Modern Cyber
Deterrence Theory:
Norms,
Assumptions and Implications
Table of Contents
I.
Introduction
II.
Definition
III.
Stakeholders
IV.
Origins
V.
Norms and Assumptions
VI.
Public Goods
VII.
Institutional Structure
VIII.
Legality
IX.
Military Operations
X.
Policy Implications
XI.
Conclusion
I.
Introduction
The theoretical view that information
implies power and should be made widely available, without barriers to access,
is a fundamental construct that was outlined in the Guerilla Open Access Manifesto by Aaron Swartz.[1] The technological capabilities, philosophical
values and role of cyber warriors will have a prevailing effect on cyber
deterrence.[2] The technologies can be used by good (white
hat) and bad (black hat) hackers to express philosophical values and beliefs in
cyberspace.[3] The norms in cyberspace are not always established
by traditional institutions, but by freelance and organized hackers, who have
the ability to retaliate for perceived grievances and injustices committed by
institutions. In the aftermath of
Swartz’s suicide, Anonymous hacked the MIT and Department of Justice websites
as an indictment of their integrity.[4]
The ability of freelance and organized hackers to indict institutions for
philosophical grievances has wide-ranging implications for cyber deterrence
theory and U.S. national security policy in the 21st century.
Although the hacking of the MIT and
DOJ websites were benign in nature, it can be extrapolated that the objections of
individuals or groups, state or non-state actors can turn malicious. The malicious intent or violent outcome of a
cyber-attack can have implications for US national security interests. An example of this would be if cyber warriors
brought down US satellite communications and then sent a bombardment of surface
to air missiles at strategic targets, resulting in massive losses from air
defense being disabled. Additionally, the
effect of satellite communications being brought down would have far reaching
ramifications for transportation, navigation, military troops on the ground and
commercial activity, among others.
Mokarram (2013) stated that the
future of cyberspace will be occupied with cyber wars – these wars impose
effects on society at large and are waged at a low cost, increasing the
incentive to conduct cyber warfare operations. The purpose of this research is to analyze
cyber deterrence theory and discuss implications of the economic outcomes and
behaviors of stakeholders in relation to US national security policy. This research seeks to consider important
constructs from the prevailing literature along with norms and assumptions that
influence behavior among stakeholders involved.
Cyber warfare will be discussed in a general sense, but this is meant to
encompass a wide-range of operations that can be conducted in the cyber sphere,
particularly those that result in negative externalities or consequences for
society; including cyber terrorism, cyber-crime, cyber espionage, state and
non-state sponsored cyber-attacks.
II.
Definition
Deterrence theory suggests some form of
retaliation or motive for prevention.
Cyber deterrence can be defined as the ability of institutions and
organizations to deny, protect and retaliate against cyber-attacks. In relation to nuclear arms, Gerson (2009)
defined deterrence as “the threat of force intended to convince a potential
aggressor not to undertake a particular action because the costs will be
unacceptable or the probability of success extremely low.” The success of cyber
deterrence is instrumental to US national security policy objectives. The unfortunate aspect of success in
deterrence theory is that good deterrence cannot be seen or rewarded – much
like preventing a terrorist attack.
Adversaries who engage in cyber warfare often have psychological or
political motives. These motives are subject to interpretation of ethics,
morality and values. The ramifications and proportionality of retaliation that
ensues is a decision that can be influenced or mitigated with applicable
deterrence.[5]
III.
Stakeholders
The key stakeholders in cyber
deterrence encompass much, if not all of the developed world. Nation-states across the globe, represented
by their government structures and institutions play a vital role in cyber
deterrence – they are often targets of attacks with significant risk in
deterrence if national interests are compromised. Non-state organizations are a key stakeholder
in cyberspace with access to resources, fewer parameters and ethical boundaries
when it comes to cyber operations.
Economic stakeholders include the individuals and organizations that
benefit from cyber operations – through spending on networks, security,
information technology and services.
Specific to US National Security, institutional
stakeholders include, but are not limited to: Strategic Command; Cyber Command;
the National Security Agency; the Central Intelligence Agency; the Defense
Intelligence Agency; the Defense Information Systems Agency; the National Security Council; the Joint
Chiefs of Staff; the National Reconnaissance Office; the National
Geospatial-Intelligence Agency; Homeland
Security; the Federal Bureau of Investigation; US Treasury; The Federal
Reserve; Key players in cyberspace:
policymakers; militaries; professionals and service providers; hackers;
hacktivists; institutions; corporations; nation-states; and non-state organizations.
