Defining The Cyber Domain Essay Paper.
The term “cyber security” has been the subject of academic and popular literature that has largely viewed
the topic from a particular perspective. Based on the literature review described in this article, we found that the term is used broadly and its definitions are highly
variable, context-bound, often subjective, and, at times, uninformative. There is a paucity of literature on what
the term actually means and how it is situated within
various contexts. The absence of a concise, broadly acceptable definition that captures the multidimensionality of cybersecurity potentially impedes technological
and scientific advances by reinforcing the predominantly technical view of cybersecurity while separating
disciplines that should be acting in concert to resolve
complex cybersecurity challenges. For example, there is
a spectrum of technical solutions that support cybersecurity. However, these solutions alone do not solve the problem; there are numerous examples and considerable scholarly work that demonstrate the challenges related to organizational, economic, social, political, and other human dimensions that are inextricably tied to
cybersecurity efforts (e.g., Goodall et al., 2009; Buckland
et al., 2010; Deibert, 2012). Fredrick Chang (2012),
former Director of Research at the National Security
Agency in the United States discusses the interdisciplinary nature of cybersecurity:
“A science of cybersecurity offers many opportunities for advances based on a multidisciplinary approach, because, after all, cybersecurity is fundamentally
about an adversarial engagement. Defining The Cyber Domain Essay Paper.Humans must defend
machines that are attacked by other humans using machines. So, in addition to the critical traditional fields of computer science, electrical engineering, and mathematics, perspectives from other fields are needed.”
ORDER A CUSTOM-WRITTEN PAPER HERE
In attempting to arrive at a more broadly acceptable definition aligned with the true interdisciplinary nature of cybersecurity, we reviewed relevant literature to
identify the range of definitions, to discern dominant themes, and to distinguish aspects of cybersecurity.
This research was augmented by multiple engagements with a multidisciplinary group of cybersecurity practi-
Cybersecurity is a broadly used term, whose definitions are highly variable, often subject-
ive, and at times, uninformative. The absence of a concise, broadly acceptable definition
that captures the multidimensionality of cybersecurity impedes technological and scientific
advances by reinforcing the predominantly technical view of cybersecurity while separating
disciplines that should be acting in concert to resolve complex cybersecurity challenges. In
conjunction with an in-depth literature review, we led multiple discussions on cybersecur-
ity with a diverse group of practitioners, academics, and graduate students to examine mul-
tiple perspectives of what should be included in a definition of cybersecurity. In this article,
we propose a resulting new definition: “Cybersecurity is the organization and collection of
resources, processes, and structures used to protect cyberspace and cyberspace-enabled
systems from occurrences that misalign de jure from de facto property rights.” Articulating
a concise, inclusive, meaningful, and unifying definition will enable an enhanced and en-
riched focus on interdisciplinary cybersecurity dialectics and thereby will influence the ap-
proaches of academia, industry, and government and non-governmental organizations to
cybersecurity challenges. Defining The Cyber Domain Essay Paper.
these two activities resulted in a new, more inclusive,
and unifying definition of cybersecurity that will hopefully enable an enhanced and enriched focus on inter- disciplinary cybersecurity dialectics and thereby
influence the approaches of academia, industry, and
government and non-government organizations to cy- bersecurity challenges. This article reflects the process used to develop a more holistic definition that better
situates cybersecurity as an interdisciplinary activity, consciously stepping back from the predominant technical view by integrating multiple perspectives.
Our literature review spanned a wide scope of sources,
including a broad range of academic disciplines including: computer science, engineering, political studies, psychology, security studies, management, education, and sociology. The most common disciplines covered in
our literature review are engineering, technology, computer science, and security and defense. But, to a much
lesser extent, there was also evidence of the topic of cybersecurity in journals related to policy development, law, healthcare, public administration, accounting,
management, sociology, psychology, and education. Defining The Cyber Domain Essay Paper.
Cavelty (2010) notes there are multiple interlocking dis-
courses around the field of cybersecurity. Deconstruct-
ing the term cybersecurity helps to situate the
discussion within both domains of “cyber” and “secur-
ity” and reveals some of the legacy issues. “Cyber” is a
prefix connoting cyberspace and refers to electronic
communication networks and virtual reality (Oxford,
2014). It evolved from the term “cybernetics”, which re-
ferred to the “field of control and communication the-
ory, whether in machine or in the animal” (Wiener,
1948). The term “cyberspace” was popularized by Willi-
am Gibson’s 1984 novel, Neuromancer, in which he de-
scribes his vision of a three-dimensional space of pure
information, moving between computer and computer
clusters where people are generators and users of the in-
formation (Kizza, 2011). What we now know as cyberspace was intended and designed as an information environment (Singer & Friedman, 2013), and there is an expanded appreciation of cyberspace today. For ex-ample, Public Safety Canada (2010) defines cyberspace as “the electronic world created by interconnected net- works of information technology and the information on those networks. It is a global commons where…people are linked together to exchange ideas, services and friendship.” Cyberspace is not static; it is a dynamic, evolving, multilevel ecosystem of physical infrastructure, software, regulations, ideas, innovations, and interactions influenced by an expanding population of contributors (Deibert & Rohozinski, 2010), who represent the range of human intentions.
