Cyber Round Up: Iran Cyber Attacks on Israel; Cybersecurity Companies Taking Advantage of Consumers; Retailers Cybersecurity Responsibilities; Scamming the Scammers; The New Yorker on Anonymous

  • Prime Minister Binyamin Netanyahu states Iran is behind cyber attacks against Israel, read the story by The Jerusalem Post here.
  • Are cybersecurity companies focused on protected consumer’s computers, or scaring them into buying more protection? Scientific American reports on the lack of oversight of cybersecurity companies and their tendency to exaggerate threats to increase profits.
  • USA TODAY reported Sunday on the Target and Home Depot breaches, focusing specifically on the lack of cybersecurity on the part of the companies.  The report describes how these companies are removing the blame by claiming the difficulties of protecting consumers from foreign predators in the cyber world.  Who should carry the burden of protection in a world where consumer businesses and cybersecurity issues are increasing merging?  Read the story here.
  • Looking for a way to scam the scammers that constantly send fake advertisements to your inbox?  While according to Network World, a program was created to do exactly that, the article warns that what might seem an “ethical gray area” is not so gray in the legal world.  According to the article, a person who takes this revenge approach could be prosecuted for breaking computer crime laws.
  • While the online collective known as Anonymous has grown exponentially since its inception, take a look at the full story of how the group formed and expanded, including summaries on some of their most infamous acts, in the new detailed narrative published by The New Yorker: The Masked Avengers.
Share:

Tags: , ,

NATO’s Cyber Declaration: More Bark than Bite?

Is NATO’s new definition of what constitutes an armed attack under Article V more bark than bite? That is the view of certain cybersecurity experts, according to a CNBC Report. The report highlights three main obstacles, discussed by those experts.  For more information on NATO’s declaration, read this recent post.

The first obstacle, according to the report, is the difficulty of attributing the origin of the cyberattack. While certain NATO members may have the capacity to determine the origin, the experts cited by the article counter that those member states may not be eager to reveal their intelligence and technological capabilities.

The second obstacle, according to the report, is that evidence is less concrete in the digital world than with physical warfare, where satellites can capture images. The report notes that the ambiguity that results from the less than clear evidence is likely to allow reluctant NATO members to argue that they are not persuaded.

Finally, the third obstacle discussed by the report, is the absence of an exact standard that would be used to determine when there is amble evidence of a cyberattack that would require retaliation.

According to the report, NATO will consider each cyber incident on a case-by-case basis, but that may not be enough to identify, attribute and respond to cyberstrikes in a timely manner.

Share:

Tags: , ,

Cyber Round Up: Army Possible Cyber Branch; NATO Recognizes Military Response to Cyber Attack; Pay Scale for Federal Cyber Pros; Removing Limits to Cyber Education; Grassley Comments at National Cyber Seminar; Home Depot Cyber Breach; Senator Feinstein’s Cyber Security Bill

The Army News Service released a report on Wednesday that the army activated a Cyber Protection Brigade, the first of its kind in the Army, and a discussion of a new cyber branch is in the works.
• Should the feds create a job category and salary scale for government cybersecurity workers — or is the profession too mercurial to assign pay grades? NextGov reports on the potential pros and cons of a pay scale for federal cyber professionals.
• Conventional warfare vs. cyberwar policy. Cyber offense police vs. cyber defense. Vertical-technical approaches to cyber studies vs. horizontal-strategic approaches. W. Hord Tipton, writing for Information Week Government, would urge us to remove the limits to one approach vs. another and instead look to broadening cyber education to produce a well-rounded cyber workforce. Read his commentary here.
Reuters reports that NATO leaders marked an expansion of the organization’s original interpretation of an attack when they agreed on Friday that a large-scale cyber attach on a member country could be considered an attack on the entire U.S.-led alliance.
Politicalnews.me has published the statement of U.S. Senator Chuck Grassley of Iowa at the National Cyber Security Alliance Seminar, here. In his statement, Senator Grassley discusses some of the areas of Cyber Security that the U.S. Senate have been focused on, including in particular the federal government’s partnerships with private business to protect critical infrastructure.
• Could the Home Depot credit card breach prove to be larger than the Target breach? Forbes reports on similar breaches in this comparison story, here.
• According to CBS Local, Senator Dianne Feinstein is urging Silicon Valley leaders to call their congressional representatives to express their support for her cyber-security bill which provides legal authority for companies to share cyber-related information with the government.  Read the story here.

