• <div class="header-image" style="background-image: url(/live/image/gid/4/2611_Header_V6N2_web_4.rev.1518551584.jpg);">​</div><div class="header-background-color"/>

Cyberwarfare: Policy Challenges for 21st Century Threats

December 06, 2016
Cyberwarfare poses a significant threat to the US government and US businesses. How can policy help to mitigate these threats? What gaps exist today?

By Gavin Alcott

In June of 2010 computer security analysts in Belarus discovered a set of apparently pedestrian malicious files while diagnosing an Iranian client’s computer. However, with some examination, what appeared to be a common virus was actually a highly sophisticated bug targeting vulnerabilities inherent to all Windows systems. Posting their findings online, the bug, dubbed Stuxnet, quickly grabbed the attention of the cyber security community because of its unprecedented complexity.[1] Only after years of analysis and an eventual confidential confirmation by US officials, was the significance of Stuxnet revealed.[2] Jointly developed by Israeli and US intelligence services to target the Iranian nuclear program, Stuxnet was the world’s first digital weapon[3], successful in destroying almost a quarter of Iranian Uranium centrifuges[4], and the first round fired in the latest form of warfare—cyberwar.

The State of Cyberwarfare

Since Stuxnet there has been an exponential acceleration of the development of both offensive and defensive cyber capabilities across the world in both the public and private sector. The US has consolidated its position as a global cyber superpower through increased organization and spending. In 2009 the US united its cyberwar capabilities under the US Cyber Command (USCYBERCOM) headed by the director of the NSA. Since then, spending on cyber capabilities has exploded, with the 2017 Department of Defense budget calling for a 15% increase in spending for cyber operations, bringing the total budget of the program to $6.7 billion dollars.[5] Though most experts concede that American cyber capabilities are superior worldwide, parallel development by rival nations means that US preeminence faces challenges.[6] Notably, other cyber-powerhouses include Russia, China, and Iran, all of whom have been suspected in attacks targeting the US and her interests. Russia, for instance, has been implicated in a host of attacks, including the recent breach at the DNC.[7] In 2009, China was suspected of stealing information on the development of the F-35, the US Air Force’s costly new fighter jet, and using the information to develop a suspiciously similar plane.[8] Finally, Iran has also targeted us interests in cyber-space, including a 2013 attack on major US banks and even the computer systems of a NY state dam.[9] Clearly, despite US supremacy in cyber-space, vulnerabilities still exist. In fact, the US Director of National Intelligence identifies cyber-attacks as the single greatest threat to national security.[10] He is not alone in this analysis, as Pew Research found in May of this year, Americans rank cyber-attacks as the second greatest global threat to national security, only falling behind ISIS.[11] But what are these of these vulnerabilities? What gaps in policy remain regarding the use and responses to cyber warfare attacks?


Significant US Cyber Vulnerabilities


Private Sector Vulnerabilities

Broadly speaking, the most significant of US cyber vulnerabilities lies not in the public, but private sector. As US Army General Martin E. Dempsey explains, civilian businesses and infrastructure are attractive targets because of their significantly lower security (when compared to government targets) and potential to disrupt national security.[12] Exposure in the private sector is significant, with Justin Harvey of Fidelis Cybersecurity estimating that 90% of US companies are not equipped to defend against current cyber threats. The most common attacks targeting US firms are cyber espionage and service disruption through distributed denial of service (DDoS) attacks, which in total cost US companies an estimated $300 billion per year. The vast majority of these threats are from China, from which 70% of corporate intellectual property hacks originate

Infrastructure Vulnerabilities

The greatest dangers to national security in terms of magnitude of impact come from the potential for a devastating attack targeted at key infrastructure. Today computers control everything from hospitals to transportation systems to the electrical grid and an attack on any of these systems could prove devastating. The threat to these systems is very real, as demonstrated in an experiment by the Department of Homeland Security in 2009, which proved that vulnerabilities in the power grid could be exploited using computer-based attacks on control systems to cease operations and destroy vital equipment.[13] While the likelihood of such an attack is remote compared to cyber espionage and cyber thievery, the potential destruction from just one such attack warrants significant concern.

Government Targets

Despite the best efforts of cyber defense experts, the US government remains susceptible to cyber-attacks. Since 2006 the number of cyber-attacks against federal agencies has exploded by 1,300% to more than 70,000 last year.[14] Even more alarmingly, 11 out of 18 agencies with ‘high-impact systems’—systems that “hold information, that if lost could cause ‘catastrophic harm to individuals, the government of the country’, reported attacks affecting their systems. This included an attack on the Office of Personnel Management which resulted in the stealing of personal information, including Social Security numbers and fingerprints of 5.6 million Americans.

