Tag: cyber

It’s the Biggest National Threat and We Can’t Help You

The Department of Defense’s (DoD) new Cyber Strategy is a refinement of past attempts at codifying and understanding the “new terrain” of cybersecurity threats to the United States.   While I actually applaud many of the acknowledgements in the new Strategy, I am still highly skeptical of the DoD’s ability to translate words to deeds. In particular, I am so because the entire Strategy is premised on the fact that the “DoD cannot defend every network and system against every kind of intrusion” because the “total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities (13).

Juxtapose this fact to the statement that “from 2013-2015, the Director of National Intelligence named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001.” (9).   What we have, then, is the admission that the cyber threat is the top “strategic” –not private, individual or criminal—threat to the United States, and it cannot defend against it. The Strategy thus requires partnerships with the private sector and key allies to aid in the DoD’s fight. Here is the rub though: private industry is skeptical of the US government’s attempt to court it and many of the US’s key allies do not trust much of what Washington says. Moreover, my skepticism is furthered by the simple fact that one cannot read the Strategy in isolation. Rather, one must take it in conjunction with other policies and measures, in particular Presidential Policy Directive 20 (PPD 20), H.R. 1560 “Protecting Cyber Networks Act”, and the sometimes forgotten Patriot Act.

Continue reading

Not What We Bargained For: The Cyber Problem

Last week the New America Foundation hosted its launch for an interdisciplinary cybersecurity initiative. I was fortunate enough to be asked to attend and speak, but the real benefit was that I was afforded an opportunity to listen to some really remarkable people in the cyber community discuss cybersecurity, law, and war.   I listened to a few very interesting comments. For instance, Assistant Attorney General, John Carlin, claimed that “we” (i.e. the United States) have “solved the attribution problem, and the National Security Agency Director & Cyber Command (CYBERCOM) Commander, Admiral Mike Rogers, say that he will never act outside of the bounds of law in his two roles.   These statements got me to thinking about war, cyberspace and international relations (IR).

In particular, IR scholars have tended to argue over the definitions of “cyberwar,” and whether and to what extent we ought to view this new technology as a “game-changer” (Clarke and Knake 2010; Rid 2011; Stone 2011; Gartzke 2013; Kello 2013; Valeriano and Maness 2015).   Liff (2012), for instance, argues that cyber power is not a “new absolute weapon,” and it is instead beholden to the same rationale of the bargaining model of war. Of course, the problem for Liff is that the “absolute weapon” he utilizes as a foil for cyber weapons/war is not equivalent in any sense, as the “absolute weapon,” according to Brodie, is the nuclear weapon and so has a different and unique bargaining logic unto itself (Schelling 1977). Conventional weapons follow a different logic (George and Smoke 1974).

Continue reading

Privacy, Secrecy & War: Emperor Rogers and the Failure of NSA Reform

On November 3, Britain’s head of the Government Communications Headquarters (GCHQ) published an opinion piece in the Financial Times, noting that technology companies, such as Twitter, Facebook, WhatsApp, (and implying Google and Apple), ought to comply with governments to a greater extent to combat terrorism. When tech companies further encrypt their devices or software, such as what Apple has recently released with the iPhone 6, or what WhatsApp has accomplished with its software, GCHQ chief Hannigan argues that this is tantamount to aiding and abetting terrorists. GCHQ is the sister equivalent of the US’s National Security Agency (NSA), as both are charged with Signals Intelligence and information assurance.

Interestingly, Hannigan’s opinion piece comes only weeks before the US Senate voted on whether to limit the NSA’s ability to conduct bulk telephony meta-data collection, as well as reform aspects of the NSA’s activities. Two days ago, this bill, known as the “USA Freedom Act,” failed to pass by two votes. While Hannigan stressed that companies ought to be more open to compliance with governments’ requests to hand over data, the failure of the USA Freedom Act strengthened at least the US government’s position to continue is mass surveillance of foreign and US citizens.  It remains to be seen how the tech giants will react.

In the meantime, the bill also sought, amongst other things, to make transparent the amount of requests from governments to tech companies, to force the NSA to seek a court order from the Foreign Intelligence Surveillance Court (FISC) to query the (telecom held) data, and to require the NSA to list the “specific selection term” to be used while searching the data. Moreover, the bill would have also mandated an amicus curiae, or “friend of the court,” in the FISC to offer arguments against government requests for searches, data collection and the like, which it currently lacks. Much of these reforms were welcomed by tech companies like Google and Apple and also were suggested in a 2013 report for the White House on NSA and intelligence reform.

