Strategic Competition in Cyberspace + A Cyber Commons?

Question 1

What is the “tragedy of the cyber commons” analogy?

Answer 1

The risk that unregulated shared digital resources (like open networks) will be exploited by individual actors for selfish gain, leading to collective harm (e.g., DDoS attacks, data breaches).

Question 2

Name three UN cyber norms and a challenge to their implementation.

Answer 2

(1) No attacks on critical infrastructure (e.g., power grids), (2) State responsibility for non-state actors (e.g., Russia’s tolerance of REvil), (3) Assistance requests during cyber incidents. Challenge: Vague definitions (e.g., “critical infrastructure” varies by state). Evaluation: 2017 GGE deadlock shows geopolitical divides (US vs. Russia/China).

Question 3

Why did the UN GGE process fail in 2017?

Answer 3

Due to disagreements over: 1) Rules for cyber conflict, 2) State control of information, 3) Applicability of Article 2(4) on use of force

Question 4

What are the five categories of the EU Cyber Diplomacy Toolbox?

Answer 4

1) Preventive (confidence-building), 2) Cooperative (dialogues), 3) Stability (signaling), 4) Restrictive (sanctions), 5) Support to member states (Joint Cyber Unit).

Question 5

How does the NIS Directive enhance EU cybersecurity?

Answer 5

Requires essential services (energy, transport) to report cyber incidents and appoint CSIRTs, but criticized for vague reporting thresholds.

Question 6

What is the key difference between cyber diplomacy and digital diplomacy?

Answer 6

Cyber diplomacy negotiates international cyber norms/laws; digital diplomacy uses digital tools (e.g., Twitter) for traditional diplomacy.

Question 7

What was the significance of NATO’s 2014 Article 5 cyber commitment?

Answer 7

Recognized cyber attacks could trigger collective defense, but left thresholds undefined (unlike kinetic attacks).

Question 8

Name three examples of Russian state-linked cyber operations.

Answer 8

1) Moonlight Maze (1999), 2) Estonia DDoS (2007), 3) Internet Research Agency election interference (2016).

Question 9

What percentage of U.S. persons did Russian IRA Facebook posts reach in 2016?

Answer 9

Estimated 126 million people (29 million directly).

Question 10

What is China’s doctrine of “Active Defense” in cyberspace?

Answer 10

Justifies preemptive cyber strikes against perceived threats, often conflated with IP theft (e.g., Microsoft Exchange hack 2021).

Question 11

What are “patriot hackers” in China’s cyber strategy?

Answer 11

Non-state actors tolerated/encouraged by the PLA to conduct “deniable” attacks (e.g., APT41).

Question 12

What is the U.S. “defend forward” strategy?

Answer 12

Persistent Engagement doctrine allowing preemptive cyber ops to disrupt adversaries (e.g., 2018 takedown of Russian troll farms).

Question 13

What was the Five Eyes network’s role in U.S. cyber strategy?

Answer 13

Enabled mass surveillance via PRISM (2007), sharing signals intelligence among US, UK, Canada, Australia, NZ.

Question 14

What are three examples of U.S.-China cyber rivalry?

Answer 14

1) Huawei 5G bans, 2) APT10 Cloud Hopper attacks, 3) TikTok data privacy disputes.

Question 15

What was the operational impact of the SolarWinds hack (2020)?

Answer 15

Compromised 18,000 networks via software updates, including U.S. Treasury and DOJ, exposing supply chain vulnerabilities.

Question 16

How does the Budapest Convention address cybercrime?

Answer 16

First international treaty on cybercrime (2001), but rejected by Russia/China over sovereignty concerns.

Question 17

What is the key criticism of multistakeholder models like IGF?

Answer 17

Lack enforcement power while allowing authoritarian states to legitimize participation without compliance.

Question 18

What are three types of cyber norms proposed by the UN GGE?

Answer 18

1) No attacks on critical infrastructure, 2) No tampering with supply chains, 3) Assist states under attack.

Question 19

How did Colonial Pipeline (2021) demonstrate ransomware risks?

Answer 19

Caused fuel shortages across U.S. Southeast, paid $4.4M ransom, revealed critical infrastructure vulnerabilities.

Question 20

What is the “cyber sovereignty” model advocated by China/Russia?

Answer 20

State control over domestic internet (e.g., Great Firewall, Runet laws) vs. Western “open internet” ideals.