As for the term “security”, in the literature we re-
viewed, there appeared to be no broadly accepted
concept, and the term has been notoriously hard to
define in the general sense (Friedman & West, 2010;
Cavelty, 2008). According to Buzan, Wæver, and Wilde
(1998), discourses in security necessarily include and
seek to understand who securitizes, on what issues (threats), for whom (the referent object), why, with what results, and under what conditions (the structure). Although there are more concrete forms of security (e.g., the physical properties, human properties,
information system properties, or mathematical definitions for various kinds of security), the term takes on meaning based on one’s perspective and what one values. It remains a contested term, but a central tenet of security is being free from danger or threat (Oxford,
2014). Further, although we have indicated that secur-
ity is a contested topic, Baldwin (1997) states that one
cannot use this designation as “an excuse for not formulating one’s own conception of security as clearly
and precisely as possible”. Defining The Cyber Domain Essay Paper.
As a result of our literature review, we selected nine definitions of cybersecurity that we felt provided the material perspectives of cybersecurity:
1. “Cybersecurity consists largely of defensive methods
used to detect and thwart would-be intruders.”
2. “Cybersecurity entails the safeguarding of computer
networks and the information they contain from
penetration and from malicious damage or disruption.” (Lewis, 2006)
3. “Cyber Security involves reducing the risk of malicious attack to software, computers and networks.
This includes tools used to detect break-ins, stop vir-
uses, block malicious access, enforce authentication,
enable encrypted communications, and on and on.” (Amoroso, 2006)
4. “Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.” (ITU, 2009)
5. “The ability to protect or defend the use of cyber-
space from cyber-attacks.” (CNSS, 2010)
6. “The body of technologies, processes, practices and
response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to en- sure confidentiality, integrity and availability.” (Public Safety Canada, 2014)
7. “The art of ensuring the existence and continuity of
the information society of a nation, guaranteeing
and protecting, in Cyberspace, its information, as-
sets and critical infrastructure.” (Canongia & Man-
8. “The state of being protected against the criminal or
unauthorized use of electronic data, or the measures
taken to achieve this.” (Oxford University Press,
9. “The activity or process, ability or capability, or state
whereby information and communications systems
and the information contained therein are protected
from and/or defended against damage, unauthor-
ized use or modification, or exploitation.” (DHS,
Although some of these definitions include references
to non-technical activities and human interactions,
they demonstrate the predominance of the technical
perspective within the literature. As stated by Cavelty
(2010), the discourse and research in cybersecurity “ne-
cessarily shifts to contexts and conditions that determ-
ine the process by which key actors subjectively arrive
at a shared understanding of how to conceptualize and
ultimately respond to a security threat”. Accordingly, within their particular context, the definitions above are helpful but do not necessarily provide a holistic view that supports interdisciplinarity. Defining The Cyber Domain Essay Paper.Referring back to
Buzan, Wæver, and Wilde’s (1998) discussion of securitization studies, any definition should be able to capture an understanding of the actor, subject, the referent object, the intentions and purposes, the out- comes, and structure. In our review of the literature, we did not find a definition that is inclusive, impactful, and unifying. Cybersecurity is a complex challenge re- quiring interdisciplinary reasoning; hence, any resulting definition must attract currently disparate
cybersecurity stakeholders, while being unbiased, meaningful, and fundamentally useful.
Towards a New Definition
Faced with many definitions of cybersecurity from the literature, we opted for a pragmatic qualitative research approach to support the definitional process, which melds objective qualitative research with subjective qualitative research (Cooper, 2013). In effect, the result is a notional definition that is grounded in objectivity (e.g., an intrusion-detection system) versus supposition (e.g., the intentions of a hacker). This definitional process included: a review of the literature, the identification of dominant themes and distinguishing aspects, and the development of a working definition. This definition was in turn introduced to the multidisciplinary group discussions for further exploration, expansion, and refinement to arrive at the posited definition.
In our literature review, we identified five dominant themes of cybersecurity: i) technological solutions; ii) events; iii) strategies, processes, and methods; iv) human engagement; and v) referent objects (of security).
Not only do these themes support the interdisciplinary nature of cybersecurity, but, in our view, help to provide critical context to the definitional process.
In conjunction with the emergence of the themes, we formulated distinguishing aspects of cybersecurity, initially through discussion amongst the authors to be re-
fined later through the multidisciplinary group discussions. In the end, we identified that cybersecurity
is distinguished by:
• its interdisciplinary socio-technical character
• being a scale-free network, in which the capabilities of network actors are potentially broadly similar
• high degrees of change, connectedness, and speed of interaction
Through the process, there was consensus within the multidisciplinary group to adopt the view that the Internet is a scale-free network (e.g., Barabási & Albert,1999), meaning it is a network whose degree distribution follows a power law, at least asymptotically. Even though this characterization of the Internet is a subject of debate (e.g., Wallinger et al., 2009), we argue that there are cyber-attack scenarios, and especially the evolution of malware markets, where the capabilities
Dan Craigen, Nadia Diakun-Thibault, and Randy Purse for launching attacks has been largely commoditized, hence flattening the space of network actors.
Throughout the initial part of the process that resulted in a working paper, we intentionally attempted to redress the technical bias of extant definitions in the cybersecurity literature by ensuring that scholars and practitioners contributed to the discussion and were
provided an opportunity to review and comment on
our initial definition, themes, and distinguishing aspects. To expand the discussion and create additional
scholarly dialogue, we posited an original “seed” definition for discussion and further refinement during two three-hour engagements with a multidisciplinary group of cybersecurity practitioners, academics, industry experts from the VENUS Cybersecurity Institute ( venus cyber.com), and graduate students in the Technology Innovation Management program (
timprogram.c) at Carleton University in Ottawa, Canada.
