the united states naval war college … to freedonia, a neighboring country, ... the government bore...
TRANSCRIPT
THE UNITED STATES NAVAL WAR COLLEGE
National Security Affairs Department
Theater Security Decision Making Course
THE 'AZANIA' POLICY COORDINATING COMMITTEE SIMULATION: THE SCENARIO
Excerpts from:
"Detect, Disrupt, Deter: A Whole of Government Approach to National Security Cyber Threats"
by John P. Carlin
Reprinted with permission from Harvard National Security Journal, Issue 7, 2016, pp. 392-436. Copyright © 2016 Harvard University Law School.
TSDM
Policy 10-1
A variety of educational institutions—from the Foreign Service Institute which educates our nation’s
diplomats to Harvard University—use simulations to reinforce lessons learned in the classroom. The
tradition of using fictional countries in these exercises is to allow for a focus on the process and the
dynamics of real-time interaction, rather than testing knowledge about specific places and governments.
“Azania” is a fictional country, but the simulation laid out here is based on a number of real-world
incidents and has been based on conversations with actual participants in such interagency meetings.
THE SETTING:
Azania is one of the largest countries in the AOR of the combatant command. It is considered to be a
rising regional power with a growing level of development, and is considered to be ranked among the
world’s middle powers.
It is an authoritarian country, ruled by the Azanian National Front (ANF). The ANF does allow for token
opposition parties to exist and to have a few seats in the legislature, and allows for a limited set of
political and civil rights, while claiming its mandate is to pursue economic growth and development. The
ANF took power in a coup 40 years ago, displacing the previous governing body, the Azanian
Constitutionalists. The ANF faces opposition both from the Azanian Movement for Democracy, which
claims to be a peaceful opposition group pressing for more democracy, and from an insurgency in the
southern parts of the country, the Azanian Liberation Front (ALF).
Azania is not a major trading partner of the United States and there are few U.S. companies invested in
the country, even though it is a lucrative market. The Azanian government, however, does pursue close
security cooperation with the United States. The United States has a major airbase in Azania which is
critical for the U.S. to be able to project power and supply forces engaged in operations elsewhere in the
AOR. Azania also has port agreements allowing U.S. ships to dock and be resupplied.
The airbase is an important facility and one that cannot be easily replaced, although, if several of the
surrounding countries agree, it might be possible to mitigate the loss of the Azanian facilities. The port
facilities are useful because the nearest comparable facilities that would be open and accessible to the
U.S. Navy are some 300 miles away.
The Azanian National Intelligence Service (NIS) is a close partner helping the U.S. to gain intelligence on
and infiltrate violent extremist organizations in the AOR which pose a threat both to Azanian and
American interests. The NIS has been able to carry out operations neutralizing key figures in VEOs that
would not have been permissible under U.S. law for American agencies to undertake. Azania is also in
talks to host U.S. listening facilities on its territory.
Because of its geographic location, Azania is an important transit point for the narcotics trade with the
United States being one of the important final destinations. In the past, Azania tended to overlook the
trade as long as traffickers did not sell their products on their territory, and traffickers were able to bribe
Azanian officials, border guards and police to ignore their operations. Under U.S. pressure, Azania has
begun to take stronger measures to interdict the drug trade across its territory.
Azania is an important regional center for finance. Its banks handle funds from around the world and its
stock market is an important secondary listing location for many companies, in particular for firms that
may not meet U.S. or British requirements for the New York and London exchanges. In recent years, the
U.S. Department of the Treasury has been able to work with Azania to ensure that financial sanctions
that prevent terrorist groups from moving money as well as the sanctions imposed on North Korea
would be followed in Azania. Azania also has cracked down on money-laundering by the drug cartels.
Azania has a large and well-educated workforce, particularly in STEM fields, but the economy has not
grown to keep pace with the size of that labor force. Some Azanians have drifted, therefore, into various
hacking collectives as a way to stay employed. The government in the past has turned a blind eye to
these activities and in some cases the Azanian security services have even turned to them for assistance.
