The Federal Bureau of Investigation had only hired 52 of the 134 computer scientists it was authorized to employ under the Justice Department’s Next Generation Cyber Initiative launched in 2012, according to a report released today, July 30, 2015, by the Department of Justice Office of the Inspector General. Although the “audit found that the FBI has made considerable progress towards achieving the goals it established for the Next Gen Cyber Initiative,” it also concluded:
the NCIJTF [National Cyber Investigative Joint Task Force] did not have a process to measure the timeliness of information sharing among members;
recruitment and retention of qualified candidates remain a challenge for the FBI, as private sector entities are often able to offer higher salaries and typically have a less extensive background investigation process;
the FBI has encountered challenges in attracting external participants to its established Cyber Task Forces;
the FBI did not hire 52 of the 134 computer scientists for which it was authorized; and
5 of the 56 field offices did not have a computer scientist assigned to that office’s Cyber Task Force.
Finally, although the FBI is working to develop strategies to enhance outreach to private sector entities, it continues to face challenges partnering and sharing information with these entities.
The editorial position of this blog is that it is critical for policy, law and investigations — both criminal and national security intelligence investigations — to be “tech informed.” The Cyber Task Forces all need a computer scientist. Additionally, it is no surprise that low pay and lengthy and intrusive background checks inhibit the Bureau’s hiring process, but we are confident that sufficient adequately trained personnel not motivated exclusively by pay and not deterred by the drug policy (p.8) can be found out of a nation of 320 million persons.
A response by the FBI to the Inspector General is on page 28 of the report.
[The opinions expressed in this post are those of the author and the blog editor and not necessarily those of Syracuse University, its College of Law, or of the Institute for National Security and Counterterrorism.]
Dark Web is a new report from the Congressional Research Service dated July 7, 2015. (Most of you are probably aware that CRS reports are not released to the public but tend to get linked and generally are pretty well done.) The report summarizes:
The layers of the Internet go far beyond the surface content that many can easily access in their daily searches. The other content is that of the Deep Web, content that has not been indexed by traditional search engines such as Google. The furthest corners of the Deep Web, segments known as the Dark Web, contain content that has been intentionally concealed. The Dark Web may be used for legitimate purposes as well as to conceal criminal or otherwise malicious activities. It is the exploitation of the Dark Web for illegal practices that has garnered the interest of officials and policy makers.
* * *
Just as criminals can rely upon the anonymity of the Dark Web, so too can the law enforcement, military, and intelligence communities. They may, for example, use it to conduct online surveillance and sting operations and to maintain anonymous tip lines. Anonymity in the Dark Web can be used to shield officials from identification and hacking by adversaries. It can also be used to conduct a clandestine or covert computer network operation such as taking down a website or a denial of service attack, or to intercept communications. Reportedly, officials are continuously working on expanding techniques to deanonymize activity on the Dark Web and identify malicious actors online.
The report also includes this chart:
Delivered today, July 08, 2015: Going Dark: Encryption, Technology, and the Balances Between Public Safety and Privacy
Joint Statement of James B. Comey, Director, Federal Bureau of Investigation, with Deputy Attorney General Sally Quillian Yates, Before the Senate Judiciary Committee in Washington, D.C.
Good morning, Chairman Grassley, Ranking Member Leahy, and members of the Judiciary Committee. Thank you for the opportunity to testify today about the growing challenges to public safety and national security that have eroded our ability to obtain electronic information and evidence pursuant to a court order or warrant. We in law enforcement often refer to this problem as “Going Dark.”
We would also like to thank this committee more generally for its continued support for the mission of the Department of Justice. We know that you, like us, take very seriously the role of the Department in protecting the public in a manner that upholds the Constitution and the rule of law.
In recent years, new methods of electronic communication have transformed our society, most visibly by enabling ubiquitous digital communications and facilitating broad e-commerce. As such, it is important for our global economy and our national security to have strong encryption standards. The development and robust adoption of strong encryption is a key tool to secure commerce and trade, safeguard private information, promote free expression and association, and strengthen cyber security. The Department is on the frontlines of the fight against cyber crime, and we know first-hand the damage that can be caused by those who exploit vulnerable and insecure systems. We support and encourage the use of secure networks to prevent cyber threats to our critical national infrastructure, our intellectual property, and our data so as to promote our overall safety.
Click on the thumbnail to read the actual text of the “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015” or the “USA FREEDOM Act of 2015,” signed last evening by the President.
“The United States considers the promotion of an open and secure internet to be a key component of our foreign policy,” said Secretary of State John Kerry on May 18, 2015, in South Korea.
Although the July 2011 Department of Defense Strategy for Operating in Cyberspace has already been replaced by The DoD Cyber Strategy, the May 2011 International Strategy for Cyberspace has not been superseded and is not expected to be anytime soon. Thus, Kerry’s speech is our most current and comprehensive summary of the U.S. State Department’s positions on cybersecurity. (A writer at justsecurity.org called for a new international strategy for cyberspace last fall.)
Little is new in the speech. State still supports multistakeholderism and opposes multilateralism. (More on that over at nextgov.com.) It still considers access to the Internet, privacy, and censorship in cyberspace to be human rights issues. Review Secretary Kerry’s speech for yourself. Below is the official text, and between here and there is video of the actual speech.
An Open and Secure Internet: We Must Have Both
Secretary of State
Seoul, South Korea
May 18, 2015
SECRETARY KERRY: (Applause.) Well, good afternoon, President Yeom. Thank you very much for a generous introduction. Distinguished guests, all, I’m delighted to be here and I want to thank the university, and particularly Park No-young, the Director of the Cyber Law Center, for inviting me to be here today. Thank you very, very much.
“I’d say our [cyber] defense isn’t working” – Former Director of the National Security Agency Keith Alexander.
In a keynote address at the American Enterprise Institute, Alexander told the audience that “if everybody’s getting hacked … industry and government … the strategy that we’re working on is flawed.” Critical infrastructure is vulnerable to cyberattacks and several nation states have developed the necessary cyber arsenal to strike critical infrastructure. Yet, our cyber defense isn’t working. This is not the first time nations have developed weapons that break through defense systems. The nuclear terror of the Cold War presented a similar complication.
In cyber defense, can Cold War-style deterrence work? Relying primarily on the words of Keith Alexander, Eric Rosenbach (principal cyber advisor to the Secretary of Defense), and Scott Jasper (retired Navy captain and lecturer at the Naval Postgraduate School), Mark Pomerleau examines this question in an article for DefenseSystems.com.
Pomerleau first sets out Jasper’s definition for deterrence, breaking it down into potentially three components: deterrence by punishment (the threat of retaliation), deterrence by denial (the ability to prevent benefit), and deterrence by entanglement (mutual interests). According to Rosenbach, a cyber deterrence policy would require a “whole-of-government” approach, in which the Department of Defense would need to:
(1) develop the capabilities to deny a potential attack from achieving its desired effect
(2) increase the cost of executing a cyberattack . . . DOD must be able to provide the president with options to respond to cyberattacks on the U.S., if required through cyber and other means,
(3) ensure that we are resilient, so if there is an attack that we can bounce back.
However, Pomerleau goes on to describe a number of issues in the cyber realm that differentiate the cyber defense situation from the Cold War nuclear defense situation. First of all, attribution is difficult in the cyber realm due to the ability of adversaries to re-route the source to a different location providing plausible deniability. Second, deterrence will not be as effective with the numerous criminal non-state actors involved in cyber attacks. Finally, traditional nuclear deterrence relies on an adversary having knowledge of the destruction that will result if they make a move, whereas in the cyber realm the effectiveness of a cyber threat depends in part on the secrecy of weapons.
While Pomerleau also describes potential solutions, they are couched in vague terminology, providing little reassurance. For instance, Rosenbach addresses the attribution problem by suggesting that the government reduce anonymity in cyberspace, without providing any information as to how the government would be able to accomplish that objective. Pomerleau also stresses the importance of international frameworks, a view shared by most, but despite numerous international conferences the vulnerabilities in cyberspace are still on the rise.
After finishing Pomerleau’s article, I pulled out a book of essays on cyber deterrence compiled by the National Research Council of the National Academies*. In one of the essays** in the book, Stephen J. Lukasik compared the nuclear deterrence policy to deterrence issues in the cyber realm. While Lukasik described many of the same issues in Pomerleau’s article, he noted the three aspects of deterrence that remain invariant:
(1) A defender’s response must be seen as technically feasible. In the nuclear case, very visible weapon tests and well publicized images of nuclear detonations and measured global radioactive fallout provided convincing demonstrations of feasibility.
(2) [T]he defender must be seen as credible, willing as well as able to respond. U.S. nuclear weapon use in WWII established that, and equivalent Soviet nuclear capabilities left little doubt what its response to a nuclear attack would be.
(3) [D]efense through deterrence requires being able to respond, with in-being offensive capability. While response to a cyber attack need not be a cyber counter-attack, international principles of armed conflict speak to proportionality of response and escalation control favors responding in kind. Thus cyber offense is a component of cyber deterrence.
I agree with Lukasik that feasibility, credibility, and ability are the cornerstones to a successful deterrence policy, but can this work in cyber defense? It seems like all three of those objectives suggest some sort of a demonstration to the world that it is feasible, we are able to strike, and our threats should be taken seriously.
While Lukasik argues that the response to a cyber attack should be limited to cyber offense, Rosenbach is cited in Pomerleau’s article advocating for a response policy that uses all the tools of foreign policy and military options.
This is a global issue, and everyone will be watching what policy the United States ultimately follows to fix the flaws in its cyber defense. If we continue to limit offensive actions, we limit deterrence by punishment. On the other hand, if we are too aggressive, we could open the door to more attacks. I agree with Rosenbach:
“The U.S. is a glass house when it comes to cyber.”
*Proceedings of a Workshop on Deterring Cyberattacks – Informing Strategies and Developing Options for U.S. Policy, compiled by the National Research Council of the National Academies
**A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains, by Stephen J. Lukasik
We’ll have lots of analysis and commentary over time, no doubt, but we just want to make sure you all have a copy of the actual [U.S.] Department of Defense Cyber Strategy of April 2015 by posting it here:
Of course, it is always better to read the actual source document for yourself before reading what the reporters, pundits, analysts and experts have to say about it.
In 2010, the United States and Israel reportedly attacked Iran’s nuclear enrichment center using a computer worm that caused about 1,000 centrifuges to self-destruct. From recent reports by cybersecurity firms Norse and Cylance*, it appears that Iranians have begun a cycle of cyber retaliation. Unlike nuclear technology, cyber tools provide Iran with a usable weapon with the added bonus of plausible deniability.
The New York Times examined the Norse and Cylance* reports, as well as information gathered from American intelligence officials, and detailed their findings in an article on Iran’s recent cyber developments. According to the article, despite international sanctions, Iran has greatly increased the frequency and skill of its cyberattacks.
American intelligence officials are concerned about Iran’s cyber capabilities, but according to the article, the concern has nothing to do with sophistication. While Iran’s cyber capabilities are not as advanced as those of Russia or China, its attacks are the most concerning because they are aimed more at destruction. Destructive cyber attacks are the category of attacks that could escalate into attacks on critical infrastructure.
Norse and Cylance* report the same thing: Iran’s cyber attacks are politically motivated with a focus on retaliation. Iran is believed by many to have attacked American banks in retaliation for sanctions. Iran has also been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.
However, the reports also indicate a move away from ostentatious attacks toward quieter reconnaissance. As for the degree of escalation, the reports are mixed. Cylance* reports that in recent months (potentially due to the recent nuclear negotiation talks) there has been a notable drop in cyber activity. On the other hand, Norse (“which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods”) detected more than 900 attacks, on average, every day in the first half of March, showing no signs of Iran slowing down.
There is also evidence in the reports supporting the fear that Iran will escalate cyber attacks by targeting critical infrastructure. From the NYTimes article:
In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks. . . . Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. . . . Norse says it saw evidence that Iranian hackers probed the network of Telvent, a company now owned by Schneider Electric that designs software to allow energy companies and power grid operators to control their valves and switches from afar.
In 2010 the Stuxnet worm proved to be a cyber “win” for the United States, but just as in non-cyber warfare, winning the battle is not the same as winning the war.
For the full Norse report, click here: Norse: The Growing Cyber Threat from Iran
*It is unclear which Cylance report NYTimes is referring to, as they do not link any report to their article. The most recent report concerning Iran is the Operation Cleaver report. The Crossroads Blog posted an in-depth discussion of this report. The report itself: Cylance – Operation Cleaver Report
We noted in January of 2014 that Chatham House, the internationally famous UK think-tank, had assembled a Global Commission on Internet Governance. On April 14, 2015, the Commission released a statement entitled: “Toward a Social Compact for Digital Privacy and Security.” From the Chatham House website:
On the occasion of the April 2015 Global Conference on Cyberspace meeting in The Hague, the Commission calls on the global community to build a new social compact between citizens and their elected representatives, the judiciary, law enforcement and intelligence agencies, business, civil society and the internet technical community, with the goal of restoring trust and enhancing confidence in the internet.
It is now essential that governments, collaborating with all other stakeholders, take steps to build confidence that the right to privacy of all people is respected on the internet. It is essential at the same time to ensure the rule of law is upheld. The two goals are not exclusive; indeed, they are mutually reinforcing. Individuals and businesses must be protected both from the misuse of the internet by terrorists, cyber criminal groups and the overreach of governments and businesses that collect and use private data.
A social compact must be built on a shared commitment by all stakeholders in developed and less developed countries to take concrete action in their own jurisdictions to build trust and confidence in the internet. A commitment to the concept of collaborative security and to privacy must replace lengthy and over-politicized negotiations and conferences.
The following are the core elements that the Commission advocates in building the new social compact: