“The US Justice Department is shifting the focus of its national security prosecution team to deal with cyber instead of spies,” writes Lawfare. “U.S. national security prosecutors shift focus from spies to cyber,” proclaims Reuters. “DOJ heightens focus on state-backed cyber crime” is The Hill’s headline. All are reacting to a press release from the U.S. Department of Justice dated Tuesday, October 21, 2014.
The release states that my former colleague and friend Luke Dombosky has been named Deputy Assistant Attorney General of Justice’s National Security Division (NSD) to “manage NSD’s newly created portfolio covering protection of national assets, including efforts to combat economic espionage, proliferation, and cyber-based national security threats;” the “Anti-Terrorism and Advisory Council (ATAC) Coordinator program will be re-designated as the National Security Coordinator/ATAC program, to better reflect its ongoing work on the full range of national security threats, including combating economic espionage and counterproliferation;” and other “strategic changes within the … (NSD) designed to put additional focus on the protection of national assets from the threat of state-sponsored economic espionage and proliferation, including through cyberspace.”
[Full disclosure: this author was a federal prosecutor assigned to an ATAC and a JTTF. The ATACs are groups of federal, state and local law enforcement agencies headed by the local U.S. Attorneys around the country. They were created by Attorney General Ashcroft shortly after 9/11/01 in order to address issues of terrorism.]
From Reuters: “The revamp… also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States.” This reflects my long advocacy of combining computer engineers with lawyers and policy makers, something I try to do in interdisciplinary classes every day.
John P. Carlin, the Assistant Attorney General for National Security who announced these changes, used a cyber term to explain them: “We need to develop the capability and bandwidth to deal with what we can see as an evolving threat,” reports Reuters. The same article also quotes a former Justice prosecutor stating: “This is not just a reshuffling of the deck.”
“This is such a new field and frontier that there aren’t sanctions, there aren’t penalties in place for doing this,” he said. “I think that’s the piece that’s missing.”
McCaul has seen private companies fill the vacuum, waging their own cyber offensive against these state cyber thieves.
“I would obviously prefer that that be done through our capabilities at the federal level,” he said. “I think we have capabilities that the private sector doesn’t always have to help with attribution.”
Here is the entire news release from the Department of Justice:
October is Cyber Awareness Month, which means that cyber news is in abundance. However, the cyber issue that continues to gain the most attention is the evolving debate over the nature of the relationship between the federal government and private industry when it comes to cybersecurity. Should the government be more involved in how private companies handle cybersecurity? Or should they back away, and allow private companies to make their own decisions when it comes to cybersecurity? This is the question lurking behind the scenes of many cyber reports hitting the newsstands today.
Take the recent story on the possibility of biometrics replacing passwords as a primary security measure. The story hit the news after White House cybersecurity coordinator, Michael Daniel, made the statement that biometric scanning devices will become the norm for identity confirmation online. The story was covered by the WashingtonTimes, USAToday, SC Magazine, and Yahoo News. So what do these recent reports have to do with the current tensions between government and private industry? The answer lies behind Mr. Daniel’s reasons for making the announcement in the first place. SC Magazine reported Mr. Daniel stating that passwords are a “terrible” security mechanism, and that organizations should improve on their use of encryption. This is a perfect example of what appears to be the current administration’s trend for handling the cybersecurity tension with private companies: leave the private industry alone, but make suggestions. Is this the best way to balance the interests of these two sectors of society? Or should the government be more involved in regulating the industry’s cybersecurity measures?
According to a Bloomberg report, some feel that the number one thing the government can do is get out of the way. The report quotes Ajay Banga, the Chief Executive Officer of MasterCard, who is pushing for the government to eliminate legal barriers to sharing information and move away from a posture that blames companies for cyber attacks. On the other hand, according to a WashingtonTimes report, there are concerns inside the White House that almost all private companies when left to their own devices have a habit of not paying enough attention to cybersecurity threats. Nevertheless, the report also notes that as of yet, the Obama administration has been reluctant to push legislation that would require private companies to take any specific cybersecurity measures. In fact, according to a USAToday report, the Obama administration has given up trying to pass one big cybersecurity bill, and is opting to break up the legislation into bite-size chunks that lawmakers are more likely to approve.
