crisis causing failed harvests, hunger, war and terrorism.” Published March 27th, 2015. Accessed June 25th, 2015. http://www.theecologist.org/News/news_analysis/2803979/global_water_crisis_causing_failed_harvests_hunger_war_and_terrorism.html) KalMThe world is already experiencing water scarcity driven by over-use, poor land management and climate change, writes Nafeez Ahmed. It's one of the causes of wars and terrorism in the Middle East and beyond, and if we fail to respond to the warnings before us, major food and power shortages will soon afflict large parts of the globe fuelling hunger, insecurity and conflict. Countries like Iraq, Syria and Yemen, where US counter-terrorism operations are in full swing, are right now facing accelerating instability from terrorism due to the destabilising impacts of unprecedented water shortages. The world is already in the throes of an epidemic of local and regional water shortages, and unless this trend is reversed, it will lead to more forced migrations, civil unrest and outbreaks of conflict Behind the escalating violence in Iraq, Syria and Yemen, as well as the epidemic of civil unrest across the wider region, is a growing shortage of water. New peer-reviewed research published by the American Water Works Association (AWWA) shows that water scarcity linked to climate change is now a global problem playing a direct role in aggravating major conflicts in the Middle East and North Africa.

Water Shortages cause instability, state failure, and conflict Goldenberg 4/9/14- Suzanne Goldenberg is the US environment correspondent of the Guardian and is based in Washington DC (“Suzanne Goldenber”;Why Global Water Shortages Pose Threat of Terror and War; http://www.commondreams.org/views/2014/02/09/why-global-water-shortages-pose-threat-terror-and-war)\\pranav/KalM

The Middle East, north Africa and south Asia are all projected to experience water shortages over the coming years because of decades of bad management and overuse. Watering crops, slaking thirst in expanding cities, cooling power plants, fracking oil and gas wells – all take water from the same diminishing supply. Add to that climate change – which is projected to intensify dry spells in the coming years – and the world is going to be forced to think a lot more about water than it ever did before. The losses of water reserves are staggering. In seven years, beginning in 2003, parts of Turkey, Syria, Iraq and Iran along the Tigris and Euphrates rivers lost 144 cubic kilometres of stored freshwater – or about the same amount of water in the Dead Sea, according to data compiled by the Grace mission and released last year. A small portion of the water loss was due to soil drying up because of a 2007 drought and to a poor snowpack. Another share was lost to evaporation from lakes and reservoirs. But the majority of the water lost, 90km3, or about 60%, was due to reductions in groundwater. Farmers, facing drought, resorted to pumping out groundwater – at times on a massive scale. The Iraqi government drilled about 1,000 wells to weather the 2007 drought, all drawing from the same stressed supply. In south Asia, the losses of groundwater over the last decade were even higher. About 600 million people live on the 2,000km swath that extends from eastern Pakistan, across the hot dry plains of northern India and into Bangladesh, and the land is the most intensely irrigated in the world. Up to 75% of farmers rely on pumped groundwater to water their crops, and water use is intensifying. Over the last decade, groundwater was pumped out 70% faster than in the 1990s. Satellite measurements showed a staggering loss of 54km3 of groundwater a year. Indian farmers were pumping their way into a water crisis. The US security establishment is already warning of potential conflicts – including terror attacks – over water. In a 2012 report, the US director of national intelligence warned that overuse of water – as in India and other countries – was a source of conflict that could potentially compromise US national securit y . The report focused on water basins critical to the US security regime – the Nile, Tigris-Euphrates, Mekong, Jordan, Indus, Brahmaputra and Amu Darya. It concluded: "During the next 10 years, many countries important to the United States will experience water problems – shortages,

poor water quality, or floods – that will risk instability and state failure , increase regional tensions, and distract them from working with the United States." Water, on its own, was unlikely to bring down governments. But the report warned that shortages could threaten food production and energy supply and put additional stress on governments struggling with poverty and social tensions. Some of those tensions are already apparent on the ground. The Pacific Institute, which studies issues of water and global security, found a fourfold increase in violent confrontations over water over the last decade. "I think the risk of conflicts over water is growing – not shrinking – because of increased competition, because of bad management and, ultimately,

114



Zero-Days Aff - Michigan 7because of the impacts of climate change," said Peter Gleick, president of the Pacific Institute. There are dozens of potential flashpoints , spanning the globe. In the Middle East, Iranian officials are making contingency plans for

water rationing in the greater Tehran area, home to 22 million people. Egypt has demanded Ethiopia stop construction of a mega-dam on the Nile, vowing to protect its historical rights to the river at "any cost". The Egyptian authorities have called for a study into whether the project would reduce the river's flow. Jordan, which has the third lowest reserves in the region, is struggling with an influx of Syrian refugees. The country is undergoing power cuts because of water shortages. Last week, Prince Hassan, the uncle of King Abdullah, warned that a war over water and energy could be even bloodier than the Arab spring. The United Arab Emirates, faced with a growing population, has invested in desalination projects and is harvesting rainwater. At an international water conference in Abu Dhabi last year, Crown Prince General Sheikh Mohammed bin Zayed al-Nahyan said: "For us, water is [now] more important than oil." The chances of countries going to war over water were slim – at least over the next decade, the national intelligence report said. But it warned ominously: "As water shortages become more acute beyond the next 10 years, water in shared basins will increasingly be used as leverage; the use of water as a weapon or to further terrorist objectives will become more likely beyond 10 years."

Empirics prove Fergusson 4/24/15- James Fergusson started out in journalism in 1989 on the Independent. He has written for many publications since, covering current affairs in Europe, North and East Africa, the Far East, the Caribbean and, especially, Central Asia and Afghanistan. From 1998 to 2000 he worked in Sarajevo as a press spokesman for the Office of the High Representative, the body charged with implementing the Dayton Peace Accord that ended Bosnia's civil war in 1995..(“James Fergusson”;The World Will Soon be at War Over Water; http://www.newsweek.com/2015/05/01/world-will-soon-be-war-over-water-324328.html)\\pranav/KalM

The world is at war over water . Goldman Sachs describes it as “the petroleum of the next century”. Disputes over water tend to start small and local – for instance, with the sort of protests that drought-stricken São Paolo has experienced this year. But minor civil unrest can quickly mushroom, as the bonds of civilisation snap. It is often forgotten that the revolution against Syrian president Bashar al-Assad began this way, when youths of the southern Syrian town of Daraa, angry at the local governor’s corrupt allocation of scarce reservoir water, were caught spraying anti-establishment graffiti. Their arrest and torture was the final straw for the tribes from which the youths came. It was a very similar story in Yemen, whose revolution began in 2011 in Taiz, the most water-stressed city in that country. When we think of Syria now, we cannot see far past the threat posed by Islamists. But Isis, in the end, is a symptom of social malfunction. If order is to be restored, we might do better to start focusing instead on the causes. Then we could perhaps look harder for “soft power” solutions – the restoration of governance and basic services, such as electricity and water supply – rather than for hard power ones, such as missiles and bombs. 1. THE MESOPOTAMIAN WAR As Islamic State’s leaders work to carve out their glorious new state, they have comprehended that political power in Mesopotamia has always rested on the ability to supply its citizens with water. The prosperity of ancient Nimrud, the 7th-century BC ruins that Isis recently bulldozed because they were “unIslamic”, was founded on its irrigation dam across the Tigris. The Sumerian city-state of Ur – the first city, founded in 3800BC – was abandoned by 500BC following a protracted drought and the siltation of the Euphrates. Isis is headquartered at Raqqah, a mere 40km down the Euphrates from the largest reservoir in Syria, Lake Assad. Raqqah’s economy has long depended on the cultivation of cotton irrigated by the reservoir, which was formed by the Russian-assisted construction of the

Tabqa dam in 1973, and designed to irrigate some 2,500 square miles of farmland. Last August, Isis fought fiercely for control of the largest dam in Iraq, across the Tigris at Mosul. Its fighters also took over two

other dams across the Euphrates, one at Fallujah, the other at Haditha. In all cases, it took American air strikes to drive them off, and the high value the terrorist group places on Mesopotamia’s dams suggests that further offensives against such targets are likely. Even if Isis leaders in Raqqah succeed in holding one of these key pieces of hydro-infrastructure, however, they do not control the headwaters of either the Tigris or the Euphrates, which rise in Turkey. It is the Turks, who have squabbled for 40 years with their downstream neighbours over use of the rivers, who therefore hold the keys to the long-term future of Isis – and the Islamists know it. 2. TURKEY V ISIS Last summer, Isis accused the Turkish government in Ankara, headed by Recep Tayyip Erdogan, of deliberately holding back the Euphrates through a series of dams on its territory, lowering water levels in Lake Assad by a record six metres. Isis was apoplectic. Turkey’s dams have given Ankara a vital hold over Isis’s leaders, who, for the present, twitch like puppets on a string. Ankara, it should be said, may not have been wholly responsible for the shrinking of Lake Assad. Local farmers, emboldened by the collapse of governance in Syria, were reported last year to have siphoned off vast amounts of water to irrigate their own cotton plantations. Nature played a role too; there was less than half as much rainfall in the Turkish highlands in the wet season of 2014 as in the previous year. Nevertheless, Turkey’s stranglehold over its downstream neighbours is real – and it is set to tighten further in 2015, with the completion of the controversial Ilisu hydro-dam on the Tigris, which will create a 10 billion cubic metre reservoir just 30 miles north of the Syrian border. The dam is the latest of 22 envisioned under the Southeastern Anatolia Project (or GAP, to use its Turkish acronym), a vast regional development plan that was originally mooted by Kemal Ataturk in the 1930s. The father of modern Turkey could not have foreseen how completely his country’s “blue gold” would one day replace oil as the region’s most important resource. Iraq’s oil industry requires 1.8 billion cubic metres of water a year in order to function at all. Ankara has adopted a canny and forward foreign policy for years now, extending its influence everywhere from Somalia to Afghanistan. What is happening in Anatolia now suggests that “neo-Ottomanism” is not just political posturing: it really is the future for this part of the Middle East. Hydrologists in Sweden recently suggested that by 2040, the volume of water

115

Zero-Days Aff - Michigan 7being extracted from the mighty Tigris and Euphrates – rivers that once delineated and sustained the cradle of civilisation – could

be so great that they no longer reach the sea. 3. THE YANGTZE PROBLEM There are dozens of potential dam-related flashpoints around the world. The Permanent Court of Arbitration in The Hague,

which handles international water disputes, says 263 river basins are contested globally. There are already more than 40,000 large dams around the world. These icons of post-war Western development irrigate millions of square miles of farmland and produce a fifth of the world’s electricity through hydropower. An area the size of California – 0.3% of the world’s total land mass – has been lost to artificial reservoirs since the golden age of dam-building began in the 1950s. The number of major schemes tailed off in the 1990s, as environmental concerns grew and the economic efficiency of the largest projects was called into question. But booming demand has since dramatically revived the industry. New mega-dams are now among the largest and most expensive engineering projects on the planet. The costliest so far is China’s South-to-North Water Diversion Project, a scheme to divert the waters of the River Yangtze via dams, tunnels and three vast canals to the arid north of the country. The project is still only half finished, yet by last year had swallowed more than $79bn (€73bn). Hundreds of thousands of villagers have been forced from their homes by the project. The scheme’s long-term effect on the environment and economy of the south remains uncertain. Far to the south, meanwhile, on the River Mekong, Laos is copying China by building two major dams that could devastate not just the local economies but the lives of its downstream neighbours, Cambodia and Vietnam. The diet of some 50 million people is based on fish caught in the Mekong, which is already the most dammed river in the world. Then there is the Rogun hydro-dam on the Amu Darya in Tajikistan which, when completed, could be 355 metres high: the tallest dam in the world. The possible effect on the Amu Darya worries downstream Uzbekistan, which has responded with sanctions and travel restrictions on the Tajiks. Congo A general view of Inga dam's eight massive turbines, only three of which work, on the mighty Congo River. With a flow second only to the Amazon, the mighty Congo river spews forth 1.5 million cubic feet (42.5 million litres) into the Atlantic every second. Experts say it could generate over 40,000 megawatts (MW) of electricity -- more than twice the projected capacity of China 's massive Three Gorges Dam, and a major step to keeping up with fast-growing demand for electricity in Africa and beyond. MARLENE RABAUD/REUTERS 4. THE CONGO AND THE NILE The most productive hydro-power dam, the Grand Inga, has recently been proposed for the River Congo, 225km south-west of Kinshasa. With a projected price tag of £80bn (€74bn), developers claim it will “light up Africa”. Critics say that the electricity generated will mostly be transmitted to distant cities, and that the continent’s poorest will see little benefit. The cost overruns in this notoriously corrupt part of the world could also end up making the South-to-North China project look cheap. This month, Egypt and Ethiopia signed a treaty over the latter’s half-built Grand Renaissance dam on the Blue Nile, which will be the largest hydro-scheme in Africa when it comes on stream in 2017. Downstream Egypt, whose development has depended on the Nile since ancient times, originally objected so strongly that in June 2013 a meeting of the cabinet of the then president, Mohammad Morsi, was caught on live television discussing ways of destroying the dam, including via covert support for anti-government rebels. Sanity seems now to have prevailed. 5. AFGHANISTAN DRIES UP

Nato’s recently concluded engagement in southern Afghanistan is not normally cast as a water conflict , although that is largely what it was. Helmand, the most hotly-disputed province, was once one of Afghanistan’s

breadbaskets thanks to the Helmand Valley Authority, an irrigation scheme set up in the 1950s by American engineers. But mismanagement of the scheme’s 300 miles of canals, coupled with a period of protracted drought, meant that the area of irrigated land halved between 1979 and 2002. Local tribes, spurred on by the vast profits to be made from the cultivation of poppies, fought over what remained, with the Taliban exploiting the conflict. One of the centrepieces of the HVA was the Kajaki hydro-dam, completed in 1953 by the same US firm that built the Hoover Dam on the River Colorado. The Americans returned in 2001, this

time in order to bomb it. 6. INDIA V PAKISTAN The territorial dispute between India and Pakistan over Kashmir – both the highest and longest-running in the world – is largely about control of the headwaters of the River Indus, on which Pakistan’s agricultural economy downstream has become ever more dependent. There are 200 million people in Pakistan: double the number 30 years ago. Yet Dutch scientists think shrinking glaciers caused by climate change could reduce the Indus by 8% by 2050. India, which has built or proposed some 45 hydro-schemes on the Indus’s upper reaches, insists that flow will never be affected. But Pakistan is as paranoid about India as Isis is about Turkey, with a long track-record of blaming India for social ills at home. The rhetoric of extremists is already hot. Hafiz Saeed, a militant linked to the Mumbai hotel atrocity of 2008, has spoken in the past of India’s “water terrorism”, and campaigned under slogans like “Water flows, or blood”. Could diminishing water supply push these nuclear-armed neighbours towards a new war? Red Sea A plant is seen on the parched shore of the Dead Sea. The Dead Sea is slowly but surely drying up, and could be gone completely in 50 years if no action is taken. The water level is dropping at close to one metre (three feet) per year due to a sharp decrease in inflow from the Jordan and other rivers whose waters now irrigate fields. BAZ RATNER/ REUTERS 7. ISRAEL V PALESTINE Finally, there is Israel and Palestine, arguably the [precursor] grand-daddy of all water conflicts. Israel, a state founded on Ben-Gurion’s dream of “making the desert bloom”, diverted the River Jordan half a century ago, east and southwards towards the Negev desert, via a canal called the National Water Carrier. The Dead Sea has lost a third of its surface area as a direct consequence, and the River Jordan of biblical antiquity has become a muddy trickle in a ditch. The reason Israel still occupies the Golan Heights, captured from Syria in the Six-Day War of 1967, is because that is where the Jordan rises. All this has come at the expense of the Palestinians, who accuse Israel of manipulating water supply to suppress them.

