Through cyberattacks on information technology and digital communications systems, antagonists have increasingly been able to alter the strategic balance in their favor without provoking serious consequences. Conflict within and through the cyber domain is inherently different from conflict in other domains that house our critical systems. These differences result in new challenges for defending and creating resilient systems, and for deterring those who would wish to disrupt or destroy them. The purpose of this paper is to further examine the question of whether or not deterrence can be an effective strategy in cyber conflict, given our broad and varied interests in cyberspace. We define deterrence broadly as the creation of conditions that dissuade antagonists from taking unwanted actions because they believe that they will incur unacceptably high costs and/or receive insufficient benefits from taking that action. Deterrence may or may not be the most credible or effective strategy for achieving our desired end states in cybersecurity. Regardless of the answer here, however, it is important to consider why deterrence strategies might succeed under certain conditions, and to understand why deterrence is not effective within the myriad contexts that it appears fail. Deterrence remains a key component of U.S. cyber strategy, but there is little detail on how to operationalize or implement this policy, how to bring a whole-of-government and whole-of- private-sector approach to cyber deterrence, which types of antagonists can or should be deterred, and in which contexts. Moreover, discussion about how nations can and should respond to significant cyber incidents largely centers around whether or not the incident constitutes a "use of force," which would justify certain types of responses according to international law. However, we believe the "use of force" threshold is inadequate to describe the myriad interests and objectives of actors in cyberspace, both attackers and defenders. In this paper, we propose an approach to further examine if deterrence is an effective strategy and under which conditions. Our approach includes systematic analysis of cyber incident scenarios using a framework to evaluate the effectiveness of various activities in influencing antagonist behavior. While we only examine a single scenario for this paper, we propose that additional work is needed to more fully understand how various alternative thresholds constrain or unleash options for actors to influence one another's behavior in the cyber domain.
The need for metrics for planning and response measures was identified as key gap to be addressed in the National Hurricane Program's (NHP) Technology Modernization effort. This document proposes a framework for defining a set of metrics for planning and response that will be implemented in the NHP products of hurricane evacuation studies (HES) and post-storm assessments (PSA). To determine the feasibility of this framework, a survey of current HES and PSAs was carried out followed by and then used to determine if the proposed metrics are currently captured. While there is a wide variety in data availability and detail, the implementation of these metrics is not only feasible but presents an opportunity to improve on current practices. The final implementation of this framework shall require the ongoing feedback from local, state, tribal, and federal stakeholders.
The Hurricane Evacuation Study (HES) Tool prototype is a key component of the Federal Emergency Management Agency (FEMA) National Hurricane Program (NHP) Technology Modernization (TM) effort. To ensure the HES Tool captured the necessary capabilities and functionality, engagement with potential end-users and key stakeholders was considered a priority throughout development. Pilot studies with representatives from North Carolina and New York City were done to validate the HES Tool process with their current HES undertaking. These pilot studies let the development of additional capabilities and feedback on the needs of diverse regions. A usability study was carried out with key stakeholders identified by NHP leadership through individualized sessions with identified personnel. The results showed the value of the HES Tool compared to the current process as well as key issues that must be addressed to ensure a final transition.