Just Security: Hayden, NSA, and the Road to 9/11

Dec 11th, 2017 NSA

No comments

Former Director of the NSA and CIA General Michael Hayden recently released his memoir,  Playing to the Edge: American Intelligence in the Age of Terror The piece below was written in response to Hayden’s book and is an interesting read.

Hayden, NSA, and the Road to 9/11

Tags: , ,

Cyber Round Up: SEC Cyber Group’s First Stop; Sheltered Harbor, the “Best Kept Secret” in Cyber; Americans Want Businesses to be Responsible

  • A brand-new cybersecurity watchdog just shut down a $15 million cryptocurrency scam (Business Insider): The SEC’s recently created cyber unit saw some of its first major action, recent reports say. The group shut down a scam in which groups were requesting money for bitcoin and promising over 1,000% returns. The unit was created earlier this fall to provide “cyber-related expertise on misconduct involving distributed ledger technology and initial coin offerings, the spread of false information through electronic and social media, hacking and threats to trading platforms.” The official SEC statement can be read here.
  • The best kept secret in cybersecurity is protecting U.S. banks against catastrophic attacks (CSO Online): While headlines in the news always seem to be discussing the latest cyber hack, progress is being made, a recent article said. An initiative called Sheltered Harbor involved over 100 experts working together to enhance the security and stability of banks and and financial services. The program involves institutions submitting copies of consumer data which is then archived in case of an attack. The full details of the program are explained here.
  • For cybersecurity, it’s business – not government – that should take the lead to protect private information (Fox News):  Who should be responsible for protecting information? According to a recent poll from PWC, 72% of Americans polled believe businesses should bear that burden. That doesn’t mean the government is left with nothing to do, the article says. 82% think the government needs to regulate data protection rules, according to the article. So basically, we want businesses to do it, but we don’t trust them to. The full article can be read here.

Tags: , , ,

Cyber Round Up: Encrypted messaging within companies; UK warns against Russian software; Insider Threat at NSA

  • Uber’s use of encrypted messaging may set legal precedents (Reuters): The battle over encrypted messaging has a new added dynamic, a recent article says. Executives from Uber testified in court about their use of encrypted messaging app Wickr to discuss company business.  The article explains that there is nothing inherently illegal about telling employees to use apps of that nature, but companies do have a duty to preserve business records. A key element, according to the article, is whether the apps were used with the intent to hide information in anticipation of any litigation. The full article can be read here.
  • Don’t use antivirus firms linked to Russia, cyber security chief tells Whitehall (The Guardian): A few months ago, DHS made the decision to prohibit the use of Kaspersky software in U.S. government agencies. According to a recent article in The Guardian, Ciaran Martin, head of the U.K. National Cyber Security Centre, has reached a similar conclusion. Martin wrote a letter to civil servants, explaining that Russia  “uses cyber as a tool of statecraft” including “espionage, disruption and influence operations.” The letter also noted, though, that most of the operations were actually carried out by criminal gangs. The full article can be read here.

  • Ex-U.S. NSA employee pleads guilty to taking classified documents (Reuters):  A former NSA employee plead guilty last week to illegally taking classified documents from the agency, an article says. Nghia Hoang Pho is said to have worked in the NSA’s elite hacking unit. Pho took the documents home where they were obtained by Russian hackers through Kaspersky antivirus software, the article says, although that part of the narrative was not mentioned in court documents. The article notes a few other similar stories in recent years, highlighting the biggest threat in cyber today — the insider threat. The full article can be read here.

Tags:

Cyber Round Up: Microsoft Challenged the Wrong Law; Harvard Paper on AI Accountability; Three Steps to Improving Cybersecurity

  • Microsoft Challenged the Wrong Law. Now What? (Lawfare): Amidst all the excitement surrounding Carpenter this week, Orin Kerr also provided his thoughts on another important SCOTUS case, United States v. Microsoft Kerr said that Microsoft made a mistake bringing its claim under the Stored Communications Act (SCA) and that it really should have challenged its compliance with the search warrant under the All Writs Act (AWA). The post addresses both statutes and explains that the AWA gives the Court a lot of discretion to reach much better results than it can under the SCA. The full post can be read here.
  • Accountability of AI Under the Law: The Role of Explanation (Berkman Klein Center): Artificial Intelligence has raised many questions about how machine learning and autonomous systems will fit into existing legal and policy frameworks. Perhaps the biggest buzzword in that discussion is accountability. A new paper from the Berkman Klein Center addresses accountability issues through “explanation.” The abstract is included below or can be found here. The authors invite questions and comments on the paper.

Accountability of AI Under the Law_ The Role of Explanation _ Berkman Klein Center

  • Cybersecurity breaches: It’s time to break the silence and work together (GCN):  The author of a recent article cited to statistics showing the increased number of cyber attacks against the government. The author then offers his key three steps towards improving cyber security: 1) Shed the shame and speak up; 2) Better information sharing across agencies; and 3) Expand cybersecurity beyond cyber. The full article with the explanations for each of those key points can be read here.

