Course Syllabus

Course Assignments:

Access to reading materials: All materials assigned for the course syllabus are available through the Tufts library system. Important note: sometimes the links break. All the items listed are either stored in files on Canvas or, more likely, available through the Tufts library system.  If you find a broken link, do let me know, but also log in to the Tufts library and access the material directly. Thanks.

Important Note: While assignments and order of classes are fixed, I may add reading assignments. Be sure to check the reading the week before to see if there are any updates.

 

January 24: Introduction to the Conundrum: Why is it that thirty-five years after the first cyber exploit, cyber incidents are growing more serious? More pointedly, what are the causes for the failure to reach international agreements on securing aspects of our digital infrastructure? Today's class will provide an overview of the technical, political, and economic reasons behind the world's growing cyber conflict.

January 31: History of Attacks:  What is the nature of cyberconflict? What did "attacks" look like during the initial period (1986-2010) of cyberconflict? What were nation-state responses? Were they appropriate? In what ways did international international cyberconflict change over the 2010s? What caused these changes? What does that bode for the future?

Readings:

• Claus von Clausvitz, On War (Links to an external site.) chapter 1, What is War? Section 4-10, 13, 18-24.
• David Clark, Thomas Berson, and Herbert S. Lin, eds., At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (Links to an external site.), National Research Council, 2014, pp. 18-40 (Chapter 2 and 3.-3.3.) . Note that the pdf of the report can be downloaded for free.
• Joe Nye, Cyber Power (Links to an external site.), Belfer Center, Harvard Kennedy School, May 2010.
• Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace, 1986-2012, Atlantic Council, 2013, read sections on Solar Sunrise; Moonlight Maze; From TITAN RAIN to BYZANTINE HADES (available on reserve at Ginn Library).
• Thomas Rid, Cyberwar Will Not Take Place,Links to an external site. Journal of Strategic Studies, Vol. 35, Issue 5, 2011.
• Daniel Drezner, Technological Change and International Relations, International Relations, March 2019.
• Nadiya Kostyuk and Erik Gartzke, Why Cyber Dogs Have Yet to Bark Loudly in Russia's Invasion of Ukraine, Texas National Security Review, Summer 2022.
• IMPORTANT NOTE:  those who are unfamiliar with the communications structure of the Internet are strongly advised to attend the technical tutorial on January 28, time TBD. In addition, please also read or view the following material;
• A Packet’s Tale: How Does the Internet Work? (Links to an external site.)

• Cloudflare, The 6 Steps in a DNS Lookup in Cloudflare in What is DNS? How DNS Works (Links to an external site.)

•  (Links to an external site.)Techquickie    00:00-4:20 What is TCP/IP? (Links to an external site.)  (Links to an external site.)

 

February 7: The Technical Side of Cyberweapons:  How do cyberweapons work? What role do vulnerabilities play? How is their use controlled? Is the use of vulnerabilities really controlled?  How did we end up here?

• Watch Zero Days (Links to an external site.), 2016.
• Ben Buchanan, The cybersecurity dilemma: hacking, fear, and trust between nations, Oxford University Press, 2016, Chapter 2.
  
• S. Bellovin, S. Landau, and H. Lin, Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications (Links to an external site.), Journal of Cybersecurity (Links to an external site.), Vol. 3, Issue 1 (2017), pp. 59-68.
• Max Smeets, A matter of time: On the transitory nature of cyberweapons (Links to an external site.), Journal of Strategic Studies 41, Issue 1-2, 2018.
• Marietje Schaake, The Lawless RealmLinks to an external site., Foreign Affairs, November/December 2020.
• Matt Tait, The Kaseya Ransomware Attack is a Really Big Deal, (Links to an external site.) Lawfare, July 5, 2021.

 

February 14: Laws and Norms with Guest speaker: Fletcher's Tom Dannenbaum on International Humanitarian Law: Why have law and norms failed to provide protection against cyber exploits and attacks? is the flaw in policy? Is the failure a result of the technology? Or something else?

• William A. Owens, Kenneth W. Dam, and Herbert S. Lin (eds.), Committee on Offensive Warfare, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of Cyberattack Capabilities (Links to an external site.), National Research Council, 2009, 1.8.3, 7.2.1.2 (Jus in Bello), and 7.2.2.
• Eric Talbot Jensen, The Tallinn Manual 2.0: Highlights and Insights (Links to an external site.), Skim sections II and III. Georgetown Journal of International Law 48, 2017.
• Michael Schmitt, Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn't (Links to an external site.), Just Security, February 9, 2017.
• Harriet Moynihan, The Application of International Law to State Cyberattacks: Sovereignty and Non-intervention, (Links to an external site.) International Law Program, Chatham House, 2019.
• Martha Finnemore and Duncan B. Hollis, Beyond Naming and Shaming: Accusations and International Law in CybersecurityLinks to an external site., European Journal of International Law, 2020.
• David Hechler, What is the Point of these Nation-State Indictments? (Links to an external site.), Lawfare, February 8, 2021.
• Duncan Hollis, A Brief Primer on International Law and Cyberspace, Carnegie Endowment for International Peace, June 14, 2021.
• Kubo Macak, This is Cyber: 1+3 Challenges for the Application of International Humanitarian Law in Cyberspace, Exeter Center for International Law, Working Paper 2019/2.
• Przemyslav Roguski, An Overview of International Humanitarian Law in France's New Cyber Document, Just Security, September 27, 2019.
• Peter Pascucci, Kurt Sanger, Cyber Norms in the Context of Armed Conflict, Lawfare, November 16, 2022.

 

February 21: The US Perspective: What has been the development of US cyber strategy? What is current strategy? Is this strategy likely to be successful?—and what does success actually mean?

Readings:

• Keir Giles and William Hagestad II, Divided by a Common Language: Cyber Definitions in Chinese, Russian, and English, in Proceedings of the 5th International Conference on Cyber Conflict, (Links to an external site.) 2013, pp. 413-429.
• William A. Owens, Kenneth W. Dam, and Herbert S. Lin (eds.), Committee on Offensive Warfare, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of Cyberattack Capabilities (Links to an external site.), National Research Council, 2009, 1.8.4-1.8.5.
• C. Robert Kehler, Herbert Lin, and Michael Sulmeyer, Rules of engagement for cyberspace operations: a view from the USA (Links to an external site.), Journal of Cybersecurity 3, no. 1 (2017).
• United States Cyber Command, Achieve and Maintain Cyberspace Superiority (Links to an external site.), March 2018.
• Read Pillar III, skim the rest of: National Cyber Strategy of the United States of America (Links to an external site.), September 2018.
• Paul M. Nakasone, A Cyber Force for Persistent Operations (Links to an external site.), Joint Force Quarterly 92 (1st Quarter, 2019).
• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Links to an external site.), Cambridge University Press, 2018, pp. 50-58, chapter 4.
• Emily O. Goldman,  The Cyber Paradigm Shift (Links to an external site.), in Ten Years In; Implementing Strategic Approaches to Cyberspace, (Links to an external site.)  U.S. Naval War College, 2020.
• Ciaran Martin, Cyber 'Deterrence': A Brexit Analogy (Links to an external site.), Lawfare, January 15, 2021.
• Jack Goldsmith, Empty Threats and Warnings on Cyber, (Links to an external site.) Lawfare, July 12, 2021.

 

February 28: The Russian Perspective: Both Russia and China seek to focus on "information security" rather than "cyber security." What's the distinction and why is it important? Both Russia and China entered the cyber domain significantly later than the United States, yet seem to have succeeded in "attacking" the U.S. Does that mean US policy "failed"? We'll start by looking at Russia.

Readings:

• Reread: Keir Giles and William Hagestad II, Divided by a Common Language: Cyber Definitions in Chinese, Russian, and English, in Proceedings of the 5th International Conference on Cyber Conflict, (Links to an external site.) 2013, pp. 413-429.
• Keir Giles, Handbook of Russian Information Warfare (Links to an external site.), NATO Defense College, 2016.
• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Links to an external site.), Cambridge University Press, 2018, pp. 58-61 and Chapter 6.
• Jack Goldsmith and Stuart Russell, Strengths Become Vulnerabilities: How a Digital World Disadvantages the United States in its International Relations (Links to an external site.), Hoover Institution Essay, Aegis Paper Series 1806, June 2018.
• Andy Greenberg, The Untold Story of the 2018 Olympics Cyberattack, (Links to an external site.) The Most Deceptive Hack in History, Wired, October 10, 2019.
• George Perkovich and Wyatt Hoffman, From Cyberswords to Plowshares (Links to an external site.), Carnegie Endowment for International Peace, October 14, 2019.

 

March 7: China's Cyber Activity: China is an emerging power. Thirty years ago, the discussion of China as a cyberpower did not seem plausible, but in ensuing decades, the nation has developed various types of capabilities and uses them for various purposes. What is China's long-term strategy and how does cyber fit into it?

Readings:

• Jason Healey, China is a Cyber Victim, Too, Foreign Policy, April 16, 2013.
  
• Andrew J. Nathan  and Andrew Scobell, How China sees America: The sum of Beijing's fears, Foreign Affairs Vol. 91, October 2012.
• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Links to an external site.), Cambridge University Press, 2018, pp. 61-64.
• Adam Segal, Chinese Cyber Diplomacy in a New Era of Uncertainty (Links to an external site.), Hoover Institution Essay, Aegis Paper Series 1703,  2017.
• Kadri Kaska, Henrik Beckvard, and Tomas Minarik, Huawei, 5G, and China as a Security Threat (Links to an external site.), NATO Cooperative Cyber Defence Center of Excellence, 2019.
• Adam Segal, China's Vision for Cyber Sovereignty and the Global Governance of Cyber Conflict, An Emerging China-Centric Order (Links to an external site.), National Bureau of Asian Research, NBR Special Report # 87, August 25, 2020, pp. 85-100.
• Ciaran Martin, Cyber Realism in a Time of War, Lawfare, March 2, 2022.
• Anne Applebaum, Russians Caught Red-Handed by Dutch in Cyber Spying, (Links to an external site.) The Telegraph, October 10, 2018.

Recommended:

• Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Links to an external site.), Cambridge University Press, 2018, Chapter 7.

 

March 14: Perspectives from other nations: What do North Korea, Iran, and Israel hope to accomplish in cyber? What level of capabilities do they need to do so?

Readings:

• Collin Anderson and Karim Sadjadpour, Iran's Cyber Threat: Espionage, Sabotage, and Revenge (Links to an external site.), Carnegie Endowment for International Peace, 2018 (you may omit Chapter 4: Internal Threats).
• Jason Bartlett, Exposing the Financial Footprints of North Korea's Hackers (Links to an external site.), Center for a New American Security, November 18, 2020 (you may skip the policy recommendations).
• Owen Barak, Amit Sheniak, and Assaf Shapira, The shift to defence in Israel's hybrid military strategy (Links to an external site.), Journal of Strategic Studies 43, 2020.
• Citizen Lab and Amnesty International, Devices of Palestinian Human Rights Defenders Hacked with NSO's Groups Pegasus Spyware, (Links to an external site.) November 8, 2021.

 

March 21: Spring break: No class.

 

March 28: The role of non-state actors and attribution: What type of roles do non-state actors play? How does one determine if these are proxies or independent actors? What impact do they have on state actions in cyber? How capable are states of controlling such adversaries? Why is attribution hard? What makes it possible? Guest speaker: Gabriella Coleman.

Readings:

• Gabriella Coleman, Anonymous in Context: The Politics and Power Behind the Mask (Links to an external site.), CGI Governance Papers, Paper #3, September 2013.
• Tom Friedman,The Cancellation of Mother Russia is Underway, New York Times, March 6, 2022.
• Erik Gartzke and Jon Lindsay, Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace, (Links to an external site.) Security Studies, 2015.
• Herbert Lin, Attribution of Malicious Cyber Incidents, 2016, Three Meanings of Attribution, 5-13.

Recommended:

• Tarah Wheeler and Ciaran Martin, Should ransomware payments be banned?, (Links to an external site.) TechStream, Brookings, July 26, 2021.
• Erica Lonegran and Lauren Zabierek, What is Cyber Command's Role in Combating Ransomware? (Links to an external site.), Lawfare,  August 28, 2021.
• Erica Lonegran and Lauren Zabierek, Cyber Command is in the Ransomware Game—Now What?, (Links to an external site.) Lawfare, December 16, 2021.

 

April 4:  First half of class: Deterrence: Can deterrence theory apply within the cyber domain? 

Readings:

• Martin Libicki, Cyberdeterrence and Cyberwar (Links to an external site.), RAND, 2009, Chapters 1-3; feel free to skim chapters 1 and 2; material up to page 36 of chapter 2 should be quite familiar to you at this point.
• Joseph Nye, Nuclear Lessons for Cyber SecurityLinks to an external site., Strategic Studies Quarterly 5, no. 4 (winter 2011).
• Joseph Nye, Deterrence and Dissuasion in Cyberspace (Links to an external site.), International Security 41, no. 3 (Winter 2016/2017).
• Michael P. Fischerkeller and Richard J. Harknett, Deterrence is Not a Credible Strategy for CyberspaceLinks to an external site., Orbis 61, Issue 2 (Summer 2017).

Recommended:

• Sarah Kreps and Jacqueline Schneider, Escalation firebreaks in the cyber, conventional, and nuclear domains: moving beyond effects-based logics, (Links to an external site.) Journal of Cybersecurity, 2019.
• Dmitri Alperovitch and Ian Ward, How Should the U.S. Respond to the Solar Winds and Microsoft Exchange Hacks?, (Links to an external site.) Lawfare, February 12, 2021.

Second half of class: Lightning Talks.

 

April 11: First half of class: Cyber Conflict "Off the Battlefield": With its peculiar mix of private and public sector control, international cyber conflict plays out in multiple domains, including heavily in the private sector. How important to national security are the conflicts over Internet governance, Internet standards, and privacy?

Readings:

• Henry Farell and Abraham Newman, The Transatlantic Data War: Europe Fights Back Against the NSA, (Links to an external site.) Foreign Affairs, January/February 2016.
• Dillon Reisman, Where is Your Data Really?: The Technical Case Against Data Localization (Links to an external site.), Lawfare, May 22, 2017.
• Erik Gartzke and Jon Lindsay, Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace, (Links to an external site.) Security Studies, 2015.

Second half of class: Lightning Talks.

 

April 18: The Role of Policy and Ethics in Cyber Conflict: Cyber is a mixed battlefield. Stuxnet leaked out of Natanz. While it didn't destroy equipment elsewhere, its capabilities were duly noted—and the cyber arms race escalated. NotPetya destroyed infrastructure not just in Ukraine but around the world. A civil-sector company, Solar Wind, was used as a vector to exfiltrate and perhaps prepare a battlefield against the U.S. What are a nation's obligations as it develops cyber weapons and attacks? Is a "Digital Geneva Convention" possible? 

Readings:

• Gary L. Scott and Craig L. Carr, Are States Moral Agents? (Links to an external site.), Social Theory and Practice, 12, no. 1 (Spring 1986), pp. 75-102. 
• Microsoft Policy Blog,  A Digital Geneva Convention to protect cyberspace (Links to an external site.); Brad Smith, The Need for a Digital Geneva Convention (Links to an external site.), February 14, 2017 (view video).
• David Wallace and Mark Visger, Responding to the Call for a Digital Geneva Convention (Links to an external site.), Journal of Law & Cyberwarfare 6, no. 2 (Winter 2018).
• UK, Global Britain in a Competitive Age: the Integrated View of Security, Defence, Development, and Foreign Policy (Links to an external site.), 2021, Read section Responsible, democratic cyber power.

Recommended:

• Kim Zetter, Hacking Team Leak Shows How Secretive Zero-Day Exploits Work (Links to an external site.), Wired, July 24, 2015.
• Ari Schwartz and Robert Knake, Government's Role in Vulnerability Disclosure: Creating a Permanent and Accountable Equities Process (Links to an external site.), Belfer Center for Science and International Affairs, Kennedy School of Government, June 2016.
• Sven Herpig and Ari Schwartz, The Future of Vulnerabilities Equities Processes Around the World (Links to an external site.), Lawfare, January 4, 2019.
• Andi Wilson Thompson, Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter (Links to an external site.), Lawfare, January 13, 2021.

 

April 25:  Future Technologies—and Other Disruptions from Cyber

Readings:

• National Academies of Science, Engineering, and Medicine, Implications of Artificial Intelligence for Cybersecurity: Proceedings of a Workshop (Links to an external site.), 2019, Chapters 1, 2, and 7 (Chapter 7 only through page 64).
• Eric Rosenbach, Prepared Statement (Links to an external site.) before the United States Senate Committee on Commerce, Science and Transportation Hearing on “China: Challenges to US Commerce," March 7, 2019.