Our engagement with the multidisciplinary group
primarily consisted of providing selected readings from the literature, an initial presentation and discussion of our own work to date, followed by a syndicate activity related to distinguishing aspects and defining cybersecurity. Three syndicates were formed from the group and they were asked to develop their own definitions.
These definitions, along with the authors’ brief critiques, are presented in Table 1. The first two definitions were developed by the authors, whereas the next three definitions arose from group participants. Defining The Cyber Domain Essay Paper.
We propose the following definition, which integrates key concepts drawn from the literature and engagement with the multidisciplinary group: Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from defacto property rights.
We deconstruct this definition as follows:
• …the organization and collection of resources, processes, and structures…: This aspect captures the multiple, interwoven dimensions and inherent complexity of cybersecurity, which ostensibly involve interactions between humans, between systems, and between humans and systems. By avoiding discussion of which re- sources, processes, or structures, the definition
becomes non-prescriptive and recognizes the dynamic nature of cybersecurity.
• …used to protect cyberspace and cyberspace-enabled systems…: This aspect includes protection, in the
broadest sense, from all threats, including intentional, accidental, and natural hazards. This aspect also incorporates the traditional view of cyberspace but includes those systems that are not traditionally viewed
as part of cyberspace, such as computer control systems and cyber-physical systems. By extension, the
protection applies to assets and information of concern within cyberspace and connected systems.
• …from occurrences…: This aspect recognizes that “protections” are intended to address the full range of intentional events, accidental events, and natural hazards. It also suggests that some of the occurrences are
• …that misalign de jure from de facto property rights…: This aspect incorporates the two separate notions of ownership and control that dominate discussion of cybersecurity and digital assets introduced in the property rights framework of Ostrom and Hess (2007), which include access, extraction, contribution, removal, management, exclusion, and alienation. Any event or activity that misaligns actual (de facto) property rights from perceived (de jure) property rights, whether by intention or accident, whether known or unknown, is a cybersecurity incident.
Substantiating Our Definition
As discussed earlier, our definition should engender
greater interdisciplinary and collaborative efforts on cybersecurity. Our goal is to “bring together” not to “push
apart” or “isolate”. Our success (or failure) can be partly validated if we can demonstrate that:
1. We can map other definitions of cybersecurity into
our definition. Defining The Cyber Domain Essay Paper.
2. Our definition is unifying and inclusive in that it sup- ports interdisciplinarity.
To assist in the analysis and mapping of the definitions to our new definition, we identified conceptual categories from definitions drawn from the literature as well as our own definition (Table 2). Unless otherwise cited, the category definitions are drawn largely from the Oxford (2014) online dictionary. The exact wordings of the definitions are meant to be as encompassing as possible.
A number of definitions of cybersecurity were presented
in this article. Some of the definitions are from the literature and drive the perspectives of certain communities. Other definitions arose through our group
discussions and related activities. Table 3 provides ex-
amples of how our analysis was applied to sample defin-
itions from the literature and group discussions.
The above analysis helps to demonstrate that our new
definition is inclusive of key components from a sampleof extant and participant definitions. Furthermore, three of the dominant themes – technological solutions;
strategies, processes, and methods; and human engagement – are all refinements of the “the organization and
collection of resources, processes, and structures used to protect…” component of our definition. The dominant theme of “events” is a refinement of “occurrences.”
We also view “referent objects (of security)” as a refinement of “cyberspace and cyberspace-enabled systems.”
Retrospectively, we therefore show how our definition is
consistent with the dominant themes of cybersecurity
and reflects the previously identified distinguishing aspects. Therefore, this mapping illustrates how our definition supports interdisciplinarity.
We have provided a new, more inclusive, and unifying
definition of cybersecurity that we believe will enable an
enhanced and enriched focus on interdisciplinary cy-
Dan Craigen, Nadia Diakun-Thibault, and Randy Purse
bersecurity dialectics and, thereby, will influence the ap-
proaches of researchers, funding agencies, and organiza-
tions to cybersecurity challenges. For example, the new
definition and associated perspectives could lead to
changes in public policy and inform legislative actions.
The definition resulting from the work reported herein
has a number of potentially salutary features, including:
1. Contributing a major unifying theme by positioning
cybersecurity as an interdisciplinary domain, not a
2. Supporting inclusiveness demonstrated through the
relationship to the five dominant cybersecurity
themes and mapping to previous definitions.
3. Incorporating the evolution towards a more intercon-
nected world through inclusion of both cyberspace
and cyberspace-enabled systems. The latter includes
cyber-physical systems and control systems.
4. Using protection – as a fundamental concept within
security – in a broad sense within the definition, in-
cluding protection from intentional events, accident-
al events, and natural hazards.
5. Incorporating the “property rights” framework of Os-
trom and Hess (2007), which includes access, extrac-
tion, contribution, removal, management, exclusion,
and alienation. Thus, the discussion moves beyond
traditional assets and information terms to broadly in-
clude that which has meaning or value.
The absence of a concise, universally acceptable defini-
tion that captures the multidimensionality of cyberse-
curity impedes technological and scientific advances by
reinforcing the predominantly technical view of cybersecurity while separating disciplines that should be acting in concert to resolve complex cybersecurity challenges.
It has become increasingly apparent that cybersecurity is interdisciplinary. The more inclusive, unifying definition presented in this article aims to facilitate interdis-ciplinary approaches to cybersecurity. We hope that the definition will be embraced by the multiple disciplines engaged in cybersecurity efforts, thereby opening the door to greater understanding and collaboration needed to address the growing and complex threats to cyber- space and cyberspace-enabled systems. Defining The Cyber Domain Essay Paper.
Over the last centuries, the world saw economically interwoven countries and a tendency
to lower the use of force moving towards veiled warfare. It is one of the few tools which
can be used to conduct actions against an adversary without necessarily sparking chaos
in the international arena. Indeed, it seems that cyber operations are currently en vogue.
The cyber campaign Olympic Games, commonly referred to only as Stuxnet and its
relatives, is the poster-boy of the development. Various cyber weapons were developed
to work together in order to infiltrate, analyse, sabotage and ultimately erase their traces
[BPBF12][Gb12][FMC10]. Olympic Games hit Iran’s centre of nuclear activity, a
research and production facility which otherwise could have only been affected by a
physical attack (e.g. a precise air strike). The latter would have caused the death of many
people and might have destabilized this region even further.
ORDER A CUSTOM-WRITTEN PAPER HERE
Even though Robinson, Jones and Janicke [Rm15] researched and listed a
comprehensive list of current research challenges for cyber warfare, they did not include
cyber strategies as one of them. With the public discussion mainly revolving around
deterrence (either by denial or by punishment), there are actually a number of strategies
which can be applied to cyber operations. Knowing the various options is vital because
1 Edited and abbreviated excerpt based on the PhD thesis ‘Anti-War and the Cyber Triangle: Strategic
Implications of Cyber Operations and Security for the State’ submitted to the University of Hull by Sven
Herpig in 2014. Currently pending for final approval.
2 Bundesamt für Sicherheit in der Informationstechnik, Godesberger Alle 185-189, 53175, Bonn,
‘[a] grand strategic vision of cyberspace can assist states in navigating the informational
turbulence in which contemporary international politics appears to find itself. […]
Cyberspace has its myriad of problems, but a true strategic sensibility demands that
long-term interests prevail over short-term opportunism’ [BS11]. Defining The Cyber Domain Essay Paper.A cyber strategy can be
thought of as an umbrella for various individual cyber operations with the ultimate aim
to achieve a strategic and / or political goal. Kuehl identifies a cyber strategy as ‘the
development and employment of strategic capabilities to operate in cyberspace,
integrated and coordinated with the other operational domains, to achieve or support the
achievement of objectives across the elements of national power in support of national
security strategy’ [Kd09]. Starr sees it as ‘the development and employment of
capabilities to operate in cyberspace, integrated and coordinated with the other
operational domains, to achieve or support the achievement of objectives across the
elements of national power’ [Ss06]. Thus, cyber strategies can be defined as ‘the
development and employment of cyber operations, integrated and coordinated with other
operational domains and forms of information warfare, to achieve or support the
achievement of political objectives. Cyber operations refer to the targeted use and hack
of digital code by any individual, group, organization or state using digital networks and
connected devices, which is directed against critical national, military or civilian
information infrastructure in order to alter, destroy, disrupt or deny functionality with the
ultimate aim to weaken and/ or harm the targeted political unit’ [Hs15].
Thus, a comprehensive cyber strategy consists inter alia of a certain implementation of
cyber security as well as all the cyber operations carried out under its umbrella,
connecting them to achieve a particular political or strategic goal. Discussions about the
general idea of cyber strategies started with Libicki’s works on deterrence and have been
developed ever since [Lm09a][Lm09b] but also go far beyond that. This paper identifies
and discusses the five existing cyber strategies on a macro level and analyses their
implications with focus on national cyber security. The discussion is based on the
academic examination of 50 cyber operations from the perspective of strategic studies
and a case study of the Olympic Games campaign (empirical contribution) as well as
extensive research on the subject matter (theoretical contribution) including more than
300 sources on strategy, cyber warfare and related areas [Hs15]. It shall therefore
provide a strategic umbrella for bridging the gap between the more technical nature of
cyber operations and policy-maker understanding of their implications.
2 Cyber Strategies
2.1 Going Dark
This strategy is an extended and broader implementation of the security mechanism of
air-gaping networks. Going Dark means that all systems and networks which are part of
the (critical) national information infrastructure of a country are not connected neither to
wider networks nor to the Internet. Gervais mentions this strategy, stating that: ‘[…] when
Strategic Operations and Cyber Security
it comes to states, like North Korea, that are less technologically advanced, cyber
reprisals have little effect. Reprisals to cyber attacks, therefore, ought to manifest
themselves as physical countermeasures when necessary’ [Gm11]. It can also mean that
there is no such an infrastructure to speak of yet, due to the low level of development of
this state. Relying on this strategy shows that the adopting state does not believe in its
ability to defend its networks properly–or their vitality, therefore making them go dark
completely. Implementing this strategy can be done partially–only the classified
networks are air-gaped – or for the active networks and systems structure. This approach
tries to deny the adversary any access to the systems and networks which hold valuable
data or can lead to casualties. The delineation between going dark and deterrence by
denial is the fact that going dark does not include any additional measures of protecting
systems and networks, whereas deterrence by denial includes a comprehensive set of
hardening activities (see 2.2). The Olympic Games campaign has been an
implementation of a shashou jian strategy (compare 2.4) consisting of different
operations which targeted an infrastructure which can be considered as ‘gone dark’ – and
partially succeeded [FMC10]. Defining The Cyber Domain Essay Paper.