116


OCO’S ADVANTAGE

117

Zero-Days Aff - Michigan 72AC COOPERATION KEY

Government and industry must cooperate to prevent cyber-attack escalation to kinetic warAshford 11 security editor for Computer Weekly (Ashford, Computer Weekly, “When IT threats turn into cyber war” 3/1/11, p.8) | js

RISK MANAGEMENT At what point do challenges to IT security warrant international government intervention? Warwick Ashford reports Governments in the UK, US and elsewhere axe prioritising cyber security. There is plenty of talk of cyber war, but little consensus as to what the term actually means. There seems to be more agreement about what cyber war is not. G? security experts say cyber war is distinct from criminal activity aimed at financial gain, industrial espionage aimed at commercial advantage and military espionage aimed at stealing information about military hardware. Michael Chertoff, former US Secretary of Homeland Security, says IT security threats comprise a spectrum of challenges ranging from theft to espionage, to destruction of data, GG systems and physical entities. Lower level attacks will be tolerated, depending on the consequences, but there is a point after which the consequences will demand action from government, he says, but it is difficult to say where the shift occurs. "What constitutes cyber war, depends on scale and genesis," he told delegates at the RSA Conference 2011 in San Francisco. But destruction alone cannot be used as a criterion for cyber war, says Bruce Schneier, chief security technology officer at BT. "In some instances, attacks that cause destruction may simply be some form of cyber criminal activity. Classifying an attack as being an act of cyber war depends on who is carrying out the attack and why," he told die RSA Conference. Mutual destruction deterrent Despite the ambiguity of the term cyber war, Chertoff says it helps to emphasise the risk by reflecting the severity of the consequences. Cyber attacks are not only about G? systems, but can result in loss of life. The good news is that, while state actors are best equipped to carry out devastating cyber attacks, they are the least likely to do so because of the power of other nation states to retaliate in kind. But while there is a potential cold war situation of mutual assured destruction acting as a deterrent, die concern voiced by many security experts is me potential of non-state actors to acquire such capabilities. "The world is used to the model where, except for criminal matters, force is dealt will by the state, but in cyber space there are no bystanders because attacks take place on the networks and computers of individuals. The familiar categories no longer fit," said Chertoff. There is no single fix, he said, because threats to supply chains, insider threats and network attacks require different remedies. For this reason, there has to be an appropriate legislative framework, says Mike McConnell, executive vice-president at consultancy firm Booz Allen Hamilton. "We need to understand the vulnerabilities to business and the global economy and ensure we have measures in place to mitigate the risk," he said. Government Intervention Schneier suggests the inflexion point may be the point at which the market will not mitigate the risk. Business will secure against risk up to the value of the business but no further, he says, and that is the point at which government will have to take over to fill the gap. But history shows governments typically wait for a catastrophic event before taking action, said McConnell. Lessons can be learned from the cyber attacks in Estonia in 2007, says Chertoff. Governments considering smart grids should use architectures conducive to security and enable compartmentalisation akin to the watertight compartments in warships. "It would be foolish not to recognise that we could get into a cyber war, because there is no doubt cyber will be a domain of conflict in any act of war that will be capable of destroying systems and will not be dealt with by market forces," he said. Rules of engagement It is important governments consider wbat they are capable of doing - and what they are authorised to do - in such a situation, said Chertoff. McConnell agreed a cyber element will be a part of any future kinetic war, as demonstrated during Russia's incursion into Georgia in 2008. Schneier said that, in

future conflicts, cyber attacks may be the first wave of aggression that will be followed by air attacks and ultimately military action on the ground . Chertoff said governments need to decide policies on what would be a reasonable response to cyber attack. McConnell believes informed dialogue and debate should be directed at encouraging governments to address these issues before it is too late, but Schneier says the concern is that this debate is taking place too far down the command chain. There is also a risk that experimental cyber weapons may be unleashed on the internet by accident, said Schneier. That is why there is a need for international agreements and treaties. At the least there should be obligations on the creators of such weapons to warn of the threats and attempt to disable them, said Chertoff. If there is any consensus around cyber war, it is this: although the term is over-used and over-hyped, the threat is real - Stuxnet has proved that physical damage can be caused by cyber attack - and governments ought to be preparing an appropriate defence capability. Enterprise Involvement But, according to the US government and military, while the public sector is doing everything it can to secure cyber space, the private sector has an important role to play as well. "We need industry because cyber security is a team sport that brings together government, industry and international allies," said General Keith Alexander, commander of US Cyber Command. US deputy secretary of defence, William

118

Zero-Days Aff - Michigan 7Lynn, also called for greater collaboration between government and the private sector in tackling cyber thareats. He appealed to the information security industry for help in developing technology to ensure government and business stay ahead in the cyber arms race.

119

Zero-Days Aff - Michigan 72AC CYBER ARMS RACE NOW

Current cyberspace engaged in an arms race—will escalateRanger 14 (Steve Ranger, UK editor of TechRepublic. He has been writing about the impact of technology on people, business and culture for more than a decade. ’Inside the Secret Digital Arms Race: Facing the Threat of a Global Cyberwar”, http://www.techrepublic.com/article/inside-the-secret-digital-arms-race/, April 24, 2014)//CLi

The military has been involved with the internet since its the start. It emerged from a US Department of Defense-funded project, so it's no surprise that the armed forces have kept a close eye on its potential. And politicians and military leaders of all nations are naturally attracted to digital warfare as it offers the opportunity to neutralise an enemy without putting troops at risk. As such, the last decade has seen rapid investment in what governments and the military have dubbed " cyberwa r " — sometimes shortened to just "cyber." Yes, it sounds like a cheaply sensational term borrowed from an airport thriller, (and to some the use of such an outmoded term reflects the limited level of understanding of the issues involved by those in charge) but the intent behind the investment is deadly serious. The UK's defence secretary Philip Hammond has made no secret of the country's interest in the field, telling a newspaper late last year, "We will build in Britain a cyber strike capability so we can strike back in cyberspace against enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity." One of the participants in the UK cybersecurity wargame scenario analyzes the situation. Image: Steve Ranger The UK is thought to be spending as much as £500m on the project over the next few years. On an even larger scale, last year General Alexander revealed the NSA was building 13 teams to strike back in the event of an attack on the US. "I would like to be clear that this team, this defend-the-nation team, is not a defensive team," he said told the Senate Armed Services Committee last year. And of course, it's not just the UK and US that are building up a digital army. In a time of declining budgets, it's a way for defence ministries and defence companies to see growth, leading some to warn of the emergence of a twenty-first century cyber-industrial complex. And the shift from investment in cyber-defence initiatives to cyber-offensives is a recent and, for some, worrying trend. Peter W. Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said 100 nations are building cyber military commands of that there are about 20 that are serious players, and a smaller number could carry out a whole cyberwar campaign. And the fear is that by emphasising their offensive capabilities, governments will up the ante for everyone else. "We are seeing some of the same manifestations of a classic arms race that we saw in the Cold War or prior to World War One. The essence of an arms race is where the sides spend more and more on building up and advancing military capabilities but feel less and less secure — and that definitely characterises this space today," he said. It's taken less than a decade for digital warfare to go from theoretical to the worryingly possible. Politicians may argue that building up these skills is a deterrent to others, and emphasise such weapons would only be used to counter an attack, never to launch one. But for some, far from scaring off any would-be threats, these investments in offensive cyber capabilities risk creating more instability. " In international stability terms, arms races are never a positive thing : the problem is it's incredibly hard to get out of them because they are both illogical [and] make perfect sense," Singer said. Similarly Richard Clarke, a former presidential advisor on cybersecurity told a conference in 2012, "We turn an awful lot of people off in this country and around the world when we have generals and admirals running around talking about 'dominating the cyber domain'. We need cooperation from a lot of people around the world and in this country to achieve cybersecurity and militarising the issue and talking about how the US military have to dominate the cyber domain is not helpful." Thomas Rid, a reader in War Studies at King's College London said that many countries now feel that to be taken seriously they need to have a cyber command too. "What you see is an escalation of preparation. All sorts of countries are preparing and because these targets are intelligence intensive you need that intel to develop attack tools you see a lot of probing, scanning systems for vulnerabilities, having a look inside if you can without doing anything, just seeing what's possible," Rid said. As a result, in the shadows, various nations building up their digital military presence are mapping out what could be future digital battlegrounds and seeking out potential targets, even leaving behind code to be activated later in any conflict that might arise.

120

http://www.youtube.com/watch?v=6_ek8mugOUc

http://www.nytimes.com/2013/03/13/us/intelligence-official-warns-congress-that-cyberattacks-pose-threat-to-us.html?pagewanted=all&_r=1&

http://www.dailymail.co.uk/news/article-2436946/Hammonds-500m-new-cyber-army-As-reveals-secret-Whitehall-bunker-time-Defence-Secretary-says-future-wars-fought-viruses.html

http://www.techrepublic.com/article/inside-the-secret-digital-arms-race/

Zero-Days Aff - Michigan 72AC CYBERWAR IMPACT

Cyberwar will crush the US economy – causes World WarGerwirtz, Cybersecurity Expert 6/22 (David, 6/22/2015, Why the next World War will be a cyberwar first, and a shooting war second, http://www.zdnet.com/article/the-next-world-war-will-be-a-cyberwar-first-and-a-shooting-war-a-distant-second/) /AMarbEverything we do revolves around the Internet. Older technologies are finding themselves eclipsed by their Internet-based substitute solutions. Even technologies historically unrelated to networking (like medical instruments) are finding themselves part of the Internet, whether as a way to simply update firmware, or using the network to keep track of telemetry and develop advanced analytics. The Edward Snowden revelations have rocked governments, global businesses, and the technology world. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices that technology leaders can put to good use. Whether we're talking about social networking, financial systems, communications systems, journalism, data storage, industrial control, or even government security -- it is all part of the Internet. That makes the world a very, very dangerous place. Historically, wars are fought over territory or ideology, treasure or tradition, access or anger. When a war begins, the initial aggressor wants something, whether to own a critical path to the sea or strategic oil fields, or "merely" to cause damage and build support among certain constituencies. At first, the defender defends, protecting whatever has been attacked. Over time, however, the defender also seeks strategic benefit, to not only cause damage in return, but to gain footholds that will lead to an end to hostilities, a point of leverage for negotiation, or outright conquest. Shooting wars are very expensive and very risky. Tremendous amounts of material must be produced and transported, soldiers and sailors must be put into harm's way, and incredible logistics and supply chain operations must be set up and managed on a nationwide (or multi-national level). Cyberwar is cheap. The weapons are often co-opted computers run by the victims being targeted. Startup costs are minimal. Individual personnel risk is minimal. It's even possible to conduct a cyberwar without the victims knowing (or at least being able to prove) who their attackers are. Cyberwar can be brutal, anonymous -- and profitable. But the damage done by a cyberwar can be huge, especially economically. Let's follow that idea for a moment. One of the big reasons the U.S. won the Cold War (and scored highly in many of its other conflicts) is because it had the economic power to produce goods for war, whether capital ships or food for troops. A economically strong nation can invest in weapons R&D, creating a technological generation gap in terms of leverage and per-capita effectiveness compared to weaker nations. But cyberwar can lay economic waste to a nation. Worse, the more technologically powerful a nation is, the more technologically dependent that nation becomes. Cyberwar can level the playing field, forcing highly connected nations to thrash, to jump at every digital shadow while attackers can co-opt the very resources of the defending nation to force-multiply their attacks. Sony is still cleaning up after the hack that exposed many confidential aspects of its relationship with stars and producers. Target and Home Depot lost millions of credit cards. The Snowden theft, while not the result of an outside hack, shows the economic cost of a national security breach: nearly $47 billion. Cyberwar can also cause damage to physical systems, ranging from electric power stations to smart automobiles. And when a breach can steal deeply confidential information of a government's most trusted employees, nothing remains safe or secret. The U.S. Office of Personnel Management was unwittingly funneling America's personnel data to its hackers for more than a year. Can you imagine? We think China was responsible for the OPM hack. Despite the gargantuan nation's equally gargantuan investments in America (or, perhaps, because of them), China has been accused of many of the most effective and persistent penetrations perpetrated by any nation. Providing additional reason to worry, Russia and China have recently inked an agreement where they agreed to not launch cyberattacks against each other. They have also agreed to share cyberwarfare and cyberdefense technology, creating an Asian axis of power that can split the world in half. On the other side of the geopolitical spectrum are the American NSA and British GCHQ, two organizations who sharesignals intelligence and -- if the screaming is to be believed -- spy as much upon their own citizens as enemies of the state. It is important to note that the destabilization of Allied intelligence can be traced to Edward Snowden, who ran to and is currently living in Russia after stealing a vast trove of American state secrets. Ask yourself who gained from the Snowden affair. Was it America? No. Was it Snowden? Not really. Was it Russia? You betcha. China, of course, supplies us with most of our computer gear. Every iPhone and every Android phone, nearly all our servers, laptop computers, routers -- heck, the entire technological core of American communications -- has come from China. The same China that has been actively involved in breaching American interests at all levels. Russia and China. Again and again and again. In the center of all this is the main body of Europe, where the last two incendiary world wars were fostered and fought. Nations fall when they are economically unstable. Greece is seeing the writing on the wall right now. It is but one of many weak European Union members. Other EU members are former Soviet states who look eastward towards Putin's Russia with a mixture of fear and inevitability. This time, Germany isn't the instigator of unrest, but instead finds itself caught in the middle -- subject to spying by and active in spying