IV.
Origins
Historically, modern deterrence
theory began during the nuclear arms race of the Cold War. According to Schelling (1966), the most
successful threats are the ones that do not need to be acted on. Additionally, the use of violence to
influence behavior of the population is strategic and coercive. This is most
influential when it is served in close proximity or highly visible – where the
annihilation, pain and violence are most apparent. After Hiroshima and Nagasaki, the capabilities
and destruction of nuclear war were assumed – deterrence was embedded in the
annihilation and use of maximum proportionality of violence. One of the strategic goals of nuclear
deterrence was to deny the enemy access and resources.
Schelling (1966) wrote that
negotiation is merely optional with enough military force. The application of
this theory to cyberspace and cyber deterrence is problematic. Cyberspace does not contain a Geneva,
Switzerland or Camp David to negotiate treaties. Negotiation is performed
through proliferation of data, networks and information. Schelling used the
example of Genghis Khan, who exploited men, women, and children as hostages to
achieve a diplomatic solution.
Morgan (2012) believed that
conventional deterrence was something that did not always work. It may have prevented nuclear wars, but
frequently resulted in rivalry, bitterness and military conflict between
nation-states abroad. In this case, it
was the US and Russia that were indirectly confrontational in areas such as
Afghanistan, Vietnam and Korea. Morgan
argues that full-scale conflict between super powers was avoided at the expense
of smaller conflicts and provocations that became more common.
V.
Norms and Assumptions
Stevens (2012) argued that
traditional nuclear deterrence is not always applicable in cyberspace. The fundamental rule of deterrence is that
the risk (cost) is offset by the reward (benefit). Rules of engagement, norms and retaliation
have yet to be defined. Stevens advanced
six notions of why cyber deterrence does not conform to conventional deterrence
strategies: (1) significant military based-conflict is absent; (2) non-state
actors in cyberspace alter the playing field in terms of rationality; (3) the
ability to retaliate in cyberspace is compounded due to the lack of
geographical presence(e.g. problem of identification); (4) acquiring enemy
assets (e.g. hostage taking) to facilitate negotiation is complicated; (5)
rules of engagement are not commonly understood; (6) the cost of escalating a
cyber-attack is cheap, increasing the likelihood of unstable conflicts with
potential for physical confrontations.
Identification of the adversary in
cyberspace is difficult. Mokarram (2013)
stated that credible deterrence is based on efficient execution and alleged
ability to respond among the parties involved.
In conventional deterrence theory, Gerson (2009) wrote that in order for
deterrence to be credible, the adversary must perceive the political willpower
and military capabilities to be comprehensive.
It can be challenging for institutions to identify the culprit of a
cyber-attack while the entire network and communication system is down. From this example, the deterrence calculation
is influenced based on the strategy chosen by the adversary – the network being
brought down minimizes the ability to identify and retaliate against those who
committed the attacks. Indirectly, this
influences the cost-benefit (risk-reward) calculation of the parties involved.
The assumed retaliation by the US
military is a key component of war and deterrence theory. If the aggrieved
party reacts with great enough pain
and violence, the action serves as a
deterrent to future acts of violence. Gerson
(2009) wrote that credibility in conventional deterrence is based on perception
of political capital and military capabilities.
The parameters that define cyber deterrence are questionable because
they could involve any number of state or non-state actors. These actors can
use cyber espionage, cyber-crime or cyber terrorism to violate normative values
in cyberspace (Stevens 2012). The
security aspect of cyberspace is engaged with a growing field of professionals
that maintain networks, information systems and security protocols for
government and corporate clients.
In the early 1980s, the massacre of
Hama, Syria by Hafez al-Assad and interplay between political factions gave way
to Hama rules – meaning that the
absence of rules was prevalent in multifaceted civil war – revenge can be
atrocious, unpredictable and painful.[6] This absence of rules is quintessential to
understanding the development of norms in cyberspace. The freedom of thought, movement and exchange
of ideas in cyberspace is the fundamental value and assumption where black and
white hackers can find common ground.