Deterrence in the cyber domain is the most developed and analysed cyber strategy today,
if not the only one that has been discussed thoroughly so far. In general, deterrence is
subdivided into deterrence by denial and deterrence by punishment. Deterrence by denial
is ‘[…] to deny an adversary the ability to achieve its military and political objectives […]’
[Gs61] whereas ‘[t]he goal of deterrence by punishment is to prevent aggression by
threatening greater aggression in the form of painful and perhaps fatal retaliation’
The most important point of deterrence is its credibility [Kr09]. The adversary has to
believe that the opponent’s threat of retaliation is credible. If the adversary believes it, he
will not attack and is therefore deterred, or as Gray put it: ‘[t]he deterree has to agree to
be deterred, no matter how unwillingly’ [Gc99]. One common misconception about
cyber deterrence is to be highlighted first. Cyber operations are used as a means to deter
any domain adversarial aggression. Cyber deterrence does not mean the use of any
domain means to deter an adversarial cyber aggression. For example: the threat of use of
nuclear weapons as retaliation for a cyber attack is not cyber deterrence but nuclear
deterrence. If both stakeholders then implement cyber retaliation, it might lead to a
‘mutually assured disruption’ [Gk11].
Thus, deterrence in the cyber domain may need offensive and defensive capabilities to
be in place at the same time to create credible deterrence. However, airtight defensive
security could make up for the lack of offensive capabilities. The ultimate aim
subsequently is to increase the own security. Kugler states that ‘[…] the potential payoff
of a well-conceived cyber deterrence strategy is considerably greater security than exists
today’ [Kr09]. Deterrence using cyber operations can be implemented in various ways.
Payne and Walton define three types of deterrence 1. deterrence as direct attack, 2.
deterrence as preventing from doing a provocative act and 3. aggression becomes
unprofitable [PW02]. Kugler’s suggestions are similar. He states that the three types of
how deterrence in the framework of cyber operations could work are 1. deterrence by
denying benefits, 2. deterrence by incentives as well as 3. deterrence by imposing costs
[Kr09]. Defining The Cyber Domain Essay Paper.
Deterrence is not an either-or decision. Strategies can all work at once, or equally fail
together. Therefore, Starr suggested a concept where cyber deterrence is custom-tailored
to the adversary [Ss09]. In the case of states, Starr suggests to carry out cyber espionage
activities against them to be able to tailor the deterrence strategy. This conclusion can be
derived from the nature of cyber armoury. If state A were able to penetrate the networks
of state B, it can be assumed that malicious software has been planted, the perception is a
persuasive here as actuality. Therefore, state B might be deterred from attacking A
because it assumes that A can detonate those time bombs any time. In addition, A might
have gained knowledge about the weapons that B has and can harden and shield its
networks from likely retaliation which effectively render B’s potential attacks useless. A
might have even found more vulnerabilities to exploit B’s networks for future
endeavours. Therefore, credible cyber deterrence needs to be custom-tailored and relies
on information acquired through intelligence operations.
Despite the opportunities mentioned, cyber deterrence faces several challenges and some
authors therefore regard it as void [CK10][LX10]. Lewis for example states that, ‘[t]he
fundamental assumption is that a correct interpretation by opponents will lead them to
reject certain courses of action as too risky or too expensive. The problem is that
potential opponents may misinterpret deterrent threats while others may be not feel
threatened, and are therefore harder to deter’ [Lj10]. In case of cyber deterrence against
cyber attacks, the primary challenge is proper attribution, mentioned earlier this chapter,
which undermines the credibility of cyber deterrence to a large degree. If an attacker
cannot be properly identified, it cannot produce deterrence by punishment. Therefore
cyber deterrence might fail. If an attacker can be identified it can still be an act of
deception. There can be no 100% proof whether the clues leading to the possible attacker
are genuine or as distraction as part of a deceiving cyber operation. Therefore, cyber
deterrence would also fail as long as no perpetrator officially takes responsibility for the
attack. Defining The Cyber Domain Essay Paper.Even then, terrorists for example might claim ownership of a cyber attack to
spread terror, whereas the actual attacker does not want to make his involvement public.
Hence, the lack of proper attribution is a large problem for credibility, and hence
successful deterrence. Thus, in case of an attack and subsequent possible retaliation, the
decision is deferred to the political level.
Another challenge is that some cyber attacks might be too small to retaliate against
[Kr09] and subsequently undermine a zero tolerance policy [He10]. If a state
communicates that it will retaliate against every cyber attack (zero tolerance) it is
doomed to fail because of the sheer number of attacks and the lack of resources to
respond to them. Having declared retaliation against every cyber attack but failing to do
so, undermines a state’s credibility. The political level therefore has to set and
communicate a threshold: how much damage a cyber attack has to do for a cyber
Strategic Operations and Cyber Security
retaliation to trigger and therefore deterrence to take place. All cyber attacks below this
threshold do not produce the effect of deterrence. The other option would be the
implementation of a zero tolerance policy which would inadvertently fail and therefore
diminish the credibility of cyber deterrence.
Cyber deterrence against cyber attacks (as well as other attacks) struggles to deal
effectively with non-state stakeholders [Lm09b]. While not covered by this research, this
potential challenge warrants mention. The threat of wiping an individual’s computer is
not credible enough to prevent him from trying to shut down the power grid of a country.
This leads to the next challenge, the lack of impact in case of cyber retaliation against a
state. Compared to nuclear weapons, cyber operations lack the ability for mutual assured
destruction [Aj01] or ‘unexpected higher- order effects’ [Ss09]. If country A plans to
invade country B and has a high chance of success, A would unlikely be deterred by B’s
potential to shut down the power grid and wipe important databases. A is more likely to
be deterred, however if B could wipe-out A’s capital city as a response to the invasion.
Due to the nature of cyber weapons, cyber deterrence as a strategy also faces the
problem that most cyber weapons are one use only [He10]. They exploit vulnerabilities
and once the adversary notices, he can fix the vulnerability and therefore render the
weapon useless (against him). The knowledge of this increases the threshold of
retaliation for the deterrer owing to hesitancy to use up his cyber arsenal. This increases
the threshold to a level that retaliation as a result from cyber deterrence always borders
between escalation and impunity, [Kr09] or as Hjortdal puts it ‘[t]he strategy of
deterrence is thus two-sided and, as such, contradictory—a balancing act is needed
between hiding the maximum level of capability on the one hand, and communicating
and proving that the capability exists on a sufficiently high level to deter other states on
the other’ [Hm11], a thin line. For further research on this issue, when taking into
account a multi- stakeholder setting, cyber deterrence faces the challenge of extended
cyber defense and collective cyber retaliation only to work if applied sub rosa but not
Sharma sees cyber deterrence as the only vital defence against cyber attacks [Sa09]. This
is partly accurate. It is the only viable cyber defence strategy which can be applied
across the (critical) national information infrastructure – as opposed to going dark which
can only be partly applied. However, cyber deterrence is heavily restricted in what it can
achieve. Defining The Cyber Domain Essay Paper.
Extraction and disruption operations using networks and computer system have been
coined sub rosa activities by Libicki [Lm09b]. Subsequently, a sub rosa cyber strategy
‘has some aspects of intelligence operations, and some aspects of special operations –
although it is neither. Of note, sub rosa warfare is almost impossible to conduct with
tanks, much less nuclear weapons’ [Lm09b]. Sub rosa cyber strategy are covered in some
works in a blurred pool of cyber operations, information warfare and intelligence
operations, but not often distinctly discussed as a single and genuine strategy or
approach. It bears close resemblance with traditional sub rosa activities such as
espionage or sabotage but is conducted through cyber operations. Thus, a sub rosa cyber
strategy can be part of a major intelligence operation which also involves other elements
such as human intelligence (HUMINT). Defining The Cyber Domain Essay Paper.
States are aware of this strategy, as Gervais suggests when stating that ‘[a]necdotal
evidence suggests that cyber espionage is a familiar practice of state governments’
[Gm11]. Betz and Stevens even suggest that sub rosa cyber strategy are aspiring to be
the most prevalent cyber strategy, as compared with strategies with a higher level of
A sub rosa cyber strategy is only sub rosa as long as both parties agree it to be, or as
Libicki phrases it: ‘[p]aradoxically, maintaining sub rosa warfare requires the tacit assent
of the other side, and is therefore quite fragile’ [Lm09b]. The reason to keep it secret is
that the less the public knows, the easier it is to de-escalate the conflict [Lm09b]. If one
of the stakeholders decides to end its secretive conduct, the sub rosa operations, if
continued, turn into for example shashou jian strategy (see 2.4). This strategy has a
higher level of intensity and therefore does not only mean to turn a covert operation
overt, but also to increase the risk of escalation and subsequent retaliation. Keeping
operations sub rosa through this strategy means decreasing the likelihood of entering the
retaliation cycle [Lm09b]. The more intense and physical sub rosa operations are, the
more likely they are to escalate. If state A shuts down state B’s power grid, B is
politically pressured to react – even more so if the perpetrator becomes public
knowledge. Defining The Cyber Domain Essay Paper.The sub rosa cyber strategy is therefore a limited intensity strategy with a likelihood of the involved stakeholders being aware of the operations but deliberately
keeping them covert in order to avoid decreasing political leeway.
There is a thin line between a sub rosa cyber strategy and the shashou jian cyber strategy.
It is prudent however to differentiate those two strategies from one another for several
reasons. Apart from the difference in indicators which are discussed in the respective
categorization paragraphs, the core distinction is that the sub rosa strategy mainly refers
to intelligence, not sabotage. This crucial element coincides with the covertness of a sub
rosa cyber strategy as compared to a potentially overt character of shashou jian
operations as acts of sabotage are more difficult to keep covert. Sub rosa, is not,
however, anything new. It is covert intelligence operations carried out through the use of
cyber operations. Therefore it is necessary to distinguish it from other cyber strategies, it
is less necessary to do so from other intelligence operations.
From a state’s perspective, it is prudent to start implementing a sub rosa strategy by
actually strengthening the own cyber security approach. When engaging in offensive
cyber activities, one can expect to be attacked as well – either as retaliation or just
because of the assumption that certain attacks can just not be backtracked and
subsequently attributed. It is vital to develop the defense at least to the level that it could
withstand an attack mirroring the power and effort oneself puts into offensive cyber
operations. Defining The Cyber Domain Essay Paper.
Strategic Operations and Cyber Security
2.4 Shashou Jian
Shashou jian is the Chinese translation for assassin’s mace, a strategy which refers to the
ability of striking the enemy decisively and stealthily – making the fight fit the weapons
[CK10][Nl05]. Incorporating this strategy into the cyber operations framework is based
on the alleged Chinese use of shashou jian as a means to achieve its geo-strategic goals
[Nl05]. The use of the term in this work might exceed the depth of shashou jian in the
Chinese original meaning. It seems however useful to keep the term and extend the
description as it reflects not only the use by Chinese strategists in general but also the
connection of Sun Tzu’s teachings to this concept. Sun Tzu describes this kind of
strategy in his writings as relying on speed, stating that ‘[s]peed is the essence of war.