 

Tags:

Cyber Round Up: NSA and Army Data Unprotected Online for Years; Is Blackberry Making a Rebound?; Cybercrime Reportedly Causes $450 Billion in Damages Per Year

  • Classified NSA, Army data was unprotected online for years, cybersecurity company says (CBS News): A cybersecurity company found top secret, classified files related to the Army Communications System unprotected online in late September. In a recent article, the data was apparently from the U.S. Army’s Intelligence and Security Command and was “sitting unprotected online for anyone to see.” While some data was only accessible when linked to Pentagon systems, 47 files and folders were viewable, and three were downloadable. You can read the whole article here.

  • Intensifying Cybersecurity Fears Could Fuel Blackberry Rebound (Forbes): As iPhones replaced Blackberrys, Blackberry lost its status in the smartphone market. But cybersecurity fears might be giving the company a new boost, according to Steven Dudash in a recent article. The company launched a cybersecurity consulting division in October after some strategic acquisitions to increase expertise levels. Read more about why Dudash thinks the company could be making a comeback here.

  • Cybersecurity: Fighting a Threat That Causes $450B of Damage Each Year (Visual Capitalist): Experts say cybercrime caused $450 billion of damage to the economy in 2016, according to a recent article. As more devices continue connecting to the internet, that number is going to rise. By 2021, it’s estimated yearly economic damage will increase to $1 trillion. In an effort to combat these damages, companies are increasing cybersecurity-related expenses. Find the full article and a corresponding infographic here.

 

 

Tags: , , , ,

Expansion of U.S. “Name and Shame” Indictment Policy?

In 2014, the United States made a bold move when the Department of Justice indicted five PLA members on charges of hacking and economic espionage. The indictments signaled a decision to face cyber espionage head on by calling out the nations who perpetrated the offenses.

Earlier this year, the DOJ decided to use that same tactic again by indicting four Russians accused of hacking, wire fraud, trade secret theft, and economic espionage. The charges relate to the massive data breach at Yahoo that led to 500 million user accounts being compromised. Two of the individuals charged were members of Russia’s Federal Security Service, the FSB. The other two were private individuals hired by the government.

Why did the DoJ decide to do this? Russia and China won’t ever extradite their own, so the indictments are likely both the first and last step of the prosecution of those individuals. The indictments are simply a tool used to “name and shame” international actors who are behaving unlawfully. Moreover, it appeals to domestic audiences who think the U.S. government should be doing more to combat these types of cyber acts from foreign nations. Finally, the indictments can serve as a deterrent.  In sum, the policy has some valid benefits and makes sense.

Just over a week ago, the U.S. Attorney’s Office in the Southern District of New York indicted an Iranian man for stealing episodes of HBO’s show Game of Thrones. The man stole unaired episodes, scripts, and plot summaries and demanded $6 million for their release. Notably, prosecutors said that the man had been connected to other illegal cyber activity on behalf of the Iranian government. Further explaining the benefits of this policy, U.S. Attorney’s Office stated that, “He will never be able to travel outside of Iran without fear of being arrested and brought here.”

To me, this seems to be an expansion of the policy. This wasn’t individuals acting on behalf of a foreign government and it wasn’t part of a more calculated effort to combat a specific nation’s economic espionage. The breach was damaging to HBO and the individual has a history. Regardless, at first glance, this seems to be a more casual use of the name and shame indictment method. The theft of popular TV shows  does not strike me as something that would typically inspire a DOJ investigation and a bold statement on an international level. Perhaps the people at DOJ simply decided this was an individual worth trying to slow down or stop. But it will be interesting to see if this trend continues and we start to see more of these indictments.

Tags:

Cato Policy Analysis: What to Do about the Emerging Threat of Censorship Creep on the Internet

The Cato Institute published a new piece in its Policy Analysis series that focuses on the threat of censorship creep on the internet. The article discusses Silicon Valley’s changing position on free speech over time, how European and U.S. law differ, and the importance of confronting violent and hateful ideology through discourse, among other things. The full post is included below or can be read here.

pa-828

Tags: , , ,

Carpenter v. U.S. Oral Arguments Tomorrow

Tomorrow, November 29, 2017, the Supreme Court will hear oral arguments in Carpenter v. United States. At the center of the case is how historical cell site location information will be treated under the Fourth Amendment, and subsequently, the third party doctrine.  Many of you will be familiar with the case, but for those that aren’t, a collection of sources are included in this post.

A Lawfare post written the day after cert was granted summarizes the facts of the case, what the Sixth Circuit said, and some of the implications of SCOTUS’s decision.

Brief for Petitioner

Brief for Petitioner

Brief for the United States

Brief for United States

Reply Brief for Petitioner

Reply Brief for Petitioner

 

SCOTUSblog has complied a timeline of the case with all the filings, which can be found here. That same page also includes coverage of other blogs and commentary throughout the case’s history.

Among those who filed Amicus Curiae briefs are:

  • Cato Institute
  • Center for Competitive Politics, Center for Media Justice, Color of Change, Americans for Prosperity Foundation, and Tea Party Patriots
  • Center for Democracy and Technology
  • Competitive Enterprise Institute, Cato Institute, Reason Foundation, and Committee for Justice
  • Data & Society Research Institute and Fifteen Scholars of Technology and Society
  • Electronic Frontier Foundation, Brennan Center for Justice, The Constitution Project, National Association of Criminal Defense Lawyers, and National Association of Federal Defenders
  • Electronic Privacy Information Center (EPIC) and Thirty-Six Technical Experts and Legal Scholars
  • Empirical Fourth Amendment Scholars
  • Institute for Justice, Carole Hinders, Randy and Karen Sowers, and DKT Liberty Project
  • Michael Varco
  • National District Attorneys Association
  • Professor Orin S. Kerr (He also wrote a follow up blog post with additional thoughts, which can be read here.)
  • The Reporters Committee for Freedom of the Press and 19 Media Organizations
  • Restore the Fourth, Inc.
  • Rutherford Institute
  • Scholars of Criminal Procedure and Privacy
  • Scholars of the History and Original Meaning of the Fourth Amendment
  • State of Alabama et al.
  • Technology Companies (In Support of Neither Party)
  • Technology Experts (represented by the Knight First Amendment Institute at Columbia University)
  • United States Justice Foundation, Gun Owners Foundation, Gun Owners of America, Inc., et al.

Tags: , ,

Cyber Round Up: Years of Warnings Came Before the SEC Hack; A Potential Cybersecurity Threat Solution; 2018 Cybersecurity Predictions

  • SEC hack was preceded by years of warnings about lax cybersecurity (The Hill): Following disclosing a hack in September, the Securities and Exchange Commission (SEC) stated cybersecurity was a top priority for the agency. In a recent article, however, The Hill discussed the variety of ways cybersecurity was not an evident top concern. Such indicators included warnings of insufficient defenses years before the 2016 attack. Read about other weakness and a lack of change within the agency here.
  • High-speed data encryption could be the solution to future cyber security threats (Firstpost): A leading concern with cybersecurity threats is developing solutions to impending threats. According to one article, scientists believe high-speed encryption may be that solution. Through high speed-encryption, quantum computers would create forms of data encryption that are essentially hack-proof. This system can create and distribute encryption codes five to 10 times faster than current techniques. Read more about the potential solution here.

  • 60 Cybersecurity Predictions for 2018 (Forbes): Cybersecurity is a prevalent aspect in our daily news and in the law, and with 2018 quickly approaching, that isn’t going to change. In this article, the contributing author, Gil Press, offers up 60 predictions for cybersecurity in the new year. Press unsurprisingly anticipates more data breaches and reminds us the EU General Data Protection Regulation goes into effect on May 25. He also, however, predicts new types of cyberattacks, new successful defenses, and the emergence of Artificial Intelligence as a double-edged sword. Find all 60 predictions here.

Tags: , , , , ,

Cyber Round Up: Experts react to Uber; Pentagon move doesn’t help cybersecurity; New generation being trained at Berkeley

  • ‘Mind-blowing error of judgement’: Cybersecurity experts and lawyers react to Uber data hack (GearBrain): You’ve probably heard all about Uber’s data breach and subsequent attempt to cover it up. A recent article highlights some experts’ reactions, including some who called it “inexcusable.” Comments in the article emphasize that the cover up will lead to more long term distrust than if they company simply acknowledged the breach right away. Additionally, the experts quoted wonder whether all the stolen data was actually deleted. Others note the timing of the disclosure months before Europe’s GDPR laws would have led to massive fines had they disclosed the breach after that law takes effect. The full commentary can be read here.

  • Pentagon’s move toward open source software isn’t going to enhance security (The Hill): A new Dept. of Defense program will require at least 20% of custom developed code to be released as open source software, according to a recent report.  The logic behind the move, the article says, can be found in Linus’s Law, which suggests that “given enough eyeballs, all bugs are shallow.” The author of the piece explains that while this may have been true and led to higher security many years ago, it no longer is the case. The exponential increase in the use of open source software, he says, mean that those programs don’t receive the same scrutiny and thus still have a huge number of flaws in them.  The full analysis can be found here.
  • At Berkeley, a New Generation of “Ethical Hackers” Learns to Wage Cyberwar (New Yorker): There is constant coverage in the media of the major shortage of a talented cyber security workforce. A recent piece explains how one professor is aiming to curtail that shortage by training students in the art of ethical hacking.  The course focuses on its version of “Cyberwar” and is modeled like one giant bug bounty program, with students earning points towards their final grade for any vulnerabilities they discover. As opposed to many of the courses here at Syracuse that focus on the law and policy of cyber security, this Computer Science course appears to require students to have somewhat significant computer and/or engineering skills. The class has caught the attention of HackerOne, and you can read more about it here.

Tags: , , ,

Next Page »

Authors

Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan D. WhiteRyan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Ryan D. WhiteShelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. Full biography

Christopher w. FolkChristopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillois 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Categories