Share:

Tags: , , ,

Cyber Provisions in NATO Wales Summit Declaration

The Wales Summit Declaration released on September 5, 2014, by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales contains these provisions directly related to cyber security:

  • [72.] As the Alliance looks to the future, cyber threats and attacks will continue to become more common, sophisticated, and potentially damaging. To face this evolving challenge, we have endorsed an Enhanced Cyber Defence Policy, contributing to the fulfillment of the Alliance’s core tasks. The policy reaffirms the principles of the indivisibility of Allied security and of prevention, detection, resilience, recovery, and defence. It recalls that the fundamental cyber defence responsibility of NATO is to defend its own networks, and that assistance to Allies should be addressed in accordance with the spirit of solidarity, emphasizing the responsibility of Allies to develop the relevant capabilities for the protection of national networks. Our policy also recognises that international law, including international humanitarian law and the UN Charter, applies in cyberspace. Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.  (emphasis added)
  • [73] We are committed to developing further our national cyber defence capabilities, and we will enhance the cyber security of national networks upon which NATO depends for its core tasks, in order to help make the Alliance resilient and fully protected. Close bilateral and multinational cooperation plays a key role in enhancing the cyber defence capabilities of the Alliance. We will continue to integrate cyber defence into NATO operations and operational and contingency planning, and enhance information sharing and situational awareness among Allies. Strong partnerships play a key role in addressing cyber threats and risks. We will therefore continue to engage actively on cyber issues with relevant partner nations on a case-by-case basis and with other international organisations, including the EU, as agreed, and will intensify our cooperation with industry through a NATO Industry Cyber Partnership. Technological innovations and expertise from the private sector are crucial to enable NATO and Allies to achieve the Enhanced Cyber Defence Policy’s objectives. We will improve the level of NATO’s cyber defence education, training, and exercise activities. We will develop the NATO cyber range capability, building, as a first step, on the Estonian cyber range capability, while taking into consideration the capabilities and requirements of the NATO CIS School and other NATO training and education bodies.

The statement that “[a] decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis,” implies that a cyber attack could be a “use of force” or an “armed attack” as those key legal terms are used in the United Nations Charter.  While the terms “armed attack”, “use of force” and “cyber attack” remain undefined — and, crucially, when a cyber attack constitutes an armed attack or a use of force remains unclear  — the language suggests that cyber attacks which “threaten national and Euro-Atlantic prosperity, security, and stability” and cyber attacks whose “impact is as harmful to societies as conventional attack” would qualify as armed attacks or uses of force under international law.  Note that those definitions would leave open the possibility of cyber attacks which do not result in death or serious bodily injury nevertheless qualifying as uses of force or armed attacks, a point this author has argued for years.  I believe that actions in cyberspace might threaten national security to an extent that a military response is justified or even necessary, even if neither the cyber attack nor it reasonably immediate consequential damages result in death or serious bodily injury.

Share:

Tags: , , , , ,

Coverage of Internet Governance Forum

My colleague and co-instructor of Cyber Security Law and Policy, Professor Milton Mueller is, as he always does, attending the Internet Governance Forum (IGF), this time in Istanbul, Turkey.  This is the Ninth Annual Meeting, and the theme is “Connecting Continents for Enhanced Multistakeholder Internet Governance.”  Milt will be a speaker — along with Vint Cerf — at a Main/Focus session on Thursday, September 4, 2014, entitled, “Evolution of Internet Governance Ecosystem and Role of the IGF.” (While that is, in fact, a very big deal, if you are familiar with multistakholderism you will understand that there are two moderators and 21 speakers at that session alone, and 703 scheduled speakers overall.)  The official Twitter account for the IGF is @intgovforum and the hashtag for this meeting is #IGF2014.  Professor Mueller’s own tweets can be found at https://twitter.com/miltonmueller , and his coverage is underway.

In addition, you can read Mueller’s blog for the Internet Governance Project at Syracuse University at http://www.internetgovernance.org/ . His most recent article, dated August 29, 2014, relates to this IGF meeting and is entitled, “The Not-Mundial Initiative: Governance and Ungovernance in Istanbul.”

Milton Mueller is a true expert with vast experience, and our students will benefit greatly from his teaching.

Share:

Tags: , , , , , , ,

The Very Wicked Problem of Search and Seizure in Cyberspace

The Facts

In April, the Advisory Committee on Criminal Rules proposed amendments to the Federal Rules of Criminal Procedure that would give authorities “more leeway to secretly hack into the suspected criminal’s computer,” so The Hacker News in a recent report.

According to the draft minutes of the Criminal Rules Meeting, the subcommittee on Rule 41 (Search and Seizure) envisioned the following amendment:

A magistrate judge with authority in any district where activities related to crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information within or outside that district. (p. 515)

 

Effectively, so the document, the change is intended to cover remotely accessed searches and seizures primarily a) to find out about the location of a computer when it is not known, and b) to search multiple computers in known locations outside the district of the issuing judge.

The Hacker News assessed the proposed amendment and translated it into plain English: With the new Rule 41, statutory law would allow authorities to “easily obtain warrants,” in order to secretly access suspects’ and witnesses’ computers

  • by employing zero-day exploits on software vulnerabilities (thus hacking into suspects’ computers)
  • whenever their location is unknown and presumably outside the jurisdiction of the issuing judge (thus in any of the other 93 judicial districts)
  • in large quantities whenever evidence or technical details related to suspected operators of botnets are targeted (hence, a single warrant could authorize the search of thousands of computers)

 

The Problem

Both The Hacker News and the Advisory Sub-Committee on the Criminal Rules provide a what occurs to me as an easily accessible set of reasons and justifications for the invasive proposal. It is based on the nature of cyber crime and a) how anonymizing technologies prevent the identification of the originating computer, and b) how containing and dismantling botnets require measures in many different jurisdictions.

My take on what makes the proposed amendment a messy policy problem, which will not be solved to the satisfaction of either stakeholder (government/law enforcement or civil society/privacy), builds on several layers where interests conflict with the pros of the envisioned change to the Federal Rules of Criminal Procedure:

1. The Ethical Layer: Governmental Use of Spyware
When governments employ spyware to utilize zero-day exploits and software vulnerabilities, ramifications range from the national to the global level, including:

  • A Potentially lower level of checks and balances:
    Conventional surveillance measures often have additional checks and balances on the organizational level, for example when telecommunication service providers facilitate wire-taps only after having received rightfully issued warrants. Contrarily, for the use of spyware, government agencies do not have to satisfy such external procedural requirements. Additionally, spyware suites usually equip their operators with remote access measures that may be more invasive than and exceed those that are covered by the respective warrant. In 2011, the German Bundestrojaner and its Staatstrojaners, spyware employed by German federal and state law enforcement agencies, carved out this difficulty of the government catching up with technology.
  • Negative impact on overall Internet security:
    Making zero-day exploits of vulnerabilities in commonly used software an integral part of law enforcement is likely to have negative impacts on the overall level of security in the Internet. The Heartbleed Bug and how it had reportedly been exploited over the course of a longer time by the National Security Agency serves as an example of choice, as it shows how governments can have knowledge about pervasive security flaws without sharing it. While they keep zero-day exploits secret in order to keep using them, these security gaps remain open and can be exploited by anyone who comes across them (our post about the zero-day exploit market and how suppliers cater to governments may be worth a look in this context as well).

2. The Factual Layer: Potential Extraterritoriality
Despite the intention of covering (only) all 94 judicial districts of the United States (US), the purpose of the amendment to Rule 41 is to search and seize data electronically stored on systems, whose location is not known. Accordingly, the very nature of cyberspace implicates potential search and seizure operations targeting devices that are not within the US at all. In that case, given that no prior consent has been obtained from the authority that has jurisdiction over the targeted system, a nation-state’s sovereignty may have been violated.

3. The Constitutional/Legal Layer: Particularity and Proportionality
The authorization of a search and seize of computers without knowing where they are located or how many will be subject to a (single) warrant also calls for considerations of particularity and proportionality. The draft minutes reflect the committee’s argumentation, due to which “any constitutional restriction should be addressed by each magistrate with each warrant request.” (p. 515)

 

Concluding Remarks

This post only introduces what occurred to me as the most striking points in favor and against the proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure. Instead of recounting further arguments, my intention is to illustrate how The Onion Router (TOR) and other anonymization technologies or botnet facilitated denial of service attacks are challenging procedural law and call for innovative legislation.

With decision of May 5, the Advisory Committee recommended to publish the proposed amendment to Rule 41 for public comment (p. 486), before it will be passed on to Congress for respective enactment.

Share:

Tags: , , , , , ,

Hayden Versus Greenwald: High-Profile Debate On State Surveillance Coming Up

Here’s a heads-up to those who are interested in watching the straight-forward debate on what the Toronto Star labeled in today’s print edition “Big Brother – bad or good?”

Scheduled for 7:00 p.m. EDT, Munk Debates, a Canadian charitable initiative, will set the stage for 

  • former director of the NSA, CIA, and Principal Deputy Director of National Intelligence Gen. Michael Hayden (ret.), and
  • Felix Frankfurter Professor of Law at Harvard Law School Alan Dershowitz,

who will represent the pro-side of the debate, facing

  • investigative journalist, columnist, and Snowden revelations chronicler Glenn Greenwald, and
  • serial Internet entrepreneur and co-founder of the social news website reddit Alexis Ohanian,

who will argue against the pervasive state surveillance that became public with the global surveillance disclosures triggered by Edward Snowden a year ago.

The format of the debate includes an online as well as audience vote. Short opening statements are followed by a civil and substantive moderated panel discussion, concluded by short closing statements. The event takes place in Toronto in front of an audience of 3,000 people. It lasts approximately an hour and a half. The final vote is tallied and the winning side announced before 9:00 PM.

The debate will be live streamed to this link.

 

Share:

Tags: ,

Is the Fourth Amendment “Fighting for its Life”?

A couple of weekends ago I attended Western State University Law Review’s National Security Symposium, featuring keynote speaker, Dean Erwin Chemerinsky.  The dean’s speech focused on the Supreme Court’s “failure” to uphold the Constitution and served as an introduction to the afternoon panel on the constitutionality of the National Security Agency’s (NSA) surveillance programs.  The latter panel featured Attorney Todd Gallinger, Professor John Radsan, Professor Ryan Williams, and this blog’s administrator, Professor William C. Snyder.

In his presentation, Dean Chemerinsky asserted that the “reasonable expectation of privacy” test—established by Katz v. United States (389 U.S. 247 (1967)) to determine the applicability of the Fourth Amendment and, if applicability is determined, the reasonableness of warrantless searches and seizures under the Fourth Amendment—“doesn’t work” to protect against the threats of the twenty-first century.  I live tweeted during Dean Chemerinsky’s speech (@Tara_Pistorese, #WSULRSymp2014), but was intrigued by the Fourth Amendment assertions by the dean and thought it prudent to devote a blog post to this topic.

To begin, here is the language of the Fourth Amendment for your reference:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

As contributors to this blog and cyber scholars across the nation have argued, “the Supreme Court has repeatedly and consistently held that production of records about you in the hands of third parties[,]” such as metadata housed by your phone company, “does not implicate your constitutional rights.  You have no 4th Amendment protections regarding those records, [unless you meet the Katz test.]”  This argument finds additional support in Supreme Court cases such as Smith v. Maryland (44 U.S. 735 (1979)) and United States v. Miller (425 U.S. 435 (1976)), where the Court held that no reasonable expectation of privacy exists over phone company or bank records.  In other words, searches of such records do not meet the Katz test for implicating the Constitution at all.

Dean Chemerinsky’s argument, however, was more concerned with what he considers to be an outdated test that must be amended than with the constitutionality of searches that have thus far been conducted under the standard as presently articulated.  Specifically, the dean said, “What the Supreme Court needs to do, but has not yet done, is develop a theory of informational privacy.”

In Katz, which eventually established the “reasonable expectation of privacy” standard, the majority discussed the Fourth Amendment and the proper scope of its protections as follows:

[T]he Fourth Amendment cannot be translated into a general constitutional, ‘right to privacy.’  The Amendment protects individual privacy against certain kinds of government intrusion, but its protections go further, and often have nothing to do with privacy at all.  Other provisions of the Constitution protect personal privacy from other forms of governmental invasion.  But the protection of a person’s general right to privacy—his right to be let alone by other people—is like the protection of his property and of his very life, left largely to the law of the individual states. . . .

[T]he Fourth Amendment protects people, not places.  What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected (citations omitted).

Later, Justice Harlan’s concurring opinion explicated the words of the majority by saying (again, internal citations have been omitted):

I join the opinion of the Court, which I read to hold only (a) that an enclosed telephone both is an area where, like a home, a person has a constitutionally protected reasonable expectation of privacy; (b) that electronic as well as physical intrusion in to a place that is in this sense private may constitute a violation of the Fourth Amendment; and (c) that the invasion of a constitutionally protected area by federal authorities is, as the Court has long held, presumptively unreasonable in the absence of a search warrant. . . .

The critical fact in this case is that ‘(o)ne who occupies [] [a telephone booth,] shuts the door behind him, and pays the toll that permits him to place a call is surely entitled to assume’ that his conversation is not being intercepted.  The point is not that the booth is ‘accessible to the public’ at other times, but that it is a temporarily private place whose momentary occupants’ expectations of freedom from intrusion are recognized as reasonable (emphasis added).

Using Katz as a foundation, in my mind, Dean Chemerinsky’s proposal to change the standard upon which we consider searches and seizures with a technological component would require either: (1) broadening the current standard, or (2) employing a separate standard only for instances concerning “informational privacy.”  In either case, my question, generally, is: are we prepared to sacrifice elements of security in the name of this expanded right to privacy?

During the NSA panel at the same Western State University Symposium two weekends ago, Professor Ryan Williams discussed this trade-off between privacy and security and the implications of sacrificing one over the other.  Interestingly, Professor Williams posited that the word “sacrifice” itself implies an element of “knowledge”—in other words, you cannot sacrifice that which you do not know you are surrendering.  Think about this in the context of the NSA metadata collection program.  According to Professor Williams, it cannot be considered a “sacrifice” to permit the government to collect metadata from our phone calls in the name of increased security if we are not made aware that the government is doing so.

I cannot say I entirely agree with Professor Williams on this point for I think there may be instances where sacrifice could be simply the willingness not to know.  (My mind goes to the families of servicemen and women who are on classified assignment.  Would anyone argue that a mother or father’s willingness not to know the specifics of their son or daughter’s mission is not a sacrifice?)  Could it not be just as compellingly asserted that, if I choose security over privacy, I am making a sacrifice by accepting that there are actions the government may take in the name of security of which I choose not know?  To me, the willingness not to know of certain government programs is just as much a sacrifice as an explicit authorization of those activities.

However, even accepting that “knowledge” is somehow inherent in the concept of sacrifice, I would argue that the “reasonable expectation of privacy” test, against which Dean Chemerinsky advocates, at least contemplates “knowledge” by identifying instances where I am not entitled to it.