Many of the disagreements over the bill arose on two lines: that the bill hamstringed the US’s ability to “fight terrorists,” and that the bill failed to go far enough in protecting the civil liberties of US citizens. This was because the bill would have reauthorized Section 215 of the PATRIOT Act (set to end in 2015) to 2017. Section 215 permits government agents, such as the FBI and the NSA to compel third parties to hand over business records and any “other tangible objects” whenever the government requests them in the pursuance of an “authorized investigation” against international terrorism or clandestine intelligence activities. In particular, Section 215 merely requires the government to present specific facts that would support a “reasonable suspicion” that the person under investigation is in fact an agent of a foreign power or a terrorist. It does not require a showing of probable cause, only a general test of reasonableness, and this concept of reasonableness is stretched to quite a limit.   The democratic support for the bill comes most strongly from Senator Dianne Feinstein (D- Calif), who is reported to have said, “I do not want to end the program [215 bulk collection],” so “I’m prepared to make the compromise, which is that the metadata will be kept by the telecoms.”

Where, then does the failure of this bill leave us? In two places, actually. First, it permits the NSA to run along on with the status quo. Edward Snowden’s revelations of mass surveillance appear to have fallen off of the American people’s radar, and with it, permitted Congress to punt on the issue until its next session. Moreover, given that the next session is a Republican dominated House and Senate, there is high probability that any bill passed will either reaffirm the status quo (i.e. reauthorize Section 215) or potentially strengthen the NSA’s abilities to collect data.

Second, this state of affairs will undoubtedly strengthen the position of Emperor Mike Rogers. Admiral Mike Rogers is the recent replacement of General Keith Alexander, the head of both the NSA and US Cyber Command (Cybercom). I refer to the post holder as “Emperor” not merely due to the vast array of power at the hands of the head of NSA/Cybercom, but also because such an alliance is antithetical to a transparent and vibrant democracy that believes in separations between its intelligence gathering and war making functions.  (For more on former Emperor Alexander’s conflicts of interests and misdeeds see here.)

The US Code separates the authorities and roles for intelligence gathering (Title 50) from US military operations (Title 10). In other words, it was once believed that intelligence and military operations were separate but complementary in function, and were also limited by different sets of rules and regulations. These may be as mundane as reporting requirements, to more obvious ones about the permissibility of engaging in violent activities. However, with the creation of the NSA/Cybercom Emperor, we have married Title 10 and Title 50 in a rather incestuous way. While it is certainly true that Cybercom and the NSA are both in charge of Signals Intelligence, Cybercom is actively tasked with offensive cyber operations. What this means is that there is serious risk of conflicts of interest between the NSA and Cybercom, as well as a latent identity crises for the Emperor. For instance, if one is constantly putting on and taking off a Title 10 hat for a Title 50 hat, or viewing operations as military operations or intelligence gathering, there will eventually be a merging of both. That both post holders are high ranking military officers means that it is most likely that the character of NSA/Cybercom will be more militaristic, but with the potential for him to issue ex post justifications for various “operations” as intelligence gathering under Title 50, and thus subject to less transparent oversight and reporting.

One might think this fear mongering, but I think not. For example, if the Emperor deems it necessary to engage in an offensive cyber operation that might, say, change the financial transactions or statements of a target, and that part of this operation  is for the US’s role to remain secret. This operation would be tantamount to a covert action as defined under Section 413b(e) of Title 50.   Covert actions have a tumultuous history, but suffice to say, the President can order them directly, and they have rather limited reporting requirements to Congress.   What, however, would be the difference if the same action were ordered by Admiral Rogers in the course of an offensive cyber operation?   The same operation, the same person giving the order, but the difference in international legal regulations and domestic legal regulations is drastic. How could one possibly limit any ex post justification for secrecy if something were to come to light or if harm were inflicted?   The answer is there is no way to do this with the current system. This is because the post holder is simultaneously a military commander and an intelligence authority.

That the Senate has refused to pass a watered down version of NSA reform only further strengthens this position. The NSA is free to collect bulk telephony meta-data, and, moreover, it is free to hold that data for up to five years. It can also query the data without requiring a court order to do so, and is not compelled to make transparent any of its requests to telecom companies. Furthermore, one of the largest reforms necessary—that of separating the functions of the NSA and Cybercom—continues to go unaddressed.  The Emperor, it would seem, is still free to do what he desires.

Cyber Letters of Marque and Reprisal: "Hacking Back"

In the thirteenth century, before the rise of the “modern” state, private enforcement mechanisms reigned supreme. In fact, because monarchs of the time had difficulties enforcing laws within their jurisdictions, the practice of private individuals enforcing their rights was so widespread that for the sovereign to be able to “reign supreme” while his subjects simultaneously acted as judge, jury and executioner, the practice of issuing “letters of marque and reprisal” arose. Merchants traveling from town to town or even on the high seas often became the victims of pirates, brigands and thieves. Yet these merchants had no means of redress, especially when they were outside the jurisdiction of their states. Thus the victim of a robbery often sought to take back some measure of what was lost, usually in like property or in proportionate value.

