What Are Cyberspace and Cyber Threat Intelligence?
Cyberspace can be defined as the space in which information circulates from one medium to another and where it is processed, duplicated, and stored. It is also the space in which tools communicate, where information technology becomes ubiquitous.
So in effect, cyberspace consists of communication systems, computers, networks, satellites, and communication infrastructure, all of which carry useful information in digital format.
This includes sound, voice, text, and image data that can be controlled remotely via a network, which includes technologies and communication tools such as the following:
Fixed or mobile equipment
As we obtain our information through cyberspace and as all aspects of society become more dependent on the acquisition of their information, one can easily surmise why this will become a theater for information warfare.
Since our nation’s 16 critical infrastructures are so dependent on their operations through the area we define as cyberspace, it is only understandable that cyberspace will eventually become a vehicle for launching cyberattacks, and there is a need for creating defensive strategies and operations to prevent this from happening.
Bruce Schneier relates that in the 21st century, war will inevitably include cyberwar: just as war moved into space with the development of satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, software, electronics, tactics, and defenses.
Schneier discusses the properties of cyberwar in terms of network hardware and software and notes the fundamental tension between cyber attacks and cyber defenses.
Regarding cyber attacks, one of our concerns should center on the ability of an attacker to launch an attack against us. Since cyber attacks do not have an obvious origin, unlike other forms of warfare, there is something very terrifying in not knowing your adversary—or in thinking you know who your adversary is only to be wrong.
As Schneier states, “imagine if, after Pearl Harbor, we did not know who attacked us?” Many people experienced this very fear after the 9/11 attacks in the United States, which involved physical plane attacks. One can only imagine the terror if the attack was a total cyber electronic attack alone by an unknown source.
It should be quite obvious that as a result of the rapid development of technologies, the digital environment has ushered in an era where most nations will have to begin to plan for cyber warfare. It would be unreasonable for militaries to ignore the threat of cyber attack and not invest in defensive strategies.
John Arquilla of the Naval Postgraduate School and David Ronfeldt of the Rand Corporation introduced the concept of “cyberwar” for the purpose of contemplating knowledge-related conflict at the military level as a means to conduct military operations according to information-related principles.
It was meant to disrupt, if not destroy, the information and communication systems that an adversary relies upon. Of course, if those information and communication systems can be used to gather information on the adversary, they are most useful from an intelligence point of view and would continue to be used to acquire further intelligence.
Martin Libicki, from the National Defense University, identified seven forms of information warfare and categorized these as follows:
Command and control warfare
Economic information warfare
Dorothy Denning suggests several possible futures for war and military conflict. In the first, drawn from the Gulf War, future wars are a continuation of the Gulf War model: operations will exploit new developments in technology, particularly sensors and precision-guided weapons, but will be accompanied by military force on the ground, at sea, and in the air.
A second future scenario is one in which operations take place almost exclusively in cyberspace. Under this scenario, wars will be fought without any armed forces. Instead, trained military cyber-warriors will break into the enemy’s critical infrastructures, remotely disabling communication command and control systems that support both military and government operations.
Additional attacks will be targeted toward critical infrastructures such as banking, telecommunications, transportation systems, and the electrical power grid of the adversary.
Cyber Intelligence and Counter Intelligence
The digital transformation that has impacted all aspects of our life in terms of business, education, medicine, agriculture, and our critical infrastructure has also had a profound effect on our national security and those agencies responsible for our nation’s defense and security.
Our nation’s intelligence agencies are also making transformational changes in how they collect, process, and exploit data and in how they analyze and disseminate the resulting information.
After the 9/11 attack on our nation, a National Commission was appointed to review the work and performance of our intelligence community, and this resulted in major modifications of the intelligence agencies, but most importantly, it resulted in the creation of the Office of the Director of National Intelligence.
The Director of National Intelligence is charged with providing greater cooperation and information sharing among our intelligence agencies and with overseeing the $50 billion budget allocated to our nation’s intelligence community.
Our nation’s intelligence community is distributed in three major pathways as follows:
Office of the Director of National Intelligence
1. Principal National Intelligence Programs
Central Intelligence Agency
Defense Intelligence Agency
National Geospatial-Intelligence Agency
National Reconnaissance Office
National Security Agency
FBI-National Security Branch
2. Armed Forces—Military Intelligence
Air Force Intelligence
Marine Corps Intelligence
Coast Guard Intelligence
3. National-Government Department of Intelligence Operations
Department of Homeland Security—Office of Intelligence & Analysis
Department of Energy—Office of Intelligence & Counter Intelligence
Treasury Department—Office of Intelligence & Analysis
State Department—Bureau of Intelligence & Research
Drug Enforcement Agency—Office of National Security Intelligence
James Clapper, Director of the Office of National Intelligence, identified the core function of his office as the integration of intelligence with the requirement for a global information technology infrastructure through which the intelligence community can rapidly and reliably share information.
This infrastructure is much more than hardware, software, data, and networks. It also encompasses the policies, procedures, and strategies that drive responsible and secure information sharing.
Ultimately, mission success depends on our diverse workforce bringing forth and implementing innovative ideas that are linked to the National Intelligence Strategy and the Intelligence Community Information Technology Enterprise Strategy.
In doing so, we enable our mission partners, warfighters, and decision-makers to have secure and timely information that helps them meet mission needs and keep our nation secure.
If the core function of integrating intelligence is to be achieved, the creation of the Intelligence Community Information Technology Enterprise Strategy was an exceptional achievement toward that end.
The strategic goals of the Information Technology Enterprise Strategy center on defining, developing, implementing and sustaining a single, standards-based interoperable, secure, and survivable intelligence community Information Technology Enterprise Architecture.
This architecture has to deliver user-focused capabilities that are to be provided as a seamless, secure solution for trusted collaboration on a basis of people to people, people to data, and data to data that will enhance mission success while ensuring the protection of intelligence assets and information.
Not only is this Information Technology Enterprise Architecture Program fundamental to creating a mechanism for intelligence agencies to work more cooperatively, but it also has enabled the intelligence community to be better prepared for the digital transformation in their basic collection, processing, and analysis functions.
Cyberspace and Cyber Intelligence
In 1995, the Central Intelligence Agency (CIA) realized that advances in technology were outdistancing its internal capabilities, and the Agency was simply not prepared to seize the collection and analysis opportunities that would become available through the high-tech environment emerging outside the Agency. As a result, the Agency created the Office of Clandestine Information Technology, whose work was designed to prepare for espionage operations in cyberspace. Within four years, by 1999, most of the technical operations in the CIA’s Counter Terrorism Center were based in cyberspace. The result was the production of terabytes of intelligence data.
However, as former CIA Agent Henry Crumpton notes, “…these monumental advances in technology have not made collection easier…in some ways technical collection is much harder, because of the massive amounts of data, new requisite skills, diverse operational risks, organizational challenges, and bureaucratic competition.”
By 2000, these changes would usher in an era of new collection platforms, namely the Predator. This unmanned aerial vehicle (UAV) would, in less than ten years, transform how wars are fought, both to this day and into the future.
Ironically, the CIA agents had attached an Army weapon to an Air Force platform under the command of the CIA, and this created a major bureaucratic argument as the Department of Defense (DoD) viewed this as an instrument of war and believed that, as an instrument of war, it belonged under the purview of the DoD.
The fundamental intelligence paradox centers on the need to reconcile intelligence programs, practices, and operations while preserving the public trust, within the democracy we live and serve.
Jennifer Sims and Burton Gerber provide the most incisive assessment of the intelligence paradox by their analysis of intelligence requirements and the protection of civil liberties, where they observe the following:
In democracies, the state’s interest in maximizing power for national security purpose must be balanced with its interest in preserving public trust. In the U.S. case, this trust requires protection of constitutional freedoms and the American way of life.
History tells us that intelligence practices unsuited either to the temperament of American political culture or to the new threats embedded in the international system will probably trigger more failure, and all too swiftly.
Thus, national security decision-makers face a conundrum: the best intelligence systems, when turned inward to address foreign threats to vital domestic interests, can threaten the very institutions of democracy and representative government that they were set up to protect in the first place.
How our nation addresses its intelligence policy involves governmental leaders in Congress and the White House, as well as our judicial system.
All three branches of our government are intimately involved in the creation, oversight, and interpretation of our nation’s intelligence community’s collection policy operations and analytical production of work products.
So the question of how to manage the conundrums involved in gathering and maintaining secrets must, by its very nature, include those significant branches of our government.
How the intelligence community earns the trust and cooperation of the American people in its domestic fight against transnational threats, while simultaneously expanding intrusive domestic surveillance, is an issue that goes beyond the decision-makers of the intelligence community. It requires the engagement of the full panoply of our nation’s intelligence leaders, who have, all too frequently, found their role similar to an iceberg, in which two-thirds of the body is hidden from view, even in the very policies they have tangentially been involved in creating.
For example, as intelligence programs and policies are created, all participants have to address some of the most difficult issues confronting intelligence programs in a democracy: whether, when, and how the government may consort with criminals, influence elections, listen in on private conversations, eliminate adversaries, or withhold information from the public; what kind of cover may be used by intelligence officers; and how covert action proposals are vetted within the government.
These are all programs that have been used in the past and with the approval of our nation’s highest elected officials. So in effect, intelligence policy is not the exclusive domain of the intelligence agency professionals.
In essence, decisions about intelligence policy, who formulates the policy, and who will be responsible for the policies determine how a given set of intelligence institutions and the democratic system it serves can productively coexist.
Clearly, a challenge confronting both our government and the intelligence community is the realization that substantial numbers of American citizens are uncomfortable with the intelligence community’s use of clandestine operations, deception, or the collection of telephone and Internet metadata.
The incredible advancements in technology and the accompanying digital revolution have irreversibly altered the collection and analysis of intelligence data.
The global reliance on information technology by all nations and their intelligence agencies has fundamentally changed not only the intelligence process but also military warfare.
Today, the challenge confronting our nation’s intelligence community is not only the use of offensive cyber weapons by nation-states but also the ability of individuals to design software attacks, exfiltrate intellectual property, and compromise databases.
Each of our 16 intelligence agencies is focused on developing programs that will produce timely information to answer the question foremost in the mind of our nation’s leadership, the “warning” question: Will there be another terrorist attack within or against the United States, by whom, and in what manner?
Since our nation experienced the 9/11 attacks, we as a society are acutely aware of our vulnerabilities, and we want to be protected from such terrorist activity. So we depend on our intelligence community to provide actionable information to our governmental leaders so their decision making will result in well-developed policies premised upon well-researched and analyzed fact patterns.
On some occasions, especially in controversial areas, the dialogue over the appropriateness of collection methods may be viewed by some as a deviation from the norms, mores, and sensitivities of the general public.
Our nation’s public is disengaged from the difficulties of operating intelligence programs and from the sincere efforts of our intelligence professionals to work within a structure that permits coexistence with our democratic principles.
Providing the information that will protect our citizens and the safety and freedom they wish to enjoy is a core principle of our intelligence professionals. As a nation, we have had little public dialogue on the conundrums facing our intelligence community.
The intelligence paradox will take careful and thoughtful dialogue from all parties as those who work within our intelligence community seek both to protect our citizens and to uphold the democratic values of our society.
DoD—The U.S. Cyber Command
In his periodic report to Congress, James Clapper, Director of National Intelligence, stated that as a result of the worldwide threat assessment compiled by the 16 intelligence agencies under his direction, the most critical concerns are related to cyber threats and the potential for cyber attacks, which use cyberweapons and can be difficult to defend against.
The growing concern for cyber attacks against our critical infrastructure as well as the penetration of corporate networks and the loss of intellectual property continues to be a problem that is growing and requires action by the U.S. government.
Jason Healey observed that the DoD began to organize around cyber and information warfare just after the first Gulf War of 1991. The Air Force Information Warfare Center was created in 1993, and both offense and defense operations were combined in the 609th Information Warfare Squadron.
Since this unit was an Air Force unit, it was not able to assume responsibility for all cyber defense operations that existed outside of its domain. The Pentagon, in an effort to more thoroughly address the problem of cyber activities, established the Joint Task Force-Computer Network Defense in 1998.
By 2000, this Joint Task Force was given responsibility for both offense and defense. By 2004, responsibilities for offensive and defensive operations were again separated: the NSA was given the offensive mission space, and the Defense Information Systems Agency was assigned the defensive mission responsibility.
Once again, this strategy lasted only until 2010, when both missions of offense and defense were combined within the U.S. Cyber Command, under the leadership of General Keith Alexander, who was also the director of the NSA.
The DoD determined that as a result of the cyber capability of both the NSA and the U.S. Cyber Command, it was quite appropriate to have a four-star general lead both Commands.
Major General John A. Davis, Senior Military Advisor for Cyber to the Under Secretary of Defense (Policy) and former Director of Current Operations, U.S. Cyber Command, Fort Meade, commenting on recent activities in refining the cyber strategy for the DoD, stated the following:
DoD has established service cyber components under the U.S. Cyber Command;
Established Joint Cyber Centers at each Combatant Command;
Implemented a Military-Orders process to handle cyber action as it is handled in other operational domains;
Established an interim command-and-control framework for cyberspace operations across joint service and defense agency operations;
Developed a Force Structure Model for Cyber Force organizations;
Established a Plan and developed orders to transition to a new Network Architecture called the Joint Information Environment or JIE;
DoD’s mission is to defend the nation in all domains, but in cyberspace, the DoD shares its role with other members of the Federal Cybersecurity Team, including the Department of Justice and the FBI, the lead for investigation and law enforcement;
Other Team Members are the Department of Homeland Security—the lead for protecting critical infrastructure and government systems outside the military—and the intelligence community, which is responsible for threat intelligence and attribution;
DoD has defined three main cyber missions and three kinds of Cyber Forces which will operate around the clock to conduct these missions:
National Mission Forces to counter adversary cyber attacks;
Combat Mission Forces to support combatant commanders as they execute military missions;
Cyber Protection Forces will operate and defend the networks that support military operations worldwide.
The Pentagon, responding to the growing threat of cyber activities in cyberspace, expanded the force of the U.S. Cyber Command from 900 personnel to 4,900 military and civilian personnel. The three types of forces under the U.S. Cyber Command are
(1) National Mission Forces, with the responsibility to protect computer systems critical to the national and economic security such as our electrical grid system, power plants, and other critical infrastructures;
(2) Combat Mission Forces to assist commanders in planning and executing attacks or other offensive operations; and (3) Cyber Protection Forces to fortify and protect the DoD’s worldwide networks.
General Keith Alexander, U.S. Cyber Command, informed Congress that the potential for an attack against the nation’s electrical grid system and other critical infrastructure systems is real, and more aggressive steps need to be taken by both the federal government and the private sector to improve our digital defenses.
Offensive weapons are increasing, and it is only a matter of time before these weapons might wind up in the control of extremist groups or nation-states that could cause significant harm to the United States.
In the meantime, the U.S. Cyber Command has formed 40 Cyber Teams that are assigned the mission of guarding the nation in cyberspace, and their principal role is offensive in nature.
Another 27 Cyber Teams will support the military’s warfighting commands, while others will protect the Defense Department’s computer systems and data.
General Alexander also notified Congress that we still need a definition of what constitutes an act of war in cyberspace. Alexander stated that he does not consider cyberespionage and the theft of a corporation’s intellectual property as acts of war, but he did state that “you have crossed the line” if the intent is to disrupt or destroy U.S. infrastructure.
The question raised by General Alexander as to what constitutes an act of war in cyberspace is an important question, yet it is not easily answered due to the complexity of the issues it raises.
The NSA is one of America’s 16 Intelligence Agencies, and its principal responsibility is to protect the national security interests of the U.S. The NSA is responsible for cryptology, signals intelligence, computer network operations, and information assurance.
For years, few Americans took note or were even aware of this organization; however, in June 2013, events unfolded that positioned the NSA into a worldwide discussion over the appropriateness of cyber espionage. The person who catapulted the NSA into the focus of the entire world community was Edward Snowden.
Snowden was working as a contract employee for Booz Allen Hamilton, a firm that had a contract with the NSA, and in this capacity, Snowden had access to the NSA’s databases. Before his employment at Booz Allen Hamilton, Snowden was employed at Dell Computer, Inc., where he also had access to the NSA’s databases.
Evidently, Snowden decided to collect data while working at Dell, and he took a position at Booz Allen Hamilton to acquire additional data all for the express purpose of releasing the information to call attention to the activities of the NSA. The release of the information and classified security documents has resulted in a terrible loss to our nation.
In addition to informing our adversaries as to our collection methods and revealing very complex security programs, it has also created a financial burden on our government.
U.S. corporations providing the NSA with data, even though they did so under court orders issued pursuant to the Foreign Intelligence Surveillance Act (FISA), still experienced major public relations problems, as citizens were concerned over the possible loss of their privacy.
The international community reacted by reducing business with major U.S. corporations, and some nations even considered the total rejection of further business with some U.S. corporations.
The irony is that China’s PLA 61398 activities were in fact designed for the cyber espionage of intellectual property from a vast number of corporations throughout the world, whereas the NSA’s cyber espionage activities never focused on that domain. They were consistently focused on the security of our nation, and NSA activities were directed toward identifying terrorist or other security threats to our country.
Snowden released, through the Guardian newspaper, an extraordinary amount of classified information he had no legal right to release. Snowden expressed his concern for the loss of privacy of Americans as a result of several NSA programs.
Perhaps the release of data that were erroneously characterized as the NSA’s listing of telephone conversations drew the most attention and concern.
This story has been retold in media accounts, and it is totally incorrect, as the NSA’s authority for the capture of telephone contacts between intelligence targets is limited to a specific and detailed process, which is outlined as part of the NSA’s charter.
However, to fully appreciate the reason for the bulk collection of telephone metadata, we must return to the 9/11 terrorist attack against the World Trade Center in New York.
The aftermath of this attack and the report of the Congressional Review Committee on the failure of our intelligence community for not being able to “connect the dots” resulted in the George W. Bush Administration authorizing new programs to rectify this inability.
With the passage of the USA Patriot Act, new programs were established, and with these new programs came additional oversight from both the Congress and the FISA Court.
To more fully appreciate the operations of the NSA, it is appropriate to describe their mission and the authorization documents that permit the NSA’s operations.
Specific focus will be placed on the authorizing Executive Order 12333, FISA Section 702 and Business Records FISA, Section 215, as these are controlling authorities and most germane to Snowden’s release of classified information.
Business Records FISA, Section 215
Under NSA’s Business Records FISA program, subsequently reauthorized during two different Administrations, by four different Congresses, and by fourteen federal judges, specified U.S. telecommunications providers are compelled by court order to provide NSA with information about telephone calls to, from, or within the U.S.
The information is known as metadata, and consists of information such as the called and calling telephone numbers and the date, time, and duration of the call—but no user identification, content, or cell site locational data. The purpose of this particular collection is to identify the U.S. nexus of a foreign terrorist threat to the homeland.
The government cannot conduct substantive queries of the bulk records for any purpose other than counterterrorism. Under the FISC orders authorizing the collection, authorized queries may only begin with an “identifier,” such as a telephone number, that is associated with one of the foreign terrorist organizations that were previously identified to and approved by the Court.
An identifier used to commence a query of the data is referred to as a “seed.” Specifically, under Court-approved rules applicable to the program, there must be a “reasonable, articulable suspicion” that a seed identifier used to query the data for foreign intelligence purposes is associated with a particular foreign terrorist organization.
When the seed identifier is reasonably believed to be used by a U.S. person, the suspicion of an association with a particular foreign terrorist organization cannot be based solely on activities protected by the First Amendment.
The “reasonable, articulable suspicion” requirement protects against the indiscriminate querying of the collected data. Technical controls preclude NSA analysts from seeing any metadata unless it is the result of a query using an approved identifier.
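The seed and query rules just described, as an added illustration that is not from the chapter or from any NSA system: a constructed store of call metadata with a query gate that runs contact chaining only from a seed carrying a documented "reasonable, articulable suspicion" approval tied to a Court-approved organization, rejects approvals for U.S. persons that rest solely on First Amendment activity, and logs every allowed and denied query. All identifiers, organizations, records and the `MetadataStore` API are made up for this example.

```python
"""Constructed model of the Section 215 metadata query gate.

Everything here is illustrative: the organization names, phone numbers,
records and class names are invented and do not describe any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class CallRecord:
    # Only the fields the program is described as collecting: no call content,
    # no subscriber identity, no cell-site location data.
    calling: str
    called: str
    call_date: date
    call_time: str
    duration_sec: int


@dataclass
class SeedApproval:
    identifier: str
    organization: str           # must be on the Court-approved list
    ras_basis: str              # articulated facts, not a bare hunch
    us_person: bool
    first_amendment_only: bool  # suspicion rests solely on protected activity?


class QueryDenied(Exception):
    """Raised when an approval or a query fails the program's rules."""


class MetadataStore:
    def __init__(self, records: Iterable[CallRecord], approved_orgs: Iterable[str]):
        self._records = list(records)
        self._approved_orgs = set(approved_orgs)
        self._approvals: Dict[str, SeedApproval] = {}
        self.audit_log: List[str] = []

    def register_seed(self, approval: SeedApproval) -> None:
        """Accepts a seed only if it satisfies the documented RAS rules."""
        if approval.organization not in self._approved_orgs:
            raise QueryDenied(f"{approval.organization!r} is not Court-approved")
        if not approval.ras_basis.strip():
            raise QueryDenied("a reasonable, articulable suspicion must be documented")
        if approval.us_person and approval.first_amendment_only:
            raise QueryDenied("U.S. person suspicion cannot rest solely on First Amendment activity")
        self._approvals[approval.identifier] = approval

    def query(self, analyst: str, seed: str, hops: int = 1) -> List[CallRecord]:
        """Contact chaining from an approved seed; unapproved seeds see nothing."""
        approval = self._approvals.get(seed)
        if approval is None:
            self.audit_log.append(f"DENY analyst={analyst} seed={seed}")
            raise QueryDenied(f"no RAS approval on file for seed {seed}")
        self.audit_log.append(
            f"ALLOW analyst={analyst} seed={seed} org={approval.organization} hops={hops}")
        frontier: Set[str] = {seed}
        reached: Set[str] = {seed}
        matched: List[CallRecord] = []
        for _ in range(hops):
            new_ids: Set[str] = set()
            for rec in self._records:
                ends = (rec.calling, rec.called)
                if (ends[0] in frontier or ends[1] in frontier) and rec not in matched:
                    matched.append(rec)
                    new_ids.update(n for n in ends if n not in reached)
            reached |= new_ids
            frontier = new_ids
        return matched


def build_demo_store() -> MetadataStore:
    """Builds a store from constructed records with one approved seed."""
    records = [
        CallRecord("555-0100", "555-0200", date(2013, 6, 5), "09:15", 120),
        CallRecord("555-0300", "555-0100", date(2013, 6, 5), "11:40", 45),
        CallRecord("555-0200", "555-0400", date(2013, 6, 6), "14:02", 300),  # second hop
        CallRecord("555-0500", "555-0600", date(2013, 6, 6), "16:30", 60),   # unrelated
    ]
    store = MetadataStore(records, approved_orgs={"FTO-ALPHA (constructed)"})
    store.register_seed(SeedApproval(
        identifier="555-0100",
        organization="FTO-ALPHA (constructed)",
        ras_basis="constructed: identifier recovered from a foreign-intelligence report",
        us_person=False,
        first_amendment_only=False,
    ))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for rec in store.query("analyst-1", "555-0100", hops=2):
        print(rec)
    try:
        store.query("analyst-1", "555-0500")
    except QueryDenied as exc:
        print("denied:", exc)
    print("\n".join(store.audit_log))
```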
It is obvious that this detailed accounting of the NSA’s authorities and oversight would not easily capture media attention, so the continuing public scrutiny of the NSA lacked the important aspects that would help those interested place the operations in context for clearer understanding.
Of course, this does not imply total acceptance of these activities and operations, but it does provide additional information for the public’s consideration.
The Congressional Research Service, which prepares reports for Congress, its members, and committees, prepared the Report on “NSA Surveillance Leaks: Background Issues for Congress” and the following is a summary of their Report:
Recent attention concerning NSA surveillance pertains to unauthorized disclosures of two different intelligence collection programs. Since these programs were publicly disclosed over the course of two days in June, there has been confusion about what information is being collected and what authorities the NSA is acting under.
This report clarifies the differences between the two programs and identifies potential issues that may help members of Congress assess legislative proposals pertaining to NSA surveillance authorities.
One program collects in bulk the phone records—specifically the number that was dialed from, the number that was dialed to, and the date and duration of the call—of customers of Verizon Wireless and possibly other U.S. telephone service providers. It does not collect the content of the calls or the identity of callers.
The FBI must provide a statement of facts showing that there are “reasonable grounds to believe” that the tangible things sought are “relevant to an authorized investigation.”
Some commentators have expressed skepticism regarding how there could be “reasonable grounds to believe” that such a broad amount of data could be said to be “relevant to an authorized investigation,” as required by the statute.
The other program collects electronic communications, including content, of foreign targets overseas whose communications flow through American networks. The Director of National Intelligence has acknowledged that data are collected pursuant to Section 702 of FISA.
As described, the program may not intentionally target any person known at the time of acquisition to be located in the United States, which is prohibited by Section 702.
Beyond that, the scope of the intelligence collection, the type of information collected and the companies involved, and the way in which it is collected remain unclear. Section 702 was added by the FISA Amendments Act of 2008.
Before the enactment of Section 702, FISA only permitted sustained domestic electronic surveillance or access to domestic electronically stored communications after the issuance of a FISC order that was specific to the target.
The Obama Administration has argued that these surveillance activities, in addition to being subject to oversight by all three branches of government, are important to national security and have helped disrupt terror plots.
These arguments have not always distinguished between the two programs, and some critics, while acknowledging the value of information collected using Section 702 authorities, are skeptical of the value of the phone records held in bulk at NSA.
Thus, recent legislative proposals have focused primarily on modifying Section 215 to preclude the breadth of phone record collection currently taking place. They have also emphasized requiring greater public disclosure of FISC opinions, including the opinion(s) allowing for the collection of phone records in bulk.
This report discusses the specifics of these two NSA collection programs. It does not address other questions that have been raised in the aftermath of these leaks, such as the potential harm to national security caused by the leaks or the intelligence community’s reliance on contractors.
According to intelligence officials, the two programs have “helped prevent over fifty potential terrorist events,” which appear to encompass both active terror plots targeting the U.S. homeland and terrorism facilitation activity not tied directly to terrorist attacks at home or abroad.
Of these, over 90% somehow involved collection pursuant to Section 702. Of the 50, at least 10 cases included homeland-based threats and a majority of those cases somehow utilized the phone records held by NSA.
David Headley: According to intelligence officials, the FBI received information indicating that Headley, a U.S. citizen living in Chicago, was involved in the 2008 attack in Mumbai that took the lives of 160 people. NSA, using 702 authorities, also became aware of Headley’s involvement in a plot to bomb a Danish newspaper.
It is unclear from public statements how Headley first came to the FBI’s attention. He pled guilty to terrorism charges and admitted to involvement in both the Mumbai attack and Danish newspaper plot.
Basally Saeed Moalin: NSA, using phone records pursuant to 215 authorities, provided the FBI with a phone number for an individual in San Diego who had indirect contacts with extremists overseas.
The FBI identified the individual as Basally Saeed Moalin and determined that he was involved in financing extremist activity in Somalia. In 2013, Moalin was convicted of providing material support to al-Shabaab, the Somalia-based al-Qaeda affiliate.
The Washington Post, reviewing a series of disclosures of classified intelligence material provided by Edward Snowden, discovered that U.S. intelligence services participated in 231 offensive cyber operations in 2011.
Additionally, they reported on operations that placed “covert implants” and sophisticated malware in computers, routers, and firewalls on tens of thousands of machines every year.
Of the 231 offensive operations, 75% of these cyber operations were directed to top priority targets, which included Iran, Russia, China, and North Korea. The DoD stated that they do engage in computer network exploitation, but they do not engage in any economic espionage. This is probably the major difference between China and America.
As a matter of fact, the number of nations that are engaged in cyber operations is increasing every year. Also, as advances in technology continue to increase, nations will apply these technologies to become more effective at the exploitation of their adversaries. The next level will be the development of cyber weapons on a scale that will displace the need for kinetic forces.
To control these developments, the international community will have to engage diplomats as well as the respective leadership of the principal nations possessing these cyber weapons to formulate plans, programs, and guidelines that will ultimately protect all nations.
Cyber Warfare and the Tallinn Manual on International Law
In the analysis of international law in cyberspace, the United States has concluded that established principles of law do apply in cyberspace, and as such, cyberspace is not a law-free zone where anything goes. The position of the United States is guided by the application of both domestic and international laws.
Despite the growing body of international law being focused on the activities in cyberspace, and given the enormous number of cyber attacks and cyber espionage cases, the United States has articulated its role for an international strategy for cyberspace as follows:
When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.
We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners, and our interests.
In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.
As nations adopt cyber operations, whether they are cyber espionage or range into the next level of cyber offensive weapons, we will need to develop a body of law to regulate activities and protect all nations and their citizens. The potential harm that could be unleashed by a cyber weapon is simply staggering.
In addition, those nation-states that develop cyber offensive weapon capabilities will have to provide assurance for their security so that they do not become available to terrorists or individuals attempting to hold nations to a “blackmail” strategy by seeking a financial exchange for not exploiting the use of the cyber weapon.
The need for international cooperation in addressing the area of cyber-space is critical, and it will continue to be a challenging problem until the leading nations can formulate a strategy of mutual safety for one another.
Time is of the essence: left unaddressed, hostilities will continue to increase until it becomes difficult, if not impossible, to take appropriate action to control the use of cyber weapons.
Cyberspace, like a virtual battleground, has become a place for confrontation: the appropriation of personal data, espionage of the scientific, economic and commercial assets of companies which fall victim to competitors or foreign powers, disruption of services necessary for the proper functioning of the economy and daily life;
This “virtual battleground” in cyberspace has only continued to increase global awareness of security and impact global political stability exponentially, cutting a wide swath across physical geographical boundaries, impacting the security of individuals, commercial enterprises, economies, and the sovereignty and stability of global nations.
Many of the international commerce and business development operations in developed and developing nations are integrally connected to the Internet. For example, Canada’s entire economy is tied to digital technology, with 87% of Canada’s commercial enterprises using the Internet to conduct their business in 2012.
For those world citizens whose freedom of speech is restricted or prohibited, the Internet provides a nearly anonymous avenue where individuals can associate without government restriction and intervention.
They can use the Internet to mobilize and inform others about contemporaneous political activities or events affecting those in a specific community, to operate individual water systems for rural farmers, and to provide and mobilize assistance to those affected by natural disasters.
However, those same benefits can be accessed and used by mal-intentioned individuals and factions that wish to destabilize or overthrow governments or engage in acts of terrorism.
What Is Cybersecurity?
The legal playing field where U.S. local, state, and federal authorities and international bodies and member states of the European Union (EU) aim their legal bat to regulate, govern, and protect their identified tangible and intangible assets from cybercrime, espionage, and attack puts kindred terminology into play, which, at first blush, seems identical because the players wear the same uniforms when whizzing around the bases.
But upon closer inspection, those players have simply adopted a specific term without ever ascribing a precise definition to that word, while others have adopted a specific definition that fails to correlate to any scientific or existing statutory framework.
Either way, failing to develop and establish uniform and standardized definitions consistent with an overall strategy, legal structure, and scientific basis will ultimately impact the ability of all players to identify their strengths and weaknesses, create sound gaming statistics, and develop an easy-to-understand rulebook that can be seamlessly adopted and fluidly applied in practice with other global players.
The development and adoption of precise definitions for the primary terms of art dealing with the security of various information systems and their physical and virtual devices, interconnected through the Internet, have been identified as a required component if and when cybersecurity is launched as an actual science.
Such a development would put the study of cybersecurity under the rigorous scrutiny of the scientific method, which requires the repeatability of experiments based on precise definitions and conditions.
“Precise definitions matter. Until there is a precise set of objects that can be examined carefully and clearly, it will not be possible to increase the level of rigor.”
In analyzing data and security breaches, and the relevant legal framework throughout the EU, the Directorate General for Internal Policies Policy Department A: Economic and Scientific Policy, Industry, Research and Energy of the European Parliament (the “Directorate”) concluded in September 2013 that “consistent and unambiguous definitions across legislative instruments are often lacking.”
The Directorate’s report further outlines the level of impact that the lack of standardized terms for defining data and security breaches can have on identifying, reporting, and reacting to such breaches.
The lack of standardized terms has resulted in an inability to globally match “apples to apples” and affects the accuracy in reporting the actual number, nature, and type of breaches that have occurred over a given period of time.
Lastly, in one of the most deadly and critical aspects of identifying specific events by standardized terms, an international group of experts found that the same lack of agreed-upon definitions impacts the application of international cyber warfare.
State practice is only beginning to clarify the application to cyber operations of the jus ad bellum, the body of international law that governs a State’s resort to force as an instrument of its national policy.
In particular, the lack of agreed-upon definitions, criteria, and thresholds for application creates uncertainty when applying the jus ad bellum in the cyber context.
Acknowledging that standardized and globally accepted definitions for significant and repeating terms of art affecting cybersecurity do not presently exist among global nation-state, business, and individual stakeholders, an overview of the relevant U.S. and international legal environment must identify, at a minimum, what has been identified as a definition, or the lack thereof, for the word cybersecurity. What exactly does the word cybersecurity mean, and is that definition expansive enough to be borderless?
And if so, is that definition universally accepted throughout the world, or is that definition finite, limited, and restricted only to certain nation-states? The word cybersecurity seems to be used interchangeably, like the ubiquitous use of wood glue.
As we all know, not all glues are created equal, meaning that the ingredients found in specific types of glue will make the difference between glue that sticks and one that just does not or, even worse, will actually muck things up, generating more problems than solutions. The same analogy can be made about definitions.
A definition of cybersecurity must adequately contemplate and address the physical and virtual nature of the assets to be protected, in addition to the breadth and scope of coverage, because cybersecurity is a complex problem with many different facets, and legal and legislative analyses of cybersecurity issues must distinguish not only among different cyber threat actors, such as nation-states, terrorists, criminals, and malicious hackers, but also among different types of cyber threats.
Such cyber threats include threats to critical infrastructure, which could lead to loss of life or significant damage to our economy; and threats to intellectual property, which could affect our nation’s long-term competitiveness.
Without a clear, concise, and descriptive definition of cybersecurity, how can a nation-state promulgate an overarching statutory scheme strong enough to encompass and protect all its physical and virtual assets from external and internal threats?
If cybersecurity is not clearly defined, how will a nation-state be able to regulate the conduct of its economic business stakeholders without overregulating them into extinction?
Take the example of the United States, one of the largest nation-states globally, which arguably should easily be able to articulate a clear and concise definition of the word cybersecurity, yet it does not.
In fact, the Department of Homeland Security (DHS) uses the word cybersecurity in its publications without ever defining precisely what aspects it does and does not cover, and even the defunct Cybersecurity Act of 2012 used the word cybersecurity without ever providing a definition. The proposed bill at least provided a definition for what it termed cybersecurity services:
(4) CYBERSECURITY SERVICES—the term “cybersecurity services” means products, goods, or services used to detect or prevent activity intended to result in a cybersecurity threat.
This definition does not stand independently and must be reviewed within the context of a “cybersecurity threat,” which is defined as follows:
(5) CYBERSECURITY THREAT—the term “cybersecurity threat” means any action that will result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.
In its June 2013 seminal report for the Congress on federal laws relating to cybersecurity, the Congressional Research Service highlighted the lack of a uniform, universally accepted definition for cybersecurity:
The term information systems is defined in 44 U.S.C. 3502 as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information,” where information resources is “information and related resources, such as personnel, equipment, funds, and information technology.”
Thus, cybersecurity, a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might best be described as measures intended to protect information systems—including technology (such as devices, networks, and software), information, and associated personnel— from various forms of attack.
The concept has, however, been characterized in various ways. For example, the interagency Committee on National Security Systems has defined it as “the ability to protect or defend the use of cyberspace from cyber attacks,”
where cyberspace is defined as a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
On the other hand, the International Telecommunications Union (ITU), the United Nations’ specialized agency for information and communications technology, adopted the following definition of cybersecurity in its April 2008 recommendations on the network, data, and telecommunications security:
While the ITU definition of cybersecurity does not clearly define what would be the contemplated cyber environment, this definition is far more inclusive than the aforementioned cobbled-together definition presented in current U.S. cybersecurity legislation.
The ITU definition encompasses the individual, enterprise, and governmental information systems, identifying, in general, the physical and virtual assets it seeks to protect.
While a finite, discrete definition of cybersecurity may create a uniform standard in the application of the panoply of the overarching legal regulatory schemes currently in place, does having an inflexible, agreed-upon definition create the right solution to a 21st-century issue?
David Satola and Henry Judy posit that the current domestic and international legal architecture is outdated, is not geared to adjust quickly to the dynamic cyber environment, and is not a 21st-century response to the new digital landscape.
According to the authors, the current legal architecture does not adequately address “the lack of consensus on the fundamental and related issues of jurisdiction and sovereignty,”
which makes “it difficult to effectively cross borders to address international cybersecurity incidents,” while contract law is generally the only remedy available when cybersecurity issues arise from unintentional coding errors or negligently written software.
Lastly, the authors note that the concept of cybersecurity “varies depending on the physical, educational, and economic resources available in different jurisdictions.
It differs depending on the sensitivity of the data to be protected and needs to reflect different cultural expectations and priorities, among many other factors.”
Instead of adopting a specific definition for cybersecurity, this blog attempts to incorporate Satola and Judy’s suggested modular approach by identifying an overview of the U.S. federal and international laws that currently comprise the legal framework that attempts to address and regulate the changing cybersecurity landscape.
Current U.S. Comprehensive National Cybersecurity Strategy
In general, current U.S. and various state laws involving cybersecurity, either directly or indirectly, have developed in reaction to abuses and malicious activity occurring in specific economic sectors.
In his discussion paper “Cyber Norm Emergence at the United Nations—An Analysis of the Activities at the UN Regarding Cybersecurity,” Tim Maurer postulated that “cybersecurity can be divided into four major threats: espionage, crime, cyber war, and cyber terrorism.”
Maurer credits Harvard Professor Joseph Nye for identifying the underlying sources for these present-day threats: (1) flaws in the design of the Internet, (2) flaws in the hardware and software, and (3) the move to put more and more critical systems online.
In the United States, the government controls or manages only a small portion of the cyber environment, while the private sector designs, markets, installs, and operates much of the software and hardware utilized in the technological operation of power grids, water sanitation and delivery, transportation, communications, and financial systems nationwide.
As a result, the United States can only control cyber threats to the vulnerabilities evident in these private systems by creating additional legislation allowing oversight, regulation, and monitoring based on potential impacts to national security.
While there has been a recent spate of legislative bills proposed to create a standardized overarching U.S. federal cybersecurity legal scheme seeking to cover both government and private computer and network systems, none of them have successfully been enacted into law.
In 2003, the White House initiated its inaugural national cybersecurity strategy when, through then-President George W. Bush, it released The National Strategy to Secure Cyberspace in February 2003. Bush identified, proposed, and emphasized the importance of, and participation in, a public–private partnership to implement the national strategy to secure cyberspace.
Bush’s strategy prioritized five concerns: (1) creating a national cyberspace security team, (2) a cyberspace threat and vulnerability reduction program,
(3) a cyberspace security awareness program, (4) a plan to secure the federal cyberspace, and (5) national and international cooperation for cyberspace security.
While these five strategic priorities did not translate into the passage of any meaningful legislation, the Comprehensive National Cybersecurity Initiative (CNCI) originated as a classified offshoot of Bush’s National Strategy.
In December 2008, an appointed Commission on Cybersecurity for the 44th Presidency (“Commission”) from the Center for Strategic and International Studies (CSIS) issued a report that presented three fundamental findings:
“(1) cybersecurity is now a major national security problem for the United States, (2) decisions and actions must respect privacy and civil liberties, and (3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.”
Following up on the CSIS Commission’s recommendations, President Barack Obama issued a revised and updated CNCI as National Security Presidential Directive 54, released on March 2, 2010, which primarily addressed cybersecurity in the federal systems, both classified and civilian;
mandated the use of EINSTEIN 2, an intrusion detection system, across all federal systems; and reduced federal external network access points to the Internet to only those trusted providers contracted with the government.
The 2010 CNCI mandated information sharing across various federal agencies in an effort to develop a more robust cyber defense system, to support initiatives to create a more cyber-savvy federal employee base, to develop future leading technology for cybersecurity, to develop a multiprong approach to global supply chain risk assessment, and to define the federal role for extending cybersecurity into critical infrastructure domains.
Following Obama’s issuance of the 2010 CNCI, Congress considered a variety of bills involving cybersecurity; however, none of them were successfully passed.
In the absence of a legislated cybersecurity legal standard, on February 12, 2013, the Obama White House issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which sets out a national policy on cyber intrusions; identifies the nature and scope of the U.S. national policy on the security of critical infrastructures; creates a process for information sharing and coordination with private entities to enhance and better protect critical infrastructure assets; defines critical infrastructures and critical infrastructure sectors; and directs the development of standards and a framework for improved cybersecurity of critical infrastructures.
It further tasks government agencies, including the DHS, to create a voluntary process between the government and private entities to rapidly share unclassified data relating to cyber threat risks and incidents and extends voluntary participation to select owners and operators of identified critical infrastructures for classified information sharing in the Enhanced Cybersecurity Services (ECS) program.
By opening participation in the ECS program to critical infrastructure entities, the EO expanded ECS coverage to a broader base of stakeholders.
Participation in ECS is voluntary and permits the sharing of classified information involving indicators of malicious cyber activity between DHS and qualified public and private entities involved in the operation of critical infrastructure assets.
ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration.
DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information.
DHS develops indicators based on this information and shares them with qualified Commercial Service Providers (CSPs), thus enabling them to better protect their customers who are critical infrastructure entities. ECS augments, but does not replace, an entity’s existing cybersecurity capabilities.
ECS deploys EINSTEIN 3-Accelerated (E3A), a real-time network intrusion detection and prevention system that performs deep packet inspection to identify, prevent, and block malicious activity from entering federal civilian agency networks.
E3A has been operationalized for every (.gov) website as part of the government’s efforts to reduce cyber threat risk to the system networks utilized by all federal civilian agencies, in furtherance of the EO’s mandate to improve the security of federal systems.
E3A is operated with sensors placed at network Internet access points, where incoming and outgoing network traffic is monitored for cyber indicators in real time.
According to the DHS, “A cyber indicator (indicator) can be defined as human-readable cyber data used to identify some form of malicious cyber activity and are data related to:
E3A matches detected cyber indicators against its database of known malicious signatures from both classified and unclassified sources to detect potential or actual threats, which are logged in real time and shared with the U.S. Computer Emergency Readiness Team (CERT), the DHS division responsible for coordinating defenses against and responses to cyber incidents across the United States.
Since E3A was initially designed and developed by the National Security Agency (NSA) and has the capability to read electronic content, its use in federal civilian systems continues to raise significant privacy concerns, despite DHS’s description of the privacy protection processes it has implemented to protect individual privacy from abuse, misuse, and inadvertent disclosure, which is outlined in detail in its Privacy Impact Assessment Report issued in April 2013.
An important milestone produced by the EO’s mandate was completed on February 12, 2014, when NIST issued a Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework).
The NIST Framework is based on three separate categories that are interrelated and provide a basic roadmap for an organization to conduct a self-assessment of its enterprise information protection plan. The NIST Framework consists of Framework Core, Framework Profile, and Framework Implementation Tiers.
“The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors,” which provides the organization with the detailed guidance for developing its own individual organizational risk profile.
The Framework Profile represents outcomes based on business needs, which can be adjusted based on the categories selected under the Framework Core and Tiers.
The Framework Implementation Tiers “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.”
While not mandatory, the NIST Framework provides a benchmark that organizations can use to gauge where their cybersecurity activities fall within the NIST Framework, as the minimum standard of care for risk-based cybersecurity.
The NIST Framework provides references for each category and activity to other more detailed standards issued by professional industry organizations.
Issues Involving Electronic Data Collection for Law Enforcement Purposes
The Third Party Doctrine provides that when an individual knowingly supplies information to a third party, his expectation of privacy is diminished because that person assumes the risk that the third party may reveal the information to government authorities.
As a result, the information imparted to third parties generally falls outside the scope of Fourth Amendment protection and, accordingly, the government can access this information by requesting or subpoenaing it without informing the party under investigation.
Since the search warrant the government sought to enforce was obtained pursuant to the SCA, the court found no need to analyze the impact of the Third Party Doctrine in the case at bar as the SCA, by its very provisions, imbues Fourth Amendment protections to e-mail communications revealed to third parties, which may not have received such protections.
The current U.S. legal view that e-mail communications revealed to third parties, as is the case with big data and cloud computing storage providers and ISPs, are not afforded the same Fourth Amendment privacy protections puts U.S. data storage.
Directive. EU domiciled data storage and ISP businesses, while subject to the EU fundamental individual right to data protection and the “right to be forgotten” on the Internet, are not subject to U.S. court orders, subpoenas, or search warrants.
While U.S. domiciled data storage and ISP business may have enjoyed a competitive advantage over their EU counterparts in the past because participation in the U.S. Safe Harbor Framework is not as stringently enforced, that advantage has now vanished.
Microsoft’s decision to appeal Judge Francis’ ruling comes on the heels of the ongoing EU–U.S. negotiations relating to an international framework for data protection, referred to as the “Data Protection Umbrella Agreement” (DPUA), all of which have received heightened scrutiny as a result of the NSA surreptitious surveillance activities.
Among other data protection requirements, the DPUA seeks to provide EU citizens who do not reside in the United States with the same right of judicial redress as U.S. nationals in the EU receive.
In general, a provisional agreement has been reached that does not authorize any data transfer but “include[s] the scope and purpose of the agreement, fundamental principles and oversight mechanisms.” The United States reports that it is seeking legislative changes in order to make the changes sought by the EU.
Whistleblower or Criminal Leaker?
In general, whistleblowers provide a window of transparency into potentially illegal activity occurring within an organization and, by doing so, serve the “public’s right to know” about individual or group misconduct occurring within government or nongovernment organizations, misconduct that may be illegal or prohibited.
In some cases, employees may be in the unique position of being the only eyewitnesses to gross, unethical, and illegal misconduct within an organization, putting them squarely in the crosshairs of those who hide the truth of their activities and thereby forcing those employee witnesses to choose between remaining silent to protect their careers and blowing the whistle to protect the public and, in some cases, the organization. So, are whistleblowers really heroes or villains?
Do they serve an important purpose in the realm of cybersecurity, or are they a distraction and nuisance? At first blush, the answer to all of these questions seems to be in the affirmative.
The actions of whistleblowers can, in fact, shine a beacon of light into an otherwise dark, unexposed corner of an organization where inappropriate conduct, misconduct, or criminal activity exists within an entity.
Whistleblowers may be employees, contractors, vendors, or consultants who are in a position to have received information about potential wrongdoing by an organization.
According to the 2014 Report to the Nations by the Association of Certified Fraud Examiners, tips are the most common way in which occupational fraud schemes are detected, with over 40% of reported cases detected as the result of a tip and over half of those tips reported by employees of the organization.
While approximately 14% of tips are anonymous, the identity of the remaining tipsters is known to the organization.
On the flip side of the coin, disgruntled employees, information technology employees, and contractors comprise the most common categories of individual insider threats for the exfiltration of confidential or classified data.
The CERT Insider Threat Center states that a malicious insider is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
In the realm of cybersecurity, an individual may, in fact, be categorized as both a whistleblower and a malicious insider based on the facts and circumstances of the event, characterizations that fit the case of Chelsea Manning and Edward Snowden, both of whom exfiltrated large amounts of classified data from protected U.S. computer systems.
In the case of Manning, she electronically submitted the removed data to WikiLeaks, a known leaking organization, while in the case of Snowden, he delivered the data to a news media outlet.