The largest of these hacking collectives, the “Snow Leopard Brotherhood,” was responsible for a major
hack that stole hundreds of millions of dollars from seven U.S. banks in addition to obtaining credit card
information on hundreds of thousands of U.S. citizens. The Snow Leopard Brotherhood was also alleged
to be behind an attempted hack of U.S. government personnel databases in order to sell that
information on the “dark web”, as well as the intercept (and leak) of sensitive e-mails sent by the U.S.
ambassador to Freedonia, a neighboring country, in which very frank and unflattering comments about
the host government were made and which complicated U.S. diplomacy in the area, and led to the
ambassador’s departure. Two years ago, after strong pressure from the U.S. ambassador, the Azanian
government pledged to crack down on the hackers.
There is a large Azanian diaspora in the United States, made up both of supporters of the former regime,
the Constitutionalists, who fled when the ANF took power, and people who have left the southern
regions of the country because of the fighting. The Azanian-American community tends to be very
opposed to the current ANF government. The Azanian-American community has tended to cluster
together in a number of states, including key battleground states like Pennsylvania and Ohio, where
they are seen as a swing vote. There is an Azanian caucus in Congress with 25 members. Several wealthy
business figures have endowed Azanian study programs at think tanks in Washington. The current
National Security Advisor, prior to entering the administration, held an endowed chair at a DC think tank
that was funded by an Azanian-American philanthropist.
THE IMMEDIATE SCENARIO
Five days ago, a pro-democracy demonstration in the principal city of the south led by the Movement
for Democracy clashed with police; ALF insurgents then used the opportunity to launch strikes on
security forces. In retaliation, the Azanian military launched a full-scale set of reprisals to retake control
of the city, but used artillery and airpower in civilian areas. Footage of the devastation and of the
thousands of civilian casualties has appeared on social media and has been rebroadcast by the news
networks. The President was asked at the end of a speech at the Carnegie Council on Ethics and
International Affairs in New York what he thought the U.S. reaction would be. In off-the-cuff remarks,
not cleared by the interagency process, the President condemned the violence, seemed to indicate that
the government bore responsibility for the carnage, and then called for an “impartial” investigation. He
stopped short of suggested any U.S. sanctions would be applied.
Two days later, there was a cyber intrusion into the systems of the lobbying and governmental affairs
firm which has Jack Mayor, the President’s former chief of staff, as its principal. Six months ago, Mayor
took the account for the Azanian Movement for Democracy, to help bolster its reach in Washington.
That hack uncovered e-mails that were leaked to the Washington Post and published the next day. They
detail conversations where Mayor discusses how he will use his close personal relationship with the
President to push change; advises the Azanian Movement for Democracy to tap down any links with
anti-government forces; speculates about likely defectors from within the government and considers
the line-up of a potential new government.
Members of Congress are now questioning whether the U.S. government is engaged in regime change in
Azania or has a “pay to play” foreign policy. The Azanian government takes this as proof that there is an
organized effort to overthrow it and has announced that it will carefully reconsider the relationship with
the United States. Meanwhile, the first report from an FBI investigation says that there are “indications”
that the hack bears the signature moves of the Snow Leopard Brotherhood.
The PCC has been assembled to assess the situation and the impact of different options. In particular,
the most pressing task which must be resolved by the end of the meeting is to lay out how the President
plans to respond to these latest developments and what statement, if any, will be issued by the White
House.
KEY BACKGROUND DETAILS
U.S. policy must be crafted in broad conformity to the outlines presented in the National Security
Strategy (and not openly contradictory of its provisions). [See document #1] Whatever solutions you
propose must also be in accordance with the provisions of the so-called “Leahy amendment” which
governs U.S. security assistance when there are questions raised of human rights abuses. [See document
#2]. Details on cyber approaches are contained in the excerpts from the John Carlin article. [See
document #3] The U.S.-Singapore security cooperation agreement is presented [document #4] as a
template for what a similar hypothetical agreement with Azania might look like.
The President is in the 3rd year of his first term and plans to run for re-election.
A key plank in his initial election campaign was “Standing True to American Values” and he was
critical of his opponent’s willingness to make “deals with dictators.”
Leading members of the Azanian-American community were donors to the President’s campaign
but have expressed dissatisfaction with the President’s policies; there is talk of throwing support
to a potential challenger in the primaries next year.