This is a mutual understanding
between black and white hackers, that the principle of free exchange and
movement of ideas have implications for cyberspace and the political economy
at-large. First, with public
information, the internet allows for both parties in cyberspace to be privy of
complete information. This is the opposite of what happens in the presence of
asymmetric information where many market transactions take place. Second, the extent which the bureaucracy,
political systems and government hinders this movement is an inherent violation
of turf and grounds for conflict among hackers, leading to the rise and
formation of non-state hackers such as Anonymous and information sharing
networks like Wikileaks.
VI.
Public Goods
Cyberspace is essentially a public
good. The existence and security of cyberspace is vital to nearly all aspects
of developed and modern society. The premise for a public good is that everyone
benefits and it cannot be apportioned, divisible or denied. The cost of providing a public good is
prohibitively expensive such that the benefit is not large enough to justify
the provision by the market. Thus, the
security and provision of cyberspace is in unchartered territory (with a valid
internet connection) when it comes to government’s ability to distribute the
benefits of cyber security to everyone.
The public good is provisioned through the US military support for Cyber
Command (USCYBERCOM) and the role is shaped by the institutional structure and
norms within the cyber community.
Morgan
(2012) used the example of the UN Security Council as a key component of “collective
actor deterrence.” From collective action, the ability of nation-states to pool
resources to protect the public good creates positive externalities. First, the collective action is a form of
implicit deterrence. This raises the cost of cyber warfare and risk of
retaliation. Second, the use of
collective action to protect the public good reduces the risk of
independence. In the event of an attack,
collective action to protect the public space could limit the scale and allow
for retaliation, while promoting deterrence for members of the group.
VII.
Institutional Structure
According to an International Law Studies U.S. Naval War College article by Paul Walker
(2013), the role of Cyber Command (USCYBERCOM) in national security policy was
proposed based on three objectives, (1) to respond to a major breach on
Department of Defense information networks, (2) to increase capabilities and
proficiencies for global operations networks, and (3) to reorganize the Joint
Task Force –Global Network Operations (JTF-GNO) and Joint Functional Command
Component – Network Warfare (JFCC-NW) into a single unified command, enhancing
the ability of DoD to defend its networks and conduct offensive
operations. Walker (2013) stated that
the formation of US Cyber Command was driven by the DoD response to “the most
significant breach of U.S. military computers ever” (2008), with creation of
Operation Buckshot Yankee.[7]
The combination of these objectives was created in June 2009 and operationalized
in October 2010. Following the U.S. lead, Cyber Command was announced across
other countries in strategic initiatives, including China, India and
Russia.
The framework and role of cyber
deterrence in national security policy is shaped by USCYBERCOM and the
institutional structure of US Strategic Command. In a September 2010 testimony
by General Keith Alexander, he envisioned a wide-ranging role that was not
limited to simply managing DoD networks and security. This implies an offensive cyber threat under
the US national security apparatus. General
Alexander was keenly aware of the unique challenges posed by cyberspace,
stating, “the distinctions between public and private, government and
commercial, military and non-military are blurred.”
US Strategic Command (USSTRATCOM)
recently transitioned power from General Robert Kuehler to Admiral Cecil Haney
as of November 2013. This transition
took place during a publicized internal organizational battle between USCYBERCOM
and the NSA, key components of the USSTRATCOM umbrella. The resource allocation to USCYBERCOM and NSA
under the leadership of Strategic Command centralizes a significant power base
in a single command post, and thus may warrant separate leadership. The implication was that the NSA head would
be better served with a civilian leader. This was manifested in a recent Washington
Post article proposing a splitting of the duties such that NSA and USCYBERCOM
are under independent budgetary authority.[8] The argument for splitting the leadership was
that the country was better served with a separate governance structure and
less competition within USSTRATCOM.
The DoD focus on cyber deterrence and
the emerging threat has led to the formation of various entities within
USCYBERCOM – US Army Cyber Command, US Fleet Cyber Command, Air Forces CYBER/24th
Air Force.[9]
Primarily, the focus is on deterring threats and intrusions by outside actors
or nations. The US Army Cyber Command’s
stated mission is to “coordinate, integrate, synchronize, direct and conduct
network operations and defense of all Army networks in support of full spectrum
of operations to ensure US/Allied freedom of action in cyberspace, and to deny
the same to our adversaries.”[10] The mission statement implies deterrence by
denial in cyberspace – a concept developed during the Cold War. However, the
application of deterrence theory in cyberspace is fundamentally different than
past experience.
