Cyber Command Strategy Document: Achieve and Maintain Cyberspace Superiority

Command-Vision-for-USCYBERCOM-23-Mar-18

Tags:

Actual Indictment – Iranians Charged with Hacking 144 Universities and Lots More

Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps

Mabna Institute Hackers Penetrated Systems Belonging to Hundreds of Universities, Companies, and Other Victims to Steal Research, Academic and Proprietary Data, and Intellectual Property

Tags: , ,

The Clarifying Lawful Overseas Use of Data (CLOUD) Act

This blog usually does not cover legislative proposals because they too often never progress through the process. But as Steve Vladeck first pointed out via tweet earlier this evening, the latest spending bill includes a provision worth addressing here.

The Clarifying Lawful Overseas Use of Data Act (CLOUD) Act, addressed the use of stored data overseas similar to that currently at issue in United States v. Microsoft Corp. which is at the Supreme Court. Vladeck explained in the same tweet that, if passed, this law could render that case moot and/or lead to the Justices to punt on the issue. The law adds to and amends the Stored Communications Act, 18 U.S.C. §§ 2701-2712.

A post from last week discussing the CLOUD Act addresses opposition to the Act but ultimately concludes that the new law will be beneficial. That post can be read here.  Another analysis from the Council on Foreign Relations looks at the implications for intelligence collection can be read here.

The full text of the proposed law, which is the last 32 pages of the 2232 page spending bill, is included below.

CLOUD Act

 

Tags: , , ,

US military cyber group tried to ‘manipulate the thinking’ of ISIS followers

A few weeks ago, I wrote a post on the difference between cyber and information warfare and U.S. policy in this sphere. The idea was sparked by a lecture from Gen. Michael Hayden this past fall at Syracuse University, when I realized that many people have likely conflated these two concepts. Cyber operations can be used for cyber warfare, defined as attacked computer systems. They can also be used as part of information warfare. It just so happens that most information today flows through cyberspace so cyber can have a bigger role in information operations.

Hayden said that the U.S. decided not to open the door to the world of information warfare. But a report yesterday says otherwise. The article from the Washington Examiner explains that Gen. Paul Nakasone, the head of Army Cyber Command, testified to the Senate about operations to “manipulate the thinking” of ISIS followers.

According to the article, Nakasone described his experience with the operations with the following: “I would offer that that is perhaps the piece of Ares that I’ve learned most about, being able to provide a message, being able to amplify a message to impact our adversaries.”  The article further elaborated that most of this work, which was done by Task Force Ares, was executed at a tactical and operational level. Nakasone has been nominated to lead U.S. Cyber Command and most of the testimony was focused on how the U.S. can protect the integrity of its elections from foreign meddling, the article said.

Personally, I’m glad to see the U.S. is engaging in this type of work. As I mentioned in the original post a few weeks ago, it would be somewhat silly to think that we weren’t engaged in information operations at least at some level. But it appears as though the military, which is also the entity I suggested giving this power to, is looking to expand its capabilities and further develop this tool.

Tags: , , , ,

Encryption Policy in Democratic Regimes: Finding Convergent Paths and Balanced Solutions

Below is a report from the East West Institute titled “Encryption Policy in Democratic Regimes: Finding Convergent Paths and Balanced Solutions.”  The organization’s own press release states that the report  “provides nine normative recommendations on encryption policy to ensure strong cybersecurity while enabling lawful law enforcement access to the plaintext of encrypted information in limited circumstances.”  The full press release can be found here, which includes links to the full report and executive summary.

ewi-encryption-us-version

Tags:

Cyber Round Up: Germany Calls Russian Cyber Attack ‘warfare’; Cyber Command Not a ‘Bully’; New SEC Guidance Comes Up Short

  • Russia cyber attack on Germany a ‘form of warfare’ (The Telegraph): A story last week discussed a recent and then still ongoing cyber attack against Germany. The report said that while government officials weren’t saying much, many expect there to be a lot more damage than those officials were initially letting on. The story suggested that the attacks were the work of Fancy Bear, a group allegedly associated with Putin’s intelligence agencies. The main concern, according to the article, is that the network attacked is supposed to be one of the most secure in Germany’s government. The full article can be read here.

  • US Cyber Command: An Assiduous Actor, Not a Warmongering Bully (Ciper Brief):  Last week, an article was posted on the Cipher Brief titled, “US Cyber Command: “When faced with a bully…hit him harder.” A response to that story came on Sunday on the same site, which refuted the idea that Cyber Command is a bully. The latter article explains that “[a] more positive account of the U.S. Cyber Command is that the organization is continuing to explore new approaches to ‘maneuver’ in this new ‘domain of warfare.’” That assertion is just one of many made by the author, who focused mostly on the developing nature of cyber space as the defining factor in Cyber Command’s current strategies. The full article can be read here.

  • SEC’s new cybersecurity guidance falls short (CSO Online):  Last week, this blog highlighted the new cyber guidance released by the SEC in a post that can be found here.  A piece by CSO Online reaches the conclusion that the SEC could have done much in its newest guidance, particularly in the wake of the Equifax breach. The article says that the guidance is an improvement, but that it still doesn’t have the teeth to make it truly effective. At the end of the day, the article explains, these are still just recommendations. The article contrasts this with data breach notification laws that have been passed in 48 states. The full article can be found here.

Tags: , , ,

Blockchain: Background and Policy Issues

Below is a Congressional Research Service report released last week that provides some basic background regarding blockchain technology and related policy issues.

BlockchainR45116

Tags: , ,

Cisco Systems 2018 Annual Cybersecurity Report

Below is Cisco’s annual cyber report. An article with commentary on the report from Forbes can be found here.

acr2018final

Tags:

The Supply Chain Problem and Cyber Security

The Supply Chain Problem

A few weeks ago, an article from Nextgov, a website dedicated to “how technology and innovation are transforming the way government agencies serve citizens and perform vital functions,” described recent efforts by DHS to address cyber security risks as they relate to supply chains.  The article quotes Jeanette Manfra, the head of DHS’s Office of Cybersecurity and Communications, who explained that “[t]he program’s major goals are to identify the greatest supply chain cyber threats, figure out if there are technical ways to mitigate those threats and, if not, figure out other solutions.” But other than barring companies with weak supply chain security from government contracts, no other solutions were mentioned. Below I look at what a cyber security supply chain policy might encompass.

One of the more prominent supply chain incidents in recent memory involved Hewlett Packard Enterprise, who, in an effort to expand its business, offered a Russian defense agency an inside look at a program called ArcSight.[i] The problem, however, was that ArcSight is a program that is heavily relied on by the Pentagon.[ii] The program is a “cybersecurity nerve center” that sends alerts when it detects a potential attack on a network.[iii] The program is also used frequently by private sector companies.[iv] By providing the program code to Russia, HP not only created a vulnerability for the United States but exposed that vulnerability to the most notorious cyber threat to the U.S. in recent years.

Another example of the cyber supply chain problem occurred several years ago with the United States Air Force. The Air Force had contracted with a vendor in an Asian country to produce hardware for one of the Air Force’s systems.[v] When the hardware arrived in the U.S. and was reviewed by the Air Force, however, they found that the chips contained an extra transistor. While the chip performed its intended function, the Air Force could not decipher what else the piece would do with the extra transistor. As a result, that batch of hardware was disposed of and never installed.

These two examples highlight the breadth and depth of the challenges regarding supply chains and cyber security. Supply chain security implicates hardware and software, public sector and private, and in these two instances, Asia and Russia. The Air Force was fortunate enough to find the altered specifications in its hardware, and reports so far suggest no harm has come from Russia’s ArcSight review.

Every point in every supply chain presents a weakness for that product’s cybersecurity. Every individual human that comes into contact with every component piece of hardware or software is a potential threat.  The threats to the supply chain include:[vi]

  • Installation of hardware or software containing malicious logic
  • Installation of counterfeit hardware or software
  • Failure or disruption in the production or distribution of critical products
  • Reliance on a malicious or unqualified service provider for the performance of technical services
  • Installation of hardware or software that contains unintentional vulnerabilities

All of these create potential weaknesses that can be exploited at a later point in time. Vulnerabilities could be exploited to steal sensitive information. Anything that program does could send a copy of that data to a third party. A vulnerability created by a nefarious actor somewhere in the supply chain could be a switch that lies dormant until activated when it would disable the system. Depending on what system that might be, there could be devastating consequences.

Two major concepts underlie the cyber supply chain security issues in the United States: (1) the United States technology sector is dependent on hardware components manufactured all over the world; and (2) the United States government is heavily dependent on commercial off-the-shelf cyber programs.

Continue reading

Tags: , , ,

Council of Economic Advisers: The Cost of Malicious Cyber Activity to the U.S. Economy

Below is a report released earlier this month from the Council of Economic Advisers, “The Cost of Malicious Cyber Activity to the U.S. Economy.”

The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy

Tags: , ,

« Previous PageNext Page »

Authors

Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan D. WhiteRyan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Ryan D. WhiteShelby is a second year law student at the Syracuse University College of Law. She is the 2018-9 Editor in Chief of the Syracuse Law Review, as well as a member of the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. Full biography

Christopher w. FolkChristopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillois 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Categories