121

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0CCkQFjAC&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSignals_intelligence&ei=FAOIVdS_EYeXygTGr4foCw&usg=AFQjCNGKXh39SlI6QDTEwZqNwKF-v0k_7g&sig2=gAYXINQrH3gK3eRvfHPTHw&bvm=bv.96339352,d.aWw

http://www.zdnet.com/article/russia-china-cuddle-up-on-cyber-warfare-rules/

http://www.zdnet.com/article/after-opm-snowden-and-manning-are-just-the-beginning/

http://www.zdnet.com/article/after-opm-snowden-and-manning-are-just-the-beginning/

http://www.zdnet.com/article/snowden-prism-fallout-will-cost-u-s-tech-vendors-47-billion-less-than-expected/

http://www.zdnet.com/article/snowden-prism-fallout-will-cost-u-s-tech-vendors-47-billion-less-than-expected/

http://www.zdnet.com/article/the-next-world-war-will-be-a-cyberwar-first-and-a-shooting-war-a-distant-second/

http://www.zdnet.com/article/the-next-world-war-will-be-a-cyberwar-first-and-a-shooting-war-a-distant-second/

Zero-Days Aff - Michigan 7on its allies -- the only nearly-super power of the EU. An enemy (or even a supposed "friendly" nation) decides it needs the strategic upper hand. After years of breaches, it has deep access to nearly every powerful government and business figure in the United States. Blackmail provides access into command and control and financial systems. Financial systems are hit and we suffer a recession worse than the Great Recession of 2008-2009. Our budget for just about everything (as well as our will) craters. Industrial systems (especially those that might post a physical or economic threat to our attacker) are hit next. They are shut down or damaged in the way Stuxnet took out centrifuges in Iran . Every step America takes to respond is anticipated by the enemy -- because the enemy has a direct pipeline to every important piece of communication America produces, and that's because the enemy has stolen enough information to corrupt an army of Snowdens. While this is all going on, the American public is blissfully in the dark. Citizens just get angrier and angrier at the leadership for allowing a recession to take hold, and for allowing more and more foreigners to take American jobs. Europe, which has always relied on America to keep it propped-up in the worst of times, will be on its own. Russia will press in from the north east. ISIS will continue to explode in the Middle East. China will keep up its careful dance as it grows into the world's leading economic power. India, second in size only to China and a technological hotbed itself, remains a wild card, physically surrounded by Europe, the Middle East, China, and Russia. India continues to live in conflict with Pakistan, and with Pakistan both unstable and nuclear-tipped, Indo-Pak, too, is on the precipice. A world war is about huge nations spanning huge geographic territories fighting to rewrite the map of world power. Russia, China, ISIS (which calls itself the Islamic State), India, Pakistan, the US, the UK, and all of the strong and weak members of the EU: we certainly have the cast of characters for another global conflict. I could keep going (and, heck, one day I might game the full scenario). But you can see how this works. If enemy nations can diminish our economic power, can spy on our strategic discussions, and can turn some of our key workers, they can take us out of the battle -- without firing a single shot. We are heading down this path now. I worry that we do not have the national or political will to turn the tide back in our favor. This is what keeps me up at night.

122

http://www.zdnet.com/article/special-report-stuxnet-may-be-the-hiroshima-of-our-time/

Zero-Days Aff - Michigan 72AC RUSSIA CYBERWAR IMPACT

US and Russian cyber capabilities increase risk of nuclear war—miscalculation Cimbala 14 Distinguished Professor of Political Science, Penn State Brandywine, author of numerous books and articles in the fields of international security studies, defense policy, nuclear weapons and arms control, intelligence (Stephen J., Air & Space Power Journal 28.2, “Nuclear Deterrence and Cyber: The Quest for Concept” p. 88 – 90, Mar/Apr 2014, ProQuest) | jsWhat are the implications of potential overlap between concepts or practices for cyber war and for nuclear deterrence?4 Cyber war and nuclear weapons seem worlds apart. Cyber weapons should appeal to those who prefer a nonnuclear or even a postnuclear military-technical arc of development. War in the digital domain offers, at least in theory, a possible means of crippling or disabling enemy assets without the need for kinetic attack or while minimizing physical destruction.5 Nuclear weapons, on the other hand, are the very epitome of "mass" destruction, such that their use for deterrence or the avoidance of war by the manipulation of risk is preferred to the actual firing of same. Unfortunately, neither nuclear deterrence nor cyber war will be able to live in distinct policy universes for the near or distant future. Nuclear weapons, whether held back for deterrence or fired in anger, must be incorporated into systems for command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR). The weapons and their C4ISR systems must be protected from attacks both kinetic and digital in nature. In addition, the decision makers who have to manage nuclear forces during a crisis should ideally have the best possible information about the status of their own nuclear and cyber forces and command systems, about the forces and C4ISR of possible attackers, and about the probable intentions and risk acceptance of possible opponents. In short, the task of managing a nuclear crisis demands clear thinking and good information. But the employment of cyber weapons in the early stages of a crisis could impede clear assessment by creating confusion in networks and the action channels that depend upon those networks.6 The temptation for early cyber preemption might "succeed" to the point at which nuclear crisis management becomes weaker instead of stronger. Ironically, the downsizing of US and post-Soviet Russian strategic nuclear arsenals since the end of the Cold War, while a positive development from the perspectives of nuclear arms control and nonproliferation, makes the concurrence of cyber and nuclear attack capabilities more alarming. The supersized deployments of missiles and bombers and expansive numbers of weapons deployed by the Cold War Americans and Soviets had at least one virtue. Those arsenals provided so much redundancy against first-strike vulnerability that relatively linear systems for nuclear attack warning, command and control, and responsive launch under-or after-attack sufficed. At the same time, Cold War tools for military cyber mischief were primitive compared to those available now. In addition, countries and their armed forces were less dependent on the fidelity of their information systems for national security. Thus the reduction of US, Russian, and possibly other forces to the size of "minimum deterrents" might compromise nuclear flexibility and resilience in the face of kinetic attacks preceded or accompanied by cyber war.7 Offensive and defensive information warfare as well as other cyberrelated activities is obviously very much on the minds of US military leaders and others in the American and allied national security establishments.8 Russia has also been explicit about its cyber-related concerns. President Vladimir Putin urged the Russian Security Council in early July 2013 to improve state security against cyber attacks.9 Russian security expert Vladimir Batyuk, commenting favorably on a June 2013 US-Russian agreement for protection, control, and accounting of nuclear materials (a successor to the recently expired Nunn-Lugar agreement on nuclear risk reduction), warned that pledges by Presidents Putin and Barack Obama for cooperation on cybersecurity were even more important: "Nuclear weapons are a legacy of the 20th century. The challenge of the 21st century is cybersecurity."10 On the other hand, arms control for cyber is apt to run into daunting security and technical issues, even assuming a successful navigation of political trust for matters as sensitive as these. Of special significance is whether cyber arms-control negotiators can certify that hackers within their own states are sufficiently under control for cyber verification and transparency. The cyber domain cuts across the other geostrategic domains for warfare as well: land, sea, air, and space. However, the cyber domain, compared to the others, suffers from the lack of a historical perspective. One author argues that the cyber domain "has been created in a short time and has not had the same level of scrutiny as other battle domains."11 What this might mean for the cyber-nuclear intersection is far from obvious. Thble 1 summarizes some of the major attributes that distinguish nuclear deterrence from cyber war, according to experts, but the differences between nuclear and cyber listed here do not contradict the prior observation that cyber and nuclear domains inevitably interact in practice. According to research professors Panayotis A. Yannakogeorgos and Adam B. Lowther at the US Air Force Research Institute, "As airmen move toward the future, the force structure-and, consequently, force-development programs-must change to emphasize the integration of manned and remotely piloted aircraft, space, and cyber-power projection capabilities."12

123

Zero-Days Aff - Michigan 72AC VULNERABILITIES NOW

Cyber vulnerabilities increasing—lack of zero-day regulation poses a serious security threatFidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

5.2 The Zero-Day Trade as a National and International Security Problem These continuing controversies underscore that zero-day vulnerabilities and their trade constitute serious and complex national and international security problems. Cybersecurity is of increasing concern to governments, and the zero-day problem touches nearly every dimension of cybersecurity debates . Governments use zero-days for military, intelligence, and law enforcement cyber operations. Authoritarian regimes employ them to monitor and silence citizens. Criminal organizations use them to disrupt systems and steal information. Experts fear non-state actors might utilize zero-days to attack critical infrastructure. The zero-day trade is global and

lucrative, with the United States and other nations participating as buyers. Cybersecurity experts are concerned this trade enables governments, non-state actors, and criminal organizations to obtain and improve dangerous cyber capabilities . The U.S. government’s participation in the zero-day market and their policies on zero-days amplify concerns about the trade. The U.S. government’s ability to keep purchased zero days secret to preserve military, intelligence, or law

enforcement utility undermines U.S. and global cybersecurity . The seriousness and widespread nature of the consequences of the zero-day trade have generated a growing policy debate about regulating the zero-day trade. This thesis contributes to this debate by exploring what is known about the market and analyzing domestic and international options for controlling the zero-day trade. Domestically, it analyzed criminalization, unilateral export controls, and increased oversight of U.S. government executive branch actions. It concludes that increased executive branch oversight is the best national strategy to address the problems of existing U.S. zero-day policy. Internationally, this thesis investigated international legal approaches, voluntary collective action through export controls, and cooperation through collective defense organizations. Voluntary collective action to harmonize export controls on zero days through the Wassenaar Arrangement emerges as the most feasible international option. However, the obstacles confronting effective regulation of the 170 zero-day trade are daunting, raising the real possibility that this trade will continue to contribute to the cyber “security dilemma” that is emerging in contemporary international relations.

124

Zero-Days Aff - Michigan 7AT: CYBERWAR WON’T ESCALATE

Cyberwar is escalating – Iran attacks, China hacking, and North Korea’s assault Leyden 6/4 (John, 6/4/15, We stand on the brink of global cyber war, warns encryption guru, http://www.theregister.co.uk/2015/06/04/schneier_global_cyber_war_warns/) /AMarb

We are in the early years of a cyber war arms race, security guru Bruce Schneier warned delegates at the Infosecurity Europe exhibition on Wednesday. Schneier, CTO of Resilient Systems, said the much publicised Stuxnet attacks on Iran by the US and Israel in 2010, Iran’s attack on Saudi Aramco, China’s apparent role in hacking GitHub, and the North Korean assault on Sony Pictures last year are all examples of the phenomenon. “These nations are building up for cyber war and now we're all in the blast radius,” he warned, while speaking in London. Most of these attacks — including Stuxnet and the assault on GitHub — inflict collateral damage, Schneier told El Reg, adding that cyber attacks are likely to become mainstream aspect of many conflicts. “I’m afraid things will get out of hand,” he said. During a keynote presentation, Schneier focused on a detailed commentary on last year’s attack on Sony Pictures. After months of doubting North Korea’s involvement in the attack Schneier was finally convinced of its role by a mid January article by David Sanger in the New York Times. Other theories — most notably that a disgruntled insider collaborated with elements of Anonymous to launch the attack — were widely touted in the weeks following the attack. This illustrates the wider point that attributing attacks in cyberspace is very hard, Schneier said. “You can be attacked and not be sure if it's a nuclear-powered government or two guys in a basement,” Schneier noted. The security industry has developed technology to rebuff high volume, unfocused attacks. However, skilled and focused attackers, commonly referred to in the infused biz as advanced persistent threats (APTs), or otherwise known as state-sponsored cyberspies, remain a huge challenge. “A sufficiently skilled, funded and motivated attacker will never fail to get in,” Schneier said. The “high skill, high focused” attack thrown against Sony would have floored most every target, he added. “Fundamentally, I don't think any of us could withstand this type of attack from this type of adversary,” Schneier concluded. Schneier claimed that the $15m clean-up costs booked by Sony Pictures in the wake of the attack seem to under-estimate costs and further charges will likely follow. ®

125

http://www.theregister.co.uk/2015/06/04/schneier_global_cyber_war_warns/

Zero-Days Aff - Michigan 7AT: NO CYBERWAR

Cyber war can end the Internet—US vulnerabilitiesMay 10 president of the Foundation for the Defense of Democracies, a policy institute focusing on terrorism (Clifford D., “U. S. is too vulnerable to cyber war, cyber crime” 3/8/10, p.A8, Access World News)If a top intelligence expert said America was not prepared for war, and indeed that if we went to war "we would lose," that would worry you, wouldn't it? Start worrying. The expert is Mike McConnell, who served as director of the National Security Agency under President Bill Clinton and as director of national intelligence under President George Bush. He was referring not to a conventional war or a guerrilla war. He was referring to a cyber war. But understand: Cyber war does not mean fun and video games. McConnell told a Senate committee last week that the risk we face from cyber attacks "rivals nuclear weapons in terms of seriousness." Cyber combatants could cause massive blackouts lasting for months. They could destroy the electronic processes on which our banking, commerce and financial systems have been built, stealing-- or simply wiping out--vast amounts of wealth. They could put our air transportation system in jeopardy. They might even be able to cripple our defense and national security infrastructure. It is possible to defend against such threats. But we are not doing it adequately. A year ago Jim Lewis, director of the Center for Strategic and International Studies, told Steve Kroft of "60 Minutes" that in 2007 America suffered "an espionage Pearl Harbor. Some unknown foreign power, and honestly, we don't know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA." After that, you would think a serious and comprehensive cyber-defense program would have been initiated. But in an op-ed published recently, McConnell warned that the U.S. government has "yet to address the most basic questions about cyber-conflicts. ... we lack a cohesive strategy to meet this challenge." Add to that the growing menace of cyber crime, which Joseph Menn, in his brilliant and disturbing book, "Fatal System Error," reports is already a "shadow economy that is worth several times more than the illegal drug trade, that has already disrupted national governments, and that has the potential to undermine Western affluence and security." If cyber crime is not curbed, Menn predicts, it is likely to get "far worse potentially wiping out faith in electronic transactions and rendering the Internet unfit for more than entertainment and informal, quasi-public communication." What about the nightmare scenario of cyber criminals and cyber combatants joining forces? That's already happening. "The full truth," Menn writes, "is that a number of enormously powerful national governments, especially those of Russia and China, have picked up the blossoming of the Internet age as the time to ally with organized crime. The Russian government, and possibly the Chinese government, has access to minds capable not only of stealing millions upon millions of dollars, but potentially disrupting the Western economy. Why wouldn't they encourage additional research to nurture such a weapon?" Terrorists are penetrating cyberspace as well. Menn reports that "three British jihadists convicted in 2007 for inciting murder used access to a database with 37,000 stolen credit cards to buy 250 airline tickets, night-vision goggles, hundreds of pre-paid cell phones, GPS devices and more--$3.5 million in total purchases--to assist others in the movement." Could Iranian linked or al Qaeda jihadists do the same--on their own or by making common cause with either cyber criminals or cyber combatants from countries ruled by regimes that would like to see harm done to the United States? All too easily. The good news is that there are solutions. "The problem is not one of resources,"McConnell says. "Even in our current fiscal straits, we can afford to upgrade our defenses." But he also predicts that the United States may have to suffer a catastrophic cyber attack before the public demands that its leaders make this threat a top priority. America has built an incredible high-tech society. But it is flying on gossamer wings.Our enemies know how fragile it is. So do we. The difference is they will do everything they can to destroy it. And we're not doing everything we can to defend ourselves and to defeat them.

Cyber war is real and unpredictably dangerous—four reasons Clarke 10 former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States (Richard A., Cyber War: The Next Threat to National Security and What to Do About It, p.21, 4/20/10) | jsCyber war is real. What we have seen so far is far from indicative of what can be done. Most of these well-known skirmishes in cyberspace used only primitive cyber weapons (with the notable exception of the Israeli operation). It is a reasonable guess that the attackers did not want to reveal their more sophisticated capabilities, yet. What the United States and other nations are capable of doing in a cyber war could devastate a modern nation. Cyber war happens at the speed of light. As the photons of the attack packets stream down fiber-optic cable, the time between the launch of an attack and its effect is barely measurable, thus creating risks for crisis decision makers. Cyber war is global. In any conflict, cyber attacks rapidly go global, as covertly acquired or hacked computers and servers throughout the world are kicked into service. Many

126

Zero-Days Aff - Michigan 7nations are quickly drawn in. Cyber war skips the battlefield. Systems that people rely upon, from banks to air defense radars, are accessible from cyberspace and can be quickly taken over or knocked out without first defeating a country’s traditional defenses. Cyber war has begun. In anticipation of hostilities, nations are already “preparing the battlefield.” They are hacking into each other’s networks and infrastructures, laying in trapdoors and logic bombs—now, in peacetime. This ongoing nature of cyber war, the blurring of peace and war, adds a dangerous new dimension of instability. As later chapters will discuss, there is every reason to believe that most future kinetic wars will be accompanied by cyber war, and that other cyber wars will be conducted as “stand-alone” activities, without explosions, infantry, airpower, and navies. There has not yet, however, been a full-scale cyber war in which the leading nations in this kind of combat employ their most sophisticated tools against each other. Thus, we really do not know who would win, nor what the results of such a cyber war would be. This book will lay out why the unpredictability associated with full-scale cyber war means that there is a credible possibility that such conflict may have the potential to change the world military balance and thereby fundamentally alter political and economic relations. And it will suggest ways to reduce that unpredictability.

Cyberattacks are a huge threat to national securityKshetri 10 Professor of International Affairs at the University of North Carolina (Nir, “The Global Cybercrime Industry: Economic, Institutional and Strategic Perspectives” p.6-7, 6/25/10) | jsAccording to the US Homeland Security Department, compared to 2006, there was a 52% increase in cyberattacks against US federal agencies in 2007 (United Press International, 2009). The Pentagon detected over 79,000 attempted intrusions in its network in 2005 (Reid, 2007) and more than 80,000 in 2007 (Hamilton, 2009). In a discussion of the national security impacts, attacks against the Department of Defense (DOD) networks merit mention. Note that the DoD information network represents about 20% of the entire Internet (GAO Reports June 22, 2007). In 1999, Department of Defense (DOD) networks detected 22,144 attacks on its networks compared to 5,844 in 1998 (Wolf, 2000). In 2008, the DoD estimated that its networks experienced more than 3 million attacks annually (Hess, 2008). The DoD networks were reported to receive about 6 million probes/scans a day (GAO Reports June 22, 2007). Entire infrastructure including those of emergency services call centers, electricity, nuclear power plants, communications, dams, air traffic control and transportation, commercial databases and information systems for financial institutions and health care providers, and military applications are vulnerable to attacks by cyberterrorists or hostile state actors (Ronfeldt & Arquilla, 2003, p. 314; Shackelford, 2009; The Economist, 2008). For many years, technology and policy analysts have been talking about the possibility of a "digital Pearl Harbour"-an unexpected cyberattack on a nation's infrastructure. Some reports have indicated US electricity grid infrastructures and F-35 lighter jet programs had been the target of cyberattacks (Beatty, 2009). The US President Obama noted: "We know that cyber-intruders have probed our electrical grid and that in other countries, cyberattackers have plunged entire cities into darkness" (cf. Harris, 2009). The FBI has ranked cybercrime as the third-biggest threat to US national security after nuclear war and weapons of mass destruction (Sloane, 2009). In a 2007 testimony to the US Congress, an analyst working on cyber defense systems for the Pentagon told that a mass cyberattack could leave up to 70% of the United States without electrical power for 6 months (Reid. 2007). Another estimate suggested that a loss of4% of the North American power grid will disconnect almost two-thirds of the entire grid in the region (Cetron & Davies, 2009). Likewise, a study of US Cyber Consequences Unit indicated that the costs of a single wave of cyberattacks on US infrastructures could exceed US $700 billion, which is about the same as the costs associated with 50 major hurricanes (Sloane, 2009). In a discussion of the Internet's national security impacts, cyberattacks against Estonia in April-May 2007 and those against Georgia in 2008 deserve special attention. The cyberattacks against Georgia by civilians were coordinated with physical attacks by a military force (Claburn, 2009b). Likewise, in a high-profile Distributed Denial of Service (DDOS) attacks in 2007, a botnet of up to 1 million computers attacked Estonian computer networks, which shut down the country's government ministries, parliament, and major banks (Grant, 2008). The attacks against Estonia were launched after the Estonian government moved the Soviet memorial to the "Great Patriotic War" (1941-1945) (as well as the soldiers buried there) from downtown Tallinn to a suburb location. Obviously, Russia was unhappy with this decision. Some cyberattack experts noted that they saw the involvement of the Russian government in the attacks (Economist.com, 2007). Some analysts observed that the effects of the 2007 cyberattacks in Estonia "were potentially just as disastrous as a conventional attack" (Shackelford, 2009, p. 193)

127

Zero-Days Aff - Michigan 7AT: NO MISCALC

That escalates and is uniquely dangerous—miscalculation and misattributionClarke 9 former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States (Richard A., The National Interest, “War from Cyberspace” p. 32-3, Nov/Dec 2009, http://users.clas.ufl.edu/zselden/coursereading2011/Clarkecyber.pdf) | js

We sit at a similar historical moment. War fighting is forever changed. Though it will never produce the kind of death toll of nuclear weapons, we can see echoes of these same risks and challenges in today’s newest cyber-war battlefield. We’ve developed a plethora of gee-whiz technological capabilities in the past few years, but cyber war is a wholly new form of combat, the implications of which we do not yet fully understand. Its inherent nature rewards countries that act swiftly and encourages escalation. As in the 1960s, the speed of war is rapidly accelerating. Then, long-range missiles could launch from the prairie of Wyoming and hit Moscow in only thirtyfive minutes. Strikes in cyber war move at a rate approaching the speed of light. And this speed favors a strategy of preemption, which means the chances that people can become trigger-happy are high. This, in turn, makes cyber war all the more likely. If a cyber-war commander does not attack quickly, his network may be destroyed first. If a commander does not preempt an enemy, he may find that the target nation has suddenly raised new defenses or even disconnected from the worldwide Internet. There seems to be a premium in cyber war to making the first move. And much as in the nuclear era, there is a real risk of escalation with cyber war. Nuclear war was generally believed to be something that might quickly grow out of conventional combat, perhaps initiated with tanks firing at each other in a divided Berlin. The speed of new technologies created enormous risks for crisis instability and miscalculation. Today, the risks of miscalculation are even higher, enhancing the chances that what begins as a battle of computer programs ends in a shooting war. Cyber war, with its low risks to the cyber warriors, may be seen by a decision maker as a way of sending a signal, making a point without actually shooting. An attacker would likely think of a cyber-offensive that knocked out an electric-power grid and even destroyed some of the grid’s key components (keeping the system down for weeks), as a somewhat antiseptic move; a way to keep tensions as low as possible. But for the millions of people thrown into the dark and perhaps the cold, unable to get food, without access to cash and dealing with social disorder, it would be in many ways the same as if bombs had been dropped on their cities. Thus, the nation attacked might well respond with “kinetic activity.” Responding, however, assumes that you know who attacked you. And, one of the major differences between cyber war and conventional war—one that makes the battlefield more perilous—is what cyber warriors call “the attribution problem.” Put more simply, it is a matter of whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source. In 2007, the Russian government denied that it had engaged in primitive cyber war against Estonia that took out such things as the financial-services sector, and in 2009 claimed it was not responsible for largely identical activity against Georgia; though Russia did concede that some of its citizens, outraged over the conflict in Abkhazia, might have launched the denial-of-service attacks.

128

http://users.clas.ufl.edu/zselden/coursereading2011/Clarkecyber.pdf


DISADVANTAGES

129

Zero-Days Aff - Michigan 72AC CYBER-DETERRENCE DA

Deterrence doesn’t apply to cyberspaceWeiner 12 [Sarah, research intern for the Project on Nuclear Issues, boss, internally cites Dr. Lewis who is the director of the Center for Homeland Security and Defense, https://www.hsdl.org/hslog/?q=node/9216] Others vehemently disagree with this presupposition. Jim Lewis, for example, argued earlier this month at an event at the Stimson Center that deterrence will not work in the cyber domain . He emphasized that difficulties in attributing attacks, “holding hostage” adversaries’ cyber and physical assets, and achieving a proportional response all decrease the credibility of US threats and reduce the costs of an adversaries’ hostile cyber operations. And Dr. Lewis has considerable evidence on his side: public and private entities in the US experience cyber-attacks on a daily basis. If these attacks are deterrable, we are doing a terrible job of leveraging our capabilities. For a number of reasons, trying to apply nuclear deterrence logic to cyber warfare feels a bit too much like trying to fit a square peg into a round hole. That does not mean, however, that we should abandon all attempts to draw analogies between cyber and nuclear strategy. Despite a few close calls, the basic principles of nuclear deterrence and mutually assured destruction have prevented the use of nuclear weapons for over 60 years. Understanding the reason why this largely effective and stable model of deterrence cannot map cleanly onto the cyber world may help us better conceptualize strategies for cyber-deterrence. The first difficulty is establishing an analogue between a nuclear attack and a cyber-attack. We know when a nuclear bomb explodes, and we know it is unacceptable. The spectrum of cyber-attacks, however, spans far, far below the destructiveness of a nuclear strike. Denial-of-service attacks, such as Iran’s recent shutdown of several banks’ websites, are a world away from the detonation of any weapon, not to mention a nuclear weapon. This creates the problem of credibility and proportionality Dr. Lewis spoke about: responding to such low-level attacks with a military use of force is so disproportionate that it is not a credible threat. If the US instead decides to use cyber capabilities to deter cyber-attacks, it runs into a second problem. Cyber “weapons” cannot be used in the same way we use nuclear weapons because, unlike nuclear weapons, the demonstration of a cyber-capability quickly renders that capability useless. If the US were to release the details of a cyber-weapon, intended to signal a retaliatory capability, potential adversaries could attempt to steal the technology and/or harden their cyber defenses against the US weapon’s specific attributes. This is the opposite of nuclear deterrence, in which the US pursues the most credible and reliable force so that other nations know precisely how damaging a US counterstrike would be. Demonstrating that a nation could effectively mount a second-strike in response to a nuclear attack creates a stabilizing dynamic of mutually assured destruction in which no nation believes it could gain militarily by launching a nuclear attack. The trouble with cyber weapons, however, is that they cannot be so transparently deployed. The only effective cyber-attack is an unexpected attack, and that does nothing for signaling or deterrence .

