What Are Cyberspace and Cyber Threat Intelligence?
Cyberspace can be defined as the space in which information circulates from one medium to another and where it is processed, duplicated, and stored. It is also the space in which tools communicate, where information technology becomes ubiquitous.
So in effect, cyberspace consists of communication systems, computers, networks, satellites, and communication infrastructure that all carry, process, or store useful information in its digital format.
This includes sound, voice, text, and image data that can be controlled remotely via a network, which includes technologies and communication tools such as the following:
Fixed or mobile equipment
As we obtain our information through cyberspace, and as every sector of society becomes more dependent on it for that information, one can easily see why cyberspace will become a theater for information warfare.
Since our nation's 16 critical infrastructure sectors depend so heavily on operations conducted through the area we define as cyberspace, it is only to be expected that cyberspace will become a vehicle for launching cyberattacks, and defensive strategies and operations are needed to prevent this from happening.
Bruce Schneier relates that in the 21st century war will inevitably include cyberwar: just as war moved into space with the development of satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, software, electronics, tactics, and defenses.
Schneier discusses the properties of cyberwar in terms of network hardware and software and notes the fundamental tension between cyber attacks and cyber defenses.
Regarding cyber attacks, one of our concerns should center on the ability of an attacker to launch an attack against us. Unlike other forms of warfare, cyber attacks do not have an obvious origin, and there is something very terrifying in not knowing your adversary, or in thinking you know who your adversary is only to be wrong.
As Schneier states, “imagine if, after Pearl Harbor, we did not know who attacked us?” Many people experienced this very fear after the 9/11 attacks in the United States, which were physical attacks using airplanes. One can only imagine the terror if the attack had been a purely electronic attack from an unknown source.
It should be quite obvious that as a result of the rapid development of technologies, the digital environment has ushered in an era where most nations will have to begin to plan for cyber warfare. It would be unreasonable for militaries to ignore the threat of cyber attack and not invest in defensive strategies.
John Arquilla of the Naval Postgraduate School and David Ronfeldt of the RAND Corporation introduced the concept of “cyberwar” to describe knowledge-related conflict at the military level: conducting military operations according to information-related principles.
This means disrupting, if not destroying, the information and communication systems that an adversary relies upon. Of course, if those information and communication systems can be used to gather information on the adversary, they are most useful from an intelligence point of view and would continue to be exploited to acquire further intelligence.
Martin Libicki, from the National Defense University, identified seven forms of information warfare and categorized these as follows:
Command and control warfare
Economic information warfare
Dorothy Denning suggests several possible futures for war and military conflict. In the first, future wars are a continuation of the Gulf War model: operations exploit new developments in technology, particularly sensors and precision-guided weapons, but are still accompanied by military force on the ground, at sea, and in the air.
A second future scenario is one in which operations take place almost exclusively in cyberspace. Under this scenario, wars will be fought without any armed forces. Instead, trained military cyber-warriors will break into the enemy's critical infrastructures, remotely disabling the communication and command-and-control systems that support both military and government operations.
Additional attacks will be targeted toward critical infrastructures such as banking, telecommunications, transportation systems, and the electrical power grid of the adversary.
Cyber Intelligence and Counter Intelligence
The digital transformation that has impacted all aspects of our life in terms of business, education, medicine, agriculture, and our critical infrastructure has also had a profound effect on our national security and those agencies responsible for our nation’s defense and security.
Our nation's intelligence agencies are also making transformational changes in how they collect, process, and exploit data and in how they analyze and disseminate the resulting information.
After the 9/11 attack on our nation, a National Commission was appointed to review the work and performance of our intelligence community, and this resulted in major modifications of the intelligence agencies, but most importantly, it resulted in the creation of the Office of the Director of National Intelligence.
The Director of National Intelligence is charged with fostering greater cooperation and information sharing among our intelligence agencies and with overseeing the roughly $50 billion budget allocated to our nation's intelligence community.
Our nation's intelligence community is organized in three major groupings as follows:
Office of the Director of National Intelligence
1. Principal National Intelligence Programs
Central Intelligence Agency
Defense Intelligence Agency
National Geospatial-Intelligence Agency
National Reconnaissance Office
National Security Agency
FBI-National Security Branch
2. Armed Forces—Military Intelligence
Air Force Intelligence
Marine Corps Intelligence
Coast Guard Intelligence
3. National-Government Department of Intelligence Operations
Department of Homeland Security—Office of Intelligence & Analysis
Department of Energy—Office of Intelligence & Counter Intelligence
Treasury Department—Office of Intelligence & Analysis
State Department—Bureau of Intelligence & Research
Drug Enforcement Administration—Office of National Security Intelligence
James Clapper, Director of National Intelligence, identified the core function of his office as the integration of intelligence, which requires a global information technology infrastructure through which the intelligence community can rapidly and reliably share information.
This infrastructure is much more than hardware, software, data, and networks. It also encompasses the policies, procedures, and strategies that drive responsible and secure information sharing.
Ultimately, mission success depends on our diverse workforce bringing forth and implementing innovative ideas that are linked to the National Intelligence Strategy and the Intelligence Community's Information Technology Enterprise Strategy.
In doing so, we enable our mission partners, warfighters, and decision-makers to have secure and timely information that helps them meet mission needs and keep our nation secure.
Given that the integration of intelligence is the core function, the creation of the Intelligence Community Information Technology Enterprise Strategy was a significant step toward achieving it.
The strategic goals of the Information Technology Enterprise Strategy center on defining, developing, implementing, and sustaining a single, standards-based, interoperable, secure, and survivable intelligence community Information Technology Enterprise Architecture.
This architecture has to deliver user-focused capabilities that are to be provided as a seamless, secure solution for trusted collaboration on a basis of people to people, people to data, and data to data that will enhance mission success while ensuring the protection of intelligence assets and information.
Not only is this Information Technology Enterprise Architecture Program fundamental to creating a mechanism for intelligence agencies to work more cooperatively, but it also has enabled the intelligence community to be better prepared for the digital transformation in their basic collection, processing, and analysis functions.
Cyberspace and Cyber Intelligence
In 1995, the Central Intelligence Agency (CIA) realized that advances in technology were outdistancing its internal capabilities, and the Agency was simply not prepared to seize the collection and analysis opportunities that would become available through the high-tech environment emerging outside the Agency. As a result, the Agency created the Office of Clandestine Information Technology, whose work was designed to prepare for espionage operations in cyberspace. Within four years, by 1999, most of the technical operations in the CIA's Counterterrorism Center were based in cyberspace, producing terabytes of intelligence data.
However, as former CIA officer Henry Crumpton notes, “…these monumental advances in technology have not made collection easier…in some ways technical collection is much harder, because of the massive amounts of data, new requisite skills, diverse operational risks, organizational challenges, and bureaucratic competition.”
By 2000, these changes had ushered in an era of new collection platforms, most notably the Predator. In less than ten years, this unmanned aerial vehicle (UAV) would transform how wars are fought, to this day and into the future.
Ironically, the CIA had attached an Army weapon to an Air Force platform operating under CIA command, and this created a major bureaucratic argument: the Department of Defense (DoD) viewed the armed aircraft as an instrument of war and believed that, as such, it belonged under the purview of the DoD.
The fundamental intelligence paradox centers on the need to reconcile intelligence programs, practices, and operations with the preservation of public trust within the democracy we live in and serve.
Jennifer Sims and Burton Gerber provide the most incisive assessment of the intelligence paradox by their analysis of intelligence requirements and the protection of civil liberties, where they observe the following:
In democracies, the state’s interest in maximizing power for national security purpose must be balanced with its interest in preserving public trust. In the U.S. case, this trust requires protection of constitutional freedoms and the American way of life.
History tells us that intelligence practices unsuited either to the temperament of American political culture or to the new threats embedded in the international system will probably trigger more failure, and all too swiftly.
Thus, national security decision-makers face a conundrum: the best intelligence systems, when turned inward to address foreign threats to vital domestic interests, can threaten the very institutions of democracy and representative government that they were set up to protect in the first place.
Our nation's intelligence policy is shaped by governmental leaders in Congress and the White House, and also by our judicial system.
All three branches of our government are intimately involved in the creation, oversight, and interpretation of our intelligence community's collection policies, operations, and analytical work products.
So the question of how to manage the conundrums involved in gathering and maintaining secrets must, by its very nature, include those branches of our government.
How the intelligence community earns the trust and cooperation of the American people in its domestic fight against transnational threats, while simultaneously expanding intrusive domestic surveillance, is an issue that goes beyond the decision-makers of the intelligence community;
it requires the engagement of the full panoply of our nation's intelligence leaders, who have all too frequently found their role to be like an iceberg, with two-thirds of the body hidden from view and kept from participating in the very policies they have been tangentially involved in creating.
For example, as intelligence programs and policies are created, all participants have to address some of the most difficult issues confronting intelligence programs in a democracy;
such as whether, when, and how the government may consort with criminals, influence elections, listen in on private conversations, eliminate adversaries, withhold information from the public, what kind of cover may be used by intelligence officers, and how covert action proposals are vetted within the government.
These are all programs that have been used in the past and with the approval of our nation’s highest elected officials. So in effect, intelligence policy is not the exclusive domain of the intelligence agency professionals.
In essence, decisions about intelligence policy, who formulates the policy, and who will be responsible for the policies determine how a given set of intelligence institutions and the democratic system it serves can productively coexist.
Clearly, a challenge confronting both our government and the intelligence community is the realization that substantial numbers of American citizens are uncomfortable with the intelligence community's use of clandestine operations, deception, or the collection of telephone and Internet metadata.
The incredible advancements in technology and the accompanying digital revolution have irreversibly altered the collection and analysis of intelligence data.
The global reliance on information technology by all nations and their intelligence agencies has fundamentally changed not only the intelligence process but also military warfare.
Today, the challenges come not only from the use of offensive cyber weapons by nation-states but also from the ability of individuals to design software attacks, exfiltrate intellectual property, and compromise databases, all of which confront our nation's intelligence community.
Each of our 16 intelligence agencies is focused on developing programs that will produce timely information answering the question foremost in the mind of our nation's leadership, the “warning” question: Will there be another terrorist attack within or against the United States, by whom, and in what manner?
Since our nation experienced the 9/11 attacks, we as a society are acutely aware of our vulnerabilities, and we want to be protected from such terrorist activity. So we depend on our intelligence community to provide actionable information to our governmental leaders so their decision making will result in well-developed policies premised upon well-researched and analyzed fact patterns.
On some occasions, especially in controversial areas, the dialogue over the appropriateness of collection methods may be viewed by some as a deviation from the norms, mores, and sensitivities of the general public.
Our nation's public is largely disengaged from the difficulties of operating intelligence programs and from the sincere efforts of our intelligence professionals to work within a structure that coexists with our democratic principles.
Providing the information that protects our citizens and the safety and freedom they wish to enjoy is a core principle of our intelligence professionals. As a nation, we have had little public dialogue on the conundrums facing our intelligence community.
The intelligence paradox will take careful and thoughtful dialogue from all parties as those who work within our intelligence community seek to protect our citizens and to uphold the democratic values of our society.
DoD—The U.S. Cyber Command
In his periodic report to Congress, James Clapper, Director of National Intelligence, stated that, based on the worldwide threat assessment compiled by the 16 intelligence agencies under his direction, the most critical concerns relate to cyber threats and the potential for cyber attacks, which employ cyberweapons and can be difficult to defend against.
The growing concern for cyber attacks against our critical infrastructure as well as the penetration of corporate networks and the loss of intellectual property continues to be a problem that is growing and requires action by the U.S. government.
Jason Healey observed that the DoD began to organize around cyber and information warfare just after the first Gulf War of 1991. The Air Force Information Warfare Center was created in 1993, and both offense and defense operations were combined in the 609th Information Warfare Squadron.
Since this unit was an Air Force unit, it was not able to assume responsibility for all cyber defense operations that existed outside of its domain. The Pentagon, in an effort to more thoroughly address the problem of cyber activities, established the Joint Task Force-Computer Network Defense in 1998.
By 2000, this Joint Task Force was given responsibility for both offense and defense. By 2004, responsibilities for offensive and defensive operations were again separated: the NSA was given the offensive mission, and the Defense Information Systems Agency was assigned the defensive mission.
Once again, this strategy lasted only until 2010, when both missions of offense and defense were combined within the U.S. Cyber Command, under the leadership of General Keith Alexander, who was also the director of the NSA.
The DoD determined that, given the cyber capabilities of both the NSA and the U.S. Cyber Command, it was appropriate to have one four-star general lead both organizations.
Major General John A. Davis, Senior Military Advisor for Cyber to the Under Secretary of Defense (Policy) and former Director of Current Operations, U.S. Cyber Command, Fort Meade, commenting on recent activities in refining the cyber strategy for the DoD, stated the following:
DoD has established service cyber components under the U.S. Cyber Command;
Established Joint Cyber Centers at each Combatant Command;
Implemented a Military-Orders process to handle cyber action as it is handled in other operational domains;
Established an interim command-and-control framework for cyberspace operations across joint service and defense agency operations;
Developed a Force Structure Model for Cyber Force organizations;
Established a Plan and developed orders to transition to a new Network Architecture called the Joint Information Environment or JIE;
DoD's mission is to defend the nation in all domains, but in cyberspace, the DoD shares its role with other members of the Federal Cybersecurity Team, including the Department of Justice and the FBI, the lead for investigation and law enforcement;
Other Team Members are the Department of Homeland Security— the lead for protecting critical infrastructure and government systems outside the military—and the intelligence community which is responsible for threat intelligence and attribution;
DoD has defined three main cyber missions and three kinds of Cyber Forces which will operate around the clock to conduct these missions:
National Mission Forces to counter adversary cyber attacks;
Combat Mission Forces to support combatant commanders as they execute military missions;
Cyber Protection Forces will operate and defend the networks that support military operations worldwide.
The Pentagon, responding to the growing threat of cyber activities in cyberspace, expanded the force of the U.S. Cyber Command from 900 personnel to include 4900 military and civilian personnel. The three types of forces under the U.S. Cyber Command are
(1) National Mission Forces, with the responsibility to protect computer systems critical to the national and economic security such as our electrical grid system, power plants, and other critical infrastructures;
(2) Combat Mission Forces to assist commanders in planning and executing attacks or other offensive operations; and (3) Cyber Protection Forces to fortify and protect the DoD’s worldwide networks.
General Keith Alexander, U.S. Cyber Command, informed Congress that the potential for an attack against the nation’s electrical grid system and other critical infrastructure systems is real, and more aggressive steps need to be taken by both the federal government and the private sector to improve our digital defenses.
Offensive weapons are increasing, and it is only a matter of time before these weapons might wind up in the control of extremist groups or nation-states that could cause significant harm to the United States.
In the meantime, the U.S. Cyber Command has formed 40 Cyber Teams; these teams are assigned the mission of guarding the nation in cyberspace, and their principal role is offensive in nature.
Another 27 Cyber Teams will support the military’s warfighting commands, while others will protect the Defense Department’s computer systems and data.
General Alexander also notified Congress that we still need a definition of what constitutes an act of war in cyberspace. Alexander stated that he does not consider cyberespionage and the theft of a corporation’s intellectual property as acts of war, but he did state that “you have crossed the line” if the intent is to disrupt or destroy U.S. infrastructure.
The question raised by General Alexander as to what constitutes an act of war in cyberspace is an important question, yet it is not easily answered due to the complexity of the issues it raises.
The NSA is one of America’s 16 Intelligence Agencies, and its principal responsibility is to protect the national security interests of the U.S. The NSA is responsible for cryptology, signals intelligence, computer network operations, and information assurance.
For years, few Americans took note or were even aware of this organization; however, in June 2013, events unfolded that positioned the NSA into a worldwide discussion over the appropriateness of cyber espionage. The person who catapulted the NSA into the focus of the entire world community was Edward Snowden.
Snowden was working as a contract employee for Booz Allen Hamilton, a firm that had a contract with the NSA, and in this capacity, Snowden had access to the NSA’s databases. Before his employment at Booz Allen Hamilton, Snowden was employed at Dell Computer, Inc., where he also had access to the NSA’s databases.
Evidently, Snowden decided to collect data while working at Dell, and he took a position at Booz Allen Hamilton to acquire additional data all for the express purpose of releasing the information to call attention to the activities of the NSA. The release of the information and classified security documents has resulted in a terrible loss to our nation.
In addition to informing our adversaries as to our collection methods and revealing very complex security programs, it has also created a financial burden on our government.
U.S. corporations providing the NSA with data, even though they did so under lawful court orders issued pursuant to the Foreign Intelligence Surveillance Act (FISA), still experienced major public relations problems as citizens were concerned about the possible loss of their privacy.
The international community reacted by reducing business with major U.S. corporations, and some nations even considered the total rejection of further business with some U.S. corporations.
The irony is that China's PLA Unit 61398 activities were in fact designed for the cyber espionage of intellectual property from a vast number of corporations throughout the world;
whereas the NSA's cyber espionage activities never focused on that domain and were consistently focused on the security of our nation, directed at identifying terrorist or other security threats to our country.
Snowden has released through the Guardian newspaper an extraordinary amount of classified information he had no legal right to release. Snowden expressed his concern for the loss of privacy of Americans as a result of several NSA programs.
Perhaps the release of data that were erroneously characterized as the NSA listening in on telephone conversations drew the most attention and concern.
This story has been retold in media accounts, and it is incorrect: the NSA's authority to capture telephone contacts between intelligence targets is limited to a specific and detailed process outlined as part of the NSA's charter.
However, to fully appreciate the reason for the bulk collection of telephone metadata, we must return to the 9/11 terrorist attack against the World Trade Center in New York.
The aftermath of this attack and the report of the Congressional Review Committee on the failure of our intelligence community for not being able to “connect the dots” resulted in the George W. Bush Administration authorizing new programs to rectify this inability.
With the passage of the USA Patriot Act, new programs were established, and with these new programs came additional oversight from both the Congress and the FISA Court.
To more fully appreciate the operations of the NSA, it is appropriate to describe their mission and the authorization documents that permit the NSA’s operations.
Specific focus will be placed on the authorizing Executive Order 12333, FISA Section 702 and Business Records FISA, Section 215, as these are controlling authorities and most germane to Snowden’s release of classified information.
NSA Mission Legal Authorities
NSA’s mission is to help protect national security by providing policymakers and military commanders with the intelligence information they need to do their jobs.
NSA’s priorities are driven by externally developed and validated intelligence requirements, provided to NSA by the President, his national security team, and their staffs through the National Intelligence Priorities Framework.
NSA Collection Authorities
NSA’s collection authorities stem from two key sources: Executive Order 12333 and the Foreign Intelligence Surveillance Act of 1978 (FISA).
Executive Order 12333
Executive Order 12333 is the foundational authority by which NSA collects, retains, analyzes, and disseminates foreign signals intelligence information. The principal application of this authority is the collection of communications by foreign persons that occur wholly outside the United States.
To the extent that a person located outside the United States communicates with someone inside the United States, or someone inside the United States communicates with a person located outside the United States, those communications could also be collected.
Collection pursuant to EO 12333 is conducted through various means around the globe, largely from outside the United States, which is not otherwise regulated by FISA. Intelligence activities conducted under this authority are carried out in accordance with minimization procedures established by the Secretary of Defense and approved by the Attorney General.
To undertake collections authorized by EO 12333, NSA uses a variety of methodologies. Regardless of the specific authority or collection source, the NSA applies the process described as follows:
1. NSA identifies foreign entities (persons or organizations) that have information responsive to an identified foreign intelligence requirement. For instance, the NSA works to identify individuals who may belong to a terrorist network.
2. NSA develops the “network” with which that person or organization's information is shared or the command and control structure through which it flows. In other words, if NSA is tracking a specific terrorist, NSA will endeavor to determine who that person is in contact with, and who he is taking direction from.
3. NSA identifies how foreign entities communicate (radio, email, telephony, etc.).
4. NSA then identifies the telecommunications infrastructure used to transmit those communications.
5. NSA identifies vulnerabilities in the methods of communication used to transmit them.
6. NSA matches its collection to those vulnerabilities or develops new capabilities to acquire communications of interest if needed.
This process will often involve the collection of communications metadata—data that helps NSA understand where to find valid foreign intelligence information needed to protect U.S. national security interests in a large and complicated global network.
For instance, the collection of overseas communications metadata associated with telephone calls—such as the telephone numbers, and time and duration of calls—allows NSA to map communications between terrorists and their associates.
This strategy helps ensure that NSA’s collection of communications content is more precisely focused on only those targets necessary to respond to identified foreign intelligence requirements.
NSA uses EO 12333 authority to collect foreign intelligence from communications systems around the world. Due to the fragility of these sources, providing any significant detail outside of classified channels is damaging to national security.
Nonetheless, every type of collection undergoes a strict oversight and compliance process internal to NSA that is conducted by entities within NSA other than those responsible for the actual collection.
FISA regulates certain types of foreign intelligence collection, including certain collection that occurs with the compelled assistance of U.S. telecommunications companies.
Given the techniques that NSA must employ when conducting NSA’s foreign intelligence mission, NSA quite properly relies on FISA authorizations to acquire significant foreign intelligence information and will work with the FBI and other agencies to connect the dots between foreign-based actors and their activities in the U.S.
The FISA Court plays an important role in helping to ensure that signals intelligence collection governed by FISA is conducted in conformity with the requirements of the statute.
All three branches of the U.S. government have responsibilities for programs conducted under FISA, and a key role of the FISA Court is to ensure that activities conducted pursuant to FISA authorizations are consistent with the statute as well as the U.S. Constitution, including the Fourth Amendment.
FISA Section 702
Under Section 702 of the FISA, NSA is authorized to target non-U.S. persons who are reasonably believed to be located outside the United States. The principal application of this authority is in the collection of communications by foreign persons that utilize U.S. communications service providers.
The United States is a principal hub in the world’s telecommunications system and FISA is designed to allow the U.S. Government to acquire foreign intelligence while protecting the civil liberties and privacy of Americans.
In general, Section 702 authorizes the Attorney General and Director of National Intelligence to make and submit to the FISA Court written certifications for the purpose of acquiring foreign intelligence information. Upon the issuance of an order by the FISA Court approving such a certification and the use of targeting and minimization procedures,
the Attorney General and Director of National Intelligence may jointly authorize, for up to one year, the targeting of non-United States persons reasonably believed to be located overseas to acquire foreign intelligence information.
The collection is acquired through compelled assistance from relevant electronic communications service providers.
NSA provides specific identifiers (for example, email addresses, telephone numbers) used by non-U.S. persons overseas who the government believes possess, communicate, or are likely to receive foreign intelligence information authorized for collection under an approved certification.
Once approved, those identifiers are used to select communications for acquisition. Service providers are compelled to assist NSA in acquiring the communications associated with those identifiers.
For a variety of reasons, including technical ones, the communications of U.S. persons are sometimes incidentally acquired in targeting the foreign entities. For example, a U.S. person might be courtesy copied on an email to or from a legitimate foreign target, or a person in the U.S. might be in contact with a known terrorist target.
In those cases, minimization procedures adopted by the Attorney General in consultation with the Director of National Intelligence and approved by the Foreign Intelligence Surveillance Court are used to protect the privacy of the U.S. person.
These minimization procedures control the acquisition, retention, and dissemination of any U.S. person information incidentally acquired during operations conducted pursuant to Section 702.
Collection of U.S. Person Data
There are three additional FISA authorities that NSA relies on, after gaining court approval, that involve the acquisition of communications, or information about communications, of U.S. persons for foreign intelligence purposes on which additional focus is appropriate.
These are the Business Records FISA provision in Section 501 (also known by its section numbering within the Patriot Act as Section 215) and Sections 704 and 705(b) of the FISA.
Business Records FISA, Section 215
Under NSA’s Business Records FISA program, which was reauthorized during two different Administrations, by four different Congresses, and by fourteen federal judges, specified U.S. telecommunications providers are compelled by court order to provide NSA with information about telephone calls to, from, or within the U.S.
The information is known as metadata, and consists of information such as the called and calling telephone numbers and the date, time, and duration of the call—but no user identification, content, or cell site locational data. The purpose of this particular collection is to identify the U.S. nexus of a foreign terrorist threat to the homeland.
The government cannot conduct substantive queries of the bulk records for any purpose other than counterterrorism. Under the FISC orders authorizing the collection, authorized queries may only begin with an “identifier,” such as a telephone number, that is associated with one of the foreign terrorist organizations that were previously identified to and approved by the Court.
An identifier used to commence a query of the data is referred to as a “seed.” Specifically, under Court-approved rules applicable to the program, there must be a “reasonable, articulable suspicion” that a seed identifier used to query the data for foreign intelligence purposes is associated with a particular foreign terrorist organization.
When the seed identifier is reasonably believed to be used by a U.S. person, the suspicion of an association with a particular foreign terrorist organization cannot be based solely on activities protected by the First Amendment.
The “reasonable, articulable suspicion” requirement protects against the indiscriminate querying of the collected data. Technical controls preclude NSA analysts from seeing any metadata unless it is the result of a query using an approved identifier.
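The controls described above (an approved seed identifier, a single permitted purpose, a limit on how far a query may chain out from the seed, and an audit trail of every attempt) are ordinary access-control and graph-traversal logic. The following is an added illustration, not code from the original page, from the CRS report, or from any NSA system: it builds a small store of constructed call-detail metadata with only the fields the text lists (numbers, date, time, duration; no content, no subscriber names, no cell-site data), refuses any query whose seed has not been given a recorded "reasonable, articulable suspicion" basis or whose purpose is not counterterrorism, and returns only the records reachable within a fixed number of hops. The phone numbers, organization label, analyst names, and the two-hop limit are assumptions chosen for the example.

```python
"""Seed-gated contact chaining over call-detail metadata (illustrative).

Constructed example: the records, numbers, analyst names and the hop limit
are invented; this toy store models the described controls, not any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CallRecord:
    # Only the fields the text calls "metadata": no content, no subscriber
    # identity, no cell-site location.
    caller: str
    callee: str
    date: str        # YYYY-MM-DD
    time: str        # HH:MM
    duration_s: int


class SeedNotApproved(PermissionError):
    """Raised when a query starts from an identifier with no recorded approval."""


class MetadataStore:
    """Holds bulk call records; queries may only start from an approved seed."""

    def __init__(self, records, max_hops=2):
        self.max_hops = max_hops
        self._by_number = defaultdict(set)   # number -> records it appears in
        for rec in records:
            self._by_number[rec.caller].add(rec)
            self._by_number[rec.callee].add(rec)
        self._approved = {}   # seed identifier -> approval details
        self.audit_log = []   # every query attempt, allowed or denied

    def approve_seed(self, seed, organization, ras_basis,
                     us_person=False, first_amendment_only=False):
        """Record a 'reasonable, articulable suspicion' approval for a seed.

        A U.S.-person seed may not rest solely on First Amendment-protected
        activity, mirroring the rule the text describes.
        """
        if not ras_basis:
            raise ValueError("an articulable basis for suspicion is required")
        if us_person and first_amendment_only:
            raise ValueError("U.S.-person seed cannot rest solely on protected activity")
        self._approved[seed] = {"organization": organization, "ras_basis": ras_basis}

    def query(self, seed, purpose, analyst):
        """Return the records within max_hops of the seed, or refuse the query."""
        entry = {"analyst": analyst, "seed": seed, "purpose": purpose,
                 "at": datetime.now(timezone.utc).isoformat(timespec="seconds")}
        if purpose != "counterterrorism":
            entry["result"] = "denied: purpose not permitted"
            self.audit_log.append(entry)
            raise PermissionError("substantive queries are limited to counterterrorism")
        if seed not in self._approved:
            entry["result"] = "denied: seed not approved"
            self.audit_log.append(entry)
            raise SeedNotApproved(seed)
        # Breadth-first contact chaining, stopping after max_hops.
        frontier, seen, results = {seed}, {seed}, set()
        for _hop in range(self.max_hops):
            next_frontier = set()
            for number in frontier:
                for rec in self._by_number[number]:
                    results.add(rec)
                    other = rec.callee if rec.caller == number else rec.caller
                    if other not in seen:
                        seen.add(other)
                        next_frontier.add(other)
            frontier = next_frontier
        entry["result"] = f"allowed: {len(results)} records"
        self.audit_log.append(entry)
        return sorted(results, key=lambda r: (r.date, r.time))


# Constructed sample records; all numbers are fictitious 555 numbers.
SAMPLE_RECORDS = [
    CallRecord("202-555-0100", "619-555-0150", "2013-05-01", "09:12", 240),
    CallRecord("619-555-0150", "312-555-0123", "2013-05-02", "14:05", 60),
    CallRecord("312-555-0123", "415-555-0199", "2013-05-03", "18:40", 900),  # three hops out
    CallRecord("503-555-0177", "503-555-0178", "2013-05-03", "20:01", 30),   # unrelated
]


def build_demo_store():
    """Store with one approved seed (assumed organization label and basis)."""
    store = MetadataStore(SAMPLE_RECORDS, max_hops=2)
    store.approve_seed("202-555-0100", organization="FTO-Example",
                       ras_basis="constructed: identifier appeared in approved reporting")
    return store


def demo():
    """Chain two hops from the approved seed; returns the visible caller/callee pairs."""
    store = build_demo_store()
    chained = store.query("202-555-0100", "counterterrorism", analyst="analyst-1")
    # The third-hop call and the unrelated call are never returned.
    return [(r.caller, r.callee) for r in chained]


if __name__ == "__main__":
    print(demo())
```

The hop limit is enforced in the traversal rather than by filtering afterwards, so records beyond the limit are never materialized for the analyst, and every refused attempt still lands in the audit log; that is the property a reviewer would want to verify, since "technical controls preclude analysts from seeing any metadata" only holds if the gate sits in front of the data rather than behind it.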
This detailed accounting of the NSA’s authorities and oversight was never likely to capture media attention, so the continuing public scrutiny of the NSA has largely proceeded without the context needed to understand how these operations are bounded.
Providing that context does not imply acceptance of these activities and operations, but it does give the public additional information to weigh.
The Congressional Research Service, which prepares reports for Congress, its members, and committees, prepared the Report on “NSA Surveillance Leaks: Background Issues for Congress” and the following is a summary of their Report:
Recent attention concerning NSA surveillance pertains to unauthorized disclosures of two different intelligence collection programs. Since these programs were publicly disclosed over the course of two days in June 2013, there has been confusion about what information is being collected and what authorities the NSA is acting under.
This report clarifies the differences between the two programs and identifies potential issues that may help members of Congress assess legislative proposals pertaining to NSA surveillance authorities.
One program collects in bulk the phone records—specifically the number that was dialed from, the number that was dialed to, and the date and duration of the call—of customers of Verizon Wireless and possibly other U.S. telephone service providers. It does not collect the content of the calls or the identity of callers.
To obtain a Section 215 order, the FBI must provide a statement of facts showing that there are “reasonable grounds to believe” that the tangible things sought are “relevant to an authorized investigation.”
Some commentators have expressed skepticism regarding how there could be “reasonable grounds to believe” that such a broad amount of data could be said to be “relevant to an authorized investigation,” as required by the statute.
The other program collects electronic communications, including content, of foreign targets overseas whose communications flow through American networks. The Director of National Intelligence has acknowledged that data are collected pursuant to Section 702 of FISA.
As described, the program may not intentionally target any person known at the time of acquisition to be located in the United States, which is prohibited by Section 702.
Beyond that, the scope of the intelligence collection, the type of information collected and the companies involved, and the way in which it is collected remain unclear. Section 702 was added by the FISA Amendments Act of 2008.
Before the enactment of Section 702, FISA only permitted sustained domestic electronic surveillance or access to domestic electronically stored communications after the issuance of a FISC order that was specific to the target.
The Obama Administration has argued that these surveillance activities, in addition to being subject to oversight by all three branches of government, are important to national security and have helped disrupt terror plots.
These arguments have not always distinguished between the two programs, and some critics, while acknowledging the value of information collected using Section 702 authorities, are skeptical of the value of the phone records held in bulk at NSA.
Thus, recent legislative proposals have focused primarily on modifying Section 215 to preclude the breadth of phone record collection currently taking place. They have also emphasized requiring greater public disclosure of FISC opinions, including the opinion(s) allowing for the collection of phone records in bulk.
This report discusses the specifics of these two NSA collection programs. It does not address other questions that have been raised in the aftermath of these leaks, such as the potential harm to national security caused by the leaks or the intelligence community’s reliance on contractors.
According to intelligence officials, the two programs have “helped prevent over fifty potential terrorist events,” which appear to encompass both active terror plots targeting the U.S. homeland and terrorism facilitation activity not tied directly to terrorist attacks at home or abroad.
Of these, over 90% somehow involved collection pursuant to Section 702. Of the 50, at least 10 cases included homeland-based threats and a majority of those cases somehow utilized the phone records held by NSA.
David Headley: According to intelligence officials, the FBI received information indicating that Headley, a U.S. citizen living in Chicago, was involved in the 2008 attack in Mumbai that took the lives of 160 people. NSA, using 702 authorities, also became aware of Headley’s involvement in a plot to bomb a Danish newspaper.
It is unclear from public statements how Headley first came to the FBI’s attention. He pled guilty to terrorism charges and admitted to involvement in both the Mumbai attack and Danish newspaper plot.
Basaaly Saeed Moalin: NSA, using phone records obtained under Section 215 authorities, provided the FBI with a phone number for an individual in San Diego who had indirect contacts with extremists overseas.
The FBI identified the individual as Basaaly Saeed Moalin and determined that he was involved in financing extremist activity in Somalia. In 2013, Moalin was convicted of providing material support to al-Shabaab, the Somalia-based al-Qaeda affiliate.
The Washington Post, reviewing a series of disclosures of classified intelligence material provided by Edward Snowden, discovered that U.S. intelligence services participated in 231 offensive cyber operations in 2011.
Additionally, they reported on operations that placed “covert implants” and sophisticated malware in computers, routers, and firewalls on tens of thousands of machines every year.
Of the 231 offensive operations, 75% were directed at top-priority targets, including Iran, Russia, China, and North Korea. The DoD has stated that it engages in computer network exploitation but not in economic espionage; this is probably the major stated difference between the Chinese and American postures.
As a matter of fact, the number of nations that are engaged in cyber operations is increasing every year. Also, as advances in technology continue to increase, nations will apply these technologies to become more effective at the exploitation of their adversaries. The next level will be the development of cyber weapons on a scale that will displace the need for kinetic forces.
To control these developments, the international community will have to engage diplomats as well as the respective leadership of the principal nations possessing these cyber weapons to formulate plans, programs, and guidelines that will ultimately protect all nations.
Cyber Warfare and the Tallinn Manual on International Law
After the 2007 cyber attacks on Estonia, and at the request of the Estonian government for NATO assistance in defending against further attacks, NATO responded by establishing the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn in 2008.
In 2009 the Centre convened a group of international legal practitioners and scholars to examine how existing legal norms apply to this new form of cyber warfare.
The goal of this group of legal scholars was to produce a nonbinding document applying existing law to cyber warfare, and while their work product, titled the Tallinn Manual, is not an official document, it is a very important document as it highlights the nature of cyberspace and the potential for cyber conflicts, which could progress to cyber warfare.
The Tallinn Manual also now serves as a bedrock document to assist nations throughout the world in reviewing their respective laws, policies, and cyber operation programs.
The Tallinn Manual is not a manual on cybersecurity, nor is it focused on cyber espionage, theft of intellectual property, or criminal activities in cyber-space. The overriding purpose of the Tallinn Manual is to focus on cyber warfare.
Therefore, as a general matter, the focus of the manual is on how international law governs the resort to force by states as an instrument of their national policy, as well as the international law that regulates the conduct of armed conflict or the law of war.
The Tallinn Manual is organized around the current international cyber-security law, in which it examines states and cyberspace looking at issues of state responsibility and also the use of force.
Within the Tallinn Manual are 95 rules that represent the consensus of the working group of legal scholars, and while these rules have no constitutional or treaty authority, they do express a level of consensus on important aspects one should consider in making judgments regarding cyber warfare.
The second part of the Tallinn Manual addresses the current body of international laws that focus on the law of armed conflict and directs attention on the conduct of hostilities.
Those interested in further research may wish to examine some of the 95 rules of this manual; the following rules in particular may be of interest:
Rule 5—Control of Cyber Infrastructure
Rule 7—Cyber Operations Launched from Governmental Cyber Infrastructure
Rule 8—Cyber Operations Routed Through a State
Rule 9—Countermeasures
Rule 24—Criminal Responsibility of Commanders and Superiors
Rule 30—Definition of a Cyber Attack
Rule 32—Prohibition on Attacking Civilians
Rule 44—Cyber Booby Traps
Rule 66—Cyber Espionage
Rule 91—Protection of Neutral Cyber Infrastructure
Rule 92—Cyber Operations in Neutral Territory
Harold Koh, as Legal Adviser at the U.S. Department of State, also addressed how the United States will respond to the new challenges of operating in cyberspace; in particular, how do we apply the established laws of war to new cyber circumstances while also anticipating further advances in technology?
In the analysis of international law in cyberspace, the United States has concluded that established principles of law do apply in cyberspace, and as such, cyberspace is not a law-free zone where anything goes. The position of the United States is guided by the application of both domestic and international laws.
Despite the growing body of international law being focused on the activities in cyberspace, and given the enormous number of cyber attacks and cyber espionage cases, the United States has articulated its role for an international strategy for cyberspace as follows:
When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.
We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners, and our interests.
In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.
As nations adopt cyber operations, whether they are cyber espionage or range into the next level of cyber offensive weapons, we will need to develop a body of law to regulate activities and protect all nations and their citizens. The potential harm that could be unleashed by a cyber weapon is simply staggering.
In addition, those nation-states that develop cyber offensive weapon capabilities will have to provide assurance for their security so that they do not become available to terrorists or individuals attempting to hold nations to a “blackmail” strategy by seeking a financial exchange for not exploiting the use of the cyber weapon.
The need for international cooperation in addressing the area of cyber-space is critical, and it will continue to be a challenging problem until the leading nations can formulate a strategy of mutual safety for one another.
Time is of the essence, as unaddressed, we will see hostilities continue to increase until that point in which it becomes difficult, if not impossible, to effect appropriate action to control the use of cyber weapons.
Cyberspace, like a virtual battleground, has become a place for confrontation: the appropriation of personal data; espionage against the scientific, economic, and commercial assets of companies that fall victim to competitors or foreign powers; and disruption of services necessary for the proper functioning of the economy and daily life.
This “virtual battleground” has raised global awareness of security and affected global political stability, cutting across physical geographic boundaries and impacting the security of individuals, commercial enterprises, economies, and the sovereignty and stability of nations.
Many international commerce and business development operations in developed and developing nations are integrally connected to the Internet. For example, Canada’s economy is tied to digital technology, with 87% of Canada’s commercial enterprises using the Internet to conduct their business in 2012.
For those world citizens whose freedom of speech is restricted or prohibited, the Internet provides a nearly anonymous avenue where individuals can associate without government restriction and intervention.
They can use the Internet to mobilize and inform others about political activities or events affecting a specific community, to operate individual water systems for rural farmers, and to organize assistance for those affected by natural disasters.
However, those same benefits can be accessed and used by mal-intentioned individuals and factions that wish to destabilize or overthrow governments or engage in acts of terrorism.
What Is Cybersecurity?
The legal playing field on which U.S. local, state, and federal authorities, international bodies, and the member states of the European Union (EU) swing their legal bat to regulate, govern, and protect their identified tangible and intangible assets from cybercrime, espionage, and attack puts kindred terminology into play. At first blush the terms seem identical, because the players wear the same uniforms when whizzing around the bases.
Upon closer inspection, however, some players have simply adopted a specific term without ever ascribing a precise definition to it, while others have adopted a specific definition that fails to correlate to any scientific or existing statutory framework.
Either way, failing to develop and establish uniform, standardized definitions consistent with an overall strategy, legal structure, and scientific basis will ultimately impair the ability of all players to identify their strengths and weaknesses, create sound gaming statistics, and develop an easy-to-understand rulebook that can be seamlessly adopted and fluidly applied in practice with other global players.
The development and adoption of precise definitions for the primary terms of art dealing with the security of information systems and their physical and virtual devices, interconnected through the Internet, has been identified as a required component if and when cybersecurity is to be established as an actual science.
Such a development would put the study of cybersecurity under the rigorous scrutiny of the scientific method, which requires the repeatability of experiments based on precise definitions and conditions.
“Precise definitions matter. Until there is a precise set of objects that can be examined carefully and clearly, it will not be possible to increase the level of rigor.”
In analyzing data and security breaches, and the relevant legal framework throughout the EU, the Directorate General for Internal Policies Policy Department A: Economic and Scientific Policy, Industry, Research and Energy of the European Parliament (the “Directorate”) concluded in September 2013 that “consistent and unambiguous definitions across legislative instruments are often lacking.”
The Directorate’s report further outlines the level of impact that the lack of standardized terms for defining data and security breaches can have on identifying, reporting, and reacting to such breaches.
The lack of standardized terms has resulted in an inability to globally match “apples to apples” and affects the accuracy in reporting the actual number, nature, and type of breaches that have occurred over a given period of time.
Lastly, in one of the most critical contexts in which events must be identified by standardized terms, an international group of experts found that the same lack of agreed-upon definitions impairs the application of international law to cyber warfare:
State practice is only beginning to clarify the application to cyber operations of the jus ad bellum, the body of international law that governs a State’s resort to force as an instrument of its national policy.
In particular, the lack of agreed-upon definitions, criteria, and thresholds for application, creates uncertainty when applying the jus ad bellum in the cyber context.
Acknowledging that standardized and globally accepted definitions for significant, recurring terms of art affecting cybersecurity do not presently exist among nation-state, business, and individual stakeholders, an overview of the relevant U.S. and international legal environment must identify, at a minimum, what has been offered as a definition, or the lack thereof, for the word cybersecurity. What exactly does the word cybersecurity mean, and is that definition expansive enough to be borderless?
If so, is that definition universally accepted throughout the world, or is it finite, limited, and restricted to certain nation-states? The word cybersecurity seems to be used interchangeably, much like the ubiquitous use of the word glue.
As we all know, not all glues are created equal: the ingredients of a particular glue make the difference between one that sticks and one that does not or, even worse, mucks things up and generates more problems than solutions. The same analogy can be made about definitions.
A definition of cybersecurity must adequately contemplate and address the physical and virtual nature of the assets to be protected, in addition to the breadth and scope of coverage, because cybersecurity is a complex problem with many different facets.
Legal and legislative analyses of cybersecurity issues must therefore distinguish not only among different cyber threat actors, such as nation-states, terrorists, criminals, and malicious hackers, but also among different types of cyber threats.
Such cyber threats include threats to critical infrastructure, which could lead to loss of life or significant damage to our economy; and threats to intellectual property, which could affect our nation’s long-term competitiveness.
Without a clear, concise, and descriptive definition of cybersecurity, how can a nation-state promulgate an overarching statutory scheme that will encompass and protect all of its physical and virtual assets from external and internal threats?
If cybersecurity is not clearly defined, how will a nation-state be able to regulate the conduct of its economic business stakeholders without overregulating them into extinction?
Take the example of the United States, one of the largest nation-states globally, which arguably should easily be able to articulate a clear and concise definition of the word cybersecurity, yet it does not.
In fact, the Department of Homeland Security (DHS) uses the word cybersecurity in its publications without ever defining precisely what it does and does not cover, and even the defunct Cybersecurity Act of 2012 used the word cybersecurity without providing a definition. The proposed bill did at least define what it termed cybersecurity services:
(4) CYBERSECURITY SERVICES—the term “cybersecurity services” means products, goods, or services used to detect or prevent activity intended to result in a cybersecurity threat.
This definition does not stand independently and must be reviewed within the context of a “cybersecurity threat,” which is defined as follows:
(5) CYBERSECURITY THREAT
—the term “cybersecurity threat” means any action that will result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.”
In its June 2013 report for Congress on federal laws relating to cybersecurity, the Congressional Research Service highlighted the lack of a uniform, universally accepted definition of cybersecurity:
The term information system is defined in 44 U.S.C. 3502 as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information,” where information resources are “information and related resources, such as personnel, equipment, funds, and information technology.”
Thus, cybersecurity, a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might best be described as measures intended to protect information systems—including technology (such as devices, networks, and software), information, and associated personnel— from various forms of attack.
The concept has, however, been characterized in various ways. For example, the interagency Committee on National Security Systems has defined it as “the ability to protect or defend the use of cyberspace from cyber attacks,”
where cyberspace is defined as a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers
On the other hand, the International Telecommunication Union (ITU), the United Nations’ specialized agency for information and communications technology, adopted its own definition of cybersecurity in its April 2008 recommendation on network, data, and telecommunications security (ITU-T X.1205):
While the ITU definition of cybersecurity does not clearly define what would be the contemplated cyber environment, this definition is far more inclusive than the aforementioned cobbled-together definition presented in current U.S. cybersecurity legislation.
The ITU definition encompasses the individual, enterprise, and governmental information systems, identifying, in general, the physical and virtual assets it seeks to protect.
While a finite, discrete definition of cybersecurity may create a uniform standard in the application of the panoply of the overarching legal regulatory schemes currently in place, does having an inflexible, agreed-upon definition create the right solution to a 21st-century issue?
David Satola and Henry Judy posit that the current domestic and international legal architecture is outdated, is not geared to adjust quickly to the dynamic cyber environment, and is not a 21st-century response to the new digital landscape.
According to the authors, the current legal architecture does not adequately address “the lack of consensus on the fundamental and related issues of jurisdiction and sovereignty,”
which makes “it difficult to effectively cross borders to address international cybersecurity incidents,” while contract law is generally the only remedy available when cybersecurity issues arise from unintentional coding errors or negligently written software.
Lastly, the authors note that the concept of cybersecurity “varies depending on the physical, educational, and economic resources available in different jurisdictions.
It differs depending on the sensitivity of the data to be protected and needs to reflect different cultural expectations and priorities, among many other factors.”
Instead of adopting a specific definition for cybersecurity, this blog attempts to incorporate Satola and Judy’s suggested modular approach by identifying an overview of the U.S. federal and international laws that currently comprise the legal framework that attempts to address and regulate the changing cybersecurity landscape.
Current U.S. Comprehensive National Cybersecurity Strategy
In general, current U.S. and various state laws involving cybersecurity, either directly or indirectly, have developed in reaction to abuses and malicious activity occurring in specific economic sectors.
In his discussion paper “Cyber Norm Emergence at the United Nations—An Analysis of the Activities at the UN Regarding Cybersecurity,” Tim Maurer postulated that “cybersecurity can be divided into four major threats: espionage, crime, cyber war, and cyber terrorism.”
Maurer credits Harvard Professor Joseph Nye for identifying the underlying sources for these present-day threats: (1) flaws in the design of the Internet, (2) flaws in the hardware and software, and (3) the move to put more and more critical systems online.
In the United States, the government controls or manages only a small portion of the cyber environment, while the private sector designs, markets, installs, and operates much of the software and hardware used to run power grids, water sanitation and delivery, transportation, communications, and financial systems nationwide.
As a result, the United States can address cyber threats to the vulnerabilities in these private systems only by enacting additional legislation that allows oversight, regulation, and monitoring based on potential impacts to national security.
While there has been a recent spate of legislative bills proposed to create a standardized overarching U.S. federal cybersecurity legal scheme seeking to cover both government and private computer and network systems, none of them have successfully been enacted into law.
The White House issued its inaugural national cybersecurity strategy when then-President George W. Bush released The National Strategy to Secure Cyberspace in February 2003. Bush identified, proposed, and emphasized the importance of a public–private partnership to implement the national strategy to secure cyberspace.
Bush’s strategy prioritized five concerns: (1) creating a national cyberspace security team, (2) a cyberspace threat and vulnerability reduction program,
(3) a cyberspace security awareness program, (4) a plan to secure the federal cyberspace, and (5) national and international cooperation for cyberspace security.
While these five strategic priorities did not translate into the passage of any meaningful legislation, the Comprehensive National Cybersecurity Initiative (CNCI) originated as a classified offshoot of Bush’s National Strategy.
In December 2008, an appointed Commission on Cybersecurity for the 44th Presidency (“Commission”) from the Center for Strategic and International Studies (CSIS) issued a report that presented three fundamental findings:
“(1) cybersecurity is now a major national security problem for the United States, (2) decisions and actions must respect privacy and civil liberties, and (3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.”
Following up on the CSIS Commission’s recommendations, the Obama Administration on March 2, 2010, declassified and released a summary of the revised and updated CNCI, which originated in National Security Presidential Directive 54/Homeland Security Presidential Directive 23. The CNCI primarily addressed cybersecurity in federal systems, both classified and civilian;
mandated the use of EINSTEIN 2, an intrusion detection system, across all federal systems; and reduced federal external network access points to the Internet to only those trusted providers under contract with the government.
The 2010 CNCI mandated information sharing across federal agencies in an effort to build a more robust cyber defense; it also supported initiatives to create a more cyber-savvy federal workforce, to develop leading-edge cybersecurity technology, to develop a multi-pronged approach to global supply chain risk management, and to define the federal role for extending cybersecurity into critical infrastructure domains.
Following Obama’s issuance of the 2010 CNCI, Congress considered a variety of bills involving cybersecurity; however, none of them were successfully passed.
In the absence of a legislated cybersecurity legal standard, on February 12, 2013, the Obama White House issued Executive Order (EO) 13636, Improving Critical Infrastructure Security, which sets out a national policy on cyber intrusions; identifies the nature and scope of the U.S. national policy on the security of critical infrastructures; creates a process for information sharing and coordination with private entities to enhance and better protect critical infrastructure assets; defines critical infrastructures and critical infrastructure sectors; and directs the development of standards and a framework for improved cybersecurity of critical infrastructures.
The EO contemporaneously directs the Secretary of the DHS to uphold the individual privacy and civil rights of individuals and to ensure their inclusion in the execution and implementation of the Order’s mandates, adopting the Fair Information Practice Principles and other relevant “privacy and civil rights policies, principles and frameworks.”
While the EO cites “repeated cyber intrusions of critical infrastructures” as one of the most important national security issues presently facing the United States, the EO creates a federal partnership with U.S. businesses as the best way “to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."
The EO tasks the Secretary of Commerce with directing the director of the National Institute of Standards and Technology (NIST) to develop a framework for improving the cybersecurity of critical infrastructures.
The EO directs the DHS to initiate and establish a collaborative partnership between government and the private sector in an effort to better assess cyber threat risks, identify evolving cyber threats, and proactively protect the nation’s critical infrastructure against such cyber risks.
It further tasks government agencies, including the DHS, to create a voluntary process between the government and private entities to rapidly share unclassified data relating to cyber threat risks and incidents and extends voluntary participation to select owners and operators of identified critical infrastructures for classified information sharing in the Enhanced Cybersecurity Services (ECS) program.
By opening participation in the ECS program to critical infrastructure entities, the EO expanded ECS coverage to a broader base of stakeholders.
Participation in ECS is voluntary and permits the sharing of classified information involving indicators of malicious cyber activity between DHS and qualified public and private entities involved in the operation of critical infrastructure assets.
ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration.
DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information.
DHS develops indicators based on this information and shares them with qualified Commercial Service Providers (CSPs), thus enabling them to better protect their customers who are critical infrastructure entities. ECS augments, but does not replace, an entity’s existing cybersecurity capabilities.
ECS deploys EINSTEIN 3-Accelerated (E3A), a real-time network intrusion detection and prevention system that performs deep packet inspection to identify, prevent, and block malicious activity from entering federal civilian agency networks.
E3A has been operationalized for every (.gov) website as part of the government’s efforts to reduce cyber threat risk to the system networks utilized by all federal civilian agencies, in furtherance of the EO’s mandate to improve the security of federal systems.
E3A operates through sensors placed at network Internet access points, where incoming and outgoing network traffic is monitored for cyber indicators in real time.
According to the DHS, “A cyber indicator (indicator) can be defined as human-readable cyber data used to identify some form of malicious cyber activity and are data related to:
E3A matches detected cyber indicators against its database of known malicious signatures from both classified and unclassified sources to detect potential or actual threats, which are logged in real time and shared with the U.S. Computer Emergency Readiness Team (CERT), the DHS division responsible for coordinating defenses against and responses to cyber incidents across the United States.
Because E3A was initially designed and developed by the National Security Agency (NSA) and has the capability to read electronic content, its use in federal civilian systems continues to raise significant privacy concerns, despite DHS’s description of the privacy protection processes it has implemented to protect individual privacy from abuse, misuse, and inadvertent disclosure, which is outlined in detail in its Privacy Impact Assessment Report issued in April 2013.
An important milestone produced by the EO’s mandate was completed on February 12, 2014, when NIST issued a Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework).
The NIST Framework is based on three separate categories that are interrelated and provide a basic roadmap for an organization to conduct a self-assessment of its enterprise information protection plan. The NIST Framework consists of Framework Core, Framework Profile, and Framework Implementation Tiers.
“The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors,” which provides the organization with the detailed guidance for developing its own individual organizational risk profile.
The Framework Profile represents outcomes based on business needs, which can be adjusted based on the categories selected under the Framework Core and Tiers.
The Framework Implementation Tiers “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.”
While not mandatory, the NIST Framework provides a benchmark that organizations can use to gauge where their cybersecurity activities fall within the NIST Framework, which serves as the minimum standard of care for risk-based cybersecurity.
The NIST Framework provides references for each category and activity to other more detailed standards issued by professional industry organizations.
International Comprehensive Cybersecurity Strategy
While there are a number of international organizations creating alliances among member nations throughout the world, two international bodies whose efforts heighten worldwide awareness about security in the growing cyber environment and increased development and access to Internet connectivity are the United Nations (UN) and the North Atlantic Treaty Organization (NATO).
NATO coordinates its efforts with the UN, complementing the UN’s work in support of NATO’s politico-military mission to provide a strategic and unified defense for its European members.
NATO Cybersecurity Policy and Strategy
NATO was created as a result of the signing of the North American Treaty (“Treaty”) on April 4, 1949, following continued Soviet challenges to the security of newly established nations that were attempting to recover from the devastation of Europe from World War II. Presently, NATO is composed of 28 nations in Europe and North America.
Subsequent to its creation, NATO has provided politico-military support, training, education, and peace-keeping to the member nations that have been subject to attack or external conflict.
While NATO emphasizes peace first and foremost in resolving a potential conflict among nations, the Treaty provides a strong measure of solidarity in the alliance by binding all members to respond in the event of an attack on any one member nation. This important linchpin is reflected in Article 5 of the North American Treaty:
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
This solidarity of security to NATO members extends to and may be triggered by cyber attacks, which NATO addresses individually through its members’ networks, an articulated cybersecurity strategy, and the NATO Cooperative Cyber Defense Centre of Excellence located in Tallinn, Estonia.
On December 27, 2013, the UN specifically identified that conduct in cyberspace is subject to international law, thereby strengthening the impact and current applicability of NATO’s Article 5 in the event of nation-sponsored or nation-initiated cyber attacks against NATO members.
EU Data Protection
The EU is an economic and political international body composed of 28 European member states whose representatives democratically govern through various interconnected institutions, the primary ones being the Euro Parliament, Council of European Union (“EU Council”), and the European Commission (“EU Commission”). According to its website, the Euro Parliament is composed of members who are directly elected by voters of the EU every five years.
Parliament is one of the EU’s main law-making institutions, along with the Council of the European Union (“the Council”). The European Parliament has three main roles:
Debating and passing European laws, with the Council
Scrutinizing other EU institutions, particularly the Commission, to make sure they are working democratically
Debating and adopting the EU’s budget, with the Council.
The EU Council is the governmental body composed of national ministers from each EU member country who “meet to adopt laws and coordinate policies.”
The EU Council is charged with approving the annual budget, passing EU laws, coordinating economic policies of member countries, executing agreements between the EU and other nations, developing foreign and defense policies for the EU, and fostering cooperation between prosecution and law enforcement entities of member nations.
The EU Commission operates for the purpose of representing the interests of the EU as a whole.
The legal authority through which the governing bodies of the EU operate is based on two primary treaties, which bestow the authority and power to issue regulations, directives, decisions, recommendations, and opinions. As opposed to a regulation, an issued directive is “a legislative act that sets out a goal that all EU countries must achieve.”
Instead of a hodgepodge of statutes enacted to protect personal data as these relate to specific industries, as is the case in the U.S. statutory scheme, the Data Protection Directive establishes a broad, overarching framework for EU member states to adopt or interrelate with their own personal data protection legal scheme.
The two primary objectives of the Data Protection Directive were “to protect the fundamental right to data protection and to guarantee the free flow of personal data between the Member States.”
In furtherance of these objectives, the Data Protection Directive offers descriptions of conditions, criteria, responsibilities, and data relevancy relating to the collection, processing, access, retention, and use of personal individual information for EU citizens, and the rights of those individuals over how their personal data are collected, processed, accessed, handled, and retained.
The Data Protection Directive sets benchmarks for data protection that member states must achieve through their own regulatory processes, and creates general processes whereby EU citizens can restrict or remove their personal data from the public.
Many of the EU member states have already established laws and regulations relating to an individual citizen’s right to their personal data and the protection of that data.
The Data Protection Directive excludes the protection of personal data under Article 13 when there is a specific need to protect public and national security and other limited situations, as described below:
Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measure to safeguard:
The prevention, investigation, detection, and prosecution of criminal offenses, or of breaches of ethics for regulated professions;
An important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;
A monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);
The protection of the data subject or of the rights and freedoms of others.
Framework Decision 2008/977/JHA (“LE Data Protection”) describes the protections that are to be utilized by law enforcement and prosecutorial entities when such entities need to share personal data of EU citizens when cooperating with other law enforcement and prosecutorial entities in conducting criminal investigations and prosecutions.
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Article 8 of the EU Charter creates a distinct and powerful individual right of data protection that precludes laws of member states that seek to release personal data without the consent of the individual, even when such data have already been published in the public domain.
As a result of the dynamic nature of the Internet, the constantly changing technological developments affecting the collection, use, and distribution of electronic data, and the potential erosion of the Data Protection Directive’s ability to protect personal data, on January 25, 2012, the EU Commission released its proposal on the issuance of a regulation that would initiate a new framework for personal data protection.
The proposed regulation contains five primary components:
(1) territorial scope, ensuring a fundamental right to data protection no matter the geophysical location of the business or its servers;
(2) international transfers, permitted where data protection is ensured;
(3) enforcement, where significant fines are imposed on foreign businesses failing to comply with EU data protection rights;
(4) cloud computing data processors, subject to clear rules on obligations and liabilities; and
(5) establishment of comprehensive rules for the protection of personal data shared with law enforcement.
After the whistleblower disclosures concerning the intelligence surveillance activities of the U.S. National Security Agency (NSA), on November 27, 2013, the EU Commission set forth a series of steps designed to restore trust in data flows between the United States and the EU, with the centerpiece again focusing on a renewed emphasis to pass uniform international data protection reform.
The EU Commission proposed that the following actions be taken immediately concerning data sharing between EU and U.S. law enforcement partners:
Swift adoption of the EU’s data protection reform
Making Safe Harbor safe
Strengthening data protection safeguards in the law enforcement area
Using the existing Mutual Legal Assistance and Sectorial agreements to obtain data
Addressing European concerns in the on-going U.S. reform process
Promoting privacy standards internationally.
The Safe Harbor Framework “allows for the provision of solutions for transfers of personal data in situations where other tools would not be available or not practical.”
Galexia, a private specialist management firm, describes the U.S. Safe Harbor as an agreement between the European Commission and the United States Department of Commerce that enables organizations to join a Safe Harbor List to demonstrate their compliance with the European Union Data Protection Directive.
This allows the transfer of personal data to the US in circumstances where the transfer would otherwise not meet the European adequacy test for privacy protection.
U.S. businesses operating under the U.S. Safe Harbor are required to certify with the U.S. Department of Commerce that they comply with the Safe Harbor Framework.
However, in a 2008 report on its limited review of U.S. businesses certifying themselves as Safe Harbor compliant, Galexia identified serious concerns with the administration of the U.S. Safe Harbor, in particular relating to transparency, adherence to the Framework Principles, and enforcement efforts by the relevant U.S. agencies.
After the discovery of the NSA intelligence surveillance activities, the EU Commission issued a communication relating to the functioning of the Safe Harbor where it determined that “EU–U.S. Safe Harbor Framework lacked transparency and effective enforcement, and recommended revising the Framework.”
As of March 10, 2014, the Euro Parliament has suspended the Safe Harbor Framework, as well as the Terrorist Finance Tracking Program; however, the authority to renegotiate and/or cancel these agreements rests with the EU Commission.
The EU Commission’s earlier January 2012 reform proposal introduced a “right to be forgotten” on the Internet as one of the primary changes to the existing framework established under the Data Protection Directive.
According to the EU Commission proposal, Article 17 of the proposed regulation requires a data controller to erase individual personal data and to abstain from republishing the data under specific grounds.
Such grounds include obsolescence, incompatibility, or changes to the need and purpose for the data; the data subject withdraws consent to the initial basis of processing or the storage period exceeds what was consented to; the data subject objects to data processing on other legal grounds; and the data processing is not compliant under the Regulation.
While the Euro Parliament and Council have not issued a regulation as proposed by the EU Commission, the “right to be forgotten” has created a hot debate globally about the right to information versus the “right to be forgotten” on the Internet.
Despite the absence of an EU Regulation, the EU Court of Justice has recently enforced the concept of the “right to be forgotten” based on the current provisions of the Data Protection Directive.
On May 13, 2014, the EU Court of Justice ordered Google, Inc., and its global subsidiaries (“Google”) doing business with the EU to honor individual EU citizen requests to erase personal data from the Google search engines.
A Spanish citizen had requested that Google remove search results that linked his name to a notice in a local newspaper for an auction of real property to pay for debts he owed approximately 16 years earlier.
In essence, the Court held that as a search engine, Google has a greater obligation to create “interference” by removing those links from its search engine results when an individual has requested to have data removed, even though the personal data were in the public domain and could be accessed directly from the newspaper’s records.
According to the Court, Google, as the operator of a search engine, is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
In the case at bar, the Court determined that the interest of the public to information and Google’s business interests in the data were trumped by the data subject’s “right to be forgotten” because
Those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.
However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.
While Google is presently struggling to identify an appropriate business solution whereby it can comply with the Court’s order with respect to its EU operations, the holding has far-reaching implications involving the use of the personal data of EU citizens for non-EU technology firms, like Yahoo! and Facebook, and governmental organizations involved in investigating and prosecuting criminal matters.
Issues Involving Electronic Data Collection for Law Enforcement Purposes
In general, electronic evidence sought by U.S. law enforcement and prosecutorial entities usually falls under some umbrella of protected personal data that are in the possession of government organizations, such as the Social Security Administration, or nongovernmental organizations, such as financial institutions, health care entities, telecommunications carriers, Internet service providers (ISPs), data storage providers, and others, all of which operate under statutory constraints relating to the access or use of protected personal data.
To conduct lawful wiretaps intercepting the content of the subject electronic communications, in both criminal and intelligence matters, U.S. federal law enforcement and prosecutorial agencies must overcome statutory hurdles and constitutional Fourth Amendment challenges and obtain approval from the Attorney General or a court.
Once approved by a federal court of competent jurisdiction, failure to comply with the order to produce electronic communications by a “telecommunications carrier, a manufacturer of telecommunications transmission or switching equipment, or a provider of telecommunications support services” subjects the violator to substantial civil penalties.
With respect to obtaining electronically stored information, U.S. authorities must follow other Fourth Amendment right to privacy statutory requirements set forth in the federal Stored Communications Act (SCA).
As opposed to the piecemeal U.S. legal framework providing data protection under limited circumstances, the EU has adopted a sweeping fundamental individual right of data privacy, and, as noted earlier, requests to use or share the personal data of EU citizens must fall within the requisite exceptions noted in Article 13 of the Data Protection Directive.
If law enforcement and prosecutorial entities satisfy those requirements, then those entities must additionally and adequately comply with the data processing procedures required in the LE Data Protection.
Other than specific instances identified in the LE Data Protection, information sharing of personal data for criminal matters among the law enforcement entities of member states is controlled primarily by mutual legal assistance treaties (MLATs).
In the case of the U.S. Customs and Border Patrol, a division of DHS, the European Community entered into an agreement with DHS in which DHS agreed to various undertakings in an effort to satisfy the specific data processing procedures required under the Data Protection Directive so that international airlines could transmit personal data involving EU airline passengers to DHS.
The actual geophysical location of the computer server where the electronic data reside has posed potential extraterritorial jurisdictional issues for both U.S. and international law enforcement entities in cases where law enforcement has been authorized to obtain specific electronic evidence.
Because there are no geophysical boundaries in cyberspace where electronic data are stored, U.S. and international laws have not yet been adapted to effectively address the extraterritoriality of electronic evidence.
In a recent federal case in New York, Microsoft Corporation petitioned the court to quash a search warrant that had been issued in the Southern District of New York seeking certain electronic communications from Microsoft in its capacity as an ISP.
Microsoft asserted that it did not have to produce a client’s e-mail communications because those e-mails were stored at its data center in Dublin, Ireland.
As such, Microsoft contended that “courts in the United States are not authorized to issue warrants for extraterritorial search and seizure, and that this is such a warrant.”
The court identified language within the warrant relating to Microsoft’s control and dominion over the stored information as the operative factor in denying Microsoft’s request in this case:
That warrant authorizes the search and seizure of information associated with a specified web-based e-mail account that is “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation, a company headquartered at One Microsoft Way, Redmond, WA.”
After reviewing the statutory language of the SCA, the court analyzed Microsoft’s simple argument that the government had obtained a search warrant in accordance with the SCA, and that “federal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States,” in light of the SCA’s structure, legislative history, and the “practical consequences” that would result from Microsoft’s argument. According to the court’s interpretation of the SCA,
The SCA created “a set of Fourth Amendment-like privacy protections by statute, regulating the relationship between government investigators and service providers in possession of users’ private information.” Id. at 1212.
Because there were no constitutional limits on an ISP’s disclosure of its customer’s data, and because the Government could likely obtain such data with a subpoena that did not require a showing of probable cause, Congress placed limitations on the service providers’ ability to disclose information and, at the same time, defined the means that the Government could use to obtain it.
The court reasoned that an SCA warrant is not a conventional search warrant but instead a hybrid: part search warrant and part subpoena. It is obtained like a search warrant when an application is made to a neutral magistrate who issues the order only upon a showing of probable cause.
On the other hand, it is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question.
As a result of its hybrid structure, the court postulated that the warrant did not “implicate principles of extraterritoriality” and noted that, historically, case law has held “that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information.”
The court ultimately determined that an SCA warrant does not implicate the “presumption against extraterritorial application of American law” in that the warrant seeks to “obtain account information from domestic service providers who happen to store that information overseas.”
Microsoft has appealed the April 25, 2014, order; the appeal had not yet been argued and decided at publication date.
The court’s ruling and analysis carry potentially significant ramifications for cloud and domestic ISPs whose stored electronic data the government seeks to obtain under the SCA and definitely present an insider’s view into how little Fourth Amendment right to privacy protections exist for electronic data stored on domestic or international servers.
In citing Orin Kerr’s “A User’s Guide to the Stored Communications Act” and referencing the article’s discussions about the lack of Fourth Amendment privacy protections in communications revealed to third parties, the court incorporated the Third Party Doctrine into its legal reasoning process.
The Third Party Doctrine provides that when an individual knowingly supplies information to a third party, his expectation of privacy is diminished because that person is assuming the risk that the third party may reveal the information to government authorities.
As a result, the information imparted to third parties generally falls outside the scope of Fourth Amendment protection and, accordingly, the government can access this information by requesting or subpoenaing it without informing the party under investigation.
Since the search warrant the government sought to enforce was obtained pursuant to the SCA, the court found no need to analyze the impact of the Third Party Doctrine in the case at bar, as the SCA, by its very provisions, extends Fourth Amendment-like protections to e-mail communications revealed to third parties, which otherwise might not have received such protections.
The current U.S. legal view that e-mail communications revealed to third parties, as is the case with big data and cloud computing storage providers and ISPs, are not afforded the same Fourth Amendment privacy protections puts U.S. data storage.
Directive. EU domiciled data storage and ISP businesses, while subject to the EU fundamental individual right to data protection and the “right to be forgotten” on the Internet, are not subject to U.S. court orders, subpoenas, or search warrants.
While U.S. domiciled data storage and ISP business may have enjoyed a competitive advantage over their EU counterparts in the past because participation in the U.S. Safe Harbor Framework is not as stringently enforced, that advantage has now vanished.
Microsoft’s decision to appeal Judge Francis’ ruling comes on the heels of the ongoing EU–U.S. negotiations relating to an international framework for data protection, referred to as the “Data Protection Umbrella Agreement” (DPUA), all of which have received heightened scrutiny as a result of the NSA’s surreptitious surveillance activities.
Among other data protection requirements, the DPUA seeks to provide EU citizens who do not reside in the United States with the same right of judicial redress as U.S. nationals in the EU receive.
In general, a provisional agreement has been reached that does not authorize any data transfer but does “include the scope and purpose of the agreement, fundamental principles and oversight mechanisms.” The United States reports that it is seeking legislative changes in order to accomplish the changes sought by the EU.
Whistleblower or Criminal Leaker?
In general, whistleblowers provide a window of transparency into potentially illegal activity occurring within an organization and, by doing so, serve the “public’s right to know” about individual or group misconduct occurring within government or nongovernment organizations, misconduct that may be illegal or prohibited.
In some cases, employees may be in the unique position of being the only eyewitnesses to gross, unethical, and illegal misconduct within an organization, putting them squarely in the crosshairs of those who hide the truth of their activities, and thereby forcing those employee witnesses to choose between remaining silent to protect their careers and blowing the whistle to protect the public and, in some cases, the organization. So, are whistle-blowers really heroes or villains?
Do they serve an important purpose in the realm of cybersecurity, or are they a distraction and nuisance? At first blush, the answer to all of these questions seems to be in the affirmative.
The actions of whistleblowers can, in fact, shine a beacon of light into an otherwise dark, unexposed corner of an organization where inappropriate conduct, misconduct, or criminal activity exists within an entity.
Whistleblowers may be employees, contractors, vendors, or consultants who are in a position to have received information about potential wrongdoing by an organization.
According to the 2014 Report to the Nations by the Association of Certified Fraud Examiners, tips are the most common way in which occupational fraud schemes are detected, with over 40% of reported cases detected as the result of a tip and over half of those tips reported by employees of the organization.
While approximately 14% of tipsters remain anonymous, the identities of the remainder are known to the organization.
On the flip side of the coin, disgruntled employees, information technology employees, and contractors comprise the most common categories of individual insider threats for the exfiltration of confidential or classified data.
The CERT Insider Threat Center states that a malicious insider is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
In the realm of cybersecurity, an individual may, in fact, be categorized as both a whistleblower and a malicious insider based on the facts and circumstances of the event, characterizations that fit the case of Chelsea Manning and Edward Snowden, both of whom exfiltrated large amounts of classified data from protected U.S. computer systems.
In the case of Manning, she electronically submitted the removed data to WikiLeaks, a known leaking organization, while in the case of Snowden, he delivered the data to a news media outlet.