In other words, by identifying that there are circumstances under which our expectation of privacy would be “unreasonable,” the Court has effectively determined that we are not entitled to knowledge of government intrusion in those cases.  Thus, the Supreme Court has apparently drawn a line between security and privacy for us.

For example, when the NSA collects metadata from my phone calls, I am still sacrificing some of my privacy in the name of increased security even if I do not have true knowledge that it is occurring.  This is because, under the Katz standard, any expectation of privacy I have over that data would be unreasonable.  Am I entitled to “knowledge” if I don’t have a reasonable expectation to privacy?  When we think about it in this context, perhaps the Katz standard can be effectively applied in the technological or cyber realm.

Share:

Tags: ,

Cyber Proliferation and Export Controls – New Report Outlines The State of Play

Covering our previous posts on cyber proliferation and export controls (Wassenaar Agreement, Hacking Team, Exploit Sales, i.a.), this research paper provides a comprehensive political and technological analysis of current regimes in place in the United States, Great Britain, and in Germany, which relate to the export of surveillance technology. The report has been published in March as a joint research project of the New America Foundation, the Open Technology Institute, Privacy International, and Digitale Gesellschaft.

Bildschirmfoto 2014-04-19 um 15.46.24

The authors conducted their research guided by the insight that government regulation may have negative impacts on technological innovation and trade, pointing out concerns and ensuring “targeted and careful policy analysis to avoid negative consequences. As a key finding, the authors conclude that

existing export control regulations have become out-dated and have not kept up with new technology.

 

Share:

Tags: , , , ,

The FBI’s Role in Cybersecurity

Today, Richard P. Quinn, National Security Special Agent in Charge for the FBI’s Philadelphia Field Office, gave a statement before the House Homeland Security Committee, Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies.  In the statement, Quinn outlined the FBI’s role in cybersecurity.  Here are the takeaways:

  • The Cyber Threat and the FBI Response.  Recognizing the broad range of entities that present a cyber threat–state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists–the FBI is: (1) “prioritizing high-level intrusions”; (2) working in cooperation with federal, state, and local Cyber Task Forces and through the National Cyber Investigative Joint Task Force (NCIJTF); (3) partnering with the private sector; and, (4) coordinating overseas cyber investigations and supporting key partners, such as The Hague.
  • Recent Successes.  To name a few:
    • By “targeting infrastructure [the FBI] believe[s] has been used in distributed denial of service (DDoS) attacks[,]” the FBI has enabled “foreign partners to take action” and reduced the “effectiveness of the botnets and the DDos attacks[]”;
    • Operation Clean Slate–an FBI Cyber Division initiative to disrupt and dismantle botnets threatening US security–“to date . . . has resulted in several successes[,]” including the disruption of Citadel Botnet and ZeroAccess Botnet;
    • Aleksandry Andreevich Panin pled guilty in January of this year to conspiracy to commit wire and bank fraud, charges arising from his role in developing Spyeye, which is “malicious software” that “infected more than 1.4 million computers.”
  • Next Generation Cyber Initiative.  Briefly, “[t]he FBI’s Next Generation Cyber Initiative, which [it] launched in 2012, entails a wide range of measures, including focusing the Cyber Division on intrusions into computers and networks–as opposed to crimes committed with a computer as a modality; establishing Cyber Task Forces in each of [the FBI's] 56 field offices to conduct cyber intrusion investigations and respond to significant cyber incidents; hiring additional computer scientists to assist with technical investigations in the field; and expanding partnerships and collaboration at the NCITJF.”
  • Private Sector Outreach.  “The FBI’s newly established Key Partnership Engagement Unit (KPEU) manages a targeted outreach program focused on building relationships with senior executives of key private sector corporations.  Through utilizing a tiered approach, the FBI is able to prioritize our efforts to better correlate potential national security threat levels with specific critical infrastructure sectors.”

 

You can read the full statement here.

Share:

Tags: , ,

Next Page »

Authors

Untitled Document
Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington. Full biography

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Categories