Maintaining zero-days causes more vulnerabilities Comninos and Seneque 14 [Alex, Justus-Liebig University Giessen, and Gareth, Geist Consulting, “Cyber security, civil society and vulnerability in an age of communications surveillance,” GIS Watch, 2014, http://giswatch.org/en/communications-surveillance/cyber-security-civil-society-and-vulnerability-age-communications-sur] //khirn

Cyber security and vulnerability Cyber security discourse should focus more on information security vulnerabilities, rather than on threats and responses. This focus would help to delineate what constitutes a cyber security issue, avoid cyber security escalating to a counter-productive national security issue, and place a practical focus on the protection of all internet users. A security vulnerability, also called a “bug”, is a piece of software code that contains an error or weakness that could allow a hacker to compromise the integrity, availability or confidentiality of information contained, managed or accessed by that software.17When a vulnerability is discovered, a malicious hacker may make an “exploit”18 in order to compromise data or access to a computer. Malware – viruses and Trojan horses – require exploits (or collections of exploits) that take advantage of vulnerabilities. Expertise in fixing

130



http://online.wsj.com/article/SB10000872396390444657804578052931555576700.html

http://online.wsj.com/article/SB10000872396390444657804578052931555576700.html

http://www.stimson.org/about/news/jim-lewis-of-csis-speaks-at-stimson-on-cyber-deterrence/

https://www.hsdl.org/hslog/?q=node/9216

Zero-Days Aff - Michigan 7vulnerabilities is improving but not keeping up with the pace of the growth. Compared to 15 years ago, all popular and contemporary desktop operating systems (Windows, Linux and Mac) offer regular automated security updates which fix or “patch” known vulnerabilities. While we are finding more vulnerabilities in code and viruses than ever before, we are also getting better at finding them. At the same time we keep producing more software code, meaning that the net number of vulnerabilities is increasing .19 Viruses and botnets, including Stuxnet and other state-sponsored malware,

require vulnerabilities to work . Finding and fixing vulnerabilities contributes to a safer and secure internet, counters surveillance and can even save lives. For example, a vulnerability in Adobe’s Flash software was recently used against dissidents in Syria.20 There are two categories of vulnerabilities, each requiring different user and policy responses: zero-days and forever-days. Zero-days are vulnerabilities for which there is no available fix yet, and may be unknown to developers. Forever-days are vulnerabilities which are known of, and either do not have a fix, or do have a fix in the form of a patch or an update, but they are for the most part not applied by users. Zero-day vulnerabilities When a zero-day is found, the original software developer should be notified so that they may find a fix for the vulnerability and package it as a patch or update sent out to users. Furthermore, at some stage, users of the affected software that are rendered vulnerable should also be informed, so they can understand if they are or have been vulnerable and take measures to recover and mitigate for the vulnerability. Throughout the history of computers, “hackers”21 have sought to use technology in ways that it was not originally intended. This has been a large source of technological innovation. Hackers have applied this logic to computer systems and have bypassed security and found vulnerabilities for fun, fame, money, or in the interests of a more secure internet. It is because of people that break security by finding vulnerabilities that we can become more secure. A problem for cyber security is that “good” (or “white hat”) hackers or “security researchers” may not be incentivised to find zero-days and use this knowledge for good. Rather than inform the software vendor, the project involved, or the general public of a vulnerability, hackers may decide not to disclose it and instead to sell information about a vulnerability, or package it as an exploit and sell it. These exploits have a dual use: “They can be used as part of research efforts to help strengthen computers

against intrusion. But they can also be weaponised and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud .”22 There is a growing market for zero-days that operates in a grey and unregulated manner. Companies sell exploits to governments and law enforcement agencies around the world; however, there are concerns that these companies are also supplying the same software to repressive regimes and to intelligence agencies. There is also a growing black market where these exploits are sold for criminal purposes .23

Black markets bad --- causes massive IP theft Goldsmith 10 [Jack, teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at Stanford University, “The New Vulnerability,” New Republic, June 7, 2010, http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability] //khirn

Today powerful criminal organizations operate in flourishing online black markets to buy and sell information about software vulnerabilities and an endless variety of sophisticated malware weapons that can be used to exploit these vulnerabilities. They infect, gather, and rent huge clusters of compromised zombie computers known as “botnets” that can be used for denial-of-service attacks or “phishing” expeditions (feigned trustworthy messages of the general sort that tricked the Google administrators). They buy and sell criminal services ranging from phishing-for-hire to money laundering. And they trade in stolen goods such as credit card and Social Security numbers and identification and login credentials. According to the computer security firm Symantec, a stolen credit card number fetches between eighty-five cents and thirty dollars on the black market. For twenty bucks you can buy someone’s essential identity information: name, address, birth date, and Social Security number. President Obama noted last year that cyber criminals stole an estimated $1 trillion in intellectual property from businesses worldwide in 2008. In truth, we lack both the reliable data and the metrics needed to know for certain the amount of losses from online criminal activities. Most security experts believe that the already massive online criminal industry is growing in size, sophistication, and success at a faster rate than companies, individuals, and law enforcement authorities are improving computer defenses. And the losses are surely much greater than have been made public, for most companies that are targets of cyber attacks and cyber exploitations have a powerful incentive not to report their losses, which might lead to

131

http://www.newrepublic.com/article/books-and-arts/75262/the-new-vulnerability

Zero-Days Aff - Michigan 7stock-price drops , lawsuits , and consumer anger .

Overconcentration on offense is uniquely destabilizing- makes cyberwar inevitable McGraw 13 [Gary, PhD, Chief Technology Officer of Cigital, and author of Software Security (AWL 2006) along with ten other software security books. He also produces the monthly Silver Bullet Security Podcast forIEEE Security & Privacy Magazine (syndicated by SearchSecurity), Cyber War is Inevitable (Unless We Build Security In), Journal of Strategic Studies - Volume 36, Issue 1, 2013, pages 109-119] //khirn

Also of note is the balancing effect that extreme cyber vulnerability has on power when it comes to cyber war. In the case of the Stuxnet attack, the balance of power was clearly stacked high against Iran. Subsequently, however, Iran responded with the (alleged) hijacking of a US drone being used for surveillance in Iranian airspace.10 Ironically, it may be that the most highly developed countries are more vulnerable to cyber warfare because they are more dependent on modern high-tech systems. In any case, failure to build security into the modern systems we depend on can backlash, lowering the already low barrier to entry for geopolitically motivated cyber conflict. Defending against cyberattack (by building security in) is just as important as developing offensive measures . Indeed it is more so. War has

both defensive and offensive aspects, and understanding this is central to understanding cyber war. Over-concentrating on offense can be very dangerous and destabilizing because it encourages actors to attack first and ferociously, before an adversary can. Conversely, when defenses are equal or even superior to offensive forces, actors have less incentive to strike first because the expected advantages of doing so are far lower. The United States is supposedly very good at cyber offense today, but from a cyberdefense perspective it lives in the same glasshouses as everyone else. The root of the problem is that the systems we depend on – the lifeblood of the modern world – are not built to besecure.11This notion of offense and defense in cyber security is worth teasing out. Offense involves exploiting systems, penetrating systems with cyberattacks and generally leveraging broken software to compromise entire systems and systems of systems.12 Conversely, defense means building secure software, designing and engineering systems to be secure in the first place, and creating incentives and rewards for systems that are built to be secure.13 What sometimes passes for cyber defense today – actively watching for intrusions, blocking attacks with network technologies such as firewalls, law enforcement activities, and protecting against malicious software with anti-virus technology – is little more than a cardboard shield.14 If we do not focus more attention on real cyber defense by building security in, cyber war will be inevitable .

Cyberdefense outweighs any offensive capabilities --- deliberately weakening the internet guarantees successful attacks Masnick 13 [Mike, founder and CEO of Floor64 and editor of the Techdirt blog, Oct 7th 2013, “National Insecurity: How The NSA Has Put The Internet And Our Security At Risk,” Techdirt, https://www.techdirt.com/articles/20131005/02231624762/national-insecurity-how-nsa-has-put-internet-our-security-risk.shtml] //khirn

But, really, the issue is that the NSA's actions aren't actually helping national security, but they're doing the exact opposite. They're making us significantly less safe . Bruce Schneier made this point

succinctly in a recent interview: The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone —including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state. The folks over at EFF have dug into this point in much greater detail as well. Undermining internet security is a really bad idea. While it may make it slightly easier

for the NSA to spy on people -- it also makes it much easier for others to attack us . For all this talk of

national security, it's making us a lot less secure. In trying to defend this situation, former NSA boss Michael

Hayden recently argued that the NSA, when it comes across security vulnerabilities, makes a judgment call on whether or not it's worth fixing or exploiting itself. He discussed how the NSA thinks about whether or

132

https://www.techdirt.com/articles/20131005/02231624762/national-insecurity-how-nsa-has-put-internet-our-security-risk.shtml

https://www.techdirt.com/articles/20131005/02231624762/national-insecurity-how-nsa-has-put-internet-our-security-risk.shtml

Zero-Days Aff - Michigan 7not it's a "NOBUS" (nobody but us) situation, where only the US could exploit the hole: You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch -- it's one that ethically and legally we could try to exploit in order to keep Americans safe from others. Of course, that ignores just how sophisticated and powerful certain other groups and governments are these days. As that article notes, the NSA is

known as a major buyer of exploits sold on the market -- but that also means that every single one of those exploits is known by non-NSA employees, and the idea that only the NSA is exploiting those is laughable. If the NSA were truly interested in "national security" it would be helping to close those vulnerabilities, not using them to their own advantage. This leads to two more troubling issues -- the fact that the "US Cyber Command" is under the control of the NSA is inherently problematic. Basically, the NSA has too much overlap between its offensive and defensive mandates in terms of computer security. Given what we've seen now, it's pretty damn clear that the NSA highly prioritizes offensive efforts to break into computers, rather than defensive efforts to protect Americans' computers. The second issue is CISPA. The NSA and its defenders pushed CISPA heavily, claiming that it was necessary for "national security" in protecting against attacks. But a key part of CISPA was that it was designed to grant immunity to tech companies from sharing information with... the NSA, which was effectively put in control over "cybersecurity" under CISPA. It seems clear, at this point, that the worst fears about CISPA are almost certainly true. It was never about improving defensive cybersecurity, but a cover story to enable greater offensive efforts by the NSA which, in turn, makes us all a lot less secure .

Squo cyber-offense is a bad frameworkIasiello 14 (Emilio Iasiello has been a cyber-threat analyst for the past twelve years supporting the US Departments of State and Defense, as well as a private sector security firm. “Hacking Back: Not the Right Solution”. http://www.strategicstudiesinstitute.army.mil/pubs/Parameters/issues/Autumn_2014/13_IasielloEmilio_Hacking%20Back%20Not%20the%20Right%20Solution.pdf)//CLiAbstract: In cyberspace attackers enjoy an advantage over defenders, which has popularized the concept of “active cyber defense”— offensive actions intended to punish or deter the adversary . This article argues active

cyber defense is not a practical course of action to obtain tactical and strategic objectives . Instead, “aggressive cyber defense,” a proactive security solution, is a more appropriate option. Cyber Strategies Hacking Back: Not the Right Solution The ability to retaliate against cyber attackers —

irrespective of the legalities of such actions—appears to have gained traction in the United States government , but is it a practical response for achieving tactical and strategic objectives in cyberspace? Attribution limitations, collateral damage considerations, the Internet’s global architecture, and potential event escalation make the challenges of engaging in active cyber defense an ineffective course of action destined to achieve limited tactical successes at best; and it risks accelerating digital as well as physical conflict . Too many variables prevent active cyber defense deterring or punishing adversaries in cyberspace. For that reason, this article advocates a more productive solution—aggressive cyber defense—to frustrate attackers via nondestructive or damaging activities.

We have initiated a virtual Cold War—only a defensive model can deter escalation Iasiello 14 (Emilio Iasiello has been a cyber-threat analyst for the past twelve years supporting the US Departments of State and Defense, as well as a private sector security firm. “Is Cyber Deterrence an Illusory Course of Action?”, Journal of Strategic Security, http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1337&context=jss, 2014)//CLiWith the U.S. government (USG) acknowledgement of the seriousness of cyber threats, particularly against its critical

infrastructures, as well as the Department of Defense (DoD) officially label ing cyberspace as a war fighting 133

http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1337&context=jss

Zero-Days Aff - Michigan 7domain , security experts, policymakers , and think tank researchers have resurrected a potential Cold War strategy to implement against the new threats fermenting in cyberspace.1 It is argued that the same principles that successfully contributed to nuclear deterrence with the Soviet Union can be applied to cyberspace and the hostile actors that operate within. However compelling, similar strategies are not transferrable and the key factors that made nuclear deterrence a viable solution does not carry the same value in cyberspace. While only a handful of states have demonstrated the capability to develop nuclear weapons, more than 140 nations have or are developing cyber weapons, and more than thirty countries are creating military cyber units, according to some estimates. Moreover, this threat actor landscape does not consist of nation states alone. Included are cyber criminals, hackers, and hacktivists of varying levels of sophistication and resources willing to use their capabilities to support nefarious objectives.2 There are advocates favoring the implementation of a cyber deterrence strategy to mitigate the volume of hostile cyber activity against public and private sector interests. However, too many factors—including attribution challenges and sustainability against this vast threat actor landscape—inhibit cyber deterrence options from achieving their desired outcome in the near term. What’s more, other deterrent strategies such as those employed against nuclear weapon use, terrorism, and rogue state behavior is not suitable models for the cyber realm. Despite some commonalities, the cyber domain lacks the transparency and actor visibility required to develop deterrence measures. Despite these hindrances, nation states should seek to develop, refine, and implement national level cyber security strategies that focus on cyber defense improvements and enforce accountability to measure their successes. While there will always be sophisticated actors able to thwart the most robust cyber security defenses, the success of hostile activity against networks are the result of poor cyber security practices such as unpatched systems and users not well trained in information assurance principles. Cyber security is an ongoing effort that needs to be relentlessly monitored and adapted to a constantly changing threat environment.