Take advantage of the enemy’s unpreparedness, travel by unexpected routes and strike
him where he has taken no precautions’ [SG63]. In conventional terms, an assassin’s
mace strategy can be pictured as an attacker coming out from cover to deal a swift blow
to the victim – and at once disappears.
Libicki discusses three key roles which a cyber attack might play: ‘[i]t might cripple
adversary capabilities quickly, if the adversary is caught by surprise. It can be used as a
rapier in limited situations, thereby affording a temporary but potentially decisive
military advantage. It can also inhibit the adversary from using its system confidently’
[Lm09a]. Defining The Cyber Domain Essay Paper.All the three roles are goals that can be achieved with a shashou jian cyber strategy. It aims at the decisive points [Ja68] or centres of gravity [Rg01] of the enemy to
carry out a precise blow, ignoring the rules of conduct [Fj08] to achieve a coup de grâce
[Tm67]. One targeted blow against parts of the (critical) national information
infrastructure that brings about a huge impact (for example bringing down the state’s
entire power grid).
Shashou jian is very versatile can be carried out in the framework of warfare or under the
umbrella of intelligence operations. When linked to the latter, it is most likely affiliated
with sabotage rather than espionage activities. Shashou jian does not necessarily work in
supplement to other forms of warfare or intelligence operations, but can be a standalone
strategy. Hence, sub rosa and shashou jian are not only cyber strategies, but can also be
conducted under the umbrella of intelligence operations. Even if to distinguish between
espionage and sabotage activities seems arbitrary, it is not. The genuine difference
between sub rosa and shashou jian strategies is that shashou jian still works as an overt
operation after it has successfully been carried out stealthily. Defining The Cyber Domain Essay Paper.
2.5 Cyber War
Schneier analyses the strategy of cyber war appropriately, ‘[a]nd for there to be a
cyberwar, there first needs to beawar’ [Sb09]. Libicki phrased it similarly arguing that,
‘[o]perational cyberwar consists of wartime cyber attacks against military targets and
military-related civilian targets’ [Ml09a]. One of the options for cyber operations is to
supplement conventional warfare [CK10] the research refers to this strategy as cyber
war. The often hyped ‘First Cyberwar’ against Estonia was merely a precursor to fullyĖĻğ
fledged cyber war; conducted with low technology means and without any formal
declaration of war [Cm07]. At the same time, there were no conventional forms of
warfare which those attacks supplemented. If a state of war had been acknowledged by
either one or both of the participating states, the operations could have been described as
being embedded in a cyber war strategy.
The intensity and objectives with which cyber war can supplement conventional warfare
varies. Lonsdale mentioned the ability of cyber warfare to substitute tactical bombing
[Ld04]. In general, the intensity of cyber operations during a cyber war is not limited. As
Libicki puts it: ‘once something is called war, a victim’s responsibility for the
consequences of its acts dissipates’ [Lm96]. Defining The Cyber Domain Essay Paper. Compared to the other kinds of cyber
operations, escalation plays a minor role, given that war is already underway. The war
can still turn from conventional and cyber weapons to using nuclear weapons (an
escalation) but the probability that cyber operations contribute to this escalation rather
than conventional warfare is comparatively low. A state would probably more be worried
and prone to escalate as response to armies invading its territory and killing its citizens
and armies than about the loss of electricity in the capital for example.
The difference between shashou jian and cyber war is not only the setting (cyber war can
only take place during war). In addition, cyber war does not necessarily strike stealthily
or at decisive points. A cyber war operation could, for example, aim to use distributed
denial-of-service attacks to deny the whole country Internet access. It could also utilize
destructive viruses to destroy as much data and information within the adversary’s state
(including private computers, companies etc.) as possible. These broad, destructive and
overt operations could be part of a coercing cyber war strategy. They would not fall
within a shashou jian framework. Defining The Cyber Domain Essay Paper.
The analysis of possible cyber strategies shows that there is a certain cyber strategy for
every occasion. In times like this, when the number of stakeholders participating in
international cyber conflicts is constantly increasing and no end of hostilities seems
likely, it is vital to step up the corresponding security measures, in this case: cyber
In terms of strategies, deterrence by denial strategy would be well-chosen to focus on
securing the state’s ‘cyber borders’. This would mean a strong focus, policy- and
resource-wise, on enhancing information security – hardening systems, monitoring
networks, creating public-private cooperation, research and development e. g. of
advanced persistent and volatile threats, sharing information about attacks and raising
public awareness. If states wish to engage in offensive cyber strategies, it is even more
important to secure the own (critical) national information infrastructure in order to deal
with possible retaliation. Thus, improving cyber defenses should always come first.
Cyber security which aims at securing the nation’s (critical) information infrastructure
Strategic Operations and Cyber Security
has to take a proactive approach. One way of doing so is to focus research on traps, the
so-called honeypots and honeynets – either in a virtual / sandbox environment or as raw
steel version. Their research, development and deployment allow the analysis of attack
vectors and behaviours, therefore allowing an adaptation of the defensive measures in
order to counter future attacks following those patterns. Finding and sharing information
about zero-day exploits before their use allows its correction before harm is done. In
order to implement a holistic and sustainable cyber security paradigm, knowledge about
offensive capabilities is crucial. In cyber security, being seconds too late can already
make the difference between having an effective security in place and having none at all. Defining The Cyber Domain Essay Paper.
ORDER A CUSTOM-WRITTEN PAPER HERE
Amoroso, E. 2006. Cyber Security. New Jersey: Silicon Press.
Baldwin, D. A. 1997. The Concept of Security. Review of International
Studies, 23(1): 5-26.