The strategic deterrence and the role
of USCYBERCOM cannot be understated. The
Washington Post’s Black Budget Report (2013) reported spending of $4.3 billion
for cyber operations. The increasing
dependence on data, surveillance, information, networks and security has driven
the demand for cyber deterrence in practice.
VIII.
Legality
The legality of cyber warfare has
much room for debate. Does a planned
cyber-attack constitute an armed attack? To what extent does the UN Security
Council regulate conflict in cyberspace?
How does the Geneva Convention apply to cyberspace? What are the rules
of engagement? Once general norms are understood, there is likely to be a
deviation or backlash against institutions before legal experts can agree on
what constitutes legality. The reason is
that it is impossible to include everyone when setting the basic principles of
internet freedom. Jus ad bellum
implies the right to self-defend and retaliate against an “armed attack.” The
violation of the free movement of information and ideas is likely to provoke organizations
or hacktivists to retaliate, much like an insurgency, for perceived injustices
committed by the institutions. The
Swartz case, as stated earlier, exemplified this concept on a small scale.
In a research paper by Eric Posner,
he stated that reciprocity has the tendency to create reinforcing engagements,
breeding collective action.[11] From the international perspective, laws are
commonly obeyed if the repercussion is unwavering and prompt. If the laws are not applied uniformly in
cyberspace then the ability to take legal action is weak. Legality in the case of cyberspace is jus ad bellum- based on norms developed
by states and institutions, widely accepted by the international
community. Jus ad bellum in cyberspace derives legitimacy through collective
action by the international community. Collective action from the international
community is not likely to advance without a crisis that creates urgency among
the European Union or United States.
IX.
Military Operations: Georgia (2008)
Goodman (2010) cited the example of
Georgia (2008) to illustrate how a state (Russia) can use cyber operations to
facilitate or pre-empt conventional military operations. Using Twitter and Facebook networks, the Russian
hackers were successful at disrupting critical network systems- so successful
that communications, electrical and internet blackouts occurred. The cyber-attack in this case was followed-up
with boots on the ground. Government,
businesses and commercial services were severely impacted by the outages, as
the Georgian government was forced to rely on allies like Poland and
corporations such as Google to get their systems back on-line. Despite the deterrence failures that
occurred, Georgia is a recent example of how cyber-attacks can be used as
political and economic leverage in anticipation of military conflict.
X.
Policy Implications
In order to deter an insurgency, the
counterinsurgent must find a way to address the underlying cause and grievance
of the population. In cyberspace, the
bureaucratic nature of government institutions, particularly in the U.S. and
Western Europe, are at an obvious disadvantage to adversaries that operate
under a different set of assumptions and rules.
Compounding this vulnerability, the rules and bureaucracy that hinder a
response to a cyber-attack can also be the very reason for the attack in the
first place. For example, the secret
nature of the NSA and CIA mitigates the bureaucracy at some level, but also
impose their own structure and ethical boundaries- of which, the structures and
integrity of the institutions themselves can be the motive for the attack in
the first place. Thus, state and
non-state hackers can choose the time and place for attacks, as well as the
proportionality of the attacks, much like an insurgent that utilizes guerilla
warfare. Like counterinsurgent
strategies, modern cyber deterrence theory ought to recognize the motive of the
insurgent (hacker).
The costs and benefits of waging
cyber warfare are significantly less expensive than what is waged with
conventional warfare or modern insurgencies.
Conversely, the cost of security and defense of these networks is
astronomical. Dr. David Kilcullen stated
that Al-Qaeda attacked the US for $400,000 to $500,000, while the US spent
trillions of dollars creating a complex national security apparatus, military
operations and resources for Iraq and Afghanistan, in addition to the loss of
human capital and opportunity costs. The opportunity cost created by 9-11 was
huge. This resulted in a fundamental shift in behavior, and economic
assumptions underlying this behavior.
Furthermore, the economic event of 9-11 resulted in symbolic attack on
physical infrastructure on some of the most expensive commercial real estate in
the world.
It is not far-fetched that a 9-11 of
cyberspace would be economically cheaper and more expensive in terms of
economic costs – with wide ranging implications. Information networks and cables could be
targeted, while physical infrastructure such as the power grid and institutions
such as governments, corporations, populations in global megacities could be
the objective. The nuclear event in cyberspace is the halt or stoppage of the
global economy - the extent which (financial) transactions are stored online
has a substantial risk. Moreover, if events like a flash crash cut off access
to money or financing, the US government and national security interests would
be severely compromised.
As stated by Stevens (2012), the
responsibility to protect cyberspace is no longer limited to network and
information security professionals- it extends beyond borders to political,
military and diplomatic stakeholders. Technological advantages by the US and
its allies proxy as de facto deterrence – much like the Cold War. However, institutional framework and the bureaucratic
nature of corporate and government resources may stifle innovation as rational
actors seek to protect turf. In my
opinion, it is possible that the nature of hacktivist organizations - to
leverage open ended information sharing networks- may gather knowledge and
technological capabilities at a rate that exceeds the government or private
sector. The black market nature of
hacking, lack of ethical boundaries and gap between institutional and
individual norms may facilitate cyber conflict in the future. It is equally plausible that false
accusations in cyberspace, due to the identification problem, may result in
negative externalities and physical violence.
The practical role of cyber
deterrence is inherently asymmetric. The
one-sided nature implies that the burden is always on the institution – to
protect, prevent and deny access to secure information sharing networks. The one-sided nature to deterrence is evident
in the hacker v. institution conflict
– the hacker does not have critical infrastructure to secure and therefore behaves
asymmetrically. When game theory exists between institution v. institution conflict, the game is more logical-
reputational risks, asset risks, legal risks, corporate risks and external
actors are at play. An example of this
is the Google v. China cyber
espionage event in 2009-2010 (Stevens 2010). Both institutions are sufficiently
large and have overarching ambitions, albeit different goals. Estonia
v. Russia (2007) is more asymmetric because of size differential between
the institutions.
Unlike nuclear deterrence, the domain
and parameters surrounding warfare and deterrence in cyberspace are ambiguous. However, the intersection of nuclear and
cyber deterrence was seen recently in use of the Stuxnet virus. Stuxnet is the
virus that was used to infect Natanz Iranian nuclear centrifuges. The virus was
widely believed to have been developed by Israeli and US agents.[12]
The result of Stuxnet led to the institutional formation of Iran’s Cyber
Command equivalent.
Large-scale hacks and cyber events will
only increase in the future as the cost of obtaining internet access trends
lower over time. Cyber-bullying may
become more commonplace and political motivation may be the norm, as noted in
Nazario’s Politically Motivated Cyber
Attacks.[13] In cyberspace, the lines between states
and non-states become opaque over time – political and collective action can
travel exponentially faster in the era of social networking and free flow of
information. It is vital that deterrence capabilities adapt proportionately and
keep up with technological advancement in the black market. The cyberspace version of North Korea testing
and conducting nuclear launches is not something that can be risked in a
developed world- one that relies increasingly on global financial and payment
networks.
XI.
Conclusion
As it relates to US national security
policy, the role of deterrence in cyberspace is fundamentally different than
past experience. Gen. Alexander was
keenly aware of the unique challenges posed by cyberspace, stating, “The
distinctions between public and private, government and commercial, military
and non-military are blurred.” It is not
practical to deny an individual access to the internet. As
opposed to denial of access, cyber deterrence ought to focus on offensive,
defensive and theoretical capabilities. The
formation of USCYBERCOM is one step in the right direction. A separate
budgetary control and authority for USCYBERCOM will promote competition for
assets and resources, leading to greater capabilities and technology. Increased
information sharing with regards to cyber-security and cyberspace
identification is another step that can lead to increased knowledge among the
good hackers.
The extent which information is
protected and secured, without regards to its utility is an economic risk as it
relates to developing technological capabilities. As organizations like the FBI and CIA are
walled off from each other in terms of communication, there lies a significant
institutional hurdle for the US to overcome (Spears 2010). The knowledge sharing among ‘the good’ institutions
promotes implicit deterrence – through more access to resources and ability to
retaliate. Moreover, the ability to
promote ethical knowledge sharing and utility in cyberspace can be facilitated
through an international organization or NGO. The military and kinetic use of
cyber capabilities are typically reserved for nation-state actors. Nation-states also set laws and legal
recourse for actions taken in cyberspace.
The use of traditional military operations in Georgia, combined with
cyber warfare, has an extensive impact on US national security and 21st
century warfare.
Hackers can be transformed into
‘accidental guerillas’ when institutions violate philosophical values such as
the free flow of information in cyberspace, raising the bar for cyber
deterrence. Hacktivists reserve the
right to express philosophical values while influencing norms secondarily. Furthermore, the dynamic nature of cyberspace
creates historic challenges for cyber deterrence and US national security
policy in the 21st century. In the absence of cohesive norms and commonly
shared principles, the only rules in cyberspace become Hama Rules.
Works
Cited
Alexander, General Keith, interview by House Armed
Services Subcommittee. Cyberspace Operations Testimony (September 23,
2010).
Censer, Marjorie. "From blue-collar Army base to
white-hot cyber city." Washington Post Cybersecurity Special Report,
Oct 2013.
Friedman, Thomas. From Beirut to Jerusalem.
Picador, 1989.
Gerson, Michael S. "Conventional Deterrence in
the Second Nuclear Age." Parameters, 2009: 32-48.
Goodman, Will. "Cyber Deterrence: Tougher in
Theory than in Practices." Strategic Studies Quarterly, Fall 2010:
102-135.
Haley, Christopher. "A Theory of Cyber
Deterrence." Georgetown University, 2013.
Kilcullen, David. The Accidental Guerrilla.
Oxford University Press, 2009.
Lan, Tang, et al. "Global Cyber Deterrence:
Views from China, the US, Russia, India, and Norway." East West
Institute, 2010.
Lewis, James Andrew. "The arms race in
cyberspace." Washington Post Cybersecurity Special Report, Oct
2013.
Mokarram, Ali. "European cyber security: a cyber
deterrence approach." 2013.
Morgan, Patrick M. "The State of Deterrence in
International Politics Today." Contemporary Security Policy, 2012.
Nazario, Jose. "Politically Motivated Denial of
Service Attacks." NATO Cooperative Cyber Defence Center of Excellence,
n.d.
Posner, Eric A. "Human Rights, the Laws of War,
and Reciprocity." John M. Olin Law & Economics Working Paper No.
537, September 2010.
Spears, Austin. "United States Cyber Security in
the 21st Century." Public Review, 2012.
Stevens, Tim. "A Cyberwar of Ideas? Deterrence
and Norms in Cyberspace." Contemporary Security Policy, 2012.
Stone, John. "Conventional Deterrence and the
Challenge of Credibility." Contemporary Security Policy, 2012.
Walker, Paul. "Organizing for Cyberspace
Operations: Selected Issues." International Law Studies, Naval War
College, 2013.
[1]
Aaron Swartz was arrested by MIT police and indicted in September 2012 in
federal court for downloading and proliferating academic journals for viewing
by the public domain. His view, shared by members of the hacking group
Anonymous, believed that academic research was funded using taxpayer dollars
and resources, and therefore should be made freely available. Facing the
possibility of multiple decades of imprisonment, Mr. Swartz committed suicide in
January 2013. Charges were later dropped.
[2]
This includes state and non-state actors that play a role in setting the norms
in cyberspace.
[3]
Hackers that operate under a set of values or code are widely known as
‘hacktivists.’ This is often specific to the organization known as Anonymous,
but is generalized for the context of this research.
[4]
Swartz’s suicide was followed by hacking tributes displayed on the DOJ and MIT
website, implicating US Attorneys Carmen Ortiz and Stephen Heymann as partially
responsible. See <http://www.telegraph.co.uk/technology/news/9800257/Anonymous-hacktivists-target-MIT-websites-over-Aaron-Swartz-suicide.html>.
See USA v. Swartz timeline <http://tech.mit.edu/V132/N62/swartztimeline.html>.
[5]
Retaliation is sensitive to a negative feedback loop based on interpretation of
events.
[6] In
the absence of rules, the only rule becomes “Hama rules”, or “there are no
rules.” This was used by Thomas Friedman in reference to the ability of
retaliation to be unpredictable, violent and atrocious acts committed by
aggressors against their adversaries.
[7]
This claim is attributed to former Deputy Secretary of Defense William Lynn. Operation Buckshot Yankee was the codename
used to combat the virus that infected the U.S. military networks. See Walker (2013) and: <http://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=2&ref=technology&>.