Number of reported cybersecurity threats on US government targetsNumber of reported cybersecurity threats on US government targets

Policy Gaps Related to Cyber-warfare

While the US must clearly take specific steps to close gaps in its cyber-defenses, there remain many unanswered policy questions related to cyber-warfare. While the DOD has published specific strategic goals for the development of defensive and offensive cyber options and acknowledged that these options will be integral to future conflict, many gaps still exist in the existing policy framework surrounding the use and misuse of cyber capabilities.[15] At the moment, the decision-making calculus with regard to cyberwar is extremely inconsistent, leading to potentially dangerous situations. While cyber-attacks are certainly dangerous and harmful, it is unclear how responses should manifest or how they fit into the framework of conventional war. For instance, in the case of Stuxnet, from Iran’s perspective, had Iranian centrifuges been destroyed by more conventional means (perhaps an air strike), they could rightfully interpret such an attack as an offensive declaration of war. However, with cyberwar the waters are much murkier. It is generally difficult to identify the source of a cyber-attack with high levels of certainty and thus retaliation is difficult to mount, and policy ambiguity reflects this reality. Additionally, even when formal accusations are made, a nation can easily point to a group of rogue ‘cyber-terrorists’ in their country and blame the attacks on a group outside of their control. Because of these unique characteristics, cyber-attacks are conducive to deniable, ‘black’ operations. However, at the same time, there is significant danger for miscalculation and incorrect or disproportionate retaliation. In order to address these issues, significant steps have to be taken to develop a cyber ‘rules of engagement’, to better outline the appropriate role of cyberwarfare both offensively and defensively.


Despite world-class cyber capabilities, US policymakers and other government agencies have a long way to go to develop both public and private sector best practices in this new technological age. Although arguably a global leader in both offensive and defensive cyber operations, there remain significant and potentially catastrophic gaps in security in key areas of US cyberspace. Additionally, more coherent and specific rules of engagement must be developed to reduce the risks for miscalculation and to better define the appropriate use of cyber war capabilities in decades to come.


  [1] https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/

  [2] https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html

  [3] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

  [4] https://www.washingtonpost.com/opinions/navigating-the-uncharted-waters-of-cyberwarfare/2016/04/13/6e13aa26-00d9-11e6-b823-707c79ce3504_story.html?utm_term=.cdfc6154ec57

  [5] http://www.militaryaerospace.com/articles/2016/02/cyber-security-dod-budget.html

  [6] https://www.weforum.org/agenda/2016/05/who-are-the-cyberwar-superpowers/

  [7] http://www.npr.org/2016/10/10/497423592/u-s-blames-russian-hackers-for-high-profile-cyber-attacks

  [8] http://www.defenseone.com/threats/2015/09/more-questions-f-35-after-new-specs-chinas-copycat/121859/

  [9] http://www.cnn.com/2016/03/23/politics/iran-hackers-cyber-new-york-dam/

  [10] http://time.com/3928086/these-5-facts-explain-the-threat-of-cyber-warfare/

  [11] http://www.people-press.org/2016/05/05/3-international-threats-defense-spending/

  [12] http://www.defense.gov/News/Article/Article/603952


  [14] http://www.thefiscaltimes.com/2016/06/22/Cyberattacks-Against-US-Government-1300-2006

  [15] http://www.politico.com/agenda/story/2015/12/defense-department-cyber-offense-strategy-000331

Student Blog Disclaimer
  • The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Penn Wharton Public Policy Initiative’s strategies, recommendations, or opinions.


  • <h3>Internal Revenue Service: Tax Statistics</h3><p><img width="155" height="200" alt="" src="/live/image/gid/4/width/155/height/200/486_irs_logo.rev.1407789424.jpg" class="lw_image lw_image486 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/155/height/200/486_irs_logo.rev.1407789424.jpg 2x" data-max-w="463" data-max-h="596"/>Find statistics on business tax, individual tax, charitable and exempt organizations, IRS operations and budget, and income (SOI), as well as statistics by form, products, publications, papers, and other IRS data.</p><p> Quick link to <strong>Tax Statistics, where you will find a wide range of tables, articles, and data</strong> that describe and measure elements of the U.S. tax system: <a href="http://www.irs.gov/uac/Tax-Stats-2" target="_blank">http://www.irs.gov/uac/Tax-Stats-2</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>USDA Nutrition Assistance Data</h3><p><img width="180" height="124" alt="" src="/live/image/gid/4/width/180/height/124/485_usda_logo.rev.1407789238.jpg" class="lw_image lw_image485 lw_align_right" srcset="/live/image/scale/2x/gid/4/width/180/height/124/485_usda_logo.rev.1407789238.jpg 2x, /live/image/scale/3x/gid/4/width/180/height/124/485_usda_logo.rev.1407789238.jpg 3x" data-max-w="1233" data-max-h="850"/>Data and research regarding the following <strong>USDA Nutrition Assistance</strong> programs are available through this site:</p><ul><li>Supplemental Nutrition Assistance Program (SNAP) </li><li>Food Distribution Programs </li><li>School Meals </li><li>Women, Infants and Children </li></ul><p> Quick link: <a href="http://www.fns.usda.gov/data-and-statistics" target="_blank">http://www.fns.usda.gov/data-and-statistics</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>National Bureau of Economic Research (Public Use Data Archive)</h3><p><img width="180" height="43" alt="" src="/live/image/gid/4/width/180/height/43/478_nber.rev.1407530465.jpg" class="lw_image lw_image478 lw_align_right" data-max-w="329" data-max-h="79"/>Founded in 1920, the <strong>National Bureau of Economic Research</strong> is a private, nonprofit, nonpartisan research organization dedicated to promoting a greater understanding of how the economy works. The NBER is committed to undertaking and disseminating unbiased economic research among public policymakers, business professionals, and the academic community.</p><p> Quick Link to <strong>Public Use Data Archive</strong>: <a href="http://www.nber.org/data/" target="_blank">http://www.nber.org/data/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Congressional Budget Office</h3><p><img width="180" height="180" alt="" src="/live/image/gid/4/width/180/height/180/380_cbo-logo.rev.1406822035.jpg" class="lw_image lw_image380 lw_align_right" data-max-w="180" data-max-h="180"/>Since its founding in 1974, the Congressional Budget Office (CBO) has produced independent analyses of budgetary and economic issues to support the Congressional budget process.</p><p> The agency is strictly nonpartisan and conducts objective, impartial analysis, which is evident in each of the dozens of reports and hundreds of cost estimates that its economists and policy analysts produce each year. CBO does not make policy recommendations, and each report and cost estimate discloses the agency’s assumptions and methodologies. <strong>CBO provides budgetary and economic information in a variety of ways and at various points in the legislative process.</strong> Products include baseline budget projections and economic forecasts, analysis of the President’s budget, cost estimates, analysis of federal mandates, working papers, and more.</p><p> Quick link to Products page: <a href="http://www.cbo.gov/about/our-products" target="_blank">http://www.cbo.gov/about/our-products</a></p><p> Quick link to Topics: <a href="http://www.cbo.gov/topics" target="_blank">http://www.cbo.gov/topics</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>The Penn World Table</h3><p> The Penn World Table provides purchasing power parity and national income accounts converted to international prices for 189 countries/territories for some or all of the years 1950-2010.</p><p><a href="https://pwt.sas.upenn.edu/php_site/pwt71/pwt71_form.php" target="_blank">Quick link.</a> </p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>National Center for Education Statistics</h3><p><strong><img width="400" height="80" alt="" src="/live/image/gid/4/width/400/height/80/479_nces.rev.1407787656.jpg" class="lw_image lw_image479 lw_align_right" data-max-w="400" data-max-h="80"/>The National Center for Education Statistics (NCES) is the primary federal entity for collecting and analyzing data related to education in the U.S. and other nations.</strong> NCES is located within the U.S. Department of Education and the Institute of Education Sciences. NCES has an extensive Statistical Standards Program that consults and advises on methodological and statistical aspects involved in the design, collection, and analysis of data collections in the Center. To learn more about the NCES, <a href="http://nces.ed.gov/about/" target="_blank">click here</a>.