
Information Warfare
Incident Response and Recovery
Information Security: The protection of
information against unauthorized
disclosure, transfer, modification, or
destruction, whether accidental or
intentional. (U.S. federal standards)
Information assurance: Information security
+ defensive information warfare
Information Warfare: Only intentional
attacks + offensive operations

CSCE 727 - F 2
Information Warfare
Information resources
Players
Offensive operations
Defensive operations

WIN-LOSE NATURE OF OPERATIONS

CSCE 727 - F 3
Value of Resources
Exchange value
Determined by market value
Quantifiable
Operational value
Determined by the benefits that can be derived from using
the resource
May not be quantifiable
May not be the same value for each player
(offensive and defensive players)
Actual (before) and potential (after) value

CSCE 727 - F 4
Players
Offense: motives, means, opportunity
Insiders, hackers, criminals, corporations, government,
terrorists
Defense: protection
Federal Bureau of Investigation
U.S. Secret Service
Department of Treasury
Department of Defense
National Institute of Standards and Technology

ROLE OF GOVERNMENT

CSCE 727 - F 5
Offensive Information Warfare
Target: particular information resources
The resource does not need to be owned or managed
by the defense
Objective: increase the value of the resource for
the offense and decrease it for the defense
Gain: financial, strategic, thrill, etc.
Loss (defense): financial, strategic, reputation,
human loss, etc.

CSCE 727 - F 6
Cost of Information Warfare
Monetary expense
Personal time
Risk of getting caught
Punishment
Resources used

CSCE 727 - F 7
Offense
Increase availability of resource
Decrease integrity of resource
Decrease availability of resource for
defense

CSCE 727 - F 8
Defense
Prevent availability of resource for offense
Ensure integrity
Ensure availability

CSCE 727 - F 9
Offense: Increased availability
Collection of secret:
Espionage (illegal) and intelligence (may be
legal)
Piracy
Penetration (hacking)
Superimposition fraud
Identity theft
Perception management

CSCE 727 - F 10
Offense: Decrease Availability
for Defense
Physical theft
Sabotage
Censorship

CSCE 727 - F 11
Offense: Decreased Integrity
Tampering
Penetration
Cover up
Virus, worm, malicious code
Perception management
Fabrication, forgeries, fraud, identity theft,
social engineering

CSCE 727 - F 12
Defense
Prevention: keeps attacks from occurring
Deterrence: makes attack unattractive
Indications and warning: recognize attacks
before they occur
Detection: recognize attacks
Emergency preparedness: capability to
recover from and respond to attacks
Response: actions taken after the attack

CSCE 727 - F 13
Open Sources
Open Source
Unclassified information in the public
domain or available from commercial
services
Example: newspapers, magazines, scientific
publications, television and radio
broadcasting, databases, etc.

CSCE 727 - F 15
Open Source Intelligence
Intelligence operation that uses open source
data
Goal: answer specific question in support of
some mission
Process:
Requirement analysis
Data collection/filtering/analysis
Information integration Intelligence about

CSCE 727 - F 16
IW and Open Source
Intelligence
Generally legal (uses readily available information)
Attacker gains access to protected information,
e.g.,
Business trade secrets
Military strategy,
Personal information
Protected information: readily available in public
domain, can be inferred from public data, or
deduced from aggregated public data

CSCE 727 - F 17
Open Source Intelligence
Widely used (e.g., Department of Defense)
Cheap, fast, or timely
Most often legal
Advantages: no risk for collector, provides
context, mode of information acquisition, cover
for data discovery by secret operations
Disadvantages: may not discover important
information, assurance of discovery(?)

CSCE 727 - F 18
Online Open Source
Intelligence
Large amount of public data online
Web pages, online databases, digital
collections, organizations on line, government
offices, etc.
Freedom of Information Act (FOIA):
industry data
U.S. Patent Office: copies of U.S. patents
Trade shows, public records, etc.

CSCE 727 - F 19
Privacy
Use open source to find out confidential
data about people
Find confidential data about people while
they browse through open source (e.g., Web
searches)

CSCE 727 - F 20
Online Investigative Tools
Find out confidential data for small fee
Net Detective (http://ndet.jeanharris.com/)
Dig Dirt (http://www.classified3.com/)
Accurate Info Search (http://www.accurate-people-finder.com/links/backgroundchecks.html)
Privacy Tools (http://www.epic.org/privacy/tools.html)
CSCE 727 - F 21
Legislation
Privacy Act of 1974, U.S. Department of Justice (http://www.usdoj.gov/04foia/04_7_1.html)
Family Educational Rights and Privacy Act (FERPA), U.S. Department of Education (http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html)
Health Insurance Portability and Accountability Act of 1996 (HIPAA) (http://www.cms.hhs.gov/hipaa/)
Privacy Initiatives, Federal Trade Commission (http://www.ftc.gov/privacy/)
Telecommunications Consumer Privacy Act (http://www.senate.leg.state.mn.us/departments/scr/billsumm/SF487.HTM)
Electronic Privacy Information Center (http://www.epic.org/)

CSCE 727 - F 22
Privacy Violations
Snooping via Open Sources
Online activities
Questionnaires
Customers data
Web site data collection (cookies, IP address,
operating system, browser, requested page, time
of request, etc.) without the users' permission

CSCE 727 - F 23
Other Open Source Attacks
Piracy
Available in open source, but still protected by copyright, patent,
trademark, etc.
Copyright Infringement
Acquisition of protected work without the owner's permission
and sold for a fee
Human perception: not a serious crime
Significant loss for marketing/manufacturing/owner
Berman Bill (http://www.digitalspeech.org/berman.shtml )
Copyright Law of the United States (
http://www.copyright.gov/title17/ )
Trademark Infringement

CSCE 727 - F 24
Domestic Intelligence,
Counterintelligence
What is Intelligence?

Information
Activities
Organization

CSCE 727 - F 26
Activity
Activities:
Collection and analysis of intelligence
information
Counterintelligence

CSCE 727 - F 27
Counterintelligence
National Security
Nature of regime
Law

CSCE 727 - F 28
Goal of
Counterintelligence
National Security
Kinds of threats
Information to be collected
Purpose served
Legislation
Democracy

CSCE 727 - F 29
Counterintelligence
Foreign intelligence guidelines: classified
Investigation of:
Illegal activities: detecting and preventing foreign
espionage and terrorist activities
Legal activities: foreign legal political activities like fund-
raising, organizational work, etc.
Domestic intelligence guidelines (Levi Guidelines):
public
Investigation of groups that
are hostile to government policies and fundamental principles
seek to deprive some class of people
have a violent approach to political change

CSCE 727 - F 30
Domestic
Surveillance
Surveillance of own citizens
Legislation
Circumstances permitting surveillance
Limits
Amount and kind of surveillance
U.S.: Constitutional law
Fourth Amendment: prohibition against unreasonable
searches and seizures (e.g., wiretap)

CSCE 727 - F 31
FISA
1978: Foreign Intelligence Surveillance Act (FISA)
Regulates the government's collection of foreign intelligence for
the purpose of counterintelligence
Electronic eavesdropping and wiretapping
1994: amended to cover physical entries in connection with security
investigations
1998: amended to permit pen/trap orders
FISA applications for search warrant:
Probable cause that the surveillance target is a foreign power or
agent
Does not need to be criminal activity
Foreign Intelligence Surveillance Court
Attorney General

CSCE 727 - F 32
Psyops and Perception
Management
Perception
Management
Information operations that aim to affect
perception of others to influence
Emotions
Reasoning
Decisions
Actions

CSCE 727 - F 34
Covert Action
"Attempt by one government to pursue its foreign policy objectives by conducting some secret activity to influence the behavior of a foreign government or political, military, economic, or societal events and circumstances in a foreign country." (Silent Warfare)
CSCE 727 - F 35
Covert
Total secrecy: details or even the existence of activities are confidential
Unaccounted: actions are public knowledge, government involvement is concealed
Goal: direct furthering of national foreign policy objectives
Wide range of activities
Today's topic: perception management

CSCE 727 - F 36
Perception of a
Foreign Government
Goal: change the foreign government's policy
to support the offense's political interest
Influence
Foreign government's perception
Perceptions of elements of foreign society

CSCE 727 - F 37
Agents of Influence
Influence directly government policy
Data collection is not necessary
Persuade colleagues to adopt certain policies
E.g., government officials
1930-40s: Soviet intelligence agents working for U.S.
government (Harry Dexter White Assistant Secretary
of the Dept. of Treasury)
1976: in France Pierre-Charles Pathe founded Synthese
(political newsletter). 1979: convicted for espionage
and being an agent of influence.

CSCE 727 - F 38
Agent of Influence
Trusted contact: willing to work for a foreign government, no detailed instructions, not paid
Controlled agent: receives precise instructions, usually paid
Manipulated agent: unaware of serving a foreign government

CSCE 727 - F 39
Use of Information
and Disinformation
Providing information (or misinformation)
Influence a desired action
E.g., revealing identities of the opponent's intelligence
agents
Origin of information
Sender of information
Misinformation
Plausible
silent forgery
deception operation

CSCE 727 - F 40
Perception of Foreign
Society
Hard to measure
Cumulative effect over long period of time
Agents of Influence
Reach public: journalists, TV commentators, etc.
Prominent persons: political figures, aid organizations, etc.
Culture

CSCE 727 - F 41
Unattributed
Propaganda
Black propaganda: origin is concealed
Disseminating opinions, information or
misinformation via media
Government may not be directly associated
with materials
Increase believability
Government may not want to be associated
with certain opinions

CSCE 727 - F 42
Unattributed
Propaganda
Gray propaganda: origin not public
knowledge
E.g., Radio Free Europe, Radio Liberty
Information about the targets' own countries
Information about the West
Set up as private U.S. organizations but were
run by CIA
Planting stories in independent news media

CSCE 727 - F 43
Offensive
Operations
Information Space
Communication Medium: any (TV, radio,
Internet, Web sites, e-mail, news groups,
etc.)
Target: individuals, groups, nations, World

CSCE 727 - F 44
Internet
Global access: mass audiences
Easy to set up Web sites
Low cost (compared with broadcasting: radio, TV, etc.): the "great equalizer"
Authority over Internet?

CSCE 727 - F 45
Tools for Perception
Management
In War and Anti-War by Alvin and Heidi Toffler:
1. Atrocity accusations
2. Hyperbolic inflations
3. Demonization and/or dehumanization
4. Polarization
5. Claim of divine sanction
6. Meta-propaganda

CSCE 727 - F 46
Psyops
Affect human psyche
Goal: influence behavior
Means: fear, desire, logic, etc.

CSCE 727 - F 47
Lies and
Distortions
Widely used
Destroys the integrity of the carrying media
Ethical/unethical?
Bad/Useful?
Digital media
Fabrication, spoofed originator, modification, etc.
Easy to carry out
Trust in observation (senses: see, hear, touch, taste,
etc.)

CSCE 727 - F 48
Distortion
Distort information
Conscious/Unconscious
Important elements ignored, downplayed
Insignificant elements made to appear
important
Digital media:
Web page metatags: hidden data

CSCE 727 - F 49
Fabrication
Fake information
Must seem legitimate
Goal: influence decisions/activities of enemy
or competition, financial gain, popularity,
etc.
Can be very effective
Must know target
Errors and intentional fabrications

CSCE 727 - F 50
Hoaxes
Fabrications to
Amuse
Create fear
Discredit/damage
Digital media:
Easy to send hoax mail or post information
Virus hoaxes

CSCE 727 - F 51
Social
Engineering
Trick people into doing something they
would not do if the truth were known.
Means:
Impersonating
Threatening
Pretend position/relationship/urgency/etc.

CSCE 727 - F 52
Denouncement
Discredit, defame, demonize, or dehumanize an
opponent
Goal: gain of support for the entity performing the
denouncement and loss for the adversary
Military/politics/economy/personal
Hate groups
Conspiracy theory
Defamation: damage the reputation and good
name of another
CSCE 727 - F 53
Harassment
Targets
opponent directly
Unwanted, threatening messages
Communication: in person, via medium
Examples:
Physical threat
Hate mails
Sexual harassment

CSCE 727 - F 54
Advertising
Scam: con artists lure customers into scams
Fake prizes, telemarketing, etc.
Internet: easy solicitations (junk e-mail, chat
rooms, newsgroups, Web sites, etc.)
Spam: junk e-mail
Time consuming: read/process/delete
Unwanted/useless/harmful data

CSCE 727 - F 55
Censorship
Offensive: denies population access to certain
materials
Defensive: protect society from materials that would
undermine its culture or governance
Internet: makes censorship difficult
Children's Internet Protection Act, 2000 (http://www.ifea.net/cipa.html, http://www.cybertelecom.org/cda/cipa.htm)
Free speech online
Electronic Frontier Foundation http://www.eff.org/br/
http://www.anu.edu.au/mail-archives/link/link9810/0378.html

CSCE 727 - F 56
Incident Response
Incident Response
Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf
Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt
NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html

CSCE 727 - F 58
Intrusion Recovery
Actions to avoid further loss from intrusion
Terminate intrusion and protect against reoccurrence
Law enforcement
Enhance defensive security
Reconstructive methods based on:
Time period of intrusion
Changes made by legitimate users during the affected
period
Regular backups, audit-trail-based detection of affected
components, semantic-based recovery, minimal roll-back
for recovery.
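The reconstructive methods listed above (the intrusion's time period, changes by legitimate users, audit-trail-based detection of affected components, minimal roll-back) can be worked through on a small audit trail. This is an added example, not code from the course; it assumes a serial trail of committed read/write records and a backup image taken before the intrusion, and the names LogEntry, assess_damage, repair_plan and the sample trail are this example's own.

```python
"""Audit-trail based damage assessment and minimal roll-back (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class LogEntry:
    """One record of the audit trail (hypothetical format for this example)."""
    ts: int             # position in commit order
    txn: str            # transaction id
    user: str           # principal that ran the transaction
    op: str             # "read" or "write"
    obj: str            # data item touched
    value: Any = None   # value written (writes only)


def assess_damage(log: Iterable[LogEntry], intruder: str,
                  window: Tuple[int, int]) -> Tuple[Set[str], Set[str]]:
    """Find the components the intrusion affected, directly or by contamination.

    A transaction is affected if the intruder ran it inside the intrusion
    window, or if it read an item whose latest write came from an affected
    transaction (damage spreads along read-after-write dependencies, including
    to legitimate users working after the window). A clean transaction that
    overwrites an item without reading contaminated data makes it clean again.
    Returns (affected transaction ids, items still contaminated at end of log).
    """
    start, end = window
    by_txn: Dict[str, List[LogEntry]] = defaultdict(list)
    for e in log:
        by_txn[e.txn].append(e)
    # Serial order: transactions are processed by their last (commit) record.
    order = sorted(by_txn, key=lambda t: max(e.ts for e in by_txn[t]))
    affected: Set[str] = set()
    dirty: Set[str] = set()
    for t in order:
        entries = by_txn[t]
        malicious = any(e.user == intruder and start <= e.ts <= end for e in entries)
        reads_dirty = any(e.op == "read" and e.obj in dirty for e in entries)
        if malicious or reads_dirty:
            affected.add(t)
        for e in entries:
            if e.op != "write":
                continue
            if t in affected:
                dirty.add(e.obj)       # contaminated value now on disk
            else:
                dirty.discard(e.obj)   # blind clean write replaces the bad value
    return affected, dirty


def repair_plan(log: Iterable[LogEntry], backup: Dict[str, Any],
                affected: Set[str], dirty: Set[str]) -> Dict[str, Any]:
    """Minimal roll-back: restore only contaminated items, each to the value of
    the latest clean write, or to the pre-intrusion backup if no clean
    transaction ever wrote it. Unaffected legitimate changes are kept."""
    plan: Dict[str, Any] = {}
    for obj in dirty:
        clean_writes = [e for e in sorted(log, key=lambda e: e.ts)
                        if e.op == "write" and e.obj == obj and e.txn not in affected]
        plan[obj] = clean_writes[-1].value if clean_writes else backup[obj]
    return plan


# Constructed sample: backup image taken before the intrusion, then a trail in
# which "mallory" plants a bad config value during the window (15, 30).
BACKUP = {"acct_A": 100, "acct_B": 50, "config": "v1"}
AUDIT_TRAIL = [
    LogEntry(10, "T1", "alice", "read", "acct_A"),
    LogEntry(11, "T1", "alice", "write", "acct_A", 90),        # clean, before window
    LogEntry(20, "T2", "mallory", "write", "config", "bad"),   # the intrusion
    LogEntry(25, "T3", "bob", "read", "config"),               # reads tainted config
    LogEntry(26, "T3", "bob", "write", "acct_B", 60),
    LogEntry(35, "T4", "alice", "read", "acct_B"),             # after window, still tainted
    LogEntry(36, "T4", "alice", "write", "acct_A", 80),
    LogEntry(40, "T5", "carol", "write", "acct_B", 70),        # blind write cleans acct_B
]
INTRUSION_WINDOW = (15, 30)


def recover(log=AUDIT_TRAIL, backup=BACKUP, intruder="mallory", window=INTRUSION_WINDOW):
    """Run assessment and planning; returns (affected txns, dirty items, restore values)."""
    affected, dirty = assess_damage(log, intruder, window)
    return affected, dirty, repair_plan(log, backup, affected, dirty)


if __name__ == "__main__":
    affected, dirty, plan = recover()
    print("undo transactions:", sorted(affected))
    print("restore items:", plan)
```

Note that T4 is undone although alice ran it after the window: it read a value that T3 derived from the planted config, so the audit trail, not the time window alone, decides what is rolled back.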

CSCE 727 - F 59
What is Survivability?
To decide whether a computer system is
survivable, you must first decide what
survivable means.

CSCE 727 - F 60
Vulnerable Components

1. Hardware
2. Software
3. Data
4. Communications
5. People

CSCE 727 - F 61
Effect Modeling and Vulnerability Detection

(Diagram; labels recovered from the figure: seriously affected components, weakly affected components, cascading effects, not affected components.)

CSCE 727 - F 62
Robust System Development
Effects and system dependencies -> cascading effects
Cascading and escalating effect modeling -> vulnerabilities
Vulnerabilities and their priorities -> reduce vulnerabilities: installing safeguards, reconstruct network, redundancy, etc.
Reduced vulnerabilities -> estimation of components' security (reliability, correctness, trustworthiness)
Estimation of components' security -> cost effective dynamic network resource allocations

CSCE 727 - F 63
Due Care and Liability
Organizational liability for misuse
US Federal Sentencing Guidelines: chief executive
officer and top management are responsible for fraud,
theft, and antivirus violations committed by insiders or
outsiders using the company's resources.
Fines and penalties
Base fine
Culpability score (95%-400%)
Good faith efforts: written policies, procedures, security
awareness program, disciplinary standards, monitoring
and auditing, reporting, and cooperation with
investigations

CSCE 727 - F 64
How to Respond?
Actions to avoid further loss from intrusion
Terminate intrusion and protect against reoccurrence
Law enforcement: prosecute
Enhance defensive security
Reconstructive methods based on:
Time period of intrusion
Changes made by legitimate users during the affected
period
Regular backups, audit-trail-based detection of affected
components, semantic-based recovery, minimal roll-back
for recovery.

CSCE 727 - F 68
Roles and Responsibilities
User:
Vigilant for unusual behavior
Report incidents
Manager:
Awareness training
Policies and procedures
System administration:
Install safeguards
Monitor system
Respond to incidents, including preservation of evidence

CSCE 727 - F 69
Computer Incident Response
Team
Assist in handling security incidents
Formal
Informal
Incident reporting and dissemination of incident
information
Computer Security Officer
Coordinate computer security efforts
Others: law enforcement coordinator, investigative
support, media relations, etc.

CSCE 727 - F 70
Incident Response Process 1: Preparation
Baseline protection
Planning and guidance
Roles and responsibilities
Training
Incident response team

CSCE 727 - F 71
Incident Response Process 2: Identification and assessment
Symptoms
Nature of incident
Identify perpetrator, origin and extent of attack
Can be done during attack or after the attack
Gather evidence
Keystroke monitoring, honeynets, system logs, network
traffic, etc.
Legislation on monitoring!
Report on preliminary findings

CSCE 727 - F 72
Incident Response Process 3: Containment
Reduce the chance of spread of incident
Determine sensitive data
Terminate suspicious connections, personnel,
applications, etc.
Move critical computing services
Handle human aspects, e.g., perception
management, panic, etc.

CSCE 727 - F 73
Incident Response Process 4: Eradication
Determine and remove cause of incident if
economically feasible
Improve defenses, software, hardware,
middleware, physical security, etc.
Increase awareness and training
Perform vulnerability analysis

CSCE 727 - F 74
Incident Response Process 5: Recovery
Determine course of action
Reestablish system functionality
Reporting and notifications
Documentation of incident handling and
evidence preservation

CSCE 727 - F 75
Follow Up Procedures
Incident evaluation:
Quality of incident (preparation, time to
respond, tools used, evaluation of response,
etc.)
Cost of incident (monetary cost, disruption, lost
data, hardware damage, etc.)
Preparing report
Revise policies and procedures

CSCE 727 - F 76
The Economic Impact of Cyber Attacks
The Global Picture
Csilla Farkas (farkas@cse.sc.edu), John Rose (rose@cse.sc.edu)
Center of Information Assurance Engineering
Department of Computer Science and Engineering
University of South Carolina
Risk Assessment

(Diagram; labels recovered from the figure: RISK, Threats, Vulnerabilities, Consequences.)
CSCE 727 - F 78
Financial Loss

(Chart: Dollar Amount Losses by Type.)
Total Loss (2006): $53,494,290
Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute
CSCE 727 - F 79
Security

(Charts: Percentage of IT Budget Spent on Security; Protection: Percentage of Organizations Using ROI, NPV, or IRR Metrics.)
Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute
CSCE 727 - F 80
Real Cost of Cyber Attack
Damage of the target may not reflect the real
amount of damage
Services may rely on the attacked service,
causing a cascading and escalating damage
Project Goal: support decision makers to
Evaluate risk and consequences of cyber attacks
Support methods to prevent, deter, and mitigate
consequences of attacks
CSCE 727 - F 81
THEMIS: Threat Evaluation Metamodel for Information Systems

(Diagram; labels recovered from the figure: OFFENSE: Attacker Characteristics, Attack; DEFENSE: Computer System, Cascading and Escalating Effects, Affected Assets, Policy Response.)
CSCE 727 - F 82
Jess-Based Modeling
Graphical tool to model system components, values,
dependencies, and compensating rules

CSCE 727 - F 83
Cascading and Escalating Effects
Model cascading and escalating damage.

CSCE 727 - F 84
Ongoing Work
Developing simulation components and requirements
Requirement analysis
Level of abstraction
Information hiding
Types of dependencies
Compensating dependencies
Throughput
Adaptation

CSCE 727 - F 85
Ongoing Work
Temporal modeling
Real time analysis and response
Long-term analysis
Macro- and microeconomics
National-level perspective
Organizational level perspective

CSCE 727 - F 86
Legal Aspects
National law
International law
Legal regime to apply
Gray areas of law
Legal response
Evidence preservation

CSCE 727 - F 87
THEMIS: Threat Evaluation Metamodel for Information Systems
Presented at the 2nd Symposium on Intelligence and Security Informatics, 2004
Csilla Farkas, Thomas Wingfield, James B. Michael, Duminda Wijesekera
(Image: Themis, Goddess of Justice)


Attacks Against Critical
Infrastructures
Swedish hacker jammed 911 in central Florida in 1997
Juvenile hacker penetrated and disabled a telco computer
servicing Worcester Airport in March 1997
Brisbane hacker used radio transmissions to create raw sewage
overflows on Sunshine coast in 2000
Hackers broke into Gazprom's system controlling gas flows in
pipelines in 1999
Hackers got into California Independent Service Operator (ISO)
development network for regional power grid in spring 2001
Numerous denial-of-service attacks against ISPs; some shut
down
Source: D. Denning Information Warfare

CSCE 727 - F 89
Rules Defining the Use of Force
Schmitt Analysis
Sources:
Thomas Wingfield: The Law of Information Conflict:
National Security Law in Cyberspace
Michael N. Schmitt: Computer Network Attack and the
Use of Force in International Law: Thoughts on a
Normative Framework

CSCE 727 - F 90
Spectrum of Conflict

Art. 39
"The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security."

CSCE 727 - F 94
Spectrum of Conflict

Art. 2(4)
"All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."

CSCE 727 - F 95
Spectrum of Conflict

Art. 51
"Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security."

CSCE 727 - F 96
Rules Defining the Use of Force

(Diagram; labels recovered from the figure, left to right along the spectrum of conflict:)
Art. 39 | Art. 2(4) | Art. 51
Threat of force | Use of force
Threat to the peace | Armed attack
Hostile intent | Hostile act
Response: Anticipatory self-defense | Self-defense
Jus ad bellum applies | Jus in bello applies
Peacetime regime applies
CSCE 727 - F 97
Use of Force in Cyberspace
Cyber vs. Kinetic Attack
Academic State-of-the-Art: Effects-Based Analysis
Problem: Charter Paradigm Means-Based
The Schmitt Reconciliation
Distinguishing Military from Diplomatic and Economic Coercion
Seven Factors

CSCE 727 - F 98
Schmitt Factors
Severity
Immediacy
Directness
Invasiveness
Measurability
Presumptive Legitimacy
Responsibility

CSCE 727 - F 99
Severity

Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need.
Scale (high to low):
People Killed; Severe Property Damage
People Injured; Moderate Property Damage
People Unaffected; No Discernable Property Damage
Questions:
How many people were killed?
How large an area was attacked? (Scope)
How much damage was done within this area? (Intensity)

CSCE 727 - F 100


Immediacy

The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.
Scale (high to low):
Seconds to Minutes
Hours to Days
Weeks to Months
Questions:
Over how long a period did the action take place? (Duration)
How soon were its effects felt?
How soon until its effects abate?

CSCE 727 - F 101


Directness

The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.
Scale (high to low):
Action Sole Cause of Result
Action Identifiable as One Cause of Result, and to an Indefinite Degree
Action Played No Identifiable Role in Result
Questions:
Was the action distinctly identifiable from parallel or competing actions?
Was the action the proximate cause of the effects?

CSCE 727 - F 102


Invasiveness

In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target's borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
Scale (high to low):
Border Physically Crossed; Action Has Point Locus
Border Electronically Crossed; Action Occurs Over Diffuse Area
Border Not Crossed; Action Has No Identifiable Locus in Target Country
Questions:
Did the action involve physically crossing the target country's borders?
Was the locus of the action within the target country?

CSCE 727 - F 103


Measurability

While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
Scale (high to low):
Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty
Effects Can Be Estimated by Rough Order of Magnitude with Moderate Certainty
Effects Cannot be Separated from Those of Other Actions; Overall Certainty is Low
Questions:
Can the effects of the action be quantified?
Are the effects of the action distinct from the results of parallel or competing actions?
What was the level of certainty?

CSCE 727 - F 104


Presumptive Legitimacy

In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion, again in the domestic and international sphere, are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.
Scale (high to low):
Action Accomplished by Means of Kinetic Attack
Action Accomplished in Cyberspace but Manifested by a Smoking Hole in Physical Space
Action Accomplished in Cyberspace and Effects Not Apparent in Physical World
Questions:
Has this type of action achieved a customary acceptance within the international community?
Is the means qualitatively similar to others presumed legitimate under international law?

CSCE 727 - F 105


Responsibility

Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).
Scale (high to low):
Responsibility for Action Acknowledged by Acting State; Degree of Involvement Large
Target State Government Aware of Acting State's Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate
Action Unattributable to Acting State; Degree of Involvement Low
Questions:
Is the action directly or indirectly attributable to the acting state?
But for the acting state's sake, would the action have occurred?

CSCE 727 - F 106


Overall Analysis

Question: Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force?
Scale:
Use of Force Under Article 2(4)
Arguably Use of Force or Not
Not a Use of Force Under Article 2(4)

CSCE 727 - F 107


THEMIS
Threat Evaluation Metamodel for Information Systems

CSCE 727 - F 108


THEMIS
Attack Response Policy (ARP) language
ARP alphabet and predicates to represent attacks, consequences, and legal concepts
Interoperable legal ontologies
Attack evaluation and response rules
SWRL - A Semantic Web Rule Language combining OWL and RuleML

CSCE 727 - F 109


Security Policy Specification

(Diagram; labels recovered from the figure: Interoperable Ontologies, ARP specification, Conflict resolution, Default policy.)

CSCE 727 - F 110


THEMIS FUNCTIONALITY

(Diagram; labels recovered from the figure: OFFENSE: Attacker Characteristics, Attack; DEFENSE: Computer System, Cascading Effects, Affected Assets, Policy Response.)

CSCE 727 - F 111


Attack Response
Policy (ARP)
ARP alphabet: constant symbols, variables,
functions, and terms
ARP predicates: used to build rules
ARP rules: reason about the damages, express
legal restrictions, and determine legitimacy of
counter actions

CSCE 727 - F 112


Example
Predicates:
attack(a-id, a-name, orig, targ)
consequence(a-id, c-type, targ)
causes(c-type1, targ1, c-type2, targ2)
Rule:
attack(a-id, a-name, orig, targ1) ←
  attack(a-id, a-name, orig, targ) ∧
  consequence(a-id, c-type, targ) ∧
  causes(c-type, targ, c-type1, targ1)
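The ARP rule above, and the cascading and escalating effects the earlier THEMIS slides model, can be evaluated by forward chaining over a set of ground facts. This is an added example, not code from the course or the THEMIS project; the predicate names follow the slide, while the fact tuples, the functions and the constructed sample facts are this example's own, and it adds one assumption (the new target's consequence is derived together with the new attack fact) so that the cascade propagates over more than one hop.

```python
"""Forward-chaining evaluation of the ARP cascading-effects rule (added example)."""
from typing import Dict, Iterable, Set, Tuple

Fact = Tuple[str, ...]   # (predicate, arg1, arg2, ...), e.g. ("attack", "A1", "dos", "h1", "dns")

# Constructed sample knowledge base. Predicates follow the slide:
#   attack(a-id, a-name, orig, targ)
#   consequence(a-id, c-type, targ)
#   causes(c-type1, targ1, c-type2, targ2)   -- dependency between system components
SAMPLE_FACTS = [
    ("attack", "A1", "dos", "external-host", "dns-server"),
    ("consequence", "A1", "loss_of_availability", "dns-server"),
    # Component dependencies: losing the DNS server takes the web portal down,
    # and losing the portal produces financial loss in order processing.
    ("causes", "loss_of_availability", "dns-server", "loss_of_availability", "web-portal"),
    ("causes", "loss_of_availability", "web-portal", "financial_loss", "order-processing"),
    # A dependency that never fires: no consequence of that type is ever derived.
    ("causes", "loss_of_integrity", "dns-server", "loss_of_integrity", "web-portal"),
]


def derive_cascade(facts: Iterable[Fact]) -> Set[Fact]:
    """Apply the slide's rule until no new fact appears (fixpoint):

        attack(a, n, o, T1) <- attack(a, n, o, T) ^ consequence(a, c, T) ^ causes(c, T, c1, T1)

    Assumption added here: consequence(a, c1, T1) is derived together with the
    new attack fact, so a consequence on T1 can in turn match further causes
    facts (escalation over more than one hop). Returns the closed set of facts.
    """
    kb: Set[Fact] = set(facts)
    changed = True
    while changed:
        changed = False
        attacks = [f for f in kb if f[0] == "attack"]
        conseqs = [f for f in kb if f[0] == "consequence"]
        causes = [f for f in kb if f[0] == "causes"]
        for _, a_id, a_name, orig, targ in attacks:
            for _, c_aid, c_type, c_targ in conseqs:
                if (c_aid, c_targ) != (a_id, targ):
                    continue  # consequence must belong to this attack on this target
                for _, src_type, src_targ, dst_type, dst_targ in causes:
                    if (src_type, src_targ) != (c_type, targ):
                        continue  # dependency must start from this consequence
                    new = {("attack", a_id, a_name, orig, dst_targ),
                           ("consequence", a_id, dst_type, dst_targ)}
                    if not new <= kb:
                        kb |= new
                        changed = True
    return kb


def affected_assets(facts: Iterable[Fact], a_id: str) -> Dict[str, Set[str]]:
    """Map each asset reached by attack a_id to the consequence types derived for it."""
    assets: Dict[str, Set[str]] = {}
    for f in derive_cascade(facts):
        if f[0] == "consequence" and f[1] == a_id:
            assets.setdefault(f[3], set()).add(f[2])
    return assets


if __name__ == "__main__":
    for asset, kinds in sorted(affected_assets(SAMPLE_FACTS, "A1").items()):
        print(f"{asset}: {', '.join(sorted(kinds))}")
```

The derived facts are the "affected assets" of the THEMIS diagram; a policy response rule would be written over them in the same predicate style.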

CSCE 727 - F 113


Conclusions
Automated decision support system
Attack Response Policy Language
Alphabet
Predicates
Rules
Schmitt Analysis

CSCE 727 - F 114
