Through 19 of the 44 pages:
"The United States gains tremendous economic, social, and military advantages from cyberspace. However, our pursuit of these advantages has created extensive dependencies on highly vulnerable information technologies and industrial control systems. As a result, U.S. national security is at unacceptable and growing risk.
..."Of critical importance, known cyber attacks on the United States to date do not represent the “high-end” threats that could be conducted by U.S. adversaries today – let alone the much more daunting threats of cyber attack the Nation will face in coming years as adversary capabilities continue to grow rapidly. A large-scale cyber attack on civilian critical infrastructure could cause chaos by disrupting the flow of electricity, money, communications, fuel, and water...
...
"...While progress is being made to reduce the pervasive cyber vulnerabilities of U.S. critical infrastructure, improvements are not on a pace to reduce risks to acceptable levels within the next decade...The unfortunate reality is that, for at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.
[Bleak, this is bleak, the unfortunate reality is this is bleak.]
"Responding to adversary cyber attacks and costly cyber intrusions carries a risk of escalation (and quite possibly intelligence loss), but not responding carries near-certainty of suffering otherwise deterrable attacks in the future.
[This is a shot at Obama's lack of even a proportionate second-strike against Russia for the election interference.]
...
"Although it may appear desirable in theory to find effective arms control approaches to stabilize the cyber balance between major powers – U.S.-Russia and U.S.-China – in practice cyber arms control is not viable...
[This is very repetitious, which is always a sign that the authors don't have much to say.]
...
"The United States and Russia, and the United States and China, share extremely strong stakes in avoiding major war, including through misperception and inadvertent escalation. The dynamics of cyber offensive weapons will increase challenges to crisis stability, as each side is likely to perceive significant advantages and relatively low risks (no direct casualties, no visible damage) to going first with offensive cyber against the other side’s military.
[Liverpool beat Arsenal 3-1.]
...
"Thus, as offensive cyber capabilities continue to grow, and are likely to outpace cyber defense and resilience, there are likely to be growing risks of misperception that could lead to rapid cyber escalation – and the potential for rapid escalation to armed conflict.
...
"Because deterrence operates by affecting the calculations of specific decision-making individuals in another nation or group – the goal being to convince these decision makers that the expected costs of an attack outweigh its expected benefits – deterrence planning must focus on what key leaders on the other side value, and on how they are likely to make decisions. Some adversary leaders may place highest value on the security and economic well-being of their people; in other cases they may place significant value on their own financial well-being or status.
[Putin, peut etre?]
"DoD’s priority focus for cyber deterrence should be on key leadership individuals (including those who influence them) in the top four cyber threat nation-states: Russia, China, Iran, and North Korea. ISIS and other terrorist groups are pursuing more advanced cyber capabilities; however deterrence of cyber (or other) attacks by such groups may not be possible in many scenarios, so that prevention/preemption and defense should be the principal U.S. approach.
...
"...Many if not most cyber exploits – whether intended to facilitate the collection of intelligence or to facilitate a later attack – require clandestine intrusion well in advance of any action in order to achieve an objective or effect. However, the subject of such exploits may not be able to discern whether the intent is “legitimate” espionage/collection activities or pre-positioning of disruptive or destructive tools.
"As a key example, is it acceptable or unacceptable for nations to pre-position malicious software in each other’s electrical grids, as appears to have occurred to the United States with “HAVEX” and “BlackEnergy” malware? If it is acceptable, then the United States may wish to take such actions – if for no other reason than to deter an adversary from “pulling the trigger” on similar implants it may have placed in U.S. systems. If it is unacceptable, then the United States should work to identify and impose costs on any nation that undertakes such an action.
[In other words, we haven't even determined the rules of engagement.]
...
"...there is an important distinction between Russia and China on the one hand, and Iran and North Korea on the other.
"The United States must lean heavily on cost imposition for deterring Russia and China cyber threats...it will not be possible (for the foreseeable future) to deny highly capable actors the ability to conduct catastrophic cyber attacks on the United States. This is primarily because the limited U.S. efforts to defend U.S. information systems to date are unlikely to accelerate (in the near- to mid-term at least) to the point where they can offset the combination of major powers’ technical wherewithal, vast supply of resources (including a supporting intelligence apparatus), and the ability to influence supply chains and exploit vulnerabilities at scale."
[Can we go off the grid? Un-wire? There is nothing we can do to defend against cyber attacks and cyber attacks can destroy us. We haven't even been hit with a "high-end" attack. Even so we risk "death by a thousand hacks." Can't we "consciously uncouple"? (I bet not.)]
(more)