Question 21

What are the three dimensions of national cyber power according to Klimberg?

Answer 21

1) Government coordination, 2) International alliances, 3) Non-state actor cooperation.

Question 22

What was unique about the Viasat hack (2022)?

Answer 22

Kinetic-cyber hybrid attack disrupting Ukrainian military comms hours before Russia’s invasion.

Question 23

What is the EU Cybersecurity Act’s certification framework?

Answer 23

Standardizes security requirements for ICT products (e.g., IoT devices), though adoption remains slow.

Question 24

Why is attribution difficult in cyber conflicts?

Answer 24

1) Use of proxies (e.g., patriot hackers), 2) VPNs/Tor masking, 3) False flag operations.

Question 25

What was the LockBit ransomware group's peak ransom demand?

Answer 25

$50M (2023 attack on Boeing), exemplifying criminal-state nexuses in Russia.

Question 26

How does GDPR intersect with cyber regulation?

Answer 26

Mandates 72-hour breach notifications (Article 33), creating de facto global standards due to extraterritoriality.

Question 27

What are three examples of cyber confidence-building measures?

Answer 27

1) Hotlines (US-China 2015), 2) Transparency reports, 3) Joint exercises (NATO Cyber Coalition).

Question 28

What is the "zero-day market" and its regulatory challenges?

Answer 28

Trade in unpatched vulnerabilities; criticized for arming governments (e.g., NSO Group's Pegasus).

Question 29

How did NotPetya (2017) blur crime-war distinctions?

Answer 29

Russian malware disguised as ransomware caused $10B+ damage globally, but avoided Article 5 response.

Question 30

What is the OEWG's key difference from the UN GGE?

Answer 30

Open to all UN states (vs. GGE's 25 experts), but diluted outcomes with non-binding recommendations.

Question 31

What are three limitations of international cyber law?

Answer 31

1) No universal treaty, 2) Jurisdictional conflicts, 3) Vague applicability of LOAC to cyberspace.

Question 32

What was the 780th Military Intelligence Brigade's role?

Answer 32

First U.S. "Cyber Brigade" (2006), pioneering military cyber ops later institutionalized under Cyber Command.

Question 33

How does APEC address cybersecurity?

Answer 33

Through non-binding initiatives like the Cybersecurity Strategy (2002), focusing on economic resilience.

Question 34

What are three trends in AI-enabled cyber threats?

Answer 34

1) Deepfake disinformation, 2) Automated phishing, 3) AI-powered vulnerability scanning.

Question 35

What is the "Cyber Defence Pledge" by NATO?

Answer 35

2016 agreement for members to allocate resources to cyber defense, but lacks specific spending targets.

Question 36

How did the 2014 Sony hack escalate US-NK tensions?

Answer 36

Attributed to NK, led to first cyber sanctions under Obama's EO 13694, testing proportionality norms.

Question 37

What is ENISA's role in EU cyber regulation?

Answer 37

Provides certification frameworks and threat analyses, but lacks enforcement powers.

Question 38

What are three examples of Chinese cyber espionage targets?

Answer 38

1) Defense contractors, 2) University research, 3) Healthcare data (e.g., COVID vaccine IP).

Question 39

What is the "Kill Chain" model in cyber defense?

Answer 39

Lockheed Martin's 7-stage framework (Recon to Actions) to disrupt attacks early.

Question 40

What are three arguments for/against the Cyber Crime Treaty?

Answer 40

For: Harmonizes laws; Against: 1) Expands surveillance, 2) Weakens encryption, 3) Lacks human rights safeguards.

Question 41

What was the significance of the 2010 Stuxnet attack?

Answer 41

First known cyber weapon (US/Israel vs. Iran) physically damaging nuclear centrifuges, setting a kinetic precedent.

Question 42

How does the NIS 2 Directive (2023) improve upon NIS 1?

Answer 42

Expands sectors covered (e.g., social media), mandates stricter incident reporting, and harmonizes sanctions.

Question 43

What are three challenges to cyber deterrence?

Answer 43

1) Attribution difficulties, 2) Asymmetric incentives, 3) Escalation risks (e.g., Stuxnet retaliation).

Question 44

What is the "Cyber Ranges" initiative by NATO?

Answer 44

Simulated environments (e.g., Tallinn) for allied cyber defense training and strategy testing.