Abstract

The system in place to respond to cybersecurity events is described best as a “patchwork,” with divergent missions, legal frameworks, and organizational structures. Governments are struggling to overcome these obstacles to create robust and resilient cyber response infrastructure. However, the evolution and dispersion of technology have spread technical capability and resources widely among various constituencies across private, public, civil and military domains. This “patchwork” approach has resulted in a diverse array of stakeholders, leaving the processes of coordination uncertain. Our approach rests on the concept of “organizational seams” which exist between functional entities engaged in cyber conflict response. How can important interfaces between public/private, civil/military, and domestic/international constrain or enable effective coordination in response to cyber attacks? The paper posits that seams are a barrier to coordination and that when a seam is minor, there may be a readily apparent solution to this barrier, whereas when a seam is classified as major, it constrains coordinative activity, resulting in more complicating effects. This article advances both a theoretical and real-world understanding of how individuals, organizations, institutions, and states engage and coordinate in the cyber domain.

The US cybersecurity infrastructure is best characterized as a “patchwork,” necessarily drawing on a diverse range of public agencies (civilian and military) and private entities for response to large-scale events.1 The US case is by no means unique. China, Russia, Japan, and Europe are all struggling with the same questions while trying to shape the evolution of their own cyber response infrastructure. Yet, much of the literature focused on national cybersecurity response and the deterrence of cyber threats is conceived of as dyadic interactions between nation-states in which actors are monolithic in rationalization and execution, despite common acknowledgment of blurred divisions of labor between mixed civilian/military and public/private areas of responsibility. Very little work has tried to understand how disparate stakeholders can impact the coordination of response in the event of a cyber assault across public and private interests, perpetrated by either a nation-state or another technically adept adversary. The pervasively networked nature of cyber threats makes the response to such threats open to deleterious effects born of coordinative misunderstandings, command inefficiencies, missed opportunities, or even intentional exploitation of unrecognized holes within national response infrastructure.

The cybersecurity response infrastructure exists as a patchwork; as such, coordination is required in order to achieve optimal outcomes during cyber attacks. We argue that this patchwork is best characterized through the concept of organizational seams, which can enable or constrain coordination depending upon the nature of the seam. The current distribution of capabilities and responsibilities within the US cyber response community has created complex interdependencies across organizational boundaries. These interdependencies can consist of routine interactions, such as Microsoft petitioning the US judicial system for the right to redirect third-party Internet traffic due to alleged malfeasance, or more exotic and complex collaborations between public, private, non-profit, and international entities.

We define “organizational seams” as boundaries between separate organizations or their component sub-organizations across which information and communication must flow. Seams are a natural by-product of the need to specialize, to provide for division of labor, or to divide gross organizational size into more manageable parts. Seams can be found at the natural boundary across any number of dimensions, such as culture, language, affinity groups, mission, geography, as well as explicit boundaries such as those between firms, divisions, working groups, and other organizational lines. These “seams” within and amongst organizations and their subunits can be either minor or major, depending on the dissimilarities of the organizations and subunits involved [1].2 The nature of the seams can either enable or constrain attempts at coordination in response to external shocks, such as cyber intrusions. Entities involved in provisioning cybersecurity are not homogeneous in terms of their goals, incentives, and disincentives. In fact, their own unique organizational culture, their standard operating procedures, and their internal supervisory controls condition the manner in which they coordinate with other entities. This helps explain the range of outcomes possible during cyber conflict mobilization. The seams in this patchwork of response mechanisms and constituencies can result in what we term the ‘cyber response coordination problem’. In this article, we hope to introduce the concept of seams as a way to begin to analyze how individuals, organizations, and institutions, both formal and informal, coordinate and manage activities. While there may be some utility in further defining and measuring seams, across both qualitative and quantitative dimensions, this initial work is meant to present the general concept.

This article draws upon an interdisciplinary body of literature and adopts a novel organizational approach, originally derived from research on North Atlantic Treaty Organization (NATO) forces, to examine the “organizational seams” that exist between functional entities engaged in cyber conflict response and which condition coordination. This is the first time that the concept of organizational seams and coordination theory has been used to analyze the patchwork cyber response system. We understand coordination as the management of interdependent relationships that necessitates the exchange of information in order to align actors’ intentions, goals, and actions.3 The article posits that the nature of the organizational seams can either bolster or restrain coordination and the resultant ability of actors to effectively respond to a cyber attack. Specifically, minor seams tend to enable easier cyber response coordination, while major seams constrain coordination, resulting in more complicating effects. Through this theoretical framework, it is possible to develop a more nuanced understanding of outcomes. This is to say that cybersecurity response should not be judged simply as having successful or unsuccessful outcomes, but as having a range of optimal and suboptimal outcomes. These outcomes are conditioned by the type of organizational seam present.

We submit that the use of an organizational seams metaphor can help to understand the inherent difficulties of coordinated action in this domain. The example of Microsoft cited above can be parsed in terms of organizational seams to illuminate the difficulties in response and the varied priorities emanating from the involved constituencies. Much of the current analysis of cyber infrastructure and strategy tends toward projecting ideal, but not yet established, reforms into discussion without clearly analyzing the nature of response within the system as it currently exists. The cyber response infrastructure is complex, which can result in unsuccessful, inefficient, or even escalatory responses. Additionally, the disparate actors and competing interests present contradictory or perverse incentives for action or coordination. Moreover, the lack of clear doctrine regarding response to a cyber attack, even within the US government, is troubling. While some incidents are quite mundane, others may pose considerable risks to national security. Thus, it is critical to understand the process by which actors can coordinate and respond to cyber attacks and to examine how major or minor seams have hindered or facilitated past instances of coordination in response to a cyber attack. This article examines the coordination problems endemic to the cybersecurity patchwork as a first step in a research program that will, in future work, consider how coordinative failures resulting from major seams can increase the likelihood of conflict escalation during cyber conflict.

This article will proceed as follows. First, we describe the patchwork nature of the cyber response infrastructure. Second, we develop a theory of how organizational seams can be used to understand complex organizations, coordination, and crisis response dynamics. Third, the theoretical framework of organizational seams and coordination is applied to the patchwork response infrastructure. The article concludes with a discussion of some of the risks inherent to coordination failures in the cyber domain.

The cyber patchwork

The mechanism through which security is provisioned on the Internet has evolved organically, is highly dispersed (horizontal) in nature—and is often described as a “patchwork” of loosely related or unrelated constituencies both public and private. For example, the hacking of a government agency may necessitate a response that draws upon private software providers, law enforcement agencies at the state or federal level, the intelligence community, the military, the Department of Homeland Security (DHS), third-party infrastructure providers (internet service providers, telecommunications companies, etc.), international agencies, and many other constituencies. These constituencies form a ‘meta-organization’, which refers to networks of firms and/or individuals not bound by authority but characterized by a system-level goal [2].

Often, major cyber attacks or incidents require the participation of a wide range of stakeholders to be resolved. These stakeholders range from governments to private firms and international organizations. Within government, various departments and branches share responsibility. Private sector firms engage in a variety of activities such as storing, transmitting, and protecting data and may play a central role in recognizing and remediating threats. International organizations can be regional, global, or completely divorced from national entities and are involved at various levels throughout the constituent elements making up “cyber space.” These organizations range from the International Telecommunication Union (ITU), other multi-state organizations, and states themselves that legislate and/or set data privacy rules and regulations among other provisions, to non-profit Internet governance organizations like the World Wide Web Consortium (W3C) that wield significant power over the technical evolution of parts of cyber space. Their role in Internet governance helps structure and constrain available response choices and methods. Each of these stakeholders, ranging across public, private, profit-seeking, non-profit, domestic, and international divides, has unique capabilities and motivations that impact upon incident response to wide-scale security events affecting the cyber realm. This patchwork is a decision-making space in which actors coordinate and compete to shape priorities and strategic calculus during the threat recognition, response, and remediation phases of a cybersecurity-relevant activity.

Demonstrating coordination within the Internet governance network, Mueller et al. examine the example of the Conficker botnet response [3]. The Conficker group was composed of a loosely connected set of mostly private sector actors using pooled resources to contain the Conficker threat. The individuals were largely affiliated through their pre-existing professional circles rather than the explicit ties shared by their employer organizations. In fact, the parent organizations had a variety of divergent interests, but agreed to take part in the group because of a shared commitment to the “technical wellbeing of the internet.” A notable aspect of the group is the disproportionate role of the private sector relative to national governments and traditional international organizations. The ad hoc nature of the group was possibly due to the flexibility and robustness of private sector person-to-person professional networks and the rigidity of public sector actors.

This runs counter to the predicted nature of international incident response in the information age as presented by Slaughter in her work on transnational networks [4]. It was assumed that nation states would remain the primary security actor in the information space in collaboration with NGOs and the private sector. However, cases like Conficker and the disruptions of Estonian information networks in April 2007 show that national governments and traditional security organizations like NATO play a backseat role in the ad hoc cyber response regime. Since the occurrence of these incidents, however, national and international non-governmental organization (INGO) actors have focused their attention on weaving themselves more prominently into the patchwork, and they will be invaluable members of the regime due to their unique capabilities and sheer resources. Nevertheless, states face a unique political challenge in participating in these efforts, especially when the transnational component of an incident is prominent. Effective networks require trust to be successful, which centuries of international relations history have shown to be a difficult achievement.

Keohane and Martin provide evidence that international organizations such as the UN can imbue trust in member states by lowering transaction costs and providing a “shadow of the future” in order to discourage short-term rent seeking by potential rivals [5]. However, realist critics have claimed that international institutions, like other instruments of national power, are simply vehicles for dominant powers to maintain the balance of power [6]. The success of the patchwork cyber regime is underpinned by the ability of states and other collaborating actors or entities to trust one another so that cooperation and information sharing are possible. If states engage in “Contested Multilateralism” [7], it severely hampers the ability of national entities to contribute to the response effort. National-level contentions could also spill over into private relations between companies associated with the host states, poisoning fruitful business-to-business relations.

This presents a problem to be confronted by organizational designs called Computer Emergency Response Teams (CERTs). CERTs are purposely built ad hoc cyber response teams composed of a variety of stakeholders and couched in a government-style lateral institutional design. Choucri et al. describe the purpose of CERTs as identifying vulnerabilities and fostering communication between security vendors, users, and private organizations [8]. CERTs share a common organizational framework but value autonomy and self-determination over rigid institutional controls. This means they have the flexibility to carry out their missions, but it also means that monitoring and free-riding prevention are difficult to enforce.

Many of these teams work with other teams under the Forum of Incident Response and Security Teams (FIRST) network, which also includes the DHS and other official state and quasi-state entities. The variety of actors participating in this network is both a strength and a weakness of the patchwork cyber regime. While the diversity in mission and expertise maximizes the capabilities of the CERT and related organizations, it also creates seams and communication imbalances which can degrade the efficiency and long-term viability of the organization. In their examination of CERTs, Choucri et al. claim that the primary inhibitor of the teams is the lack of a “universal data provision,” meaning that some actors in the CERT are more hesitant or less capable of making their data available to other members of the group [8]. For example, many non-profits and other non-reputational bodies are enthusiastic about sharing intelligence and statistical analysis on cyber incidents and trends, while governments are slow and bureaucratic about data sharing. Many private companies are hesitant to share cyber vulnerability intelligence due to fear of reputational harm.

This data imbalance is a critical inhibitor to building successful patchwork response organizations because the efficiency and effectiveness of diffuse networks are highly dependent on the ability of information to travel across the seams dividing the actors. This matters both for the efficiency of resource coordination in crisis situations and for the long-term stability of these trust-based multilateral entities. The patchwork remains hard to categorize in unitary fashion. Empirically, there exist too many involved entities and stakeholders to directly map, but that does not mean a structure does not exist.

A formalized way of thinking about the so-called cyber response patchwork can be drawn from academic discussions of meta-organizations. These firms, organizations, and individuals are characterized by their level of autonomy and their pursuit of a shared goal. We can think of each of these networks of individuals, firms, and organizations as individual agents with their own “motivations, incentives, and cognition” [2]. Furthermore, the act of coordination is a process whereby individual goals are brought into line with each other through the exchange of information. Within this conception, each agent may not be linked by formal authority but instead displays a range of linkages across boundaries or seams. Within the present work, these linkages can be characterized as existing across major or minor seams, concepts that will be introduced in the following section. Seams within the cyber patchwork can enable or constrain coordination in response to cyber attacks. The following section will present the concept of organizational seams as it was developed to understand the organizational challenges facing NATO forces during the Cold War. This theory will then be used to understand the coordination challenges facing the cyber response infrastructure.

Before we turn to a discussion of the seams framework, it is important to define coordination. As described earlier in the article, we define coordination as the management of interdependent relationships that necessitates the exchange of information in order to align actors’ intentions, goals, and actions [9]. This definition draws upon literature in organizational theory and management, which examines the process by which multiple actors pursuing similar goals have organized themselves. Coordination is a function of these organizing activities. Actors performing interdependent activities may have conflicting interests, and this can be a challenge to coordination [10]. The coordination problem has also been examined and formalized within literature from the field of game theory [11–13]. It is important to note that both organizational theorists and game theorists understand coordination in a very similar manner. While the formal approaches seek to identify the equilibria in particular games, both game theory and organizational theory define coordination as a problem facing actors trying to manage interdependent relationships. As an example, Duncan Snidal argues that a coordination problem “arises when actors have a strong desire to coordinate but some differences over exactly where to coordinate” [10]. As such, we treat coordination as an organizational challenge facing the cyber response infrastructure.

A theory of organizational seams

This article utilizes an organizational approach to explore the patchwork cyber response infrastructure characterized in the previous section. In doing so we develop a theoretical framework to understand how organizational seams in the cyber patchwork can influence coordination in response to a cyber intrusion. The theory posits that the nature of the seam matters: minor seams can enable coordination while major seams can constrain coordination. This section unfolds in three parts. First, we develop the argument that organizational seams can influence the likelihood of coordination within the cyber response infrastructure. The theory of organizational seams was originally developed to account for coordinative challenges facing NATO. The NATO example provides an ‘ideal type’ for understanding how seams emerge from the need to specialize, where seams occur, and how seams affect coordination. Second, we argue that the type of seam, whether it is major or minor, can account for the likelihood of coordinative failures or successes. Finally, we apply this theory to the cyber response infrastructure. The four illustrative cases which follow the theoretical discussion serve as a means by which to test the plausibility of the argument that major seams can constrain the ability of actors to coordinate, while minor seams can enable coordination [14].

Organizational seams and coordination

As opposed to the conceptualization of the cyber response infrastructure as a network, our understanding of the cyber patchwork emerges from the seams framework. We posit that in order to understand the coordinative problems facing the system, it is necessary to examine the inter- and intra-organizational dynamics of involved stakeholders in the response system. The concept of organizational seams, or boundaries between separate organizations or their subcomponents, extends the work of Simon, Cyert, and March in the 1950s and 1960s and the latter half of the twentieth century [15–17]. This theoretical framework rests on a key premise: certain fundamental cognitive constraints severely limit the human capacity for rational action. Limits on the amount of information that individuals can process force people to respond to only limited aspects of their environment [18]. These limits on the ability to actively manipulate conceptual information result in a reliance on relatively simple mental strategies that frequently violate conventional notions of rational inference and choice [17, 19, 20].

Organizations can be viewed as a social strategy for overcoming the inherent limitations of individuals in addressing the multiplicity of functional responsibilities necessary to bring about overarching goals [15]. Through specialization, individuals acquire the capacity to apply relatively complex cognitive strategies (based on very efficient information coding schemes) to narrowly defined task environments [21]. Through division of labor, substantial cognitive resources can be simultaneously brought to bear on many tasks or information sources at a time [15]. Division of labor, however, necessitates coordination among various tasked constituencies. The efforts of numerous individuals and separate groups of individuals must be structured to form coherent and useful patterns of activity. But this structuring task itself can easily become so complex as to overwhelm the cognitive capacities of those who must carry it out [15].

In focusing on command, control, and communication (C3), attention is immediately drawn to the question of what is being coordinated and the prominent role that the formal structure of the organization plays. An organizational approach to C3 is particularly important in two different types of situations: (i) where the functioning of an organization depends crucially upon explicit coordination, communication, command and control, and (ii) where the functioning of a subunit of the organization is automatic or involves the execution of standard operating procedures (SOPs). Formal organizational boundaries are important in that they usually define areas where all aspects of a subunit's operations—“within boundaries”—are organic to the subunit, whereas operations involving other subunits—“across boundaries”—involve explicit inter-unit coordination and planning.

Organizational seams are the boundaries between separate organizations or their component sub-organizations across which information and communication must flow. They are a natural by-product of the need to specialize, to provide for the division of labor, and/or to create more manageable sub-components, and they can create problems for coordination. Seams can be found at the natural boundary across any number of dimensions, such as culture, language, affinity groups, mission, geography, as well as explicit boundaries such as those between firms, divisions, working groups, and other organizational lines. Seams within and amongst organizations and their subunits can be either minor or major, depending on the dissimilarities of the organizations and subunits involved. Seams are a barrier to coordination and the efficient flow of communication, information, or intelligence. Indeed, the high frequency of “coordination failures” between groups suggests that such problems commonly occur. This is not to say that coordination failures occur in all cases in which seams are present, but seams can complicate the ability to align actors’ goals and intentions.

The specific theoretical framework of organizational seams that we use to explain the coordination challenges inherent to the cyber response infrastructure was first used in a study on C3 issues within the NATO central region during the last phase of the Cold War [1].4 The organizational seams inherent to NATO’s arrangements can provide insights about the modern challenges confronting the cyber patchwork response infrastructure, and the attendant risks that follow from coordination failures. Coordinative failures across organizational seams could potentially create escalatory dynamics within the cyber domain. Similarly, in the case of NATO, coordination failures carried with them the risk of escalation to a nuclear exchange. While we do not explore the impact of coordination failures in the cyber domain within the present work, the relationship between coordination failures and conflict escalation is an area requiring further research.

The NATO central region required fighting units drawn from disparate national militaries to coordinate closely despite myriad differences. In NATO (during this period), native language, culture, training, assumptions about the nature of war, equipment, logistics, and intelligence all changed at the organizational boundaries between different national forces - such as between the V US Corps and the III German Corps. The organization of the conventional forces in NATO has been characterized as the “Schwartzwald Cake” approach.5 By slicing the “cake” (or responsibility for defending Europe) and distributing it among NATO nations, the Dutch, Belgians, British, Germans, and the Americans all had a set of explicit responsibilities (both geographically and functionally), a particular piece of the front to defend, and a political stake in the functioning of NATO. Belgium, for example, by having its troops committed along the front and responsible for defending a piece of German soil, was politically bound and militarily committed to the defense of Germany against Soviet aggression. This politically motivated approach, however, introduced many organizational seams in the NATO force structure.

Seams are canyons for information to traverse. Important phenomena change at organizational boundaries. Within the cyber response infrastructure, similar phenomena, such as language, culture, mission, and capabilities, change at the seams. The loss of information from one unit to the other significantly impacts the effectiveness of response, and this is even more acute when information has to cross a multitude of different actors, in different organizations, domestically and internationally. The politically motivated organizational structure of NATO provides a useful point of comparison to the cyber domain, in which not only is the cyber response infrastructure constituted by a wide range of stakeholders, creating many different kinds of seams, but in many cases actors are also politically motivated, creating another layer of organizational seams.

In general, the issues identified by the “organizational seams” metaphor became serious when the US and NATO faced the task of actually fighting a conventional war. In peacetime, the visibility of the seams in military organizations, and of the C3 functions which must take place across those seams to ensure military effectiveness, is minimized. Similarly, issues of coordinative failure may not be apparent within the cyber response infrastructure unless that system is under stress from a large-scale cyber attack.

Major and minor seams

Seams within organizations can be categorized as either minor or major. Units of similar structure and purpose will have comparatively little difficulty in coordinating their actions; the boundary between such units is termed a ‘minor seam’. The nature of the seam, which has an effect on the ability to address the coordination problem, is conditioned by whether the seams are minor or major. Minor seams that occur between units of similar structure and purpose, while certainly still a barrier to the efficient flow of information, might make a solution more readily apparent, enabling ad hoc coordination. As the size of a seam grows and similarities give way to differences, a seam could be classified as ‘major’. Major seams constrain the ability of actors to find a coordinative response. The presence of both major and minor seams, however, can undermine the ability of these mechanisms to achieve coordination. In the final section of this article we look at four cyber incidents to examine how in some cases minor seams enabled effective coordination, while in others major seams acted as constraints on coordination.

NATO offers an illustrative example of major and minor seams. For example, two US infantry battalions can be expected to have very few problems in coordinating and acting together. There are several reasons for this. First of all, the units are essentially the same; they are both infantry battalions with the same structure and equipment, referred to in the military as the Table of Organization and Equipment.6 Furthermore, their personnel were processed through the same training programs, so they share the same procedures, operational philosophies, doctrine, and, to some extent, the same expectations.

The more similar the units within and between organizations, the smaller the seams will be that separate them. In the example above of US infantry battalions, the units were as identical as possible. The seam between them would grow, however, if they were from different regiments or divisions, if one was an armored battalion, if one was from a different service branch, if one was from a different country, or even if they spoke different languages. The more discontinuities, the more explicit communications will have to be exchanged to effect coordination. As the size of a seam grows and similarities give way to differences, a seam could be classified as ‘major’. Direct comparisons show that the Warsaw Pact had a greater number of minor seams, but NATO had more major seams. The relative homogeneity of Soviet-dominated Warsaw Pact combat forces limited the international differences between the forces that would have borne the brunt of most combat. NATO, which had different command structures for air and ground forces, suffered from having more national members and a far more decentralized command structure, multiplying the number of major seams. The extensive latitude given to individual services within the alliance's national contexts further exacerbated the size of the seams between services, which were then reflected in the NATO context. Modern cybersecurity response shows similar dynamics in that agency is often devolved to the constituencies that are the first to recognize that a problem exists and that must then assemble and marshal resources for remediation efforts, often relying on ad hoc leveraging of professional, social, private, and public networks. This environment is thereby easily described as consisting of seams which will vary across minor and major dimensions.

Beyond minor and major seam classification, seams can also occur between units at the same level of organization, such as the example of US infantry battalions. For example, in the US military, specific liaison officers are in place to coordinate the actions of air support units and the ground units with which they are stationed. Because the backgrounds, methods of operations, and operational control are more dissimilar than they are similar, their seam would be classed as a major one. This variation in background and operational philosophies can result in discontinuities in interpreting capability, understanding need, or communicating. Inside the patchwork response system, roles and responsibilities are often duplicated across the various private and public points of control making up Internet infrastructure. On a high level, both Amazon and Google may have cybersecurity elements distributed within subunits that have similar roles and responsibilities but may vary greatly in the manner in which they carry out their duties due to internal cultural norms and standard operating procedures. Public security entities may display similar dynamics; for example, Federal Bureau of Investigation (FBI) field offices may differ in the depth of experience that agents assigned to cyber-based cases possess, and various governmental institutions may approach cybersecurity remediation in diverging ways. While the US government is continually seeking to standardize rules, procedures, and approaches, it has a long way to go [22].

Organizational seams within the cyber response infrastructure

Our application of seams within the cyber context is motivated by two observations. First, the cyber response patchwork consists of capabilities distributed horizontally across various technical, non-technical, private, public, domestic and international constituencies. Second, within the US context, cybersecurity has evolved in an ever more specializing manner that is continually creating additional seams while sometimes forcing change across others. This is evident in the evolution of offensive and defensive cyber missions within the US military [23]. For example, the recent elevation of US Cyber Command to full combatant command status will create new seams between Cyber Command and the subunits it will now direct, while also widening existing seams between US Cyber Command and its antecedent organizations.

Solving the coordination problem becomes even more difficult if there are both inter- and intra-organizational coordinative necessities, as in the cyber domain, where seams exist within organizations and also between a large number of disparate organizations. The cyber response infrastructure has intragovernmental seams, interagency seams, international seams, and seams between the private and government sectors, among others. Currently, the cybersecurity response infrastructure has not institutionalized a structure that can solve the coordination problem within its domain. These seams and the multitude of stakeholders with different interests and capabilities can create coordination problems that complicate effective responses to cyber intrusions.

Further, technology can exacerbate organizational seams and heighten the boundaries between individual organizational agents. Simply as a straightforward organizational issue, any new technology brings with it new standards, new information, and new capabilities, all of which must be integrated into existing technologies and practices. As an emerging technology, the cybersecurity space is further characterized by intense volatility and rapid technological evolution. When thought of in this manner, the current flux and continued evolution of the cybersecurity response infrastructure should be expected to lead to confusion.

Responding effectively and efficiently to national-scale cyber-mediated attacks requires a level of coordination across decentralized resources, decentralization being a fundamental feature of the Internet and information exchange networks. Within the public sector, each entity maintains its own information systems (i.e. computer systems, servers, and so forth), at multiple levels of classification, with varying security protocols and policies. Consequently, there are inherent challenges in marshaling resources that are not directed by a centralized command scheme and are instead located within and across organizations not adept at coordinating with each other.

It is important to note that there are other theoretical frameworks for understanding coordination in cyberspace. For example, Raymond argues that mitigation and management processes are essential in order to maintain internet stability and prevent disruptions. Consistent with the seams framework presented in this article, Raymond finds that these challenges are due, in part, to the large number of rules and the involvement of a wide array of actors [24]. He argues that decisions made by one actor could have “intended or unintended effects” on other actors. The combination of these effects with the decentralized nature of the regime complex can create coordination and conflict resolution problems [24]. However, Raymond suggests that coordination can occur and offers a solution to these problems through the creation of a prohibition regime able to address threats in the international security realm. The following section will provide evidence of these coordination challenges in the cybersecurity response system through an examination of four examples.

Coordination in the cybersecurity response patchwork

Security and resiliency of the Internet and other electronic information networks is necessarily collaborative, since a central characteristic of ‘networks’ is that they propagate effects as a mere function of pervasive connectivity. Despite disincentives due to competitive pressures, secrecy necessitated by security concerns, a lack of comprehensive formal arrangements, a plethora of threats, and many other potential road blocks, these networks continue to function. Collaborative security is still pursued by dispersed actors spanning organizations, classification levels, and objectives.

Describing and conceptualizing the many involved constituencies with regard to cybersecurity is difficult, as entities connect with each other across political borders, across civilian/military lines, and across public and private spheres to address both specific and diffuse threats, whether malicious or structural in nature [3]. Sometimes these response collaborations are born out of formal institutional linkages in a directed manner, but many other times informal collaboration instantiated through non-hierarchical means is a central mechanism of threat redress. Four examples are presented below in order to illustrate the manner in which cybersecurity provisioning occurs. These examples are presented here as a test of the theory’s plausibility, highlighting the enabling and constraining effect that seams can have on coordination within the cybersecurity patchwork. Specifically, these examples underscore the prevalence of seams across the various response mechanisms within the cyber domain. As described earlier in this article, organizational seams can be minor or major based upon the dissimilarities of the units involved. Units of similar structure and purpose will have less difficulty in coordinating their actions than more dissimilar units. As a result, while coordination may still be a challenge, minor seams can enable or facilitate ad hoc coordination across the various stakeholders, while major seams make coordination harder to achieve, constraining the development of a coordinative response.

The four cases under examination in this article were chosen in order to achieve variation on the dependent variable: whether coordination was constrained or enabled. It is important to note that our definition of constrained or enabled instances of coordination does not necessarily relate to successful or unsuccessful occurrences of remediation. Rather, we seek to account for variation in the ability of actors to coordinate a response to a cyber incident and to acknowledge that this response may occur across varying timelines. By examining two cases on each value of the dependent variable, we are able to use both a method of agreement and a method of difference to identify whether the presence of different types of seams can account for these similarities or differences [25]. In doing so, we are able to examine within-case and cross-case variation. To identify the factors accounting for the similarity of outcome within each set of cases, we use the method of agreement to identify the common explanatory factor, which in this case is the type of organizational seam. Then, to account for variation between the two sets of similar cases, we identify the factors that differ in how actors coordinated within the cyber patchwork—seams and the type of first mover in the remediation and response processes.

In all four cases, seams resulted in varying degrees of ad hoc coordination between previously disconnected entities—making coordinating efforts reliant on shared norms rather than previously established standard operating procedures and trusted connections. The first two cases, on the Mariposa botnet and BGP routing errors, are examples of how minor seams enabled ad hoc coordination. Mariposa, for example, represents a strong example of how cybersecurity entrepreneurs muddle their way through a problem set that then helps to define pathways, which subsequently may become institutionalized. In this case, the scope of the problem was such that the early actor was private, and thus determined the pathway through and manner in which remediation occurred. How it played out has become a useful example of how cyber remediation efforts can work. The second two cases, on the DNC and Sony Pictures Entertainment, are examples of how major seams constrained the ability of actors to coordinate a response. The Russian political hack demonstrates how major seams can complicate the capacity to coordinate, constraining a response, creating inefficiencies, and instilling uncertainty or confusion into the response process. This case demonstrates the importance of threat recognition, which ultimately has implications for public goods. In this case, different private actors may have been disincentivized from enacting large-scale remediation efforts. The Sony Pictures Entertainment case illustrates how major seams created problems in coordination, while minor seams within private industry enabled a de facto response to the hack.

We thus utilize a comparative perspective and process tracing in order to test the theoretical claim that major seams make coordination hard, while minor seams can facilitate an easier process of coordination in response to a cybersecurity event [26].7 Furthermore, we examine whether variation in the first mover influenced the remediation pathway, which within the patchwork system of the cyber response infrastructure effectively determines that pathway. These cases also provide variation on the following variables, which can influence the size of the seams: temporality, type of actor, nature of the incident, intent, and perhaps most importantly the threat born of structural realities of the internet.

The Mariposa botnet

In 2009, a Canadian information security company, Defense Intelligence, observed a piece of software being propagated that permitted a degree of remotely administered control over a wide range of computers. They named this network of compromised computers the “Mariposa botnet.” A botnet consists of computer code placed on machines (usually) owned or operated by a separate party in order to use those machines’ processing power for one’s own purposes, often illegal or nefarious in nature. The Mariposa botnet infected more than “half of Fortune 1000 companies and more than 40 major banks.” The botnet was associated with over 11 million IP addresses between 23 December 2009 and 9 February 2010 [27]. What transpired was a multi-national effort to eradicate the botnet, eventually leading to the arrest and prosecution of individuals in Slovenia and Spain. Tracing the evolution of the botnet’s discovery, the building of a constituency to address the botnet, and the linkages within and outside of the information security space which led to arrests, prosecutions and mitigation provides insight into how diverse information security provisioning communities connect and function, while also highlighting several organizational seams [22].

Defense Intelligence was not the first company to observe the coordinated command and control of Mariposa through Domain Name System (DNS) activity. The coordinated communication of globally dispersed computers to centralized servers that did not seem to have legitimate functions was noticed by several organizations [27]. The original C2 servers coordinating Mariposa were housed in Israel and Germany, and the activity was noticed by another security firm, Prevx [27]. The Mariposa botnet seemed to be based upon a set of pre-packaged malware tools known as the “Butterfly Exploit Kit.” The kit was available for between 400 and 700 euros on known websites, being sold as a “security” tool [27]. In order to address the problem, Defense Intelligence, a relatively small company, forged a diverse set of partnerships. In a paper published by the company, they note there were few law enforcement institutions within their native Canada to which they were able to turn for help [28]. They rejected a formal arrangement with the Technological Crime Branch of the Royal Canadian Mounted Police (RCMP), concluding that it was hostile to free information exchange. Instead, they forged a relationship with information security professionals at the Georgia Tech Research Institute and Panda Security, an information security focused firm based in the USA. The three entities branded their collaboration the “Mariposa Working Group.” The working group tracked Mariposa activity in Latin America, South Korea, Europe, the USA, and the Middle East. Using technical means, they identified where the botnet was being administered, narrowing the location to Spain. Spanish authorities were contacted and the Spanish judicial system was leveraged to obtain internet service provider records. This led to the arrest of a Spanish citizen and the identification of several individuals involved in the botnet’s administration. In addition, the creator of the Butterfly Malware Kit was arrested in Slovenia [29].

The Mariposa case provides a detailed example of the networked structure of modern information security provisioning and the resulting organizational seams. A small Canadian firm sought to address widespread infection of malware across private and public computer networks dispersed globally. Perceived weakness within the Canadian information security response infrastructure led the firm to partner with a US educational/research entity and another private US firm. The established “working group” captured and redirected internet traffic in order to investigate an identified threat. Upon completing its research, the response then drew upon law enforcement and judicial infrastructure in Spain, Slovenia, and several other countries.

When viewed through the lens of organizational seams, the Mariposa example has a number of minor and major seams. In this case, coordination occurred across the minor seams, while the major seams actually constrained collaboration. For example, the decision by Defense Intelligence to reject collaboration with the RCMP shows how the existence of a major seam between a government agency and a private firm structures choice, in that it constrained their willingness to coordinate. Instead, Defense Intelligence coordinated trans-nationally, which paradoxically represents a minor seam: information security professionals exploiting their social connections enabled an ad hoc yet effective working group that provided a public good, ultimately leading to remediation and prosecution.

BGP routing errors

Threat born of malicious intent using malware is not the only vector of compromise on the Internet. Structural realities of how the Internet functions can leave the system open to adverse consequences due to misconfiguration, errant data, or exploitation. Border Gateway Protocol (BGP) is a standard through which various autonomous networks are able to identify which address ranges, or prefixes, belong to which disparate connected network. For example, Google servers know which ones belong within their own network, and collectively, that network is identified and recognized by other networks which reciprocate this awareness. This arrangement is necessarily transparent so that data is able to traverse the many collections of physical infrastructure, much of which is owned privately or held by universities and public entities, which together make up the Internet. The traversal of that data is known by the technical term routing. The reciprocal recognition of networks relies on simple trust. We trust Google’s servers to identify themselves, just as we trust Netflix or the US Government to identify their own servers. These lists of self-identified networks are then propagated across the Internet, shared so that any connected terminal is able to ask for and receive the data it requests. That data may cross many third-party owned or controlled networks in order to arrive at the requesting terminal. This system of trust has not always functioned as envisioned. Examples of the transnational effects of such BGP errors abound. For example, in March 2015, an Indian broadband provider named Hathaway changed a technical prefix (the identifying marker of an individual network), accidentally directing traffic meant for Google’s servers to their own network. According to a news article detailing the incident, “Hathaway’s BGP error was accepted by its transit provider Bharti Airtel, which then broadcast the changes. The incorrect routes were accepted by other network providers including Cogent, Level 3, Orange, Singapore Telecom and Pakistan Telecom … ” [22, 28].8

Private network operators provide a significant portion of worldwide bandwidth, acting as middle-men between the service providers that provide access to the wider public. Such BGP errors manifest in the inaccessibility of affected servers, in this case the appearance of Google services being down. When BGP routing is utilized maliciously, the act is known as “route hijacking,” which occurs when false mappings are propagated to intentionally reroute traffic to a third party. These sorts of incidents, malicious or unintentional, occur with surprising frequency on the modern Internet. Recognizing, diagnosing, and subsequently fixing such occurrences takes place on small time-scales. Usually, when a major network such as Google experiences a BGP-related error, the problem is solved in a matter of hours.

It is useful to briefly trace the manner in which such threat redress occurs. The following testimonial appeared as a blog post on the website of the California-based computer security firm CloudFlare:

“Today [6 Nov 2012], Google's services experienced a limited outage for about 27 minutes over some portions of the Internet. The reason this happened dives into the deep, dark corners of networking” [30].

The same individual goes on to explain the reason for the outage, and how he tracked the problem to an Indonesian ISP:

“I looked at the BGP Routes for a Google IP Address. The route traversed Moratel (23947), an Indonesian ISP. Given that I'm looking at the routing from California and Google is operating Data Centre's not far from our office, packets should never be routed via Indonesia. The most likely cause was that Moratel was announcing a network that wasn't actually behind them” [30].

The US-based engineer was able to help effect a solution by contacting Moratel. He writes:

“The solution was to get Moratel to stop announcing the routes they shouldn't be. A large part of being a network engineer, especially working at a large network like CloudFlare's, is having relationships with other network engineers around the world. When I figured out the problem, I contacted a colleague at Moratel to let him know what was going on. He was able to fix the problem at around 2:50 UTC/6:50pm PST. Around 3 minutes later, routing returned to normal and Google's services came back online. Looking at peering maps, I'd estimate the outage impacted around 3–5% of the Internet's population. The heaviest impact will have been felt in Hong Kong, where PCCW is the incumbent provider. If you were in the area and unable to reach Google's services around that time, now you know why” [30].

The preceding anecdote demonstrates the process by which the involved entities were able to coordinate and redress the routing error. While the actors were again able to coordinate across minor seams, this case presents an altogether different collaborative mechanism than the one previously presented: the collaboration was much more ephemeral and took place on a much smaller time-scale. In this case, a third-party security firm noticed an outage of Google’s service. An individual within that third-party firm decided to diagnose the issue, and was able to enact a solution for a problem that affected 3–5% of the Internet’s total user population. That solution involved a US-based computer engineer leveraging a social connection with another individual located across the world. All this happened without the involvement of Google, the company whose system was most affected by the routing error. According to the blog post, the problem was first observed around 6:24 PST in California and the solution was enacted in Indonesia at 6:50 PST [30].

This case illustrates the enabling effect of minor seams. The leveraging of a social connection between two engineers in separate private firms located in different countries remediated an issue that affected a large portion of the Internet’s user community. This occurred even though major seams existed between the parties affected and involved. In fact, Google, the company most affected by the error, was not involved in the diagnosis and remediation of the problem. If Google had been involved, it would necessarily have had to contact Moratel but might not have benefited from the social connection, and thus the minor tie, that these two engineers had. In fact, one can assume that Google’s internal process might have led to a slower response due to an entrenched bureaucracy characterized by many seams.
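The mechanism behind both incidents above (a downstream network announcing a prefix that is not actually behind it, and its transit provider accepting and re-broadcasting the route) can be reproduced in a small model of BGP propagation, shown here as an added example that is not code from the article or from the quoted CloudFlare post. AS 23947 (Moratel) is taken from the article; every other AS number, the prefix 192.0.2.0/24 and the peering topology are constructed, and the mitigation modelled is RPKI origin validation, in which networks drop announcements whose origin AS contradicts a published Route Origin Authorization.

```python
from collections import deque
from ipaddress import ip_network

# Constructed ASNs; only 23947 (Moratel) comes from the article.
MORATEL = 23947
OWNER, OWNER_TRANSIT, TIER1, MORATEL_TRANSIT, FAR_ISP = 64512, 64513, 64514, 64515, 64516
PREFIX = "192.0.2.0/24"  # documentation range, stands in for the hijacked network

# Constructed peering links (undirected). The legitimate owner is four AS hops from
# the far-side ISP, while Moratel is that ISP's direct neighbour: the shape that
# lets a bogus but shorter announcement win on AS_PATH length.
LINKS = [
    (OWNER, OWNER_TRANSIT), (OWNER_TRANSIT, TIER1), (TIER1, MORATEL_TRANSIT),
    (MORATEL_TRANSIT, MORATEL), (MORATEL_TRANSIT, FAR_ISP), (MORATEL, FAR_ISP),
]

# Route Origin Authorizations as RPKI would publish them: prefix -> (origin AS, maxLength).
ROAS = {PREFIX: (OWNER, 24)}


def roa_state(prefix, origin, roas):
    """RPKI origin validation outcome: Valid, Invalid, or NotFound (no covering ROA)."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, (roa_origin, max_len) in roas.items():
        if net.subnet_of(ip_network(roa_prefix)):
            covered = True
            if origin == roa_origin and net.prefixlen <= max_len:
                return "Valid"
    return "Invalid" if covered else "NotFound"


class AS:
    """One autonomous system: neighbours, a best route per prefix, optional origin validation."""

    def __init__(self, asn, roas=None):
        self.asn = asn
        self.roas = roas          # None means this network performs no origin validation
        self.neighbors = []
        self.rib = {}             # prefix -> AS_PATH tuple as received (origin AS last)

    def accept(self, prefix, as_path):
        """Loop check, origin validation, shortest-AS_PATH selection. True if adopted."""
        if self.asn in as_path:                       # AS_PATH loop: drop
            return False
        if self.roas is not None and roa_state(prefix, as_path[-1], self.roas) == "Invalid":
            return False                              # RPKI-invalid: drop
        current = self.rib.get(prefix)
        if current is not None and len(current) <= len(as_path):
            return False                              # not shorter: keep incumbent
        self.rib[prefix] = as_path
        return True


def build_topology(validating_asns=()):
    ases = {}
    for a, b in LINKS:
        for asn in (a, b):
            ases.setdefault(asn, AS(asn, ROAS if asn in validating_asns else None))
        ases[a].neighbors.append(ases[b])
        ases[b].neighbors.append(ases[a])
    return ases


def announce(ases, origin_asn, prefix):
    """Originate a prefix from origin_asn and flood updates until no RIB changes."""
    ases[origin_asn].rib[prefix] = (origin_asn,)
    queue = deque([(ases[origin_asn], (origin_asn,))])
    while queue:
        sender, path = queue.popleft()
        for nbr in sender.neighbors:
            if nbr.accept(prefix, path):
                queue.append((nbr, (nbr.asn,) + path))   # prepend own ASN when re-announcing


def simulate(validating_asns=()):
    """Return {ASN: origin AS it routes PREFIX toward} after Moratel's bogus announcement."""
    ases = build_topology(validating_asns)
    announce(ases, OWNER, PREFIX)      # legitimate announcement settles first
    announce(ases, MORATEL, PREFIX)    # then Moratel announces a network not behind it
    return {asn: ases[asn].rib[PREFIX][-1] for asn in ases}


if __name__ == "__main__":
    print("no validation:", simulate())
    print("RPKI at Moratel's neighbours:", simulate((MORATEL_TRANSIT, FAR_ISP)))
```

Without validation the transit provider and the far-side ISP both switch to Moratel's route, mirroring Bharti Airtel accepting Hathaway's error; with origin validation at those two networks the bogus route is dropped at the first hop and only Moratel itself is affected.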

Russian political hacking

Russian hacking of the Democratic National Committee (DNC) and efforts to influence the 2016 US presidential elections serves as another example of how information flows between disparate organizations and actors in the cyber domain. This example highlights how major seams can constrain coordination and impede effective responses to cyber intrusions. While there is a lack of consensus regarding the extent to which the Russian intrusion impacted the outcome of the election, many observations pertinent to this research are evident in this case.

In July 2015, Russian intelligence services agents gained access to political entities in the US associated with the 2016 elections [31]. This first penetration was perpetrated by a group known as COZY BEAR, or APT 29, a Russian state-sponsored group with a history of cyber campaigns against US-based organizations [32]. This initial attack utilized a broad spear phishing campaign, in which malicious emails are sent to users at specific domains in the hopes of accessing the system through malware installed via users clicking links or attachments, and targeted multiple US Government agencies [33]. This first attack resulted in successful penetrations of the unclassified networks of the White House, State Department, and US Joint Chiefs of Staff, as well as other non-governmental organizations. APT 29 gained access to the servers of the DNC in July 2015 and was able to extract a wide range of data, including email and voicemail transcripts. This extraction of data went largely unnoticed by the organization.

In spring 2016, a second Russian group known as FANCY BEAR or APT 28 launched an independent attack on the DNC servers, again utilizing a targeted spear phishing campaign. According to reports, APT 28 and APT 29 work independently of each other, utilizing distinct tactics and methods [34]. Rather than a wide-ranging search for information, it appeared at this point that the group gained entry to obtain specific information. Some accounts indicate that the FBI had informed the DNC to check their systems, but did not provide specific guidance [34].

These intrusions went unnoticed until June 2016 when a cybersecurity company, CrowdStrike, was engaged by the DNC to research abnormalities detected in the network and investigate the breach. CrowdStrike utilized network forensics techniques to examine the tradecraft and methods utilized, and to assess the extent of the data breach. The security company released a detailed report on the breach in June, following a report by the Washington Post that the DNC had been hacked [34]. This report explicitly outlines the groups involved and the specific code and tactics used, and stated that the groups are “closely linked to the Russian government’s … intelligence services” [32].

A portion of the hacked emails were first published by DCLeaks.com in October 2016, and WikiLeaks subsequently released a series of emails obtained from the DNC servers [35]. The first official statement and formal attribution of the attack came in October in a report released by DHS and the Office of the Director of National Intelligence (DNI) which concluded that Russia was involved in hacking the DNC and intended to interfere with the US election process. “The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process” [36].

Despite the release of the DHS/DNI report, there was a lack of consensus regarding the source and motivations for the attacks. The FBI provided a vague assessment of the incidents in both closed testimony before the House Intelligence Committee and statements made the week before by the Central Intelligence Agency about the motivations and actors behind the DNC hack [37]. The FBI did not release an official statement on their position until December [38]. Even after the release of emails by WikiLeaks, the Obama administration was uncertain about the nature of the attacks and, more problematically, about how to respond. During the second presidential debate, then candidate Trump questioned the veracity of the claim that Russia was responsible for hacking the DNC. He continued to call for evidence that Russia was responsible for the hacking incidents. In mid-December 2016, President Trump’s chief of staff, Reince Priebus, said that his office would accept that Russia played a part in the hacking if the FBI and CIA agreed on the hack and released a report.

On 29 December 2016, DHS and FBI released a joint analysis describing in detail the technical specifics utilized by the two groups implicated in the hack [35]. This technical report built upon the determination of the joint DHS/DNI report released in October 2016 and provided a more certain attribution of the hack to a coordinated attack by the Russian intelligence services. A report released by the intelligence community in January 2017 attributed responsibility to the Russian government and determined that Russia intended to influence the outcome of the US presidential elections and undermine Hillary Clinton’s campaign. The report concluded that, “The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC” [39]. This report offered:

… confidence that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election, the consistent goals of which were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. When it appeared to Moscow that Secretary Clinton was likely to win the election, the Russian influence campaign then focused on undermining her expected presidency [39].

President Trump then acknowledged the assessment of US intelligence agencies, and a White House press statement released on 6 January 2017 referenced Russian involvement in the hack, while stating that the incident had no impact on the outcome of the election [40]. This agreement between entities regarding attribution (let alone impact) came significantly after the initial detection of the breach. This delayed response can be seen as due, in part, to the presence of multiple and competing major seams within the cyber response infrastructure.

This lack of interagency and public/private agreement in the initial phase of the hack’s discovery was a function of seams between the many disparate actors involved. Unlike the first two cases, in which minor seams enabled and facilitated ad hoc coordination across the involved parties, this case serves as an example of how major seams can pose problems for coordination. Major seams between public and private entities, between government agencies, and across international boundaries undermined coordination, which in this case can be understood as agreement on attribution, motivation, and impact. The divergent cultures and missions of the actors involved (law enforcement mission versus intelligence mission versus political mission, etc.) create seams across which it is difficult to reach an agreement about the problem and, ultimately, the best way to respond.

In addition to the difficulty in reaching a consensus regarding attribution and motivation for the hack, the presence of major organizational seams undermined an effective response to the incident itself. From the time that President Obama learned about the hack, the administration deliberated over different response alternatives. The delayed response was due in part to lack of coordination, in other words, difficulty in reaching consensus regarding the incident. Further, the Obama administration did not want to be perceived as interfering in the presidential campaign. President Obama was worried, as reported in the Washington Post, that a response could “make things worse and provoke an escalation from Moscow” [41]. Ultimately, the administration approved a plan that included the expulsion of thirty-five Russian diplomats, the closure of the Russian compound, and sanctions on two Russian intelligence services [41]. The expulsions and compound seizures, however, can also be seen as retaliation for Russian harassment of US diplomats and intelligence operatives. Seams within and between US government agencies, the public and private domain, and between the US and Russia constrained the speed with which coordination occurred and the nature of the response itself.

This example of Russian political cyber intrusions highlights both minor and major seams. This is evidenced by coordination issues across the public–private divide, within the public sector, between the international and domestic levels, and within the perpetrating groups. The public–private seam is visible in the differing levels of attribution certainty reported by the cybersecurity company and by the responding government agencies. Additionally, the seam between the DNC and the FBI in terms of notification and investigation illustrates an information gap, as the public entity may have had knowledge about the incursion prior to the entity impacted by the attack. Within the public sector, the seams between the responding agencies further illustrate coordination issues, in that different coordinating arrangements (between the intelligence community and DHS, or DHS and FBI), cultures, and missions complicated coordinating and responding to the attacks. Finally, a seam is also evident in how the attack was conducted by the Russian intelligence services, with distinct operations conducted by two entities with likely little coordination, which ultimately resulted in the detection of the unauthorized access. These seams vary in their severity and are largely based on organizational structure, bureaucratic politics, and culture.

Sony Pictures Entertainment hack

In 2014, Sony Pictures Entertainment (SPE) experienced a breach of their information network. SPE employees saw a message on their screens reading:

“We’ve already warned, and this is just a beginning. We will continue until our request be met. We’ve obtained all your internal data, including your secrets and top secrets. If you don’t obey us we will release data …” [42].

This breach was widely believed to have been carried out by the Democratic People’s Republic of Korea (DPRK), or North Korea, as a protest against the release of a Sony-produced comedy which lampooned Kim Jong Un. The FBI later released a statement that it had enough information to definitively attribute the hack to North Korea. A clear timeline of the events leading up to the hack and the subsequent US response is not available. However, according to Admiral Michael S. Rogers, head of the National Security Agency: “The argument I made was the whole world is watching how we as a nation respond … . And if we don’t acknowledge this, if we don’t name names here, it will only—I’m concerned—encourage others to decide: ‘Well, this must not be a red line for the United States. This must be something they’re comfortable [with] and willing to accept’” [42].

This example and the US response highlight the importance of responding to cyber attacks and how organizational seams can complicate response coordination. Within this case there are major seams between SPE, the US Government, and perhaps the Japanese Government [43]. There were also minor seams—in this case, intra-governmental seams, intra-organizational seams within SPE, and seams between SPE, the companies it does business with, and those employed to investigate and mitigate the hack’s effects. This case demonstrates the constraining effect of major seams and the enabling effect of minor seams. The incident shows the competing incentives at work between the various constituencies involved in threat recognition, remediation, and the subsequent phases of response.

SPE was naturally disinclined to be transparent regarding the incident, as evidenced by an initial attempt to limit reporting based on the leaked documents and emails. Several major news outlets received letters from SPE attorneys which stated, “We are writing to ensure that you are aware that SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use of the stolen information” [44]. While it may seem that this particular response pertained only to the leaked information, and not to the national response and the “naming of names” described by Admiral Rogers above, the two issues are in fact linked. The idea of “red lines” necessitates a degree of transparency between decision makers representing States. The business community tends to favor secrecy in order to protect profits in the face of data breaches, which creates a seam between a State’s ability to manage signaling and a private actor’s desire to limit information. Pointedly, an adversary can target this major seam and exploit these differing incentives to create further reputational damage, in this case both to SPE and to the US Government.

Beyond the obvious major seam between a private actor that falls victim to a state-sponsored cyber attack and the US Government, there lies a myriad of other public/private divides highlighted by the SPE incident. For example, an examination of the United States Computer Emergency Readiness Team (US-CERT) advisories related to the DPRK-origin malware is informative. At the highest level, and perhaps superficially, US-CERT identifies the DPRK entities responsible for the SPE operation differently than industry does. The US Government, namely DHS and the FBI, uses HIDDEN COBRA to refer to the malicious cyber activity of the North Korean government responsible for the identified malware. The same advisory notes, however, that, “Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace” [44]. The advisories regarding HIDDEN COBRA provide technical details of the malware as a service to help spread information and mitigate the threat. However, US Government dissemination of such technical information lags significantly behind private industry’s public dissemination of the same material. The hyperlinks provided as unofficial background at the bottom of one of the four US-CERT HIDDEN COBRA advisories led to private industry reporting of Lazarus Group activities stretching back to 2014, and also reference malware that connects Lazarus to roughly a decade of activity. This highlights the non-trivial role private industry plays in the recognition and remediation of national-scale cyber threats. Independent of government involvement, private actors often operate in a quasi-enforcement role, which is discussed next [45].

The US-CERT technical advisories reference Operation Blockbuster, described by the lead private industry firm as disrupting the malicious actor responsible for the November 2014 “wiper” attack against SPE. A website set up to distribute a report on the operation describes it as such:

“Operation Blockbuster was spearheaded by Novetta’s Threat Research and Interdiction Group (TRIG), working in close partnership with a group of trusted experts from cybersecurity, antivirus and malware protection, intelligence and research firms. The cross-industry partnership and the scope of the operation’s reach signify a new security role and posture for private industry. The Lazarus Group activity shows the cyber landscape has evolved. The Novetta-led team demonstrates industry can be a highly agile, capable and effective force in tracking and interdicting global cyber crime” [45].

The release of private reports such as the one detailing Operation Blockbuster helps shape the larger public debates surrounding response and responsibility for incidents such as the hacking of SPE. They also provide insight into seams important to the analysis of such incidents. Beyond the public/private seam identified throughout several of the cases above, there exist important seams within the private cybersecurity patchwork. The authors of Novetta’s report write regarding their efforts that, “Novetta believes that these efforts can help cause significant disruption and raise operating costs for adversaries … ” and go on to say, “It is our hope private industry will not only continue to illuminate various threat actors’ toolsets and operations, but also work with other industry partners and law enforcement agencies as able to affect positive change on the safe of network environments worldwide” [45]. The invocation of language which echoes traditional concepts of international deterrence and dissuasion (i.e. “raise the costs”) within the context of private-actor investigation and mitigation of state-sponsored malware raises important questions of command, control, and communication not only across public/private seams, but also between private entities. The authors of the Novetta report appropriately caveat their work as being valid only within the scope represented by the malware samples they collected from public sources and private partners, but they also argue forcefully that their attribution to North Korea as the perpetrator is correct. Their motivation to analyze the SPE case is conveyed as an attempt to bring clarity to the situation [45]. That US-CERT both references the work explicitly within its own technical advisories and provides a link to the report on its website is testament to the level of legitimacy afforded to certain private actors within the response patchwork. It should be noted that when clicking on the link from US-CERT’s website, one is presented with a disclaimer that the links are provided for information purposes and not as an official endorsement by the US Government. Does that legitimacy translate into power, and with that power, how do private actors shape and structure subsequent threat recognition and remediation activities across seams within the cybersecurity patchwork? Answering that question is an important task for future work.

The SPE case highlights two important seams while exposing numerous others. First, the case shows a major seam between the private actor, SPE, and the US Government, exposing differing incentives regarding transparency and how transparency may affect response. In short, these major seams constrained a coordinated response between the involved actors. Second, it highlights important minor seams between private industry partners that enabled initiatives such as Operation Blockbuster, in which private industry plays a vital role in providing public information while “raising the costs” of action for the adversary, in this case the DPRK. While a response was enabled across these private (minor) seams, in the process the calculus of response may have become even further muddied across the major public/private seam identified earlier.

Conclusion

This article has focused primarily on the identification of an understudied component of cyber conflict—organizational seams between dispersed entities in the cyber response infrastructure. Seams can be characterized as major, which impair coordination, or minor, which may also impair coordination but can in some cases enable response to cyber intrusions. Fundamentally, organizational seams crossing government/government and government/non-governmental entities present a coordination issue which hampers the ability of defenders to detect, deter, respond to, and prevent cyber attacks. Moreover, the response capability of an organization can have a perverse impact on the dynamics of escalation.

The four cases presented in this article offer examples of how organizational seams can impact coordination across the cybersecurity patchwork, in some cases enabling coordination and remediation, and in others constraining or impeding effective coordination. The first example, the Mariposa botnet, displayed a clear example of a major seam, consisting of a cultural gulf between a private security company and the RCMP. In the Mariposa case, the RCMP’s aversion to transparency represented a coordinative impediment, which helps explain the alternative choices that consequently shaped the Mariposa Working Group. However, the seams between industry partners were minor, enabling coordination across the involved entities and resulting in an ad hoc but effective remediation strategy. The second case, on BGP routing errors, provides another example of how minor seams enabled coordination. The example of a third party (CloudFlare) recognizing and addressing an issue that affected Google by leveraging a social connection in Indonesia is informative. The fact that CloudFlare chose to act indicates a normative behavior toward third-party assistance, not unlike the concept of a SOP discussed within the NATO example above. The fact that there was no communication between the main entity involved in the remediation process and the entity most affected by the outage shows the existence of a minor seam across which remediation was possible, even without direct communication. The minor seam between CloudFlare and Moratel enabled coordination, resulting in a swift and effective solution.

The final two examples demonstrate how major seams between organizations can impede coordination among stakeholders, complicating response. In the case of the Russian political hack, not only were actors unable to coordinate on attribution, but the response was also slow and indirect, with competing interests and motivations obscuring a coordinated response. The SPE hack provides a more nuanced case, in which major seams constrained a response even though coordination did occur across minor seams. The case may represent an example of how the interaction of major and minor seams can muddle State-level signaling and response. Each of the examples is meant to make the reader aware of the multiplicity of connections that exist between and among the separate constituencies involved in the domain of cybersecurity. A large-scale threat that creates even more confusion and necessitates mobilization across the cybersecurity resource base, involving both government and private resources, will be equally if not more complicated.

The examples did not present the potential for inadvertent escalation, though one can think of many situations in which seams can create complications, increasing the potential for conflict escalation. The relationship between organizational seams, coordination failures, and escalation will be explored in a subsequent paper.

They do, however, point to a system in which agency is distributed. This may lead to catastrophic issues of coordination during a large-scale cyber-mediated attack. Analysts and practitioners have not, as of yet, identified the threshold at which US national interests would be at risk due to a cybersecurity event. However, the wide array of stakeholders would certainly create uncertainties that could make a coordinated response to escalatory acts in the cyber domain more difficult. The system is already complex, and a complex system under stress is more likely to fail at as-yet-unidentified, but important, junctions.

Today, work is underway to alleviate some of these organizational inefficiencies within the US, including the 2016 Presidential Policy Directive on US Cyber Incident Coordination which is meant to help standardize and better coordinate response. While initiatives within the government and between public and private entities, such as the DHS’s efforts to engage with private sector actors, are useful for developing relationships and procedures to bridge these seams, more effort is needed to address the coordination problems present in the cybersecurity patchwork.

This article has been an attempt to adapt an organization theory framework for identifying and understanding coordination issues to help characterize the cyber response domain. The current array of mechanisms and actors has given rise to a cybersecurity coordination problem that can impact how states interpret, collaborate, and respond in situations where conflict escalation is a risk. The article demonstrated how various factors, including organizational structures, culture, organizational mission, and so forth, can create canyons that compartmentalize and impede information flow. The severity of these gaps will determine the extent to which suboptimal and inefficient coordination persists, and will highlight areas in which coordination has the potential to cause signaling issues and misinterpretation during conflict. The presence of certain types of minor seams, however, may offer an opportunity to leverage distributed technical, political, and social competencies for the purposes of threat mitigation and remediation. Constructing a typology to highlight functional differences across a spectrum of seams is a direction for future research. Four cases were presented in which actors within different domains demonstrate the multiplicity of seams within the cyber domain. Leveraging this framework, future research is needed to further examine and understand situations of elevated tension between states arising from intentional and unintended escalation through the use of various tools in the cyber domain.

Acknowledgements

For research and assistance we are grateful to Wes Stayton. For helpful comments and suggestions we would like to thank Anjali Bohlken, Mariel Borowitz, Scott Brown, Brandon Valeriano, and Rachel Whitlark. This research was supported by the Carnegie Corporation of New York. We would also like to thank, posthumously, John P. Crecine, the ninth president of Georgia Tech, whose ideas contributed to this paper.

Footnotes

1. We use cybersecurity as a catch-all phrase for the policies and security protocols guiding network security, as well as the various actors charged with the protection of systems.

2. This framework for thinking about the implication of organizational seams emerged from a series of projects conducted in the late 1980s for the Office of the Secretary of Defense/Director of Net Assessment (OSD/Net Assessment). The projects were to develop an organizational perspective for evaluating competing militaries.

3. We further explain this concept of coordination problem at the end of the following section.

4. The last phase is defined as the period of 1985 through 1990.

5. Also known as a “Black Forest Cake” consisting of layers of chocolate, cream, and fruit.

6. The Table of Organization and Equipment is an organizational document that details the structure (staffing, units, etc.), equipment, mission and capabilities of a unit.

7. For a discussion on how process tracing has been used as a complement to a comparative case study method see George and Bennett (2005).

8. This analysis of BGP routing is drawn from Chaudhary.

References

1. Crecine J, Salomone MD. AFCENT Command and Control Assessment Vol. I: Coordination Across Organizational Seams. Joint Management Services, LLC, 1991.

2. Gulati R, Puranam P, Tushman M. Meta-organization design: rethinking design in interorganizational and community contexts. Strateg Manage J 2012;33:571–86.

3. Mueller M, Schmidt A, Kuerbis B. Internet security and networked governance in international relations. Int Stud Rev 2013;15:86–104.

4. Slaughter AM. The real new world order. Foreign Aff 1997;76:183–197.

5. Keohane RO, Martin LL. The promise of institutionalist theory. Int Security 1995;20:39–51.

6. Mearsheimer JJ. The false promise of international institutions. Int Security 1994;19:5–49.

7. Morse J, Keohane R. Contested multilateralism. Rev Int Organ 2014;9:385.

8. Choucri N, Madnick S, Ferwerda J. Institutions for cyber security: international responses and global imperatives. Inform Technol Dev 2014;20:96–121.

9. Malone T. What is coordination theory? National Science Foundation Coordination Theory Workshop, 1988.

10. Malone TW, Crowston K. The interdisciplinary study of coordination. ACM Comput Surv 1994;26:87–119.

11. Krasner S. Global communications and national power: life on the pareto frontier. World Polit 1991;43:336–66.

12. Snidal D. Coordination versus prisoners' dilemma: implications for international cooperation and regimes. Am Polit Sci Rev 1985;79:923–942.

13. Morrow J. Game Theory for Political Scientists. Princeton, NJ: Princeton University Press, 1994.

14. Eckstein H. Case Studies and Theory in Political Science. In Greenstein F, Polsby N (eds), Handbook of Political Science, vol. 7. Reading, MA: Addison-Wesley, 1975, 79–138.

15. Cyert R, March J. A Behavioral Theory of the Firm. Hoboken: Wiley-Blackwell, 1963.

16. March J, Simon H. Organizations. Hoboken: John Wiley, 1958.

17. Simon H. Administrative Behavior, the Sciences of the Artificial, 2nd edn. Cambridge: The MIT Press, 1981.

18. Norman D. Memory and Attention, 2nd edn. Hoboken: John Wiley, 1976.

19. Kahneman D, Slovic P, Tversky A. Judgement under Uncertainty: Heuristics and Biases. Cambridge: Cambridge University Press, 1982.

20. Tversky A, Kahneman D. The framing of decisions and the psychology of choice. Science 1981;211:453–58.

21. Chase W, Simon H. Perception in chess. Cognitive Psychol 1973;4:55–81.

22. Chaudhary T. Coordinating across chaos: The practice of transnational internet security collaboration. PhD Thesis. Georgia Institute of Technology, forthcoming.

23. Healy J. A Fierce Domain: Conflict in Cyberspace, 1986-2012. Arlington: Cyber Conflict Studies Association, 2013.

24. Raymond M. Managing decentralized cyber governance: the responsibility to troubleshoot. Strategic Studies Quarterly 2016;10:4 (Winter):124.

25. Mill JS. A System of Logic: Ratiocinative and Inductive. London: Longmans, Green, 1886.

26. George AL, Bennett A. Case Studies and Theory Development in the Social Sciences. Cambridge: MIT Press, 2005.

27. Sully M, Thompson M. The deconstruction of the mariposa botnet. Defense Intelligence 2010; http://defintel.com/docs/Mariposa_White_Paper.pdf (25 September 2018, date last accessed).

28. Kirk J. Google services disrupted by routing error. IDG News Service (13 March 2015); http://www.csoonline.com/article/2896395/network-security/google-services-disrupted-by-routing-error.html (25 September 2018, date last accessed).

29. US Federal Bureau of Investigation. Slovenian and Spanish Police Arrest Mariposa Botnet Creator, Operators. FBI National Press Office (28 July 2010) https://archives.fbi.gov/archives/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-mariposa-botnet-creator-operators (25 September 2018, date last accessed).

30. Paseka T. Why Google went offline today and a bit about how the internet works. CloudFlare (6 November 2012); https://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about/ (25 September 2018, date last accessed).

31. Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution, Intelligence Community Assessment, 2.

32. Alperovitch D. Bears in the midst: Intrusion into the democratic national committee. Crowdstrike Blog: From the Front Lines, June 2016. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ (25 September 2018, date last accessed).

33. US Department of Homeland Security and Federal Bureau of Investigation. GRIZZLY STEPPE – Russian Malicious Cyber Activity. Joint Analysis Report, 29 December 2016. https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf (25 September 2018, date last accessed).

34. Nance M. The Plot to Hack America: How Putin’s Cyberspies and WikiLeaks Tried to Steal the 2016 Election. New York: Skyhorse Publishing, Kindle Edition, 2016.

35. GRIZZLY STEPPE – Russian Malicious Cyber Activity. NCCIC and FBI (29 December 2016). https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf (25 September 2018, date last accessed).

36. DHS Press Office. Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security (7 October 2016). https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national (25 September 2018, date last accessed).

37. Nakashima EA. FBI and CIA give differing accounts to lawmakers on Russia’s motives in 2016 hacks. The Washington Post (10 December 2016) https://www.washingtonpost.com/world/national-security/fbi-and-cia-give-differing-accounts-to-lawmakers-on-russias-motives-in-2016-hacks/2016/12/10/c6dfadfa-bef0-11e6-94ac-3d324840106c_story.html?utm_term=.5fa47a45e867 (25 September 2018, date last accessed).

38. Joint DHS, ODNI, FBI statement on Russian malicious activities (29 December 2016) https://www.fbi.gov/news/pressrel/press-releases/joint-dhs-odni-fbi-statement-on-russian-malicious-cyber-activity (25 September 2018, date last accessed).

39. Office of the Director of National Intelligence. Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution (6 January 2017) https://www.dni.gov/files/documents/ICA_2017_01.pdf (25 September 2018, date last accessed).

40. Statement by President-Elect Donald J. Trump (6 January 2017) https://us14.campaign-archive.com/?u=3a2a46a0ef67412eaa5d55987&id=f125f27a36&e=92ef999fb6 (25 September 2018, date last accessed).

41. Sanger D. Obama strikes back at Russia for election hacking. The New York Times (29 December 2016) https://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html (25 September 2018, date last accessed).

42. Nakashima E. Why the Sony hack drew an unprecedented U.S. response against North Korea. The Washington Post (15 January 2015) https://www.washingtonpost.com/world/national-security/why-the-sony-hack-drew-an-unprecedented-us-response-against-north-korea/2015/01/14/679185d4-9a63-11e4-96cc-e858eba91ced_story.html?utm_term=.6e3f62095389 (25 September 2018, date last accessed).

43. Feeney N. Sony Asks Media to Stop Covering Hacked Emails. Time Magazine (15 December 2014) http://time.com/3633385/sony-hack-emails-media/ (25 September 2018, date last accessed).

44. HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. US Computer Emergency Readiness Team (23 August 2016) https://www.us-cert.gov/ncas/alerts/TA17-164A (25 September 2018, date last accessed).

45. Operation Blockbuster: Unravelling the Long Thread of the Sony Attack. Novetta. https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf (25 September 2018, date last accessed).

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)