</p><p> Quick link to NCES Data Tools: <a href="http://nces.ed.gov/datatools/index.asp?DataToolSectionID=4" target="_blank">http://nces.ed.gov/datatools/index.asp?DataToolSectionID=4</a></p><p> Quick link to Quick Tables and Figures: <a href="http://nces.ed.gov/quicktables/" target="_blank">http://nces.ed.gov/quicktables/</a></p><p> Quick link to NCES Fast Facts (Note: The primary purpose of the Fast Facts website is to provide users with concise information on a range of educational issues, from early childhood to adult learning.): <a href="http://nces.ed.gov/fastfacts/" target="_blank">http://nces.ed.gov/fastfacts/#</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>HUD State of the Cities Data Systems</h3><p><strong><img width="200" height="200" alt="" src="/live/image/gid/4/width/200/height/200/482_hud_logo.rev.1407788472.jpg" class="lw_image lw_image482 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/200/height/200/482_hud_logo.rev.1407788472.jpg 2x, /live/image/scale/3x/gid/4/width/200/height/200/482_hud_logo.rev.1407788472.jpg 3x" data-max-w="612" data-max-h="613"/>The SOCDS provides data for individual Metropolitan Areas, Central Cities, and Suburbs.</strong> It is a portal for non-national data made available through a number of outside institutions (e.g. Census, BLS, FBI and others).</p><p> Quick link: <a href="http://www.huduser.org/portal/datasets/socds.html" target="_blank">http://www.huduser.org/portal/datasets/socds.html</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>MapStats</h3><p> A feature of FedStats, MapStats allows users to search for <strong>state, county, city, congressional district, or Federal judicial district data</strong> (demographic, economic, and geographic).</p><p> Quick link: <a href="http://www.fedstats.gov/mapstats/" target="_blank">http://www.fedstats.gov/mapstats/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Federal Aviation Administration: Accident & Incident Data</h3><p><img width="100" height="100" alt="" src="/live/image/gid/4/width/100/height/100/80_faa-logo.rev.1402681347.jpg" class="lw_image lw_image80 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/100/height/100/80_faa-logo.rev.1402681347.jpg 2x, /live/image/scale/3x/gid/4/width/100/height/100/80_faa-logo.rev.1402681347.jpg 3x" data-max-w="550" data-max-h="550"/>The NTSB issues an accident report following each investigation. These reports are available online for reports issued since 1996, with older reports coming online soon. The reports listing is sortable by the event date, report date, city, and state.</p><p> Quick link: <a href="http://www.faa.gov/data_research/accident_incident/" target="_blank">http://www.faa.gov/data_research/accident_incident/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>NOAA National Climatic Data Center</h3><p><img width="200" height="198" alt="" src="/live/image/gid/4/width/200/height/198/483_noaa_logo.rev.1407788692.jpg" class="lw_image lw_image483 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/200/height/198/483_noaa_logo.rev.1407788692.jpg 2x, /live/image/scale/3x/gid/4/width/200/height/198/483_noaa_logo.rev.1407788692.jpg 3x" data-max-w="954" data-max-h="945"/>NOAA’s National Climatic Data Center (NCDC) is responsible for preserving, monitoring, assessing, and providing public access to the Nation’s treasure of <strong>climate and historical weather data and information</strong>.</p><p> Quick link to home page: <a href="http://www.ncdc.noaa.gov/" target="_blank">http://www.ncdc.noaa.gov/</a></p><p> Quick link to NCDC’s climate and weather datasets, products, and various web pages and resources: <a href="http://www.ncdc.noaa.gov/data-access/quick-links" target="_blank">http://www.ncdc.noaa.gov/data-access/quick-links</a></p><p> Quick link to Text & Map Search: <a href="http://www.ncdc.noaa.gov/cdo-web/" target="_blank">http://www.ncdc.noaa.gov/cdo-web/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>The World Bank Data (U.S.)</h3><p><img width="130" height="118" alt="" src="/live/image/gid/4/width/130/height/118/484_world-bank-logo.rev.1407788945.jpg" class="lw_image lw_image484 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/130/height/118/484_world-bank-logo.rev.1407788945.jpg 2x, /live/image/scale/3x/gid/4/width/130/height/118/484_world-bank-logo.rev.1407788945.jpg 3x" data-max-w="1406" data-max-h="1275"/>The <strong>World Bank</strong> provides World Development Indicators, Surveys, and data on Finances and Climate Change.</p><p> Quick link: <a href="http://data.worldbank.org/country/united-states" target="_blank">http://data.worldbank.org/country/united-states</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Federal Reserve Economic Data (FRED®)</h3><p><strong><img width="180" height="79" alt="" src="/live/image/gid/4/width/180/height/79/481_fred-logo.rev.1407788243.jpg" class="lw_image lw_image481 lw_align_right" data-max-w="222" data-max-h="97"/>An online database consisting of more than 72,000 economic data time series from 54 national, international, public, and private sources.</strong> FRED®, created and maintained by Research Department at the Federal Reserve Bank of St. Louis, goes far beyond simply providing data: It combines data with a powerful mix of tools that help the user understand, interact with, display, and disseminate the data.</p><p> Quick link to data page: <a href="http://research.stlouisfed.org/fred2/tags/series" target="_blank">http://research.stlouisfed.org/fred2/tags/series</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>