Squo policies makes companies and citizens vulnerable to hackers—we need to switch to defenseClarke and Swire 14 (Richard Clarke was a National Security official in the Bush, Clinton, and Bush Administrations. Peter Swire was a White House official under Presidents Clinton and Obama, and now is a professor at the Scheller College of Business of the Georgia Institute of Technology. “The NSA Shouldn’t Stockpile Web Glitches”, 4/18/2014, http://www.thedailybeast.com/articles/2014/04/18/the-nsa-shouldn-t-stockpile-web-glitches.html)//CLiWhen word spread last week about the greatest cyberspace vulnerability in years, the aptly named Heartbleed vulnerability, the first question that many asked was “Did NSA know?” Because of the prior revelations about NSA activity, there is now a natural suspicion among many citizens that the NSA would be using such a weakness in the fabric of cyberspace to collect information. Bloomberg even reported that the NSA did know and had been exploiting the mistake in encryption. But actually no U.S. government agency was aware of the problem; they learned about it along with the rest of us. That is both reassuring and troubling. The question remains, however, what if, in a similar case in the future, the NSA or some other government agency did learn about such a flaw in software? Should it be the NSA’s decision to tell us about the problem? Should the government lean to offense, and use the vulnerability to create an exploit and collect information, or, instead, lean toward defense, alerting citizens and companies so that they can protect themselves from malicious actors who may also learn about the flaw? Although for some, the answer comes easily, it is in our minds a difficult decision. The temptation to stockpile vulnerabilities for offense is easy to understand. After all, what if you could use a software glitch to destroy machines that Iran is using to make nuclear bomb material? Or perhaps we can use a mistake in coding to get inside al Qaeda’s communications and learn about their next attack before it happens, perhaps in time to stop it. In those hypothetical cases, what is the U.S. Government’s chief responsibility? To protect us from nuclear proliferation or terrorism? Or, to patch up software that might be running critical infrastructure such as our banks, stock markets, electric power grid, or transportation systems? The President’s Intelligence Review Group recommended earlier this year that the default decision, the assumption, should be to lean toward defense. (Disclosure: We were two of the group’s five members.) The government, upon learning of a software vulnerability, should alert us and act quickly with the IT industry to fix the error. We reasoned that if the U.S. government learns about a software glitch, others will too, and it would be wrong to knowingly let U.S. citizens, companies and critical infrastructure be vulnerable to hackers and foreign intelligence cyber spies. Usually, it is the U.S. who has the most to lose when there is a hole in the fabric of cyberspace . We rely upon information technology systems and control

networks more than any other economy or society, and the potential damage that could be done to our country from malicious hacking could be devastating. We also recommended that there be the opportunity for rare exceptions to the rule. If the government learns about a vulnerability in some obscure piece of software, not widely present on U.S.

134

Zero-Days Aff - Michigan 7critical networks but running on the systems of some real threat (such as al Qaeda or Iran’s nuclear program), the president ought to be able to authorize for a limited time the use of that knowledge to collect intelligence or even to cause destruction of threatening hardware. That decision, however, should not be the NSA’s to make alone. Balancing the offense/defense equities should be a White House call, made after having heard from all sides of the issue. Those in the government who worry about defending critical, private sector networks (the departments of Treasury, Homeland Security, Energy, Transportation) should have the opportunity to make their case that it would be better to defend ourselves than to hoard our knowledge of a cyber problem to attack other nations’ networks. The reality is that there will be very few cases where a strong argument could be made for keeping a software vulnerability secret. Even then, the issue would be not whether to tell the American people about the cyberspace flaw, but how soon to tell. The president, according to a White House statement last week, has decided to accept our recommendation. The Obama administration announced that, with very rare exceptions, when the U.S. government learns of a software vulnerability, it will work with the software companies involved and with users to patch the mistake as quickly as possible. That lean toward defense is, we believe, the right answer.

135

Zero-Days Aff - Michigan 7AT: CHINA/TAIWAN

Won’t go nuclearPike 11 – last modified 5/7/2011 (John, manager, Global Security, China’s Options in the Taiwan Confrontation, http://www.globalsecurity.org/military/ops/taiwan-prc.htm)

China would almost certainly not contemplate a nuclear strike against Taiwan, nor would Beijing embark on a course of action that posed significant risks of the use of nuclear weapons. The mainland's long term goal is to liberate Taiwan, not to obliterate it, and any use of nuclear weapons by China would run a substantial risk of the use of nuclear weapons by the United States. An inability to control escalation beyond "demonstrative" detonations would cause utterly disproportionate destruction.

No miscalcCliff et al 11 – senior political scientist at the RAND Corporation [Cliff with Phillip C. Saunders Senior Research Professor at the National Defense University's Institute for National Strategic Studies and Scott Harold”March 30, 2011 New Opportunities and Challenges for Taiwan's Security” http://www.rand.org/content/dam/rand/pubs/conf_proceedings/2011/RAND_CF279.pdf Accessed July 12, 2011]

Moreover, other than pursuing the largely political goals of reunification and weakening the security relationship between Taiwan and the United States, there doesn’t seem to be any compelling military need for such measures (which is, after all, the essence of CBMs). To be sure, there is always a risk of conflict when two militaries face each other, and more, rather than less, certainty never hurts. However, there seems to be little reason to be concerned over accidental conflict or misperception. There are informal understandings (the centerline being the prime example): There is already some cooperation in rescue at sea, many (probably too many) channels of communication exist, and even some unilateral statements of intent have been made. Moreover, and very importantly, viewing the question from the mainland’s side, the frequent statements cited above regarding Taiwan’s desire to use CBMs to freeze the status quo suggest that it is questionable whether Beijing really wants to - 45 - reinforce certainty regarding its intent and thus weaken its deterrent to the independence forces, which is still considered to be so essential

Mutual consensus on avoiding deteriorationSun 11—vice president of the Prospect Foundation (Yang-ming, 5 December 2011, “The Potential Crisis of Asian-Pacific Stability,” http://www.carnegieendowment.org/2011/12/05/potential-crisis-of-asian-pacific-stability/820d, RBatra)

The structural factors that contribute to the stability of the China-Taiwan relationship stem from three different policy lines coming out of Taiwan, China, and the United States. For Taipei,

when Mr. Ma won his 2008 campaign, he didn’t hesitate to construct a policy of “maintaining cross-Strait stability”

according to his party platform. That platform was based on the 1992 Consensus, in which Beijing and Taipei agreed that there is one China, but

that each side has its own interpretation of what that means. That policy line helped eliminate the instability caused by the “one country on each side” principle that was raised by Ma’s predecessors from the Democratic Progressive Party (DPP). It implied that China and Taiwan were separate countries, not just two political spheres within one country. In Beijing, almost immediately after Ma won the presidency, there was a great debate over China’s Taiwan policy. Policymakers wondered whether Beijing should push Taiwan toward unification or maintain the current stage of cross-Strait peaceful

development. Chinese President Hu Jintao prudently concluded that the character of current cross-Strait relations should be fixed on anti-independence rather than a push for unification, suggesting that the policy of “cross-

Strait peaceful development” should remain intact. Last but not least was Washington’s policy. The United States, as the most important player in the region, has been trying to maintain the status quo. So, a stable framework was constructed through a vague saddle point to keep the current cross-Strait situation from descending into chaos: Taipei acted to maintain cross-Strait stability; Beijing promoted cross-Strait peaceful development; and Washington sought to

maintain the status quo. The stability is no longer abstract but has a distinct structure, though that framework is still fragile and each side still has to learn how to trust the others. Almost all the subsequent policies that can help bring about greater stabilization are based on this fragile structure.

There is the potential for a diplomatic truce, Taiwan’s participation in the World Health Organization, and, most importantly, Taipei’s involvement in the Economic Cooperation Framework Agreement (ECFA), a trade agreement between China and Taiwan that came into effect in September 2010. The effects of ECFA have been greatly distorted. Those who criticize the agreement believe that it will only make Taiwan more dependent on the Chinese Mainland. They argue that Beijing also sees the agreement as a way to increase Taiwan’s dependence on China, but that the Chinese use a different phrase:

“deepening the interaction of the two sides.” But for Taipei, the ECFA represents something different. First, it tells Beijing that Taiwan did not shut down all the possibilities of a common future, and this will definitely make Beijing consider similar future policies more reasonably and rationally. Second, the ECFA is a gateway for

136

Zero-Days Aff - Michigan 7Taiwan’s economy. For the first decade of the twenty-first century, there were approximately 60 meaningful free trade agreements around the pan-Pacific region. Two countries were excluded from those agreements: North Korea and Taiwan. The result is that Taiwan has been gradually marginalized. The previous Taiwanese administration tried to push Beijing on this matter. But under the leadership of Chen Shui-bian, Taiwan failed to sign any trade or investment agreements with its neighbors.

Through the ECFA, Taipei has gotten closer to Southeast Asia, America, Europe, and Japan. This helps create a favorable environment for the cross-Strait peaceful development and peaceful competition, with benefits for both sides of Taiwan Strait. This group constitutes a collective force resisting the economic magnet that is the Chinese Mainland. And this creates a strategic balance across the Straits. Simultaneously, more relaxed cross-Strait relations allow Taiwan to move closer to the West in the areas of ideology and security.

137

Zero-Days Aff - Michigan 7AT: KOREA WAR

No escalation – they can’t fight a warJohn Glaser 1-22-2014; journalist based in Washington, D.C. He has been published in The Washington Times, Al Jazeera English, the Huffington Post, among other publications. “Are U.S. troops in South Korea still necessary?” http://america.aljazeera.com/opinions/2014/1/are-u-s-troops-insouthkoreastillnecessary.html

But Seoul can easily defend itself. South Korea’s GDP is $1.13 trillion, versus North Korea’s paltry $40 billion, with similar disparities in the sizes of their respective defense budgets. The brutal authoritarian regime of North Korea is made out to be a major threat to its neighbors, but it is comparatively weak, lacking the kind of advanced industrial and technological military capacity of its

southern neighbor and, certainly, the U.S. Experts consider Pyongyang unfit to fight an extended modern battle.

Conflict will be limited and short-livedYong 11—Washington-based analyst of international affairs at Asia Times (Yong Kwon, © 2011, “Misunderstandings may prove fatal,” http://www.atimes.com/atimes/Korea/MA08Dg02.html, RBatra)

Nonetheless, there are several elements that make this analogy a dubious one when it comes to North Korea. The economic and military prowess of the DPRK in relation to South Korea has diminished to such an extent that it makes any large-scale military action implausible.Radio Free Asia reported that the shelling of the Yeonpyeong Island caused widespread panic throughout North Korea because of the belief that the United States would retaliate militarily. According to the same report, the panic caused a rush on foreign currency and forced the price of food to rise, initiating a crisis similar to the one created by the currency revaluation in December 2009. [4]

Had the North Koreans feared the loss of their relative advantage, a large-scale invasion would have commenced in the 1960s or 1970s, before the South Korean economy lifted off under the Park Chung-hee administration. With the mounting cost of coercive bargaining, the North Koreans are not playing a zero-sum strategy game like the Japanese Empire in 1941, but a post-famine negative-sum survival game.North Korea currently has two major military assets: its capacity to obliterate Seoul with its forward artillery, and its nuclear arsenal. A Pearl Harbor-like attack by North Korea

will involve one and or both of these assets. However, there are questions as to whether North Korea has either the technological know-how or the desire to actually utilize these military advantages.

There have been doubts on whether or not the two sensational nuclear tests have actually been successful.

Several observers of the North Korean nuclear crisis from both the United States and Russia have commented on the possibility that both tests may have merely "fizzled". Furthermore, Pyongyang is a long ways from actually producing an inter-continental ballistic missile that can reliably carry the necessary nuclear payload.

This leaves the direct artillery strike on Seoul as the only strategically advantageous military asset for North Korea. However, this would be an inappropriate use of force for Pyongyang's foreign policy objectives. North Korea more or less gave up on their initial objective of unifying the peninsula in the 1970s , when the DPRK leadership recognized their country's relative economic backwardness compared to South Korea. [5]

Since then, Pyongyang's policies have been geared towards coercive bargaining that will bring either legitimacy or much-needed economic assistance to the regime. Any attack on Seoul would jeopardize the fine line between much-needed subsidies and all-out war.In terms of recent clashes, the scuttling of the Cheonan and the shelling of Yeonpyeong Island revealed fatal weaknesses in

the South Korean defenses; however, it did not reduce the deterrence against all-out war because North Korea cannot afford to take any physical blows in its fragile state.

