Course Syllabus

Course Assignments:

Access to reading materials: All materials assigned for the course syllabus are available through the Tufts library system. Please see note regarding the Book Review assignment.

Group discussion preparation: Except for April 7 when you will all be doing presentations, beginning on January 27, each class will include 20-25 minute breakout sessions. The discussion groups will be small; size will depend on course enrollment, but is likely to be around 6 students. Each group will have two students in charge of leading the discussion (this is a rotating responsibility that will change weekly). That week's group leaders will meet with me prior to class—most likely on Mondays—having prepared a set of questions and discussion points for the group discussion. After each group has cycled through its group leaders, I'll create a new set of groups so that you'll have a chance to mix with multiple students during the term.

Written material by the group leaders will be due Sunday night at midnight before the group discussion on Wednesday. Grading will be based partially on the written materials and partially on the response of the group to the quality of discussion. Preparation for and running the group discussion will count 20% of the grade.

Briefing memo: On December 14, 2020, the EU announced its Cyberstrategy for the Digital Decade. Pick one of the strategic initiatives outlined in 3 of the FAQ and write a 1000-word briefing document for the chair of the Senate Foreign Intelligence Committee explaining what the initiative is about, its likelihood of success, and, if applicable, why it is being addressed now. This is due February 12 and is worth 10% of the grade.

Two-part "not-quite-a-simulation" exercise:

Part 1: country analysis: You will write a short—2000-word—briefing paper on the cyber threats facing a particular nation. I am in the process of preparing that list, but it will be one of the nations that we have not studied in class (the list will be available by beginning of term). The analysis will need to take into account historical and current enemies, the nation's dependence on cyber, the level of sophistication of its cyber defense, and the level of sophistication of its adversaries. The discussion must be fact based, logical, and analytical. More details will be forthcoming. The analysis will be due March 14 and is worth 25% of the grade.

Part 2: response and presentation: This is a group project; you will be divided into groups by the nations you've picked for Part 1 (I'll limit how many of you can pick a particular country). On March 17th I will provide each nation with a scenario; your job will be to develop a response. You will prepare a group written response (1500 words) and a presentation for the April 14 class. The length of the presentation is not yet determined (it depends partially on enrollment). The group briefing document and presentation will count 15% of the grade.

Book review:  There are many popular books on cyber threats, many written by journalists. These can be useful in beginning the education of someone who is new to the field. I have chosen some of the most important recent ones (one will be published this spring).  The final assignment will be a two-part book review from the following list or a book of your choice (the latter choice must be approved in advance by me).

The first part of the assignment is a 1500-word review of the text with an assessment as to accuracy, where accuracy includes whether the author has focused on the most important cybersecurity issues. The second is a 300-word briefing to the newly appointed chair of the Senate Intelligence Committee, whose previous experience in cyber is minimal, as to why they should—or should not—read this book and what issues the policymaker should expect to learn from the text. One constant in cyber, and especially cyber conflict, is change; your review and briefing should take these into account (albeit in different ways). This assignment is due April 30 and is worth 20% of the course grade.

Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, Doubleday, 2019.

Shane Harris, @War: The Rise of the Military-Internet Complex, First Mariner Books, 2014.

Nicole Perlroth, This is How They Tell Me The World Ends, Bloomsbury Publishing, 2021.

David Sanger, The Perfect Weapon, B\D\W\Y Broadway Books, 2018.

Adam Segal, The Hacked World Order, Public Affairs, 2016.

P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know, Oxford University Press, 2014.

Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Cyberweapon, Crown Publishing, 2015.

Important Note regarding the Book Review: All of the proposed books are available through the Tufts library, but only Cybersecurity and Cyberwar allows unlimited users at a time. I recommend that early in the term, you chose a book and ensure that you will have access to it, either by obtaining a copy or by reading it early if it is not one of  with unlimited access.

Please note: I may add some additional material to the reading list; assignments and order of classes are fixed.

 

January 20: Introduction to the Conundrum: Why is it that thirty-five years after the first cyber exploit, cyber incidents are growing more serious? More pointedly, what are the causes for the failure to reach international agreements on securing aspects of our digital infrastructure? Today's class will provide an overview of the technical, political, and economic reasons behind the world's growing cyber conflict.

 

January 27: History of Attacks, Part I: What is the nature of cyberconflict? What did "attacks" look like during the initial period (1986-2010) of cyberconflict? What were nation-state responses? Were they appropriate? Why or why not?

