Cybersecurity and Privacy. Boston University, CS591/IR. Instructor: Timothy H. Edgar

Transcription

1 Cybersecurity and Privacy Boston University, CS591/IR Instructor: Timothy H. Edgar Cyber conflict poses unique challenges for governments, citizens, and the future of the Internet. The United States has established a new military command for cyberspace and has appointed the Director of the National Security Agency (NSA) as its commander. In 2012, Congress failed to reach agreement on comprehensive cybersecurity legislation authorizing security monitoring of government networks, incentives to encourage industry to adopt cybersecurity standards, and greater information sharing. In 2013, extensive revelations of NSA spying and cyber exploitation put into new perspective consistent complaints by the United States about attacks on its networks. At the same time, a growing list of countries, including China, Russia and Iran have adopted a variety of more or less restrictive Internet filtering practices, and filtering is being seriously proposed and debated even in democratic countries such as Australia. The U.S. Secretary of State has announced that the freedom to connect is an aspect of fundamental human rights, and has criticized countries that attempt to filter or censor the Internet. Is monitoring of computer networks necessary for cybersecurity? Computer systems and networks remain insecure, as sensitive commercial and government data including classified information continues to be leaked or stolen at increasing rates. This course will examine the problems confronting the United States and its international partners in addressing network and computer insecurity while upholding privacy, civil liberties and other fundamental values. : for the course consist of (1) selections from one of the required books listed below, and (2) materials that can be obtained by following the links in this syllabus. Supplemental reading is also recommended. Evaluation: Each student will complete a final paper that proposes solutions to a significant cybersecurity challenge, and will be responsible for presenting an outline of the paper for class discussion. The paper is worth 75% of the final grade, while 25% of the grade will be based on class participation. Topics are not limited to those covered in class. Required Books Richard A. Clarke & Robert K. Knake, CYBER WAR: THE NEXT THREAT TO NATIONAL SECURITY AND WHAT TO DO ABOUT IT (2010) Ronald J. Deibert, BLACK CODE: SURVEILLANCE, PRIVACY AND THE DARK SIDE OF THE INTERNET (2013) 1

2 Week 1 Introduction to the Course and the Cybersecurity Debate What is the cybersecurity problem? Why has it risen to the top echelons of government and industry? Is it hype or real? What are the implications for privacy and Internet freedom of proposed policies to safeguard computer networks? We will discuss areas of policy that will be covered in the course as they relate to cybersecurity. Understand generally the debate about the scale of the problem Understand some of the policy implications of the problem Map out some of the privacy and civil liberties issues that are related to proposed solutions No readings (first class). Week 2 The debate continued; General overview of the Internet and computer architecture. We will begin by continuing our discussion around the policy debate concerning the scope and nature of the cyber conflict problem, and then delve deeper into understanding the nature of the Internet and computer architecture. Cybersecurity implies that we are trying to protect something. What is it? We are trying to protect the Internet and the way of life that the Internet enables. Why? Understand what the Internet is, how it came to be, how it works. Understand the promise the Internet holds. Understand the unique challenges that the Internet poses for governments (e.g., territoriality, difficulty in attribution, etc.) Clarke & Knake, Cyberwar, pp Deibert, author s note, preface, introduction, chapter 1, pp. ix xvi, 1 28 John Arquilla, Cyberwar Is Already Upon Us, Foreign Policy, March/April 2012 Thomas Rid, Think Again: Cyberwar, Foreign Policy, March/April 2012 Barack Obama, "Taking the Cyberattack Threat Seriously," Wall Street Journal, July 19, or DDoS: What is Real World Cyber? Remarks of White House Cybersecurity Coordinator Michael Daniel, RSA Security Conference, San Francisco, February