138

Zero-Days Aff - Michigan 7AT: POLITICS

Bipartisan support for NSA restrictions: recent votes proveCoca 6/12 (Onan Coca is a graduate of Liberty University (2003) and earned his M.Ed. at Western Governors University in 2012. Freedom Force: “Bipartisan House Votes for Further Restrictions on Surveillance on Americans!” Published June 12th, 2015. Accessed June 29th, 2015. http://freedomforce.com/4275/bipartisan-house-votes-for-further-restrictions-on-surveillance-on-americans/) KalM

In another win for freedom, the House voted yesterday to pass additional restrictions on the intelligence community in an effort to protect innocent Americans from being spied on. Congressmen Thomas Massie (R-KY and Zoe Lofgren (D-CA) came together to prepare the Massie-Lofgren amendment to defund surveillance “backdoors.” Their amendment passed with a confusingly bipartisan vote, 255 – 174. I say confusingly because 109 Republicans voted for it, 134 Republicans voted against it – almost a 50 – 50 split. On the Democrat side, things were less confused but still split, as 146 Democrats voted for the amendment and 40 voted against it! (You can see the roll call vote here.) Here’s what Massie said about it on Facebook: Huge News: The House just voted for additional restrictions on surveillance! Today, the House of Representatives passed the Massie-Lofgren amendment to defund two surveillance “backdoors” that currently allow intelligence agencies access to Americans’ private data and correspondence without a warrant. The amendment, which is part of the Fiscal Year 2016 Department of Defense appropriations bill (H.R. 2685), passed 255-174. #NSA Rep. Massie also released a press release explaining what the amendment was about and why it was so important that it pass. Today, the House of Representatives passed an amendment by Congressman Thomas Massie (R-KY) and Congresswoman Zoe Lofgren (D-CA) to defund two surveillance “backdoors” that currently allow intelligence agencies access to Americans’ private data and correspondence without a warrant. The amendment, which is part of the Fiscal Year 2016 Department of Defense appropriations bill (H.R. 2685), passed 255-174. “The USA Freedom Act is not the last word on surveillance reform,” said Rep. Massie. “Backdoor surveillance authorized under Section 702 of the FISA Amendments Act is arguably worse than the bulk collection of records illegally collected under Section 215 of the Patriot Act. This amendment is a much needed next step as Congress continues to rein in the surveillance state and reassert the Fourth Amendment.” “This amendment is the most meaningful step Congress can take to end warrantless bulk collection of US persons’ communications and data,” said Rep. Lofgren. “We know that mass surveillance of Americans, as reported in the news, has taken place under the FISA Section 702 authority. This vote shows once again that the House is committed to upholding the Constitution and protecting Americans from warrantless invasions of their privacy. Enacting this amendment into law will benefit our economy, protect our competitiveness abroad, and make significant strides in rebuilding the public’s trust.” Under Section 702 of the FISA Amendments Act, Americans’ private data and communications – including emails, photos, and text messages – can be collected by intelligence agencies, provided that data or communication at some point crosses the border of the United States. Given the current fluid nature of electronic communications and data storage, in which corporate and private server farms store Americans’ data all over the world, this loophole could allow intelligence agencies access to a vast swath of communications and data without warrant protection. Intelligence officials have confirmed to Congress that law enforcement agencies actively search the content of this intercepted data without probable cause, and have used evidence gathered to assist in criminal prosecutions. Government agencies have also reportedly coerced individuals and organizations to build encryption “backdoors” into products or services for surveillance purposes, despite industry and cryptologist claims that this process is not technologically feasible without putting the data security of every individual using these services at risk. The Massie-Lofgren Amendment would prohibit funding for activities that exploit these “backdoors.” An identical amendment to the Fiscal Year 2015 Department of Defense Appropriations Act last year passed the House of Representatives by an overwhelming 293-123 vote, but it was not included in the omnibus spending legislation that passed last December. The amendment is supported by a broad coalition of privacy and civil liberties groups as well as tech companies, including the American Civil Liberties Union, Bill of Rights Defense Committee, Campaign for Liberty, Constitutional Alliance, Council on American-Islamic Relations, CREDO Mobile, Defending Dissent Foundation, Demand Progress, DownsizeDC.org, Electronic Frontier Foundation, Fight for the Future, Free Press Action Fund, FreedomWorks, Friends Committee on National Legislation, Generation Opportunity, Google, Liberty Coalition, Media Alliance, New America’s Open Technology Institute, OpenMedia.org, OpenTheGovernment.org, Project On Government Oversight, Public Knowledge, Restore The Fourth, RootsAction.org, Student Net Alliance, Sunlight Foundation, TechFreedom, and X-Lab.

Policymakers knew of and didn’t change NSA problems a long time before reformSchulberg 6/1 (Jessica Schulberg is a reporter covering foreign policy and national security for The Huffington Post. She has a master's degree in international politics from American University. Huff Post Politics: “The Elephant In The Room: Senators Finally Credit Edward Snowden For Role In Patriot Act Reforms” published June 1st, 2015. Accessed June 29th, 2015. http://www.huffingtonpost.com/2015/06/01/snowden-nsa-patriot-act_n_7485702.html) KalM

WASHINGTON -- When several key provisions of the broad, post-9/11 surveillance law known as the

139

http://www.huffingtonpost.com/2015/06/01/snowden-nsa-patriot-act_n_7485702.html

http://freedomforce.com/4275/bipartisan-house-votes-for-further-restrictions-on-surveillance-on-americans/

http://freedomforce.com/4275/bipartisan-house-votes-for-further-restrictions-on-surveillance-on-americans/

Zero-Days Aff - Michigan 7Patriot Act were up for renewal five years ago, the Senate debated for just 20 seconds before reauthorizing the sweeping powers by a voice vote . The following day, the House followed the upper chamber’s lead, voting 315-97 to extend the act’s most controversial elements.

Domestic surveillance is congressionally approvedSaletan 13 (Will Saletan is a journalist for Slate. He writes about politics, science, technology, and other stuff for Slate. He’s the author of “Bearing Right”. Slate: “Stop Freaking Out About the NSA” published June 6th, 2013. Accessed June 29th, 2015. http://www.slate.com/articles/news_and_politics/frame_game/2013/06/stop_the_nsa_surveillance_hysteria_the_government_s_scrutiny_of_verizon.html) KalM3. It’s congressionally supervised. Any senator who’s expressing shock about the program is a liar or a fool. The Senate Intelligence and Judiciary Committees have been briefed on it many times . Committee members have had access to the relevant FISA court orders and opinions. The intelligence committee has also informed all senators in writing about the program, twice , with invitations to review classified documents about it prior to reauthorization. If they didn’t know about it, they weren’t paying attention.

140

http://www.slate.com/articles/news_and_politics/frame_game/2013/06/stop_the_nsa_surveillance_hysteria_the_government_s_scrutiny_of_verizon.html

http://www.slate.com/articles/news_and_politics/frame_game/2013/06/stop_the_nsa_surveillance_hysteria_the_government_s_scrutiny_of_verizon.html

Zero-Days Aff - Michigan 7AT: SPENDING LINKS

Zero day vulnerabilities bought by USFG are expensiveFung 13 (Brian Fung covers technology for The Washington Post, focusing on telecom, broadband and digital politics. The Washington Post: “The NSA hacks other countries by buying millions of dollars’ worth of computer vulnerabilities” Published August 31st, 2015. Accessed June 24th, 2015. http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/) KalM

Like any government agency, the NSA hires outside companies to help it do the work it's supposed to do. But an analysis of the intelligence community's black budget reveals that unlike most of its peers, the agency's top hackers are also funneling money to firms of dubious origin in exchange for computer malware that's used to spy on foreign governments. This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities' from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the Post's Barton Gellman and Ellen Nakashima. Companies such as Microsoft already tell the government about gaps in their product security before issuing software updates, reportedly to give the NSA a chance to exploit those bugs first. But the NSA is also reaching into the Web's shadier crevices to procure bugs the big software vendors don't even know about — vulnerabilities that are known as "zero-days." Just who might the NSA be paying in this covert marketplace? One of the most famous players in the arena is Vupen, a French company that specializes in selling zero-day exploits. A 2011 brochure made public on WikiLeaks showed Vupen boasting that it could "deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by Vupen security researchers. "This is a reliable and secure approach to help [law enforcement agencies] and investigators in covertly attacking and gaining access to remote computer systems," the brochure continued. To take advantage of the service, governments can purchase an annual subscription. The subscription comes with a number of "credits" that are spent on buying zero-day exploits; more sophisticated bugs require more credits. In 2012, Vupen researchers who discovered a bug in Google Chrome turned down the chance to win a $60,000 bounty from the search giant, presumably in order to sell the vulnerability to a higher bidder. The company announced earlier this month that it would be opening an office in the same state as the NSA's headquarters in Fort Meade, Md. WikiLeaks identified a total of nearly 100 companies participating in the electronic surveillance industry worldwide, though not all of them are involved in the sale of software vulnerabilities. Zero-days are particularly effective weapons that can sell for up to hundreds of thousands of dollars each.

141

http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/

http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/

Zero-Days Aff - Michigan 7AT: TERRORISM DA

They’ve magnified the risk of the internal link—little chance that terrorists can access the zero-day marketMueller 13 (Milton Mueller, Professor at the Syracuse University School of Information Studies. His research and teaching explore the political economy of communication and information. For the past 15 years his research, teaching and public service have concentrated on problems related to global Internet governance. “REGULATING THE MARKET FOR ZERO-DAY EXPLOITS: LOOK TO THE DEMAND SIDE”, http://www.internetgovernance.org/2013/03/15/regulating-the-market-for-zero-day-exploits-look-to-the-demand-side/, March 18, 2013)

We suggest focusing policy responses on the demand side rather than the supply side. The zero-day market is largely a product of buyers, with sellers responding to that demand. And if it is true that much of the demand comes from the US Government itself , we should have a civilian agency such as DHS compile information about the scope and scale of our participation in the exploits market. We should also ask friendly nations to assess and quantify their own efforts as buyers, and share information about the scope of their purchases with us. If U.S. agencies and allies are key drivers of this market, we may have the leverage we need to bring the situation under control . One idea that should be explored is a new federal program to purchase zero-day exploits at remunerative prices and then publicly disclose the vulnerabilities (using ‘responsible disclosure’ procedures that permit directly affected parties to patch them first). The program could systematically assess the nature and danger of the vulnerability and pay commensurate prices. It would need to be coupled with strong laws barring all government agencies – including military and intelligence agencies – from failing to disclose exploits with the potential to undermine the security of public infrastructure. If other, friendly governments joined the program, the costs could be shared along with the information. In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose program could replace current funding for exploit purchases. Obviously, terrorists, criminals or hostile states bent on destruction or break-ins would not be turned away from developing zero-days by the prospect of getting well-paid for their exploits. But most of the known supply side of the market does not seem to be composed of terrorists or criminals, but rather profit-motivated security specialist s . And it’s likely that legitimate, well-paid talent will discover more flaws than “the dark side” in the long run. Obviously the details regarding the design, procedures and oversight of this program would need to be developed. But on its face, a demand-side approach seems much more promising than railing against the morality of so-called cyber arms dealers.

Little risk of terrorism in the world of the aff—motive but no meansChen 14 (Thomas Chen, professor in the College of Engineering at Swansea University, Swansea, United Kingdom. He has 22 years of research experience in academia and industry, and frequently collaborates with major security companies. Dr. Chen holds B.S. and M.S. degrees from the Massachusetts Institute of Technology and a Ph.D. in electrical engineering from the University of California, Berkeley. “Cyberterrorism after Stuxnet”, http://www.dtic.mil/dtic/tr/fulltext/u2/a603165.pdf, June 2014)

It is true that a multitude of easy-to-use software attack tools are readily available at no or low cost. For a small investment, attacks such as DDoS can be waged with serious and costly impact. It is also true that Islamic fundamentalist organizations such as Hamas, al-Qaeda , Algeria’s Armed Islamic Group, Hezbollah, and the Egyptian Islamic Group are known to be versed in information technology . However, the type of attacks that are possible with low-cost tools do not yet rise anywhere near the level of “breaking things and killing people.” It is very unlikely that any terrorist organization such as al-Qaeda will be able to deploy a cyberattack with the sophistication of Stuxnet. Stuxnet was developed by military expert programmers with detailed knowledge about their 16 targets. It would take enormous time and human resources to develop that level of sophisticated skills. Although terrorists might turn to the underground to hire hackers with sufficient skills, Giampiero Giacomello has argued that this approach is unlikely, because it would be far more costly than traditional physical attacks that terrorists have used more or less successfully in the past.28 In addition to IT skills, an important element of major cyberattacks is zero-day exploits (as used in Stuxnet), because no patch is

142

http://www.dtic.mil/dtic/tr/fulltext/u2/a603165.pdf

http://www.internetgovernance.org/2013/03/15/regulating-the-market-for-zero-day-exploits-look-to-the-demand-side/

http://www.internetgovernance.org/2013/03/15/regulating-the-market-for-zero-day-exploits-look-to-the-demand-side/

Zero-Days Aff - Michigan 7available to defend against them. There is a thriving market for zero-day exploits , and it might be assumed that terrorists might be able to buy them easily as needed. However, there is also competition. At the recent Black Hat conference, representatives from the U.S. military and intelligence community were among the thousands of attendees to learn about vulnerabilities and buy exploits and software tools, among other things. Many of the companies involved in discovering vulnerabilities and creating exploits are in Western countries unfriendly to terrorists, so terrorists may find it very difficult to acquire zero-day exploits.

Current zero-day vulnerabilities put us at risk of terroristsArce 2014 (Nicole Arce, staff reporter at Tech Times, “Operation Auroragold allows NSA to spy on Carriers Worldwide and Plant Bugs”, http://www.techtimes.com/articles/21550/20141206/operation-auroragold-allows-nsa-to-spy-on-carriers-worldwide-and-plant-bugs.htm, December 6,2014)//CLi

Apart from the ethical implications of hacking into private companies and spying on their customers, security experts believe Auroragold opens cellular networks ripe for the picking not just for government agencies but also for other individuals. Security researcher and cryptographer Karsten Nohl says he finds it alarming that the NSA deliberately plotted to introduce new weaknesses in worldwide communication systems for the purpose of spying. "Collecting an inventory [like this] on world networks has big ramifications," Nohl tells The Intercept. "Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities because once NSA introduces a weakness, a vulnerability, it's not only the NSA that can exploit it." Mikko Hypponen, a security

researcher at F-Secure, agrees. Hypponen says it is not only the NSA that will benefit from the security holes advertently created in cellphone networks. The criminals and terrorists the NSA claims to target will also be able to exploit these holes. "If there are vulnerabilities on those systems known to the NSA that are not being patched on purpose, it's quite likely they are being misused by completely other kinds of attackers," Hypponen says. "When they start to introduce new vulnerabilities, it affects everybody who uses that technology; it makes all of us less secure." Auroragold is in direct conflict with the results of a surveillance review called by President Obama in December after Snowden's revelations elicited public furor when it first came to light. The panel concluded that the NSA should not "in any way subvert, undermine, weaken or make vulnerable generally available commercial software."

It also said the NSA must inform companies of newly discovered zero-day exploits, or exploits that developers had zero days to fix . The White House confirmed these results but not without throwing in an escape clause that says the NSA is allowed not to disclose security holes if in the presence of "a clear national security or law enforcement" threat. The NSA clearly sees this loophole to its advantage. NSA spokesperson Vanee' Vines says the agency operates within the bounds of law and only spies on terrorists, weapons distributors and "valid foreign targets," not "ordinary people." "NSA collects only those communications that is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements - regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their communication," Vines says.

143

http://www.techtimes.com/articles/21550/20141206/operation-auroragold-allows-nsa-to-spy-on-carriers-worldwide-and-plant-bugs.htm

http://www.techtimes.com/articles/21550/20141206/operation-auroragold-allows-nsa-to-spy-on-carriers-worldwide-and-plant-bugs.htm


COUNTERPLANS

144

Zero-Days Aff - Michigan 7AT: I-LAW CP

ILaw enforcement for cybercrime has failed – empiricsFidler 14 – Masters in International Relations (MAILYN FIDLER, May 2014, ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES, https://direct.decryptedmatrix.com/wp-content/uploads/2014/06/Fidler-Zero-Day-Vulnerability-Thesis.pdf) /AMarbThe Convention on Cybercrime created by the Council of Europe seeks to harmonize substantive national criminal law on cybercrime and strengthen mechanisms for international law enforcement cooperation on cybercrime. The Convention entered into force in 2004 and was sponsored by the Council of Europe.463 The impetus for this treaty was the need to harmonize national cybercrime laws to increase the chances of successful prosecution of cyber crimes across borders.464 At the time, many states had yet to enact statutes criminalizing computer crimes, meaning cyber criminals could find havens in these states.465 Countries with computer crime laws suffered from cyber crime, but some responsible criminals went unpunished because they were located in other states without an adequate domestic legal framework or international legal agreement with the affected country.466 Thus, the Convention on Cybercrime represents a direct use of treaty law to address a cybersecurity problem. Ten years after the drafting of the Convention, the Obama administration stated that the Convention was “effective in breaking down barriers to transnational cooperation and communication” and that the United States is “able to respond to potential threats more quickly and effectively than ever” as a result of this collaboration.467 Still, the Convention exhibits several problems. Particularly, the treaty attempted to achieve consensus by adopting overly broad definitions and including a plethora of requested items instead of only the core items that achieved consensus.468,469 The Convention also provides fairly broad grounds for states to shirk obligations, leaving the door open for significant reneging.470

145

https://direct.decryptedmatrix.com/wp-content/uploads/2014/06/Fidler-Zero-Day-Vulnerability-Thesis.pdf

https://direct.decryptedmatrix.com/wp-content/uploads/2014/06/Fidler-Zero-Day-Vulnerability-Thesis.pdf

Zero-Days Aff - Michigan 7AT: INTERNAL REVIEW SOLVES

Internal review fails --- won’t be followed or implemented Kehl et al. 14 [Danielle Kehl is a Policy Analyst at New America’s Open Technology Institute (OTI). Kevin Bankston is the Policy Director at OTI, Robyn Greene is a Policy Counsel at OTI, and Robert Morgus is a Research Associate at OTI, New America is a nonprofit, nonpartisan public policy institute that invests in new thinkers and new ideas to address the next generation of challenges facing the United States, Policy Paper, “Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & Cybersecurity,” July 2014, https://www.newamerica.org/oti/surveillance-costs-the-nsas-impact-on-the-economy-internet-freedom-and-cybersecurity/] //khirn

However, NSA representatives revealed few details about the depth of information on zero-day vulnerabilities the agency holds, its internal process for deciding when to disclose a vulnerability, and whether or how that process interacts with the interagency process.2 97 Meanwhile, the White House has stated that a review of the interagency process is currently underway in response to the recommendations of the President’s NSA Review Group. Michael Daniel, a Special Assistant to the President and Cybersecurity Coordinator, asserted that the Intelligence Community should not abandon the use of vulnerabilities as a tactic for intelligence collection, but did acknowledge that “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”298 The White House purports to maintain a “bias” in the Vulnerabilities Equities Process toward public disclosure in the absence of a clear national security or law enforcement need,299 but the scope of the NSA’s vulnerabilities stockpile calls into question how effective this mysterious disclosure process really is. Furthermore, the government’s repeated assertions that it has “reinvigorated” the interagency process in response to the President’s NSA Review Group report suggests that it has not previously been strongly implemented or consistently followed .300 The President’s Review Group report recommended that “US policy should generally move to ensure that Zero Days are quickly blocked , so that the underlying vulnerabilities are patched on US Government and other networks .”301 The authors went on to explain

that “eliminating the vulnerabilities —‘patching’ them— strengthens the security of US Government , critical infrastructure, and other computer systems .” The group did carve out a narrow exception for a brief authorization for the delay of notification or patching of a zero-day vulnerability, but only for “high priority intelligence collection, following senior, interagency review involving all appropriate departments.”302 Security experts like Bellovin et al. also highlight that disclosure should be the default response , especially when the vulnerability itself may create a national security risk , such as affecting network routers and switches.303

146



Zero-Days Aff - Michigan 7AT: NATO CP

CP cant solve – members don’t want to share alliances and don’t trust the USFidler 15 -- 1NC Author Marshall Scholar, Department of Politics and International Relations, University of Oxford (Mailyn, Summer 2015, REGULATING THE ZERO-DAY VULNERABILITY TRADE: A PRELIMINARY ANALYSIS, http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf, pg. 72-74) /AMarbNATO members, however, are “extraordinarily sensitive to the alliance having any offensive cyber capabilities or even discussing the need to think about the value of cyber capabilities and operations in missions NATO might undertake,” as NATO has done with previous technological developments affecting its mission.318 Some of this hesitancy stems from NATO members with cyber capabilities not wanting to share with less cyber-capable alliance partners. Additionally, the Snowden disclosures adversely affected prospects for advancing NATO discussions about offensive cyber capabilities because of increased mistrust toward the United States, particularly after revelations of U.S. spying on NATO allies.319

NATO can’t just focus on Russia – hybrid warfare and new countries will emerge Lewis, PhD 15 -- internationally recognized expert on cyber security (James, 2015, “The Role of Offensive Cyber Operations in NATO’s Collective Defence”, NATO Cooperative Cyber Defence, https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf) /AMarbBeyond deterrence, two other factors point to the need for additional consideration of NATO’s public posture on offensive cyber operations. The first is that cyber techniques are essential for the kinds of combat operations that NATO forces may carry out in the future. No modern air force would enter into combat without electronic warfare (EW) capabilities; as cyber and EW merge into a single activity, air operations will require cyber support. The same is true for special forces operations. Offensive cyber capabilities will shape the battlefields of the future. Second, NATO’s potential opponents will use cyber techniques in new ways, in what some have called “hybrid warfare”.6 These include countries traditionally of concern to NATO, but cyber threats could also come from new actors, such as Iran or North Korea, and proxy or non-state actors such as the Syrian Electronic Army. These nations and groups, using cyber techniques, now have new ways to strike NATO countries

No net benefit – cooperation will cause conflicts and they won’t be able to respond Lewis, PhD 15 -- internationally recognized expert on cyber security (James, 2015, “The Role of Offensive Cyber Operations in NATO’s Collective Defence”, NATO Cooperative Cyber Defence, https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf) /AMarbThe emphasis is on political action and opinion shaping, seeking to portray the other side as fascists and human rights violators against whom an oppressed population has risen in defiance. The US, NATO, and the West are characterised as interlopers, seeking only to extend their hegemony and weaken the sovereign rights of other nations. Such charges are intended to support the aggressor narrative and create dissension among Western nations . Western military forces and governments are ill-equipped to respond to this.9 Cyber operations used for coercive effect create uncertainty and concern within the target government. The knowledge that an attacker may have infiltrated their networks, is monitoring communications, and perhaps considering even more damaging actions, can have a paralysing effect. The vast majority of these cyber operations are likely to fall below the level of an armed attack, even under the new NATO guidelines, complicating any response . The effort to gain information superiority falls in good measure outside of NATO’s purview, but the Alliance must

147

https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf

https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf

http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf

http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf

Zero-Days Aff - Michigan 7take these into account in planning for the role of cyber activities in conflict.10

148

Zero-Days Aff - Michigan 7AT: NATIONAL SECURITY PIC

Surveillance using zero-day vulnerabilities precludes corporate cybersecurity cooperation --- closing loopholes is key to effective information sharing Sasso 14 [Brendan, technology correspondent for National Journal, previously covered technology policy issues for The Hill and was a researcher and contributing writer for the 2012 edition of the Almanac of American Politics, “The NSA Isn't Just Spying on Us, It's Also Undermining Internet Security,” National Journal, April 29, 2014, http://www.nationaljournal.com/daily/the-nsa-isn-t-just-spying-on-us-it-s-also-undermining-internet-security-20140429] //khirn

In response to the report, the administration adopted a new policy on whether the NSA can exploit “zero-days”—vulnerabilities that haven’t been discovered by anyone else yet. According to the White House, there is a “bias” toward publicly disclosing flaws in security unless “there is a clear national security or law enforcement need.” In a blog post Monday, Michael Daniel, the White House’s cybersecurity coordinator, said that disclosing security flaws “usually makes sense.” “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he said. But Daniel added that, in some cases, disclosing a vulnerability means that the U.S. would “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.” He said that the government weighs a variety of factors, such as the risk of leaving the vulnerability un-patched, the likelihood that anyone else would discover it, and how important the potential intelligence is. But privacy advocates and many business groups are still uncomfortable with the U.S. keeping security flaws secret . And many don’t trust that the NSA will only exploit the vulnerabilities with the most potential for intelligence and least opportunity for other hackers . “The surveillance bureaucracy really

doesn’t have a lot of self-imposed limits. They want to get everything,” said Ed Black, the CEO of the Computer & Communications Industry Association, which represents companies including Google, Microsoft, Yahoo, and Sprint. “Now I think people dealing with that bureaucracy have to understand they can’t take anything for granted.” Most computer networks are run by private companies, and the government must work closely with the private sector to improve

cybersecurity. But companies have become reluctant to share security information with the U.S. government, fearing the NSA could use any information to hack into their systems . “When you want to go into partnership with somebody and work on serious issues —such as cybersecurity—you want to know you’re being told the truth ,” Black said. Google and one other

cybersecurity firm discovered “Heartbleed”—a critical flaw in a widely used Internet encryption tool—in March. The companies notified a few other private-sector groups about the problem, but no one told the U.S. government until April. “Information you share with the NSA might be used to hurt you as a company ,” warned Ashkan Soltani, a technical consultant who has worked with tech companies and helped The Washington Post with its coverage of the Snowden documents.

149

http://www.nationaljournal.com/daily/the-nsa-isn-t-just-spying-on-us-it-s-also-undermining-internet-security-20140429

http://www.nationaljournal.com/daily/the-nsa-isn-t-just-spying-on-us-it-s-also-undermining-internet-security-20140429

Zero-Days Aff - Michigan 7AT: REGULATIONS CP

Strong legal framework is key --- reporting regulations fail Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn

P167 However, this does not mean that a law enforcement exploitation laboratory will be naturally inclined to report the fruits of its labor to vendors. From the perspective of an organization charged with developing exploits, reporting might seem an anathema to the mission , since it means that the tools it develops will become obsolete more quickly . Discovering and developing exploits costs money, and an activity that requires more output would need a larger budget . n249 P168 An obligation mandating that law enforcement agencies report any zero-day vulnerabilities they intend to exploit should thus be supported by a strong legal framework . Such a framework should create bright lines for what constitutes a vulnerability that must be reported , when the reporting must occur , to whom the report should be made , and which parts of the government are required to do the reporting. There are many grey areas.

150

Zero-Days Aff - Michigan 7AT: OVERSIGHT CP

Guidelines/oversight failBellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn

P175 The simplest way to implement a default reporting policy would be guidelines that mandate reporting under certain circumstances promulgated by the administration, likely the Department of Justice. n256 However, a guidelines-only approach has inherent weaknesses . First, the guidelines would be formulated, implemented, and enforced by the very department with the most interest in creating exceptions to the rule, and that most "pays the cost" when the tools it develops and uses are neutralized. Such conflicts of interest rarely end up with the strongest possible protections for the public. P176 Therefore, a legislative approach may be more appropriate. Perhaps as part of the appropriations bill that funds the exploit discovery effort, Congress could mandate that any vulnerabilities the unit discovers be reported; alternatively, a reporting mandate could be added to the wiretap statute. This second approach has the advantage that it is more permanent; however, amending the Wiretap Act has proven to be a long and contentious process. Regardless, and as noted above, such legislation would need to be carefully drafted to capture a range of different circumstances.

CP can’t solve--congressional oversight keyFidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

Transparency mechanisms for the seller-side of the trade are also worth exploring. I will only briefly address these here, because industry oversight would require Congressional action, and this section primarily focuses on potential paths to executive oversight. Possible public private transparency measures might include requiring a vendor to report to the government if a vulnerability they sold or discovered is used in an illegal attack.437 Alternatively, a vendor could be required to inform the government if a vulnerability they sold or discovered is subsequently found by a second party.438 Other potential public-private transparency building mechanisms are conceivable; these represent a few possibilities. This topic would be fruitful to explore in further research. Beyond transparency, executive oversight could be used to strengthen the equities process for disclosure of vulnerabilities, extending what was recently announced. Particularly, instituting a post-use or post-stockpiling review process could ensure frequent reevaluation of vulnerabilities that were exempted from disclosure during first-round review. This review process could make sure that the original national security need exempting the vulnerability from disclosure continues to validate keeping the vulnerability undisclosed . Scott Charney reflected on the prospect of a post-use or post-stockpiling review process, and commented that, indeed, after Stuxnet, it might be interesting to see what would happen if there was a review, if the government did a good job balancing competing equities.439 Moreover, if purchased vulnerabilities are really not currently subject to the same initial review process as in-house discovered vulnerabilities, this post-use or post-stockpiling review process would extend the equities process to this important category of vulnerabilities.

151