Readings:

• Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace, 1986-2012, Atlantic Council, 2013, read sections on Solar Sunrise; Moonlight Maze; From TITAN RAIN to BYZANTINE HADES. 
• David Clark, Thomas Berson, and Herbert S. Lin, eds., At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, National Research Council, 2014, pp. 18-40 (Chapter 2 and 3.-3.3.) . Note that the pdf of the report can be downloaded for free.
• IMPORTANT NOTE:  those who are unfamiliar with the communications structure of the Internet are strongly advised to attend the technical tutorial on January 23, time TBD. In addition, please also read or view the following material;
• A Packet’s Tale: How Does the Internet Work? (Links to an external site.)

• Cloudflare, The 6 Steps in a DNS Lookup in Cloudflare in What is DNS? How DNS Works (Links to an external site.)

•  (Links to an external site.)Techquickie    00:00-4:20 What is TCP/IP? (Links to an external site.)

 

February 3: History of Attacks, Part II (including disinformation): In what ways did international international cyberconflict change over the 2010s? What caused these changes? What does that bode for the future?

Readings:

• Thomas Rid, Cyberwar Will Not Take Place, Journal of Strategic Studies, Vol. 35, Issue 5, 2011.
• Robert M. Lee, Michael J. Assante, and Tim Conway, German Steel Mill Cyber Attack, ICS Defense Use Case, SANS, December 30, 2014.
• Gordon Corera, How France's TV5 Was Almost Destroyed by 'Russian Hackers', BBC News, October 10, 2015.
• Christopher Bronk and Eeneken Tikk-Ringas, The Cyber Attack on Saudi Aramco, Survival 38, no. 4 (April 2013).
• Andy Greenberg, How an Entire Nation Became Russia's Test Lab for Cyberwar, Wired, June 28, 2017.
• Susan Landau, Russia's Hybrid Warriors Got the White House, Now They're Coming for America's Town Halls, Foreign Policy, September 26, 2017.
• Marie Baezner, Use of Cybertools in Regional Conflicts in Southeast Asia, Research Collection, ETH Zurich, August 2018.
• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power, Cambridge University Press, 2018, chapter 3.
• Minority Staff Report prepared for the use of the Committee on Foreign Relations, United States Senate, Putin's Asymmetric Assault on Democracy in Russia and Europe: Implications for U.S. National Security, January 10, 2018, pp. 37-50.
• Skim: Graphika and Stanford Internet Observatory, More-Troll Kombat: French and Russian Influence Operations Go Head-to-Head Targeting Audiences in Africa, December 2020.

 

February 10: The Technical Side of Cyberweapons:  How do cyberweapons work? What role do vulnerabilities play? How is their use controlled? Is the use of vulnerabilities really controlled?  How did we end up here?

• Watch Zero Days, 2016.
• Ben Buchanan, The cybersecurity dilemma: hacking, fear, and trust between nations, Oxford University Press, 2016, Chapter 2.
• S. Bellovin, S. Landau, and H. Lin, Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications, Journal of Cybersecurity, Vol. 3, Issue 1 (2017), pp. 59-68.
• Eric Gartzke and Jon Lindsay, Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace,  Security Studies 24, no, 2,  2015.
• Max Smeets, A matter of time: On the transitory nature of cyberweapons, Journal of Strategic Studies 41, Issue 1-2, 2018.
• Marietje Schaake, The Lawless Realm, Foreign Affairs, November/December 2020.

 

February 17: Cyber Conflict: US and European Perspectives: What is current US cyber strategy? Is this strategy likely to be successful?—and what does success actually mean?  How is US cyber strategy different from that of its close allies?

Readings:

• C. Robert Kehler, Herbert Lin, and Michael Sulmeyer, Rules of engagement for cyberspace operations: a view from the USA, Journal of Cybersecurity 3, no. 1 (2017).
• United States Cyber Command, Achieve and Maintain Cyberspace Superiority, March 2018.
• Read Pillar III, skim the rest of: National Cyber Strategy of the United States of America, September 2018.
• Paul M. Nakasone, A Cyber Force for Persistent Operations, Joint Force Quarterly 92 (1st Quarter, 2019).
• William A. Owens, Kenneth W. Dam, and Herbert S. Lin (eds.), Committee on Offensive Warfare, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of Cyberattack Capabilities, National Research Council, 2009, 1.8.4-1.8.5.
• HM Government, National Cyber Security Strategy 2016-2021, pp. 18-52 and 63-64.
• Ryan Gallagher, Operation Socialist: The Inside Story of How British Spies Hacked Belgium's Largest Telco, The Intercept, December 12, 2014 and How UK Spies Hacked a European Ally and Got Away with It, The Intercept, February 17, 2018.
• The EU's Cybersecurity Strategy in the Digital Decade, December 16, 2020.