There are also pragmatic reasons for looking outside legislation for potential solutions. The WashingtonTimes report goes on to quote Mr. Daniel: “the speed of regulation does not move at the speed of technology” and thus the government has to be “mindful” that any regulations will probably be outdated by the time they are issued. In the meantime, the administration has launched a “Cybersecurity Framework,” which the report describes as the “result of a yearlong private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity.” This “Framework” fits the trend of “suggesting” rather than “requiring” cybersecurity measures to the private industry.
The United States is not alone when it comes to dealing with the cybersecurity tensions between the government and private industry. SC Magazine recently reported on the “mutual suspicion” between police and the private sector in the UK when it comes to issues of cybersecurity. For the full report, click here.
President Barack Obama believes cyber terrorism is one of the biggest threats to national security and says the White House is bracing for a possible doomsday scenario if hackers can successfully penetrate government and business computer systems, the FOX Business Network reported. Will the current balance of control between the government and private industry over cybersecurity provide Americans with adequate protection from a cyber attack? Only time will tell.
Cyber Round Up: President Obama Puts Focus Back on Cybersecurity; Cyber Sabotage by Digital Cat Burglars; Israel Aims to Become a Cybersecurity Superpower; South Korea Switches to Offensive Cyber Capabilities; Problems with Russia’s New Internet Policy; China Claims US Fabricating Cyber Accusations; Ninth Circuit Considers Overturning National Security Letters Ruling
- According to FoxBusinessNews, when President Obama spoke at fundraising events in New York City and Connecticut last week, he tried to turn America’s focus away from Ebola and back towards what he described as one of the biggest threats to National Security: cyber terrorism. FoxBusinessNews reported that after downplaying the Ebola scare, the president laid out a potential “doomsday” scenario if hackers can successfully gain entry into government systems or breach security walls at major banks. Read the full article here.
- International digital cat burglars? According to an article in Fortune, an American biomedical company was hacked, and the schematics of their fully-tested product stolen by a Chinese competitor and rushed to market in a mere 18 months, beating the original innovators to market. The Fortune article describes this cyber sabotage as “[j]ust the tip of a mammoth iceberg of cyber warfare over the last decade that has left companies and organizations that are standing on the sidelines shellacked.” While the article distinguishes between independent hackers, hackers financially backed by states, and purely state-employed hackers, the article discusses how all three groups are involved in some form of cyber sabotage in the form of international trade theft, and suggests that the NSA’s cyber reputation may be to blame for prompting Russia and China to follow suit.
- The Washington Post reports that Israel, the world’s second largest exporter of cyber products and services, aims to become a cybersecurity superpower, and to do that, the Israeli military is launching an ambitious program to groom the next generation of cyberwarriors while they are still in high school. The article goes on to discuss the various other initiatives by Prime Minister Benjamin Netanyahu, who claims in the article that the cyber-fight reached a peak during the 50-day Gaza war this summer.
- South Korea is developing offensive cyber capabilities to counter the growing number of cyber attacks it faces from North Korea, according to a report by The Diplomat. According to The Korean Herald, this marks a move from their prior defensive focus.
- The US State Department’s first coordinator for cyber issues, Christopher Painter, discussed his issues with Russia’s new internet policy in a recent article by DW.com. According to the article, Russia recently announced new rules to restrict so-called extremist content online and require social networks to store their data in Russia. The article takes a close look at how the United States is trying to repair lost trust with other countries that resulted from the NSA surveillance scandal.
- According to WorldBulletin, China is pointing the finger back at the United States, claiming they have cried wolf in their recent cyber security accusations. At a news brief last Thursday, Chinese Foreign Ministry Spokesperson Hong Lei urged the U.S. to stop “fabricating stories” and “mudslinging” when it comes to cyber security accusations, reports WorldBulletin. GlobalResearch also posted an article announcing this message.
- The Wall Street Journal reports the Federal Bureau of Investigation would lose a powerful tool against terrorism if a federal ruling against the agency’s use of secret requests for information about individuals’ phone usage and electronic transactions isn’t overturned, a U.S. lawyer warned an appeals court hearing the matter. According to the report, the letters allow the FBI to obtain records from telephone, banking and Internet companies without court approval as long as the bureau certifies that the records would be relevant to a counterterrorism investigation.
When sound was added to film between World War I and World War II, newsreels playing in movie theaters vividly portrayed the sights and sounds of American foreign battlefields, combat-footage, and invasions. We’ve become accustomed to relying on these images and videos in our television and print news media, to stay informed on war-related current affairs. However, today we are faced with a different kind of war. A war that takes place behind-the-scenes. A war that can’t be seen. That’s because today the United States is at war in cyberspace.
The San Antonio Business Journal reports that thousands of attacks are being launched every day against US businesses by nation-states like China, Russia and Iran. According to the article, if these attacks are successful, they have the potential of creating chaos in our economy.
While the article notes that the United States has caught or deflected most of these attacks before they could cause any harm, when individual companies are attacked, will they be able to protect against organized attacks by nation-states? Not according to the article.
So what should we do? The article quoted solutions suggested by US Representative Mike Rogers, the chairman of the House Intelligence Committee, who is pushing for more sharing of information between government and private industry. As for Congressional plans, the article mentioned that the House has passed bi-partisan legislation that, according to Representative Rogers, would establish rules for private industry and governments to share information on cyber threats.
There seems to be one message that is popping up again and again concerning the hidden war in cyberspace: the need for a stronger relationship between government and private industry. To read more, here is the full article.
Cyber Round Up: Researchers Aimed at Plugging Cybersecurity Holes in UK’s Power Stations; France’s New Cybersecurity Law; China’s Cyberwar on Hong Kong Protestors; Rising Cyber Threats in Software Used in Nuclear Power Plants; Japan Launches Cybersecurity Talks
- ZDNET reports that a team of experts will be looking at how to plug security holes in the vital systems that run the UK’s power stations, rail networks and manufacturing plants. According to the report, the researchers aim to improve operational decision making and lay the groundwork for a new, cyber-threat-resilient control architecture for the grid.
- Bloomberg reports on France’s new cybersecurity law, which will require that the 200 entities most vital to the country’s economy boost security using home-grown technology and experts, or risk being fined. Read more about the new law and other initiatives by France to promote cybersecurity in the Bloomberg article here.
- According to VoiceofAmerica News, China has turned to cyber attacks on Hong Kong protestors. According to the report, days after demonstrators in Hong Kong began filling the streets, a Chinese-authored spyware bug specifically designed and targeted to infect protestors’ iPhones and iPads was discovered by a mobile digital security firm. Read the full story here. Additionally, VoiceofAmerica News reported China as the leader in cyber warfare against American industry; read the full report here.
- Indicators depict that the use of Software Intensive Systems in nuclear power plants is rapidly increasing, and with that, potential threats to centrifuges, personal data and controls, according to a report by PowerEngineering. The article discusses emerging issues with software growth and cyber attacks in the nuclear industry, and offers possible solutions.
- GlobalPost reports that in preparation for the 2020 Tokyo Olympics, Japan plans to launch bilateral cybersecurity talks with France, Australia, Israel and Estonia. The article also notes that bolstering cooperation with the countries is also seen as a signal to China that Japan will expand cooperation with countries that “respect basic human rights and the rule of law in view of ensuring free distribution of information.”
Is network neutrality a public-safety issue? The answer is yes, according to Catherine Sandoval, a commissioner with the California Public Utilities Commission, who spoke out at a recent network neutrality public forum in Sacramento, California. The forum was hosted by Representative Doris Matsui, and featured FCC commissioners Jessica Rosenworcel and Mignon Clyburn. Multichannel News, Fox40 News, and The National Journal all reported recaps of the event. At the forum, Rosenworcel stated that the public safety aspect of network neutrality was not talked about enough in Washington, reports Multichannel News.
The recent network neutrality debate has spurred widespread discussion since January 2014, when the U.S. Court of Appeals for the District of Columbia stripped the FCC of its power to enforce network neutrality protections under the regulatory framework it was using (holding that the classification of broadband carriers as “information services” as defined in the 1996 Telecommunications Act contradicted a previous FCC decision that put broadband companies beyond its regulatory reach). Read the full case here. Read a Washington Post report on the case here.
If the FCC reclassifies Internet carriage as a “telecommunications service,” online communications would automatically be subject to common carrier protections. Instead, the FCC has proposed a rule allowing companies to pay for access to a fast lane to deliver content to their customers. So how does this proposed rule affect public safety?
According to Catherine Sandoval, allowing paid prioritization of Internet traffic could hurt critical systems such as 911 call centers and water pumps, reports The National Journal. Not only that, according to the Multichannel report, Ms. Sandoval went on to warn that other critical systems could be negatively impacted, citing nuclear power plants and critical care smart beds for stroke patients.
How does net neutrality affect these systems, which have broad public safety implications? According to the Fox40 News Report, Ms. Sandoval explained at the forum that the free and open use of the internet has allowed utilities to develop programs and apps to monitor and control energy use, and that “subjecting internet access to negotiations and slowdowns to minimum speeds can make pumps fail to open so they don’t provide water for cooling a power plant or water to fight a fire.” The Multichannel report then goes on to explain that the minimum broadband speeds available for the non-paying ISP clients would not provide the quality of broadband service required by these critical systems. However, the National Journal reports that many skeptics of net-neutrality rules point to public safety as a reason that Internet providers should be given flexibility to prioritize some services.
For a fuller recap of the net neutrality public forum, here are links to the articles by Multichannel News, Fox40 News, and the National Journal. Click here to access a Washington Post article discussing the broader implications of the proposed FCC rule, including whether this type of internet regulation should be controlled by the FTC or the FCC.
Is the exposure of the Islamic State of Iraq and Greater Syria (ISIS) throughout various social media websites a sign that ISIS is technologically capable of launching a major cyberattack against the United States? According to a recent article by Time Magazine Online, the answer is no.
While the article acknowledges ISIS’s recruitment campaign over social media networks like Facebook, Twitter and YouTube, the report states that ISIS’s use of modern technology to recruit does not equate with an ability to launch a major cyberattack. The article reports that the group has yet to acquire either the manpower or resources to launch a large-scale cyberattack. Specifically, ISIS lacks the type of technology and hardcore programmers needed to launch sophisticated attacks against the United States, according to the article. To demonstrate the deficiencies, the article compares and distinguishes the support and resources of ISIS with those of Chinese hackers with state-sponsored hacking operations.
The article does suggest that ISIS might be capable of launching a larger-scale cyberattack against the United States in the future; however, the article goes on to emphasize that a future attack would likely be more of an annoyance than a debilitating strike on the United States’ infrastructure. Click here for the full article.
Ninth Circuit Applies Exclusionary Rule to Violation of Posse Comitatus Act, Potential Effect on NSA Related Cyber Prosecutions
The Ninth Circuit, in United States v. Dreyer, a divided Court of Appeals case, recently concluded that suppression of evidence pursuant to the exclusionary rule was an appropriate remedy when the actions of a civilian agent of the Naval Criminal Investigative Service (NCIS) violated the Posse Comitatus Act by turning over to prosecutors criminal data revealed by a cyber-search. The case turned on two issues: was there a violation given the civilian status of the agent performing the search, and should the exclusionary rule apply to deter future violations?
The Court was unanimous on the first issue, finding the actions of the civilian agent to be in violation of DoD Posse Comitatus policy provisions, rather than the criminal Posse Comitatus statute (the text of the act only mentions the Army and Air Force). While exceptions exist, those exceptions were held inapplicable when, as here, a search was performed that was broad enough to include anyone in the state of Washington, whether connected with the military or not. However, in the world of cyber security, this type of application may present a dilemma. Can the scope of cyber searches be adequately compared to physical searches? The Court made that exact comparison when it rejected the Government’s argument that an exception did apply to the agent’s conduct:
“To accept that position would mean that NCIS agents could, for example, routinely stop suspected drunk drivers in downtown Seattle on the off-chance that a driver is a member of the military, and then turn over all information collected about civilians to the Seattle Police Department for prosecution.”