3 Glenn Greenwald and Ewen MacAskill, Obama orders US to draw up overseas target list for cyberattacks, The Guardian, June 7, 2013 Supplemental Jonathan Zittrain, The Future of the Internet And How to Stop It (2008) (free download available), pp. 1 9, Lawrence Lessig, Code: Version 2.0 (2006), pp. 1 8, Goldsmith & Wu, Who Controls the Internet?, pp Week 3 Threats to computer networks: cyberattack, espionage, crime, malicious insiders. Why are computer networks vulnerable? Who is trying to exploit those vulnerabilities? What are some of the principal ways in which data can be stolen or altered, services disrupted, or in which cyber intrusions can result in real world physical effects? What are malware, botnets, SQL injections, buffer overflows and the like? Understand the nature of vulnerabilities in the Internet and computer networks, including examples of the most common vulnerabilities Understand the main threat actors (nation states, criminal groups, etc.) Examine and discuss the implications of pervasive threats Clark and Knake, ch. 3, Deibert, ch. 2, pp Watch on YouTube: Cyber War: The Aurora Project, 60 Minutes William Wan and Ellen Nakashima, Report ties cyberattacks on U.S. computers to Chinese military, Wash. Post, Feb. 19, 2013 Mandiant report on Chinese military hacking. Nicole Perlroth, Cyberespionage Attacks Tied to Hackers in Iran, N.Y. Times, May 29, 2014 Nicole Perlroth, 2nd China Army Unit Implicated in Online Spying, N.Y. Times, June 9, Supplemental 3

4 Zittrain, Future of the Internet, Goodrich & Tamassia, Introduction to Computer Security (2011), pp (fundamentals of information security), pp , (malware), pp , (denial of service attacks) Stewart Baker, Skating on Stilts: Why We Aren t Stopping Tomorrow s Terrorism (2010), pp (Moore s Outlaws) Symantec, 2014 Internet Threat Report, Volume 19. Week 4 Cyberwar (1): the use of force in cyberspace Much has been written about cyberwar and the possibility (or, some might say, the present reality) of nation states or non state actors using vulnerabilities in computer networks to launch attacks so devastating that they would constitute a use of force, i.e., an act that would justify self defense by the nation that was attacked. What would constitute a use of force in cyberspace? What distinguishes a use of force from other malicious acts (crime, espionage)? What responses would be justified if the threshold is reached? Understand the international law of the use of force and examine the ways it might apply to a cyber conflict Understanding other relevant considerations as they may apply to international cyber attacks Clark and Knake, ch. 6, pp Deibert, chs. 10 and 11, pp United Nations Charter. Read articles 2(4) and article 51. The North Atlantic Treaty. Read article 5. Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual) (Michael N. Schmitt et al. eds. 2013), introduction, pp ; Rules 1 and 2, pp ; Rules 10, 11, 12 and 13, pp Matthew C. Waxman, Cyber Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int l L. 421 (2011) (best general article on this subject) Supplemental William J. Lynn III, Defending a New Domain: The Pentagon s Cyberstrategy, Foreign Affairs (Sept/Oct 2010) (definitive outline of the Defense Department s strategy) 4

5 William Owens, Kenneth Dam, and Herb Lin, eds., Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Research Council 2009), pp Week 5 Cyberwar (2): Internet governance and contrasting views concerning cyber arms control The United States has been very vocal in asserting its right to defend itself against cyber attacks and in decrying intrusions in its computer networks (military and civilian, both public and private sector). However, it has also resisted strongly proposals from Russia and others to limit or ban cyber weapons in the same way other weapons have been limited by international agreement. Understand some of the basic principles of Internet governance Examine the views of the United States and contrast with those of Russia and China Explore possible norms for cyber conflict Clarke and Knake, ch. 7, pp Diebert, ch. 9, pp Tallinn Manual, Rule 20, pp ; Rule 30 and 31 pp ; Rule 66, pp Russian Draft, Convention on International Information Security (concept) (November 2011) Jack Goldsmith, Cybersecurity Treaties: A Skeptical View (Hoover Institution essay) (2011) Kenneth W. Abbot & Duncan Snidal, Hard and Soft Law in International Governance, 54 International Organization 3, (Summer 2000) Supplemental Owens, Dam and Lin, eds., Cyberattack Capabilities, pp , Robert Knake, Internet Governance in an Age of Cyber Insecurity, September 2010 Week 6 Cybercrime Cyber conflict does not implicate only international issues. Most malicious activity directed against computer networks is criminal activity (perhaps state tolerated or even state sponsored, but generally criminal). How can the criminal justice system be used to deter or prevent malicious activity? What are the rules that govern the gathering of evidence? Is criminal law an effective mechanism for combating 5

6 the most serious threats in cyberspace? What constraints does the criminal paradigm place on countermeasures that may be used to combat the most common forms of computer attacks and intrusions? Understand the basic structure of cybercrime including common computer offenses Understand some of the rules for obtaining digital evidence and information Understand constitutional and statutory constraints Basic knowledge of international cooperation Deibert, ch. 8, pp and ch. 14, pp Indictment in United States v. Wang Dong (E.D. Penn. May 1, 2014). Press release and summary. Ellen Nakashima, Indictment of PLA hackers is part of broad U.S. strategy to curb Chinese cyberspying, Washington Post, May 22, Andy Greenberg, U.S. Indictment of Chinese Hackers Could Be Awkward for the NSA, Wired, May 19, 2014 The Council of Europe Convention on Cybercrime (Budapest Convention) Riley v. California, No (June 25, 2014) Supplemental Larissa MacFarquhar, Requiem for a Dream, The New Yorker (March 11, 2013). First chapter of Justice Department manual on prosecuting computer crimes. Read pp. 1 12; the rest (pp ) you can skim. Introduction and first chapter of Justice Department manual on searches and obtaining evidence. Read pp. ix xii, pp and pp ; the rest (pp ) you can skim. Indictment in United States v. Gonzalez (D. Mass. 2008). United States v. Jones, 132 S. Ct. 945 (2012) Week 7 Regulation and Critical Infrastructure 6

7 Much of the cybersecurity debate in Washington has concerned the advisability of any form of regulation that might affect software. Proponents of such regulation strongly believe it is necessary to address pressing security issues, while opponents are equally convinced government involvement, even if only to incentivize voluntary adoption of security standards, is misguided and potentially threatening to innovation, Internet freedom, or both. Is there a place for regulation in addressing cybersecurity vulnerabilities? What regulatory authority currently exists? What are the dangers in adopting a regulatory approach? Understand the debate concerning regulation to address cybersecurity vulnerabilities Map out some of the existing regulatory authority to address security problems Examine alternatives to regulation Deibert, ch. 15, pp Clark and Knake, ch. 4, pp Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," 78 Fed. Reg (Feb. 12, 2013) Congressional Research Service, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress (March 1, 2013) The Digital Arms Trade: The market for software that helps hackers penetrate computer systems, The Economist, Mar. 30, Lawrence Lessig, Code: Version 2.0 (2006), pp , Supplemental Zittrain, Future of the Internet, pp Michele Golabek Goldman, A New Strategy for Reducing the Threat of Dangerous 0day Sales to Global Security and the Economy (March 25, 2014) Stewart Baker, Skating on Stilts: Why We Aren t Stopping Tomorrow s Terrorism (2010) pp (Big Brother s Revenge) Joseph Menn, SEC issues guidelines on hacking, Financial Times, Oct. 14, Marc Mayerson and Darren Teshima, Insuring Against Cybercrime, The Recorder (2011) 7

8 Week 8 Network monitoring and surveillance (1): privacy Many forms of defense against malicious cyber activity involve monitoring of computer networks. What is the basis for monitoring for malicious activity? What are the rules that govern such monitoring? Is consent necessary? Is consent real or just legal jargon no one reads, and does it matter? Understanding general principles of monitoring at the workplace by public and private employers and constitutional principles. Understanding risks to privacy and potential mitigation of those risks. Understanding alternative bases for monitoring (e.g., to protect rights or property) Clark and Knake, ch. 5, pp White House description of the Comprehensive National Cybersecurity Initiative, released at RSA conference in Jack Goldsmith, The Cyberthreat, Government Network Operations, and the Fourth Amendment (Brookings paper) (Dec. 8, 2010) Gregory T. Nojeim, Cybersecurity and Freedom on the Internet, 4 J. of Nat l Sec. L. and Pol y 119 (2010) Congressional Research Service, Cybersecurity: Selected Legal Issues (March 14, 2012), pp Supplemental Privacy Impact Assessment for the Initiative Three Exercise, Department of Homeland Security, 18 March Federal Register notice for Defense Industrial Base pilot. Goodrich & Tamassia, Introduction to Computer Security (2011), pp (intrusion detection) Week 9 Network monitoring and surveillance (2): information sharing and intelligence oversight Continues our discussion of cybersecurity and surveillance. In particular, what constraints applicable to direct monitoring will be applicable to information sharing? In other words, when does information sharing become detailed enough that the participants in the sharing arrangement become responsible 8

9 for the monitoring? What risks arise as the result of such sharing? What about sharing with the government? What about sharing with the Intelligence Community? Understanding agency and state action issues. Understanding intelligence oversight H.R. 3523, Cyber Information Sharing and Protection Act, as passed the House of Representatives, April 26, 2012 Statement of Administration Policy on H.R (veto threat) Executive Order 12,333, as amended. Read part 2 only. Congressional Research Service, Cybersecurity: Selected Legal Issues (March 14, 2012), pp Suggested Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford, Can It Really Work? Problems with Extending EINSTEIN 3 to Critical Infrastructure, 3 Harvard Nat l Sec. J. 1 (2011) Week 10 Emergency powers and competing authorities When confronting a possible cyber conflict, the federal government has an array of tools with which it could potentially respond. The President will ultimately be held responsible, but it matters whether the authorities are civilian or military, and which agency or Department is responsible for executing the response. There is considerable debate on this topic. Understand military and intelligence authorities Understand national security policymaking process Discuss the debate about the authority (or lack of authority) to shut down parts of the Internet Sean Lawson, Is America Really Building An Internet Kill Switch, Forbes, Feb. 11, 2011 Section 706 of the Telecommunications Act of 1934, 47 U.S.C. 606 ( War Powers of President ). Presidential Policy Directive 1, Organization of the National Security Council System (Feb. 2009). 9

10 Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952) Legal Authorities Supporting the Activities of the National Security Agency Described by the President (Jan. 19, 2006) Supplemental Section 249 ( National Cyber Emergencies ) of S. 413, the Cybersecurity and Internet Freedom Act of 2011, 112th Cong., 1st Sess., as introduced in the Senate, sponsored by Senators Lieberman, Collins and Carper. Robert Chesney, Military Intelligence Convergence and the Law of the Title 10/Title 50 Debate, 5 J. of Nat l Sec. L. and Pol y 539 (2012) (especially , Cyberoperations ) Week 11 Internet freedom (1) The freedom to connect may be, as articulated by Secretary of State Hillary Clinton, fundamental to basic human rights in the 21 st century. Is this freedom at odds with efforts to safeguard the Internet and address cybersecurity vulnerabilities? Is it possible for government to address real cybersecurity vulnerabilities without sacrificing Internet freedom? What about countries that seek to filter or control Internet usage in order to limit such freedoms? Is it possible to preserve Internet freedoms in the absence of reliable security? Understand human rights concepts as they apply to Internet freedoms. Explore the role of social networks in challenging authoritarianism and the limits of such tools. Examine Internet filtering as a tool of state control in China, Russia, and other regimes. Secretary of State Hillary Clinton, Remarks on Internet Freedom, (Jan. 2010) Deibert, ch. 4, 69 81, chs , Access Controlled: The Shaping of Power, Rights and Rule in Cyberspace, Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain, eds. (MIT Press 2010), pp (next generation controls), control in Russian cyberspace), (Russia profile), (China profile) Alexander Klimburg, The Internet Yalta, Center for a New American Security (Feb. 2013) Supplemental Reading 10

11 Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom (2011), pp , Goldsmith & Wu, Who Controls the Internet? pp (Yahoo!), (China). Week 12 Internet freedom (2) Continuing our discussion of Internet freedom, we discuss whether and to what extent control of the Internet, software, and the like should or should not be used for legitimate purposes beyond cybersecurity. Understand the debate about whether and how democratic countries should attempt to control software, networks, and users. Compare and contrast the purpose of such controls and consider critically whether and how they can be used for legitimate ends. Deibert, ch. 6 7, pp Access Controlled: The Shaping of Power, Rights and Rule in Cyberspace, Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain, eds. (MIT Press 2010), pp (child protection), (intermediaries), (United States & Canada, Australia & New Zealand) Supplemental Goldsmith & Wu, Who Controls the Internet? pp (intermediaries) Zittrain, Future of the Internet, pp Lessig, Code: Version 2.0, pp Week 13 Digital Identity Current online identity systems suffer from a general lack of trust. Whether we are exchanging ideas or photos, or are engaged in online transactions, determining the identity of the people with whom we interact is very challenging. Cyber conflict suffers from the analogous problem of attributing cyber attacks to the correct adversary, complicating basic concepts such as deterrence and making it more difficult to assign responsibility for violation of international law or norms. In this session, we examine digital identity. 11

12 Understand concepts of digital identity and identity management Discuss the National Strategy for Trusted Identities in Cyberspace Understand privacy enhancing anonymous credentials and examine their legal implications White House, National Strategy for Trusted Identities in Cyberspace (April 2011) McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995) *Anna Lysyanskaya, Cryptography: How To Keep Your Secrets Safe, Scientific American (Sept. 2008) Supplemental Zittrain, Future of the Internet, pp Lessig, Code: Version 2.0, pp Web resources Some resources for your papers Cybersecurity wiki at Berkman Center for Internet Law and Society, Harvard University. This has got a lot of useful documents and information, categorized several ways. Use it!! Lawfare blog, Brookings Institution. The blog covers national security issues more generally but has a lot of cyber coverage. Generally offers a center right/national security perspective. Cybersecurity page, Center for Democracy and Technology. Offers a center/left privacy and civil liberties perspective on the issue. White House website cybersecurity page. Latest official statements from the Obama Administration and its Cybersecurity Coordinator, Michael Daniel. ACLU's Free Future blog, "Protecting Civil Liberties in the Digital Age." Pay close attention to the "blogroll" these are some of the best quality blogs in this area. Recommended Books 12

13 Goodrich & Tamassia, INTRODUCTION TO COMPUTER SECURITY (2011) (excellent basic text on computer and network security very accessible to the non technical expert) Paul Rosenzweig, CYBER WARFARE: HOW CONFLICTS IN CYBERSPACE ARE CHALLENGING AMERICA AND CHANGING THE WORLD (2013) Jack Goldsmith & Tim Wu, WHO CONTROLS THE INTERNET? ILLUSIONS OF A BORDERLESS WORLD (2006) Franklin D. Kramer, Stuart H. Starr & Larry K. Wentz, eds., CYBERPOWER AND NATIONAL SECURITY (2009) David G. Post, IN SEARCH OF JEFFERSON S MOOSE: NOTES ON THE STATE OF CYBERSPACE (2009) (strange title; good book on how Jefferson might have approached how to create rules for cyberspace) Thomas Rid, CYBER WAR WILL NOT TAKE PLACE (2013) Xu Wu, CHINESE CYBER NATIONALISM (2007) Evgeny Morozov, THE NET DELUSION: THE DARK SIDE OF INTERNET FREEDOM (2011) (a useful skeptical account of the ability of the Internet to serve a liberating function in closed societies) More Recommended Remarks by the President on Securing Our Nation s Cyber Infrastructure (May 2009). Transcript. Video. White House, Cyberspace Policy Review (2009). James Lewis, Securing Cyberspace for the 44 th Presidency, Center for Strategic and International Studies, Cybersecurity Two Years later, CSIS, Reno v. ACLU, 521 U.S. 844 (1997) (holds that the Internet is entitled to the highest level of First Amendment protection, akin to books rather than broadcast media) Metro Goldwyn Mayer Studios, Inc. v. Grokster, Ltd., 125 S. Ct (2005) (holds against Grokster for contributory copyright infringement, finding no immunity for peer to peer copying) Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace (October 2011) United States v. Nicaragua (ICJ 1986). (examines the international law issues in proxy wars) Joel Brenner, America the Vulnerable (2011) (good general book on the threat) U.S. Department of Justice, Criminal Division, Computer Crimes and Intellectual Property Section, Prosecuting Computer Crimes. (very detailed, extremely well written, intended for prosecutors) 13

14 U.S. Department of Justice, Criminal Division, Computer Crimes and Intellectual Property Section, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. (very detailed, extremely well written, manual for prosecutors) Privacy Impact Assessment for the Initiative Three Exercise, Department of Homeland Security, 18 March (official privacy analysis of the Einstein intrusion detection system) Federal Register notice for Defense Industrial Base pilot. (notice of the pilot for deployment of intrusion detection system to selected private companies in the defense sector) The National Security Policy Process: The National Security Council and Interagency System by Alan G. Whittaker, Shannon A. Brown, Frederick C. Smith, and Ambassador Elizabeth McKune, Industrial College of the Armed Forces, National Defense University, August 15, 2011 (excellent description of the main process for national security decision making) Access Denied: The Practice and Policy of Internet Filtering, Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain, eds. (MIT Press 2006), pp (measuring filtering). Title I of S. 3414, Cybersecurity Act of 2012, (Senate failed to invoke cloture by a vote of 52 46) Statement of Administration Policy on S (supports) Key Vote Letter by the U.S. Chamber of Commerce on S (opposes) 14