 

February 24: Cyber Conflict: Perspectives from Russia and China: Russia and China both focus on "information security" rather than "cyber security." What's the distinction and why is it important? Both Russia and China entered the cyber domain significantly later than the United States, yet seem to have succeeded in "attacking" to the U.S. Does that mean US policy "failed"?

Readings:

• Keir Giles and William Hagestad II, Divided by a Common Language: Cyber Definitions in Chinese, Russian, and English, in Proceedings of the 5th International Conference on Cyber Conflict, 2013, pp. 413-429.
• Adam Segal, Chinese Cyber Diplomacy in a New Era of Uncertainty, Hoover Institution Essay, Aegis Paper Series 1703,  2017.
• Keir Giles, Handbook of Russian Information Warfare, NATO Defense College, 2016.
• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power, Cambridge University Press, 2018, Preface and Chapter 6.
• Jack Goldsmith and Stuart Russell, Strengths Become Vulnerabilities: How a Digital World Disadvantages the United States in its International Relations, Hoover Institution Essay, Aegis Paper Series 1806, June 2018.
• George Perkovich and Wyatt Hoffman, From Cyberswords to Plowshares, Carnegie Endowment for International Peace, October 14, 2019.
• Charlotte Jee, Russia wants to cut itself off from the global internet. Here's what it really means., MIT Technology Review, March 21, 2019.

 

March 3: Perspectives from smaller players—and the role of non-state actors: What do North Korea, Iran, and Israel hope to accomplish in cyber? What level of capabilities do they need to do so? What type of roles do non-state actors play? How does one determine if these are proxies or independent actors? What impact do they have on state actions in cyber? How capable are states of controlling such adversaries?

Readings:

• Collin Anderson and Karim Sadjadpour, Iran's Cyber Threat: Espionage, Sabotage, and Revenge, Carnegie Endowment for International Peace, 2018 (you may omit Chapter 4: Internal Threats).
• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power, Cambridge University Press, 2018, Chapter 5.
• Jason Bartlett, Exposing the Financial Footprints of North Korea's Hackers, Center for a New American Security, November 18, 2020 (you may skip the policy recommendations).
• Gabriella Coleman, Anonymous in Context: The Politics and Power Behind the Mask, CGI Governance Papers, Paper #3, September 2013.
• Niels Nagelhus Schia, The cyber frontier and digital pitfalls in the Global South, Third World Quarterly 39, issue 5, 821-837.
• Owen Barak, Amit Sheniak, and Assaf Shapira, The shift to defence in Israel's hybrid military strategy, Journal of Strategic Studies 43, 2020.

 

March 10:  Deterrence and Attribution: Can deterrence theory apply within the cyber domain? What is the "attribution problem"? Is it a serious problem, and if so, in what ways?

Readings:

• Martin Libicki, Cyberdeterrence and Cyberwar, RAND, 2009, Chapters 1-3.
• Joseph Nye, Nuclear Lessons for Cyber Security, Strategic Studies Quarterly 5, no. 4 (winter 2011).
• Nicholas Tsagourias, Cyber attack, self defence, and the problem of attribution, Journal of Conflict and Security Law 17, no. 2 (2012).
• Mandiant, API1: Exposing One of China's Cyber Espionage Units, 2013.
• Herbert Lin, Attribution of Malicious Cyber Incidents: From Soup to Nuts, Hoover Institution Aegis Paper #1607, Series on National Security, Technology, and Law, 2016.
• Michael P. Fischerkeller and Richard J. Harknett, Deterrence is Not a Credible Strategy for Cyberspace, Orbis 61, Issue 2 (Summer 2017).
• Sasha Romanosky, Private-Sector Attribution of Cyber Attacks: A Growing Concern for the U.S. Government, Lawfare, December 21, 2017.
• Joseph Nye, Deterrence and Dissuasion in Cyberspace, International Security 41, no. 3 (Winter 2016/2017).

 

March 17: The Role Laws and Norms Play in Limiting Cyberattacks: Why have law and norms failed to provide protection against cyber exploits and attacks? is the flaw in policy? Is the failure a result of the technology? Or something else?

Readings:

• Duncan Hollis, New Tools, New Rules: International Law and Information Operations in Ideas as Weapons: Information and Perception in Modern Warfare 59 (G. David and T. McKeldin, eds.), Potomac, 2009.
• William A. Owens, Kenneth W. Dam, and Herbert S. Lin (eds.), Committee on Offensive Warfare, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of Cyberattack Capabilities, National Research Council, 2009, 1.8.3, 7.2.1.2 (Jus in Bello), and 7.2.2.
• Michael Schmitt, Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn't, Just Security, February 9, 2017.
• Eric Talbot Jensen, The Tallinn Manual 2.0: Highlights and Insights, Georgetown Journal of International Law 48, 2017.
• Bobby Chesney, Title 10 and Title 50 Issues When Computer Network Operations Impact Third Countries, Lawfare, April 12, 2018.
• Harriet Moynihan, The Application of International Law to State Cyberattacks: Sovereignty and Non-intervention, International Law Program, Chatham House, 2019.
• Martha Finnemore and Duncan B. Hollis, Beyond Naming and Shaming: Accusations and International Law in Cybersecurity, European Journal of International Law, 2020.

 

March 24: No class (Fletcher spring break)

 

March 31: The Role of Policy and Ethics in Cyber Conflict: Cyber is a mixed battlefield. Stuxnet leaked out of Natanz. While it didn't destroy equipment elsewhere, its capabilities were duly noted—and the cyber arms race escalated. NotPetya destroyed infrastructure not just in Ukraine but around the world. A civil-sector company, Solar Wind, was used as a vector to exfiltrate and perhaps prepare a battlefield against the U.S. What are a nation's obligations as it develops cyber weapons and attacks? Is a "Digital Geneva Convention" possible?

Readings:

• David Wallace and Mark Visger, Responding to the Call for a Digital Geneva Convention, Journal of Law & Cyberwarfare 6, no. 2 (Winter 2018).
• Gary L. Scott and Craig L. Carr, Are States Moral Agents?, Social Theory and Practice, 12, no. 1 (Spring 1986), pp. 75-102. 
• Kim Zetter, Hacking Team Leak Shows How Secretive Zero-Day Exploits Work, Wired, July 24, 2015.
• Ari Schwartz and Robert Knake, Government's Role in Vulnerability Disclosure: Creating a Permanent and Accountable Equities Process, Belfer Center for Science and International Affairs, Kennedy School of Government, June 2016.
• Andi Wilson Thompson, Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter, Lawfare, January 13, 2021.
• Microsoft Policy Blog,  A Digital Geneva Convention to protect cyberspace (Links to an external site.); Brad Smith, The Need for a Digital Geneva Convention (Links to an external site.), February 14, 2017 (view video).
• Sven Herpig and Ari Schwartz, The Future of Vulnerabilities Equities Processes Around the World, Lawfare, January 4, 2019.

 

April 7: Cyber Conflict "Off the Battlefield": With its peculiar mix of private and public sector control, international cyber conflict plays out in multiple domains, including heavily in the private sector. How important to national security are the conflicts over Internet governance, Internet standards, and privacy?

Readings:

• Adam Segal, China's Vision for Cyber Sovereignty and the Global Governance of Cyber Conflict, An Emerging China-Centric Order, National Bureau of Asian Research, NBR Special Report # 87, August 25, 2020, pp. 85-100.
• Dillon Reisman, Where is Your Data Really?: The Technical Case Against Data Localization, Lawfare, May 22, 2017.

 

April 14: Class presentations

 

April 16:  On April 16-17, the Cyber Security and Policy Program will be hosting our third annual Student Symposium in Cybersecurity Policy, which is largely devoted to high-level and insightful discussions of student research papers; papers in previous years have subsequently appeared in law journals, been discussed in Lawfare, and elsewhere. You're urged to attend (12:45-4:30). Dr. Ian Levy, Technical Director of the UK's National Cyber Security Centre, will be giving the keynote on April 16. Sign up with joshua.anderson@tufts.edu.

 

 

April 21: What Might the Future Bring?

Readings:

• National Academies of Science, Engineering, and Medicine, Implications of Artificial Intelligence for Cybersecurity: Proceedings of a Workshop, 2019, Chapters 1, 2, and 7 (Chapter 7 only through page 64).
• Eric Rosenbach, Prepared Statement before the United States Senate Committee on Commerce, Science and Transportation Hearing on “China: Challenges to US Commerce," March 7, 2019.
• Kadri Kaska, Henrik Beckvard, and Tomas Minarik, Huawei, 5G, and China as a Security Threat, NATO Cooperative Cyber Defence Center of Excellence, 2019.