Barabási, A. L., & Albert, R. 1999. Emergence of Scaling in Random
Networks. Science, 286(5439): 509-512.
Buzan, B., Wæver, O., & De Wilde, J. 1998. Security: A New Framework
for Analysis. Boulder, CO: Lynne Rienner Publishers.
Canongia, C., & Mandarino, R. 2014. Cybersecurity: The New Challenge
of the Information Society. In Crisis Management: Concepts,
Methodologies, Tools and Applications: 60-80. Hershey, PA: IGI
Cavelty, M. D. 2008. Cyber-Terror—Looming Threat or Phantom
Menace? The Framing of the US Cyber-Threat Debate. Journal of
Information Technology & Politics, 4(1): 19-36. Defining The Cyber Domain Essay Paper.
Cavelty, M. D. 2010. Cyber-Security. In J. P. Burgess (Ed.), The Routledge
Handbook of New Security Studies: 154-162. London: Routledge.
Chang, F. R. 2012. Guest Editor’s Column. The Next Wave, 19(4): 1–2.
CNSS. 2010. National Information Assurance Glossary. Committee on
National Security Systems (CNSS) Instruction No. 4009:
Cooper, S. 2013. Pragmatic Qualitative Research. In M. Savin-Baden &
C. H. Major (Eds.), Qualitative Research: The Essential Guide to
Theory and Practice: 170-181. London: Routledge.
Deibert, R., & Rohozinski, R. 2010. Liberation vs. Control: The Future of
Cyberspace. Journal of Democracy, 21(4): 43-57.
DHS. 2014. A Glossary of Common Cybersecurity Terminology.
National Initiative for Cybersecurity Careers and Studies:
Department of Homeland Security. October 1, 2014:
Friedman, A. A., & West, D. M. 2010. Privacy and Security in Cloud
Computing. Issues in Technology Innovation, 3: 1-13.
Goodall, J. R., Lutters, W. G., & Komlodi, A. 2009. Developing Expertise
for Network Intrusion Detection. Information Technology & People,
ITU. 2009. Overview of Cybersecurity. Recommendation ITU-T X.1205.
Geneva: International Telecommunication Union (ITU).
Kozlenkova, I. V., Samaha, S. A., & Palmatier, R. W. 2014. Resource-
Based Theory in Marketing. Journal of Academic Marketing Science,
Kemmerer, R. A. 2003. Cybersecurity. Proceedings of the 25th IEEE
International Conference on Software Engineering: 705-715.
Lewis, J. A. 2006. Cybersecurity and Critical Infrastructure Protection.
Washington, DC: Center for Strategic and International Studies.
About the Authors
Dan Craigen is a Science Advisor at the Communications Security Establishment in Canada. Previously,
he was President of ORA Canada, a company that focused on High Assurance/Formal Methods and distributed its technology to over 60 countries. His
research interests include formal methods, the science of cyber security, and technology transfer. He was the chair of two NATO research task groups pertaining to validation, verification, and certification of embedded systems and high-assurance technologies.
He received his BScH and MSc degrees in Mathematics from Carleton University in Ottawa, Canada. Defining The Cyber Domain Essay Paper.
Nadia Diakun-Thibault is Senior Science and Analytics Advisor at the Communications Security Establishment in Canada. She holds a Master’s degree in
Public Administration from Queen’s University in
Kingston, Canada, and an ABD (PhD) degree in Slavic
Languages and Literatures from the University of
Toronto, Canada. She has served as Parliamentary Advisor to Members of Parliament and held an Order-in- Council appointment to the Province of Ontario’s Advocacy Commission. Her research interests include neurophilosophy, semiotics, linguistics, and public policy. She is also an adjunct faculty member in the Department of Computer Science and Engineering at
North Carolina State University in the United States.
Randy Purse is the Senior Learning Advisor at the Information Technology Security Learning Centre at the Communications Security Establishment in
Canada. A former officer in the Canadian Forces, he
is an experienced security practitioner and learning specialist. His research interests include the human dimensions of security and collective and transformative learning in the workplace. He has a Master’s of Education in Information Technology from Memorial
University of Newfoundland in St. John’s, Canada, and he is a PhD candidate specializing in Adult and Workplace Learning in the Faculty of Education at the University of Ottawa, Canada.
Technology Innovation Management Review October 2014 www.timreview.ca
Citation: Craigen, D., Diakun-Thibault, N., & Purse, R.
2014. Defining Cybersecurity. Technology Innovation
Management Review, 4(10): 13–21.
Keywords: cybersecurity, definition, interdisciplinary,
Ostrom, E., & Hess, C. 2007. Private and Common Property Rights. In B.
Bouckaert (Ed.), Encyclopedia of Law & Economics. Northampton,
MA: Edward Elgar.
Oxford University Press. 2014. Oxford Online Dictionary. Oxford: Oxford
University Press. October 1, 2014:
Public Safety Canada. 2010. Canada’s Cyber Security Strategy. Ottawa:
Public Safety Canada, Government of Canada.
Singer, P. W., & Friedman, A. 2013. Cybersecurity and Cyberwar: What
Everyone Needs to Know. New York: Oxford University Press.
Public Safety Canada. 2014. Terminology Bulletin 281: Emergency
Management Vocabulary. Ottawa: Translation Bureau, Government
Wallinger, W., Alderson, D., & Doyle, J. 2009. Mathematics and the
Internet: A Source of Enormous Confusion and Great Potential.
Notices of the American Mathematical Society, 56(5): 586-599. Defining The Cyber Domain Essay Paper.
Our essay writers will gladly help you with: