In a hearing of the House Committee on Foreign Affairs on “Iran’s Support for Terrorism Worldwide,” a former chairman of the House’s Permanent Select Committee on Intelligence gave a statement that included the “increasing sophistication of Iran’s cyber program and capability to conduct cyber warfare.” The testimony last Tuesday followed reports in February on Iranian hackers who penetrated the Navy Marine Corps intranet over an extended period of time in 2013.
Building on a Foreign Policy report of February 18th, former Rep. Peter Hoekstra (R-MI) elaborated on the Iranian regime’s awareness of U.S. vulnerabilities and its ambitions to be at eye level with its “enemies” in cyber. Correspondingly, he claimed that “[t]he very nature of cyber warfare and Iran’s increasing capability should be of major concern of the United States.”
The former chairman further discussed Iran’s ties with Russia, mentioning suspicions that Russia supports the development of Iranian cyber capabilities. He concluded his statement, which also covered Iran’s “global reach” through international terror networks, with the following finding:
Iran will view cyber warfare, a closer relationship with Russia, and the possibility of closer cooperation with other Islamist terror groups as potential opportunities to radically change the national security equation for the U.S. and our allies.
Hoekstra’s concluding remarks give a concise account of his assessment of Iran’s relevance to U.S. national security. I quoted it directly because, as for the cyber part, it exemplifies how Iran reportedly exploits the asymmetric nature of cyberspace. The list of previous cyber attacks, including hacks of U.S. financial institutions and the mentioned Navy network penetration, gives a taste of the possibilities for conventionally, i.e. “symmetrically,” inferior adversaries to change the balance of power in their favor.
Regardless of Russia’s suspected involvement and the assumed ties of Iran with international terrorism, I think the developments in cyberspace are worth some of the attention that beforehand was exclusively directed at the nuclear issue.
The Milan-based spyware firm HT S.r.l., also known as Hacking Team, provided several repressive regimes with an Internet surveillance tool that routes the data tapped at a targeted device through a series of servers in different countries. The purpose is to obscure the data’s final destination and thus the eavesdropper. In the course of their investigation, the researchers of the Citizen Lab at the University of Toronto identified at least 12 cases in which U.S.-based data centers are part of this espionage infrastructure, (passively) assisting the governments of several repressive and authoritarian states, including Azerbaijan, Uzbekistan, and Ethiopia, in laundering their surveillance data.
In mid-February, the Citizen Lab started to release their research results on the Hacking Team. The first report introduced the company’s Remote Control System (RCS), a surveillance tool that “can record Skype calls, copy passwords, e-mails, files and instant messages, and turn on a computer or phone’s webcam and microphone to spy on nearby activity,” and how it was used against employees of an Ethiopian news outlet based in Alexandria, Virginia. The second report mapped out the infrastructure used by RCS, tracing the so-called proxy chains back to 21 governments that could be identified as clients of the spyware provider (despite Hacking Team’s assurance of untraceability).
On Tuesday, the Citizen Lab released the third report, covering the “Hacking Team’s US Nexus”. While the first two parts of the series echoed widely on- and offline, I chose to blog about this third release for its specific value for the Crossroads Community, as it directly addresses questions of cyber security law and policy.
By establishing a covert network infrastructure using servers on U.S. soil and routing wiretapped data from targeted computers and devices through the U.S., Hacking Team’s operations, according to the report, raise several cyber legal issues, including whether moving exfiltrated data through U.S.-based communications facilities violates
- U.S. law, including the Computer Fraud and Abuse Act and the Wiretap Act,
- U.S. sovereignty and the international legal principle of nonintervention,
- the client states’ own laws on electronic surveillance,
- the corporate social responsibility of service providers owning the U.S. based infrastructure,
- the terms of service of service providers owning the U.S. based infrastructure,
- Hacking Team’s own corporate social responsibility.
A Final Thought
To me, Hacking Team’s RCS is a paragon of the messy policy problems that arise from cyberspace, exemplifying the fundamental relevance of the Internet’s technical architecture for policy deliberation in and governance of the virtual.
Join White House Cybersecurity Czar Michael Daniel and NIST Director Dr. Patrick Gallagher, together with industry leaders, for an interactive conversation about the future of business cybersecurity standards.
On February 12th, The White House unveiled the final version of its “cybersecurity framework,” designed to help companies involved in critical infrastructure improve the security of their networks. Will it make significant impact on company cybersecurity, or disappear without making a ripple?
In-person seats are sold out, but you can join the conversation – and pose questions – in our online webcast.
Register for free to join the event online at http://about.bgov.com/events/cybersecurity-next-steps-for-government-and-industry/ .
As the situation on the Crimean peninsula remains tense, media reports on cyber incidents disrupting Crimean information and communication networks are increasingly discussing the likelihood of a virtual escalation of the crisis, and the hypotheticals of a cyberwar between Russia and Ukraine. While the following articles provide different assessments of the cyber-strategic status quo, together they give a simple overview of the different layers on which the involved parties have already carried out cyber attacks.
The Physical – Ukraine/Crimea
Two days ago, Foreign Policy (FP) reported how “[t]he new strikes appear to have been conducted mostly by hand rather than by hackers”. The article mentioned the jamming of phone and radio signals, possibly from Russian navy ships, and, more prominently, the siege of several of the Ukrainian state-owned service provider’s Crimea offices, in the course of which phone and internet cables have allegedly been cut, damaging the region’s internet backbone. Also, “armed commandos reportedly cut off power lines at the Ukrainian navy headquarters in Sevastopol”, and “other teams of commandos” allegedly broke into Ukrainian navy communication stations, sabotaging information and communication technological infrastructure.
The Virtual – Endpoints in Ukraine/Crimea
Yesterday, digital news outlet Quartz cited the head of Ukraine’s security service, saying that “the mobile phones of Ukrainian lawmakers are under attack by equipment located in Russian-controlled Crimea”. Moreover, though “only sporadic”, remote attacks have been reported targeting Ukraine.
The Virtual – Endpoints in Russia
Also yesterday, the Massachusetts Institute of Technology (MIT) Technology Review mentioned that the Russian government “has moved to block Internet pages devoted to the Ukrainian protest movement”, while “Info-war tactics have been seen on the Ukrainian side too”, when the Russian government’s English-language news organ Russia Today had been hacked and defaced.
The common spin of all three reports is that “all-in” cyberwarfare in the form of massive denial-of-service attacks, as witnessed in Estonia 2007 or Georgia 2008, has not yet occurred. Accordingly, further layers facilitating cyber conflict, including physical spaces in Russia and other critical infrastructures in Ukraine, have not evolved for now. FP stated that “Moscow hasn’t succeeded in imposing an information blackout, but the attacks could be sign that Russia is looking to escalate its military operations [...] without firing a shot”. In contrast, Quartz argued that the limited scope of this (non-)present cyberwar is in line with the Russian Federation’s intentions of isolating Crimea and controlling information and communication traffic through the peninsula’s internet exchange point.
While the evolution of the conflict and of Russia’s and Ukraine’s cyber operations can hardly be predicted at the moment, I think it is worth tracking how the current events develop international military and diplomatic conduct in cyber conflicts, and which rules of engagement the involved parties will base their actions on – on each of the different layers elaborated above.
Mt. Gox, once a leader in bitcoin exchange, handling as much as eighty percent of the world’s bitcoin trades, filed for bankruptcy in Tokyo District Court last week, leaving many concerned over the future of the digital currency, report the Washington Post, Reuters, Information Week, and others.
Bitcoin is a digital currency and monetary transfer technology that removes banks and credit card companies from online financial exchanges by using cryptography to manage the creation and transfer of money. The collapse of Mt. Gox, which revealed that approximately $500 million in bitcoins had been stolen, has triggered an investigation led by Japanese authorities, according to Information Week.
Importantly, too, that report reveals, Mt. Gox is still unclear as to what techniques were used by the attackers, when the attack occurred, or, truly, how much was taken. Information Week offers one possible explanation, namely “that hackers employed transaction malleability attacks.”
But regardless of the “who?”, “when?”, or “how much?” of the debacle, as the Washington Post reports,
The spectacular rise and fall of the marketplace, called Mt. Gox, has played out as something of a morality tale for those skeptical that a currency created on computers and untethered from regulatory structures or the full faith and credit of an issuing nation can be made secure enough for routine transactions.
- According to the Associated Press, Lauri Love, the 28-year-old British man accused of hacking into certain United States government networks, is fighting attempts to extradite him to the United States in order to face trial. The charges against Love, which include computer hacking, aggravated identity theft, and attacking the Federal Reserve, carry a sentence of up to twelve years.
- GCHQ, the British surveillance agency, reportedly collected images intercepted from the web communications of millions of net users, none of whom were suspected of wrongdoing, reports The Guardian. “Optic Nerve,” as the program was codenamed, dates back to 2008-2010. According to The Guardian, “In one six-month period in 2008, the agency collected webcam imagery–including substantial quantities of sexually explicit communications–from more than 1.8 million Yahoo user accounts globally.”
- A report by The Washington Post details outgoing Cyber Command and National Security Agency (NSA) director, General Keith Alexander’s parting remarks last week. Specifically, General Alexander called for “a stronger strategy to deter cyber attacks, saying the line that would prompt a U.S. response against an adversary ‘did not yet exist.’” Moreover, he “said his greatest concern was a terrorist attack against the United States or Europe[,]” and addressed the NSA surveillance debate by noting he was “open to some proposed reforms,” the Washington Post reports.
- Speaking of NSA reform, the AP and the Washington Post report that the Department of Justice (DOJ) has gone to the Foreign Intelligence Surveillance Court (FISC) to seek permission to retain collected phone records beyond five years, which is the current practice. The argument, according to the article, is that the government must retain evidence for future lawsuits.
- The Wall Street Journal reports that the Obama Administration is currently considering four proposals devised by White House attorneys regarding reforms to NSA surveillance programs: (1) have phone companies retain data and perform NSA-requested searches; (2) have a separate government organization retain the data, such as the FBI; (3) have a non-government entity other than phone companies retain the data; or, (4) ditch the phone metadata collection program.
- Lastly, Reuters reports that, according to the German paper Bild am Sonntag, since Obama ordered the NSA to halt its spying on Chancellor Merkel, the agency has begun conducting surveillance of other senior German officials, such as Minister of the Interior, Thomas de Maiziere.
Yesterday, the Electronic Frontier Foundation (EFF), one of the most prominent non-profit digital rights organizations, released a statement on their website, calling for support of the Email Privacy Act. The bill seeks to amend the Electronic Communications Privacy Act of 1986 (ECPA), primarily by the requirement of a probable cause warrant for any governmental access to users’ online private messages.
This update addresses a matter at the heart of the concerns of privacy advocates, spearheaded by the EFF. The current version of the ECPA allows government agencies to obtain private online messages, such as personal emails or social media messages, without a warrant, when they are older than 180 days. According to the EFF, “[t]he government would have to obtain a warrant if those same messages were printed out on your desk. This difference shouldn’t exist.”
When we covered the ECPA the last time, Tara touched on the White House’s call for a more invasive amendment of the law in 2010, seeking to authorize the FBI to obtain electronic records without a warrant. After last year’s “Summer of Snowden”, though, momentum seems to have been gained in favor of privacy and data protection, currently represented by the Email Privacy Act:
In the wake of the recent high profile data breaches, most prominently the attack on the Target Corporation, it is my impression that insurance companies may evolve as an effective driver of securing cyberspace.
While the National Institute of Standards and Technology’s (NIST) cyber security framework encourages organizations non-bindingly to consider and prioritize risks from cyber, proposals for solid legislation undergoing metamorphosis on Capitol Hill address breach notification rather than the implementation of standardized security measures. At the same time, Jason’s post on how Target’s massive data breach has not changed the habits of the population shows that individual “cyber hygiene” may also not be expected to bring about change.
That said, a look into this discussion about liability in data privacy and cyber security of corporations’ directors and officers (D&O) gives an idea about insurance companies’ potential to increase cyber security out of the private sector. In the discussion, facilitated by finance and business intelligence news outlet Financier Worldwide Magazine (FW) and published in its January 2014 edition, an executive of an insurance broker, a specialist from a cyber security solutions company, and a shareholder at a high-profile litigation law firm answer insightful questions about
- key risks to D&Os arising from data and security breaches in the US,
- imperatives, challenges and costs associated with mitigating these risks,
- insurance options covering risks arising from cyberspace, and D&O’s awareness about them,
- requirements to obtain cyber liability policies, which may include the demonstration of
  - meeting or exceeding sector-specific technological requirements and mitigation strategies,
  - due diligence in assessing and controlling third party vendors and business partners,
  - the participation in a “cyber readiness program” offered by different insurers.
This discussion about D&O liability may give an idea of how this part of the private sector, though only a narrow section of the insurance industry, may develop thrust towards a higher standard of cyber security.
CBS reports that recently Maryland Governor Martin O’Malley and Senator Barbara Mikulski (D. Maryland) came together in the Maryland statehouse and created a partnership by bringing together federal, state and private industry actors to expand the National Cybersecurity Center of Excellence and move it into a permanent home.
The National Cybersecurity Center of Excellence was established in 2012 as a partnership between the National Institute of Standards and Technology (NIST), the State of Maryland and Montgomery County. Its mission is to “further innovation through the rapid identification, integration and adoption of practical, standards-based cybersecurity solutions.”
According to WUSA-9, Maryland has set the goal of becoming the epicenter of the nation for cybersecurity. Currently, Fort Meade, Maryland serves as the headquarters for the National Security Agency and U.S. Cyber Command. Governor O’Malley credited the growing field of cybersecurity for producing high-quality jobs for Maryland citizens. Senator Mikulski mirrors the Governor’s sentiment, commenting on how the new center will ensure that Maryland will be at the forefront in the development of cyber technology and the creation of cyber jobs.
The private sector has also joined the mission in expanding and enhancing the National Cybersecurity Center of Excellence, this last report continues, as companies like Microsoft, Symantec and 14 other companies signed on to contribute to this expansion.
According to a report published by the New York Times yesterday, when the civil uprising in Syria turned violent in the spring of 2011, key government agencies, such as the National Security Agency (NSA), produced a plan for a cyberstrike against the Assad regime that would “essentially turn the lights out for Assad.”
However, President Obama has thus far declined to act against the regime either in cyberspace or through a kinetic attack, the Times reports.
Syria was not in a place where [Obama] saw strategic value in American intervention [in Syria,] and even covert attacks–of the kind he ordered against Iran during the first two years of his presidency–involved a variety of risks.
Of course, as the article points out, in addition to questions of justifiability, always part of the consideration over whether to deploy a cyber-offensive weapon is the issue of retaliation. In the case of Syria, “[W]hether . . . an attack on Syria’s air power, its electric grid or its leadership would prompt Syrian, Iranian or Russian retaliation” against the United States.
As Peter W. Singer of the Brookings Institution noted in a recently published book he co-authored with Allan Friedman, “Cybersecurity and Cyberwar: What Everyone Needs to Know”:
Here in the U.S. we tend to view a cyberattack as a de-escalation–it’s less damaging than airstrikes. . . . But elsewhere in the world it may be viewed as opening up a new realm of warfare.
We may soon see progress toward answering some of the questions that linger around the use of cyber-offensive weapons. Turkish Weekly reports that NATO plans to decide at an upcoming summit “whether to designate and treat cyber-attacks against its member states as military attacks,” such that a cyberattack on one member state would be “considered an attack against them all” under Article V of the alliance’s governing treaty.
is completing her Juris Doctor and Masters of Public Administration degrees at the Maxwell School of Citizenship and Public Affairs and the College of Law of Syracuse University. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
- Iran’s Boosted Cyber Capabilities
- Hacking Team: The Italian Spyware Company’s Data Laundry Operations in the U.S.
- Webcast Today, Cybersecurity: Next Steps for Government and Industry
- Crimea Crisis: Operational Complexities in a (Non-) Present Cyberwar
- Mt. Gox Goes Under Fostering Further Bitcoin Debate