Research and Analysis
Quantifying Improbability: An Analysis of the Lloyd’s of London Business Blackout Cyber Attack Scenario
Susan Lee, Michael Moskowitz, and Jane Pinelis
Scenarios that describe cyber attacks on the electric grid consistently predict significant disruptions to the economy and citizens’ quality of life. Most offer anecdotal support for the grid’s vulnerability to such an attack and assume the existence of an adversary with the means and intent to launch the attack. An estimate of risk, however, also requires knowledge of the probability that an attack of the required caliber can be successfully executed. Quantifying the probability of success for a large-scale cyber attack is hard because of the lack of precedent and the changing nature of threats and vulnerabilities. This report uses the grid cyber attack scenario outlined in the Lloyd’s of London and the University of Cambridge Centre for Risk Studies 2015 report, Business Blackout, to demonstrate how a probabilistic assessment could be used to quantify the likelihood that the scenario could occur. The analysis is subject to the limitations inherent in any probabilistic risk assessment; however, it serves to highlight some interesting phenomena that deserve further investigation, such as the importance of some individual power plants in influencing the adversary’s probability of success. In addition, it describes feasible data collection that would materially increase the validity of such an analysis.
Parametric Cost and Schedule Modeling for Early Technology Development
There is a need in the scientific, technology, and financial communities for economic forecast models that improve the ability to estimate new or immature technology developments. Engineering design or conceptual technical requirements with which to drive parametric estimates or translate analogous system costs are often unavailable in early life-cycle stages of technology development. The limited availability of comparable systems, design or performance parameters, and other objective bases makes it challenging to produce even rough-order-of-magnitude cost and schedule models. Often compounding the limited availability of information is the proprietary or protected nature of technology research and development efforts and related intellectual property. Consequently, executives, program managers, budget analysts, and other decision-makers must often rely on historical information from related yet often very dissimilar systems or the subjective opinion or “best guess” of subject-matter experts. This paper first investigates available industry modeling concepts, frameworks, models, and tools. A representative project data set is identified and selected for cost and schedule modeling, leveraging macro-parameters generally known or available in early technology development stages. Several model forms are then created and evaluated based on key performance criteria.
Sony’s Nightmare Before Christmas: The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace
Antonio DeSimone and Nicholas Horton
The cyber attack on Sony Pictures Entertainment in late 2014 began as a public embarrassment for an American company and ultimately led to a highly visible response from national leaders after the purported criminals threatened 9/11-style attacks on movie theaters showing the film. The cyber attack was triggered by the imminent release of The Interview, a comedy by Sony Pictures Entertainment in which an American talk show host and his producer are recruited by the Central Intelligence Agency to travel to North Korea and assassinate Kim Jong-un, the country's supreme leader. The cyber attack was discussed everywhere: from supermarket tabloids, delighting in gossip-rich leaked emails, to official statements by leaders in the US government, including President Obama.
The events surrounding the attack and attribution provide insight into the effects of government and private-sector actions on the perception of a cyber event among the public, the effect of attribution on the behavior of the attackers, and possible motives for North Korea's high-profile cyber actions. The incident also illuminates the role of multi-domain deterrence to respond to attacks in the cyber domain.
The Long-Range Standoff (LRSO) Cruise Missile and Its Role in Future Nuclear Forces
Dennis Evans and Jonathan Schwalbe
The United States has a nuclear triad that consists of ballistic missile submarines (SSBNs), land-based intercontinental ballistic missiles (ICBMs), B-52 bombers, and B-2 bombers. The non-stealthy B-52 relies entirely on the AGM-86 Air-Launched Cruise Missile (ALCM) in the nuclear role, whereas the B-2 penetrates enemy airspace to drop unguided bombs. The current SSBNs, ICBMs, ALCMs, and B61 bombs will all reach end of life between the early 2020s (for the B61 bomb) and the early 2040s, whereas the B-52 should last until at least 2045 and the B-2 should last until at least 2050. Programs are well under way for a new SSBN, a new bomber, and the B61-12 guided bomb, whereas programs have just started for a new ICBM and for the Long-Range Standoff (LRSO) cruise missile that is planned to replace the AGM-86. Among these programs, the LRSO is the most controversial and (probably) the one at most risk of cancellation. Analyses presented here suggest that LRSO is critical to the future of the triad and should not be terminated or delayed.
Nonstrategic Nuclear Weapons at an Inflection Point
Michael Frankel, James Scouras, and George Ullrich
The world has changed greatly since the last Nuclear Posture Review (NPR) was formulated only some seven years ago, and US nuclear policy must be responsive to these changes. In particular, the 2010 NPR assessed that Russia and the United States are “no longer adversaries” and their “prospects for military confrontation have declined dramatically.” This assessment has been directly confronted in the intervening years by Russia’s steady stream of nuclear saber rattling, its naked aggression in Ukraine, and its palpably bellicose willingness to project its military might beyond Europe. Moreover, large asymmetries in nonstrategic nuclear capabilities, coupled with Russia’s escalate-to-deescalate doctrine and earlier abandonment of its commitment to a no-first-use nuclear posture, suggest that Russia views nuclear weapons as useful instruments of intimidation and warfighting. We argue that Russian first-use of nuclear weapons in Europe should be addressed as a high-priority nuclear threat in the Trump administration’s NPR. We address the roles of allied nonstrategic nuclear weapons in Europe; the challenges posed by asymmetries in numbers, systems, and doctrine; and NATO’s potential response options. Looking forward, we anticipate key nuclear policy decisions the Trump administration must face, and suggest that the issue of nonstrategic nuclear weapons, heretofore treated as a nearly irrelevant epicycle orbiting the greater strategic nuclear issues at play, can no longer be neglected.