The Court was divided on the suppression issue. The question on suppression centered on whether the exclusionary rule was needed to deter future violations. In order to make that decision, the Court determined whether the violations were “widespread” and “repeated”. This determination is what split the Court. While the majority felt that the facts before them demonstrated that in this case alone there are apparent widespread and repeated violations, Judge O’Scannlain disagreed. Judge O’Scannlain dissented, failing to find a widespread problem where only four agents were found to have violated the act, three of whom were part of the same investigative team.
Since the NSA operates under a military director, the Posse Comitatus Act applies to the actions performed by the NSA. However, the applicability of using the Posse Comitatus Act to regulate the actions of the NSA is qualified on how the NSA’s information is used. Using the same analysis performed by the Dreyer Court, the issue becomes whether the searches performed by the NSA fit within an exception to the Posse Comitatus statute and policy provisions. The exception would take effect depending on whether or not the NSA is performing overly broad searches that target civilians not connected with the military. However, even if the searches are overly broad, a violation of the Posse Comitatus policy provisions or statute exists only if the data is then transferred to state or federal prosecutors for use in executing domestic civilian law.
In addition, it is extraordinary for a suppression remedy to be applied for a statutory violation when the statute does not provide for a suppression remedy (like the wiretap act does). Without Congress providing for suppression in the statute, suppression is a Court-made remedy for Constitutional violations. Generally, statutory violations do not lead to suppression — an example being the “Knock and Announce” statute (18 U.S.C. §3109) for the execution of federal search warrants. The possibility of Constitutional suppression for a violation of a statute comes from the standard of “reasonableness” enshrined in the Fourth Amendment. “How can a search that violates a statute be reasonable?”, some argue. Others argue that Congress should not be able to affect what is Constitutional with just a statute, because by definition a statute is subservient to the Constitution. The Eighth Circuit raised but largely avoided the issue of suppression for a violation of the Posse Comitatus Act during the lengthy litigation over the events at Wounded Knee in the early 1970’s (Bissonette v. Haig). This, too, could have implications for the use of criminal law to affect conduct in cyberspace, given the massive role of the U.S. military in cyber security.
Here is a summary on the United States v. Dreyer decision by the JustSecurity Blog.
Cyber Round Up: Iran Cyber Attacks on Israel; Cybersecurity Companies Taking Advantage of Consumers; Retailers Cybersecurity Responsibilities; Scamming the Scammers; The New Yorker on Anonymous
- Prime Minister Binyamin Netanyahu states Iran is behind cyber attacks against Israel, read the story by The Jerusalem Post here.
- Are cybersecurity companies focused on protecting consumers’ computers, or scaring them into buying more protection? Scientific American reports on the lack of oversight of cybersecurity companies and their tendency to exaggerate threats to increase profits.
- USA TODAY reported Sunday on the Target and Home Depot breaches, focusing specifically on the lack of cybersecurity on the part of the companies. The report describes how these companies are removing the blame by claiming the difficulties of protecting consumers from foreign predators in the cyber world. Who should carry the burden of protection in a world where consumer businesses and cybersecurity issues are increasingly merging? Read the story here.
- Looking for a way to scam the scammers that constantly send fake advertisements to your inbox? While according to Network World, a program was created to do exactly that, the article warns that what might seem an “ethical gray area” is not so gray in the legal world. According to the article, a person who takes this revenge approach could be prosecuted for breaking computer crime laws.
- While the online collective known as Anonymous has grown exponentially since its inception, take a look at the full story of how the group formed and expanded, including summaries on some of their most infamous acts, in the new detailed narrative published by The New Yorker: The Masked Avengers.
Jennifer A. Camillo is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
Professor William Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.