The sovereign saw this practice of private enforcement as a threat to his sovereign powers, and so regulated the practice through the letters of marque. A subject would appeal to his sovereign, giving a description of what transpired and then asking permission to go on a counterattack against the offending party. The trouble was, however, that often the offending party was nowhere to be found. Thus what ended up happening is that the reprisals carried out against an “offending” party usually ended up being carried out against the population or community from which the brigand originated. The effect of this practice, interestingly, was to foster greater communal bonds and ties and cement the rise of the modern state.

One might ask at this point, what do letters of marque and reprisal have to do with cybersecurity? A lot, I think. Recently, the Washington Post reported that there is increasing interest in condoning “hacking back” against cyber attackers. Hacking back, or “active defense,” is basically attempting to trace the origins of an attack, and then gain access to that network or system. With all of the growing concern about the massive amounts of data stolen from the likes of Microsoft, Target, Home Depot, JPMorgan Chase and nameless others, the ability to “hack back” and potentially do malicious harm to those responsible for data theft appears attractive.   Indeed Patrick Lin argues we ought to consider a cyber version of “stand your ground” where an individual is authorized to defend her network, data or computer. Lin also thinks that such a law may reduce the likelihood of cyberwar because one would not need to engage or even to consult with the state, thereby implicating it in “war crimes.” As Lin states “a key virtue of “Stand Your Cyberground” is that it avoids the unsolved and paralyzing question of what a state’s response can be, legally and ethically, against foreign-based attacks.”

Yet this seems to be the opposite approach to take, especially given the nature of private enforcement, state sovereignty and responsibility. States may be interested in private companies defending their own networks, but one of the primary purposes of a state is to provide for public—not private—law enforcement.   John Locke famously quipped in his 2nd Treatise that the problem of who shall judge becomes an “inconvenience” in the state of nature, thereby giving rise to increased uses of force, then war, and ultimately requires the institution of public civil authority to judge disputes and enforce the law. Cyber “stand your ground” or private hack backs places us squarely back in Locke’s inconvenient state.

Moreover, it runs contrary to the notion of state sovereignty. While many might claim that the Internet and the cyber domain show the weakness in sovereignty, they do not do away with it. Indeed, if we are to learn anything from the history of private enforcement and state jurisdiction, sovereignty requires that the state sanction such behavior. The state would have to issue something tantamount to a letter of marque and reprisal. It would have to permit a private individual or company to seek recompense for its damage or data lost. Yet this is, of course, increasingly difficult for at least two reasons. The first is attribution. I will not belabor the point about the difficulty of attribution, which Lin seems to dismiss by stating that “the identities of even true pirates and robbers–or even enemy snipers in wartime–aren’t usually determined before the counterattack; so insisting on attribution before use of force appears to be an impossible standard.” True attribution for cyber attacks is a lengthy and time-consuming process, often requiring human agents on the ground, and it is not merely about tracing an IP address to a botnet.  True identities are hard to come by, and equating a large cyber attack to a sniper is unhelpful. We may not need to know the social security number of a sniper, but we are clear that the person with the gun in the bell-tower is the one shooting at us, and this permits us to use force in defense.   With a botnet or a spoofed IP address, we are uncertain where the shots are really coming from. Indeed, it makes more sense to think of it like hiring a string of hit men, each hiring a subcontractor, and we are trying to find out who we have a right of self-defense against; is it the person hiring or the hit men or both?

Second, even if we could engage a cyber letter of marque we would have to have some metric to establish a proportionate cyber counter-attack.   Yet what are identities, credit card numbers, or other types of “sensitive data” worth? What if they never get used? Is it then merely the intrusion? Proportionality in this case is not a cut and dry issue.

Finally, if we have learned anything about the history or letters of marque and reprisal, then it is that they went out of favor. States realized that private enforcement, which then turned to public reprisals during the 18th to early 20th centuries, merely encouraged more force in international affairs. Currently the modern international legal system calls acts that are coercive, but not uses of force (i.e. acts that would violate Article 2(4) of the United Nations Charter), countermeasures. The international community and individual states not longer issue letters of marque and reprisal. Instead, when states have their rights violated (or an ‘internationally wrongful act’ taken against them), they utilize arbitration or countermeasures to seek redress. For a state to take lawful countermeasures, however, requires that it determine the responsible state for the wrongful act in question. Yet cyber attacks, if we are to rely on what the professional cybersecurity experts tell us, are sophisticated in that they hide their identities and origins. Moreover, even if one finds out the origin of the attack, this may be insufficient to ground a state’s responsibility for the act. There is always the deniability that the state issued a command or hired a “cyber criminal gang.” Thus countermeasures against a state in this framework may be illegal.

What all this means is that if we do not want ignore current international law, or the teachings of history, we cannot condone private companies “hacking back.” The only way one could condone it is for the state to legalize it, and if this were the case, then it would be just like the state issuing letters of marque and reprisal. Yet by legalizing such a practice, it may open up those states to countermeasures by other states. Given that most of the Internet traffic goes through the United States (US), that means that many “attributable” attacks will look like they are coming from the US.   This in turn means that many states would then have reason to cyber attack the US, thereby increasing and not decreasing the likelihood of cyberwar.   Any proposal to condone retaliatory private enforcement in cyberspace should, therefore, be met with caution.

Ukraine – Cyber Speculation Run Rampant (Updated)

*I was a bit too quick to post last week and had to add quite a few recent events. Nothing changed my original analysis (BV 3/10/2014)

With my most of research right now heavily focused on cyber conflict, it might be useful to review all the news on the cyber situation between Ukraine and Russia.  There have been many posts on the Duck and elsewhere (Monkey Cage macro post) covering the conflict (here, here, here, here, here), so I will refrain from summarizing the basics.  The cyber situation on the other hand has shown a remarkable amount of restraint, defying conventional wisdom but also following directly in line with my soon to be completed book on Cyber Conflict and forthcoming Journal of Peace Research article (both with Ryan Maness).  The restraint point was made early by Mark Clayton at the Christian Science Monitor.

bbc urkaine

Continue reading

Russia’s Coercive Diplomacy against Ukraine: The Power Politics Story

*The following post is written by Ryan Maness and myself.

Events are in motion that many thought were past us, part of a bygone era where conventional war still had a prominent place in deciding the course of nations.  Having done a great amount of work on Russia’s strategic behavior and use of power (we have a book on the topic under review), we were a bit caught off guard too.  Not by the course of events, but that our vision was focused on cyber conflict and thus were distracted from the real world developments.  duck russia 2

The events in Ukraine fit a recent pattern of Russia’s coercive diplomacy directed toward the states of its former Soviet empire, more commonly known by Russians as the Near Abroad. Since the Soviet fall in 1991, Russia has been going through an identity crisis. Always regarded as a major power, it found itself weak after the end of the Soviet era, unable to even quell violence in Chechnya. It lost nearly half of its territory and population as the Soviet Union broke up into 15 independent states. Since then, Russia has been attempting to regain its status as a world power, or at least a regional power. Under the leadership of Vladimir Putin, Russia has used power politics strategies, mainly in post-Soviet space, to carve out its place and dominate a specific sphere of influence.

Continue reading

Cyber Spillover: The Transition from Cyber Incident to Conventional Foreign Policy Dispute

*Post written with my coauthor Ryan Maness.  We are currently rounding the corner and almost ready to submit the final version of our Cyber Conflict book.  This post represents ongoing research as we fill out unanswered questions in our text.

My coauthor and I have dissected the contemporary nature of cyber conflict in many ways, from cataloging all actual cyber incidents and disputes between states, to examining cyber espionage, and finally, examining the impact of cyber incidents on the conflict-cooperation nexus of states.  What we have not done until now is examine the nature of what we call cyber spillover.  duck read 2

Cyber spillover is when cyber conflicts seep and bleed into traditional arena of militarized and foreign policy conflict.  While it is dubious to claim that the cyber domain is disconnected from the physical domain given that cyber technology has to be housed somewhere, it is also true that there are very few incidents of cyber actions causing physical damage (the only case being Stuxnet).  Our question is not about the transition from cyber to physical, but when cyber disagreements lead directly to conventional foreign policy disputes between states, thus altering how international interactions work.

Continue reading

You Think You Have a Facebook Problem? The IDF and Social Media

Dan Levine sent on this great write up of the Israeli Defense Force’s (IDF) problems with social media.  A few highlights:

“In 2010, a soldier in the artillery corps posted this status: “Cleaning up Katana and home on Thursday.” Katana is a village in the West Bank. The status revealed the time of the planned raid and the unit involved. The other soldiers in the unit, also apparently glued to their screens, saw the update and, feeling imperiled, let the authorities know.” cute duck

Continue reading

Cyber Arms Proliferation and Arms Races

copmuter duckWith the assumption of an ongoing global cyber arms race, Western governments signed an agreement to limit the sharing and selling of dangerous cyber technologies.  David Livingstone notes, “[Cyber security technology] is a lot like the arms race.  What you want to do is slow down how fast your foe develops equivalent technologies.”

Continue reading

Duck and Cover when Cyber Doomsday Comes

scared-duck-55328“The current blackout is a result of a cyber attack”

“It will happen”

Ominous words from the National Geographic channel and their premier movie this weekend.  Not really sure how the news reporter can still report given the aforementioned blackout, and also not sure why toilets cease to work when you lose power, but the point is taken.  We are all at the mercy of roving mobs of vigilantes because of the dangers of a cyber attack.

Continue reading

© 2018 Duck of Minerva

Theme by Anders NorenUp ↑