Six months ago, the President and the Secretary of Commerce pledged to double U.S.
investment in Azania when the Azanian president visited the United States and to encourage
U.S. firms to explore opportunities in Azania. In two weeks, CEOs of a number of major U.S.
companies plan to attend the Azanian Economic Forum.
The Undersecretary of State for Democracy and Human Affairs is an American of Azanian origin
(second generation) and retains a personal interest in what transpires in that country.
The U.S. is engaged in sustained military action in a country that borders Azania and is using the
facilities in Azania to support that engagement. The President has just announced that there will
be a surge in the U.S. military effort in that country.
The Azanian president was invited to take part in a summit meeting with Russia and China to
discuss forming a closer association with those countries. He has not yet accepted.
The Secretary of Defense is traveling overseas. In a press availability he was quoted as saying,
“The United States will not rush to judgment.”
An Azanian-American delegation is visiting the White House today and it was announced that
they would be meeting the Chief of Staff. Three members of Congress from the President’s
party, one of them the deputy whip in the House, are accompanying them.
The current Chief of Staff was the deputy to his predecessor, who stepped down last year. His
predecessor was the President’s college roommate and was his colleague in different political
endeavors for 30 years. The current Chief of Staff is still struggling to be seen as speaking with
the President’s voice and still relies on support from his predecessor. In this White House, the
Chief of Staff has forged a strong working relationship with the National Security Advisor and
the Vice President to manage policy.
We have the following reports from the U.S. embassy in Azania:
o The Azanian president spoke to the nation last night. He made it clear that Azania is
fighting against terrorists and stated that other countries who question Azania’s actions
are supporting the terrorists and cannot be viewed as genuine partners of Azania
o The Foreign Minister, someone educated in the United States and with good experience
of the U.S. domestic political system, told the U.S. ambassador privately that he
understands that the United States had to make some comment on the event and now
must respond to the latest incident. If reaction is minimal, he feels he can persuade the
president to overlook it, but anything deemed to be too drastic will impede
cooperation. He did not elaborate.
o The Chief of the Azanian General Staff told the defense attache that he hopes there is
no interruption because Azania benefits from the U.S. presence and the income
generated from U.S. rental payments goes directly into the defense budget of the
country. He also suggests that hackers working for the ALF are responsible as they hope
to develop a wedge between the U.S. and Azanian governments.
o A representative of the Movement for Democracy has contacted the embassy to stress
that the Movement is not anti-American and does not seek to impede U.S.-Azanian
relations. The MoD would want to continue cooperation with the United States
o A Facebook message posted by the ALF states that the ALF remains committed to
ending any U.S. presence in Azania
o A Gab account that is suspected of being the mouthpiece of the Snow Leopard
Brotherhood denies responsibility for the hack and suggests that the ALF is responsible.
o The chief of staff to the Azanian president was at a private dinner at the swank
“Restaurant Syldavia” in the capital. A British diplomat was present. He has passed along
the following: the chief of staff was loudly complaining that Azania has taken action
against drug cartels and computer hackers who were creating no problems for Azania as
favors to the United States—and wonders if this is Washington’s gratitude, why should
Azania continue?
IMPORTANT DATES
The Chinese and Russian summit where the Azanian president has been invited convenes in one
month’s time.
The Pentagon is planning to rely on the Azanian bases for ongoing operations and for a major
operation that will take place in two months’ time.
WHAT THE PCC’S TASK IS:
By the end of this meeting, the PCC must pass along to the Deputies’ Committee the following
recommendations:
1. Will a statement on the hack be made by the United States? Should any further action be
contemplated?
2. Will the United States government elaborate on the President’s earlier remarks that the U.S. is
calling for an investigation into the attacks from five days ago?
3. Will the President make the statement, or will it be another U.S. official?
4. Will the statement express concern, or raise the possibility of further action, and, if so, what?
PCCs work on consensus. An option can be forwarded even if not enthusiastically endorsed by all
participants. Silence equals consent. On the other hand, if the PCC cannot agree because there are
disputes that need to be settled between departments and agencies, the PCC will send up the
disagreements to be adjudicated by the deputies’ committee.
KEY DOCUMENTS
1) Relevant extract from the 2015 National Security Strategy (for purposes of this simulation,
assume that this document is still operative):
Defending democracy and human rights is related to every enduring national interest. It aligns us with
the aspirations of ordinary people throughout the world. We know from our own history people must
lead their own struggles for freedom if those struggles are to succeed. But America is also uniquely
situated—and routinely expected—to support peaceful democratic change. We will continue mobilizing
international support to strengthen and expand global norms of human rights. We will support women,
youth, civil society, journalists, and entrepreneurs as drivers of change. We will continue to insist that
governments uphold their human rights obligations, speak out against repression wherever it occurs,
and work to prevent, and, if necessary, respond to mass atrocities.
Our closest allies in these efforts will be, as they always have, other democratic states. But, even where
our strategic interests require us to engage governments that do not share all our values, we will
continue to speak out clearly for human rights and human dignity in our public and private diplomacy.
Any support we might provide will be balanced with an awareness of the costs of repressive policies for
our own security interests and the democratic values by which we live. Because our human rights
advocacy will be most effective when we work in concert with a wide range of partners, we are building
coalitions with civil society, religious leaders, businesses, other governments, and international
organizations. We will also work to ensure people enjoy the same rights—and security—online as they
are entitled to enjoy offline by opposing efforts to restrict information and punish speech.
2) Full text of the so-called “Leahy Amendment.” This is the binding Congressional legislation
that requires that U.S. assistance can only be provided to foreign security forces whose
personnel have not committed gross human rights abuses. When the vetting process
uncovers credible evidence that an individual or unit has committed a gross violation of
human rights, U.S. assistance is withheld.
The Leahy amendment was first introduced by Senator Patrick Leahy (D-VT) in 1997 and
attached to the Foreign Operations Appropriations Act. It was subsequently renewed each
year until made permanently part of the U.S. Code in 2008.
No assistance shall be furnished under this chapter or the Arms Export Control Act [22 U.S.C. 2751 et
seq.] to any unit of the security forces of a foreign country if the Secretary of State has credible
information that such unit has committed a gross violation of human rights.
(b) Exception
The prohibition in subsection (a) shall not apply if the Secretary determines and reports to the
Committee on Foreign Relations of the Senate, the Committee on Foreign Affairs of the House of
Representatives, and the Committees on Appropriations that the government of such country is taking
effective steps to bring the responsible members of the security forces unit to justice.
(c) Duty to inform
In the event that funds are withheld from any unit pursuant to this section, the Secretary of State shall
promptly inform the foreign government of the basis for such action and shall, to the maximum extent
practicable, assist the foreign government in taking effective measures to bring the responsible
members of the security forces to justice.
(d) Credible information
The Secretary shall establish, and periodically update, procedures to—
(1) ensure that for each country the Department of State has a current list of all security force
units receiving United States training, equipment, or other types of assistance;
(2) facilitate receipt by the Department of State and United States embassies of information
from individuals and organizations outside the United States Government about gross
violations of human rights by security force units;
(3) routinely request and obtain such information from the Department of Defense, the Central
Intelligence Agency, and other United States Government sources;
(4) ensure that such information is evaluated and preserved;
(5) ensure that when an individual is designated to receive United States training, equipment,
or other types of assistance the individual’s unit is vetted as well as the individual;
(6) seek to identify the unit involved when credible information of a gross violation exists but
the identity of the unit is lacking; and
(7) make publicly available, to the maximum extent practicable, the identity of those units for
which no assistance shall be furnished pursuant to subsection (a).
3) Excerpt from John P. Carlin, “Detect, Disrupt, Deter: A Whole of Government Approach to
National Security Cyber Threats,” Harvard National Security Journal 7 (2016), 392-436.
The United States faces an inflection point when it comes to the Internet's effect on daily life. What has
enriched our economy and quality of life for the past several decades may start to hurt us more than
help us, unless we confront its cybersecurity challenges. Waves of network intrusions-increasing in
number, sophistication, and severity-have hit American companies and the U.S. government. In 2012,
former CIA Director and Defense Secretary Leon Panetta described the nation's cybersecurity
weaknesses as presenting a "pre-9/11 moment." And in July 2014, the 9/11 Commission itself warned:
"We are at September 10th levels in terms of cyber preparedness.” Following that ominous prediction,
in a span of less than two years, the United States was besieged by intrusions originating from around
the globe. There was no single target, and no common perpetrator. Our adversaries stated or
demonstrated that they hacked on behalf of China, North Korea, Syria, Iran, and many others. They stole
sensitive information from government databases, damaged and destroyed private companies'
computer systems, and-in a new twist-even targeted individuals' personally identifiable information to
benefit terrorist organizations. The list of victims is broad and varied-the private sector, the government,
and individual citizens. The past two years have publicly demonstrated the extent of the threat.
… Empowered by advances in technology like cheap storage, increased bandwidth, miniaturized
processors, and cloud architecture, we've extended Internet connectivity throughout our lives. But this
expansion carries a risk not fully accounted for. Increased connectivity makes our critical infrastructure-
water, electricity, communications, banking-and our most private information more vulnerable. We
invested an enormous amount over the past few decades to digitize our lives. But we made these
investments while systematically underestimating risks to our digital security. If we don't secure our
Internet connectivity, what has been an important driver of prosperity and strength for the past twenty
years could have disastrous effects in the next twenty.
To meet this challenge, the U.S. government has changed its approach to disrupting national security
cyber threats. One element of its new strategy involves implementing and institutionalizing a "whole-of-
government" approach. No one agency can beat the threat. Instead, success requires drawing upon
each agency's unique expertise, resources, and legal authorities, and using whichever tool or
combination of tools will be most effective in disrupting a particular threat. At times, that may mean
economic sanctions from the Treasury Department, proceedings initiated by the Office of the U.S. Trade
Representative, and cyber defense operations from the Defense Department. At other times, it might
mean information sharing coordinated by the Department of Homeland Security, diplomatic pressure
from the State Department, intelligence operations from the U.S. Intelligence Community (IC), and
prosecution and other legal action from the Justice Department. And in many instances, it will mean a
coordinated application of several capabilities from the U.S. government's menu of options.
The United States' approach to combating Chinese theft of sensitive U.S.-company business information
and trade secrets-activity that former National Security Agency Director Keith Alexander described as
the "greatest transfer of wealth in history" illustrates the power of this coordinated approach. In May
2014, after an unprecedented investigation spanning several years, a federal grand jury indicted five
uniformed members of the Chinese military on charges of hacking and conducting economic espionage
against large U.S. nuclear-power, metal, and solar-energy companies. The 48-page indictment describes
numerous, specific instances where officers of the People's Liberation Army (PLA) hacked into the
computer systems of American companies to steal trade secrets and sensitive, internal communications
that could be used for economic gain by Chinese companies. The recipient companies could use the
stolen information against the victims in competition, negotiation, and litigation.
This landmark case was the first prosecution of official state actors for hacking. But the indictment was
not pursued in isolation; nor was it seen as an end in and of itself. Rather, the investigation and
prosecution of the PLA members were pieces of a larger deterrence strategy. In spring 2015, the
President issued an executive order authorizing sanctions against companies engaging in malicious cyber
activity. At the same time, the government was advocating diplomatically for basic international norms
in cyberspace.
It appears that these coordinated efforts are starting to establish new norms in cyberspace. In
September 2015, President Obama and Chinese President Xi Jinping affirmed that neither country's
government will conduct or knowingly support cyber-enabled theft of intellectual property, including
trade secrets or other confidential business information, with the intent of providing competitive
advantages to companies or commercial sectors. Although we don't know the extent to which China will
honor this commitment, the fact that the commitment was made is itself significant, as is the fact that at
the November 2015 G20 Summit in Turkey, leaders representing the twenty largest economies in the
world agreed to norms related to acceptable behavior in cyberspace. …
A whole-of-government approach is critical to success in disrupting national security cyber threats. But
given the complexity of the threats we face, no strategy, regardless of the number of agencies involved
or the breadth of tools available, would be complete without coordination with the private sector. In an
increasingly flattened and connected world, the threat can easily move and change-but one constant is
that private entities remain on the front lines of this fight. Thus, a second element of the United States'
new approach involves deeper partnerships with the private sector.
This Article explains how national security investigators and lawyers in the Department of Justice (DOJ)
play a crucial role in this new approach. As practiced at DOJ, national security law goes beyond the use
of one set of tools or body of law. It is cross-disciplinary-encompassing a practical, problem-solving
approach that uses all available tools, and draws upon all available partners, in a strategic, intelligence-
driven, and threat-based way to keep America safe. As former Acting Assistant Attorney General (AAG)
for National Security Todd Hinnen has noted, "[n]ational security investigations seek to harness and
coordinate the authorities and capabilities of all members of the national security community, state and
local law enforcement, and foreign law enforcement and intelligence partners," and "may result in a
wide variety of national security activity, including . . . arrest and prosecution of perpetrators, imposition
of economic sanctions, diplomatic overtures to foreign governments, and actions undertaken by U.S.
intelligence services or armed forces overseas."
Key to almost any of these responses is attribution. Attribution is the ability to confidently say who did
it: which country, government agency, group, or even individual is responsible for a cyber intrusion or
attack. To respond to cyber activity, you must know who is responsible, and what makes them tick.
Defense, deterrence, and disruption all require an understanding of the adversary. Government
lawyers, agents, analysts, computer scientists, and other national security investigators are particularly
good at developing the building blocks of attribution-they have expertise honed in criminal
investigations and carry a host of legal authorities that allow them to investigate and gather
information.
Although attribution is a simple idea, doing so on the Internet is very complex. The Internet's
architecture allows hackers to route their activities through a global network of computers, almost all of
which are owned and operated by a variety of private actors. In addition, knowing which specific
computer or network caused the malicious activity doesn't necessarily tell you which person or
organization ordered, carried out, or supported the hack. But attribution is still possible. DOJ, including
the Federal Bureau of Investigation (FBI) and other law enforcement agencies, and with support from
the IC, has unique expertise and legal authorities it can use to attribute cyber activities to their source.
We can then take steps based on that attribution including but not limited to prosecuting those
responsible-to help us fight cyber threats. Each of these steps may seem small, but incrementally they
can help us turn the tide.
4) For purposes of comparison, sections of relevant agreements between the United States and
Singapore related to the U.S. use of port and other facilities are enclosed here. Assume that
the United States has reached similar agreements with Azania.
a) From the Defense Cooperation Agreement Between the United States of America and
Singapore, signed at Washington July 12, 2005
Article 2: EXPANDED DEFENSE AND SECURITY COOPERATION
1. The United States and Singapore desire to expand the scope of defense and security cooperation
reflected in their 1990 Memorandum of Understanding (MOU) Regarding United States Use of Facilities
in Singapore and other relevant agreements. The United States recognizes the important role played by
Singapore as a Major Security Cooperation Partner and its place in the global network of strategic
partnerships for the promotion of peace and stability and the war against global terrorism.
2. The Parties agree to work toward enhanced cooperation in the following areas:
a. Increased defense cooperation through the provision of facilities in Singapore for United
States military vessels, aircraft, personnel, equipment and materiel; supporting deployments of the
Parties' respective forces; conducting bilateral and multilateral exercises in the region and in the United
States and exchanging military training; fostering inter-operability of the Parties' respective aimed
forces; conducting defense policy dialogues to exchange strategic perspectives; conducting exchanges
between defense intelligence and security agencies; and joint efforts to broaden and deepen defense
technology and defense related research, development, testing, and scientific assessments;
b. Cooperation in Search and Rescue (SAR) and disaster management operations;
c. Exchanges and cooperative collection and analyses of information on threats of common
concern, including law enforcement cooperation;
d. Countering global terrorism and enhancing combined defenses against terrorism, including
promoting greater regional cooperation and coordination, building counterterrorism capacity, and
managing responses to terrorist attacks;
e. Cooperation against the proliferation of weapons-related items and dangerous technologies,
including through adherence to export, re-export, transit/transshipment, and brokering control systems
and to multilateral nonproliferation and export control regimes; and strengthened enforcement of such
controls; and
f. Such other areas of defense and security cooperation as the Parties may agree upon in the
future.
3. Increased cooperation in these areas will be subject to conditions separately agreed upon by the
Parties. The specific details of cooperation in these areas may be set out in Annexes to this Agreement
or other agreements entered into between the Parties pursuant to this Agreement.