PRESIDENTIAL MEMORANDUM
Key Issues in Cyber Policy
DECEMBER 27, 2015
NSEC506 - NOV/DEC 2015
Mark Raduenzel
Presidential Memorandum | Key Issues in Cyber Policy NSEC506 - Nov/Dec 2015
Mark Raduenzel Page 1 of 9
Summary
A recent botnet-type cyber-attack targeted a major U.S. defense firm. No physical damage
occurred to the firm’s network, but significant technological secrets
about a new surveillance and targeting system from the firm, Defense Applications International
(DAI), appear to have been compromised. Incidentally, but nonetheless as a result of the attack, the
virus also infected a software program that DAI was testing at an electrical plant in
Pennsylvania. The plant had to be shut down for 12 hours while repairs were made. The NSA
believes it has credible evidence that the attack had a direct connection to the elite cyber unit
Department 2112, of the country of Redistan, an adversary of the United States, although the
attack itself appears to have involved private citizens of Redistan. The attack, however, was routed
through several third countries including Bluelandia, an ally of the United States.
Key Issues and Analysis
Possible Responses
According to Dr. Clay Wilson, Program Director for Cybersecurity Studies at the American
Military/Public University, botnets consist of “vast numbers of computers that are infected and
remotely controlled to operate, in concert, through commands sent via the Internet” (Wilson
2009, 420). An attack of this type is difficult to prevent and to defend against, which makes it an
attractive technique for criminals, and it is reminiscent of the Distributed Denial of Service (DDoS)
attacks against Estonian sites in 2007. While no significant damage occurred as a result of this
particular attack, the United States Department of Justice (DOJ) routinely views such attacks as
criminal activity.
Further complicating matters is that the virus also infected the electrical plant in Pennsylvania. It
is possible that the software program Defense Applications International (DAI) was testing
enlisted one or more computers in the electrical plant as part of the same attacking botnet. Even
though the repairs were made over a 12-hour timeframe, the risk remains that security experts did
not find and eradicate all traces of the software virus and that the systems at the electrical plant
could still be remotely controlled via the Internet. This is a risk to the United States’ critical
infrastructure, and therefore national security, with the capability to impact more than just the
Pennsylvania area.
Even more troublesome is that the DDoS attack was used as a cover to compromise the
technological secrets regarding a new surveillance and targeting system being developed by
DAI. This unauthorized viewing or copying of data files is classified as cyber espionage whether
it was conducted by a state or an industrial competitor (Wilson 2009, 423). The use of
cyberspace to conduct espionage is hardly new. In 2003, for instance, a series of computer
attacks against the Department of Defense (DoD) systems, code named Titan Rain, succeeded in
copying large amounts of data containing sensitive information which is subject to U.S. export
control laws (Wilson 2009, 424). Since DAI is a defense contracting firm, the same export
control laws apply to DAI and its data and justify classifying the attacks as espionage.
Neither the DDoS attack nor the case of cyber espionage can be considered an act of war under
current international norms. According to Michael N. Schmitt, Director of the Stockton Center
for the Study of International Law, United States Naval War College; Professor of Public
International Law at Exeter University; and Senior Fellow at the NATO Cyber Defence Centre
of Excellence, cyber operations which do not cause damage do not qualify as an act of war
(Schmitt 2014, 191). This “effects-based” approach does not classify attacks on computer
systems as acts of war as long as there is no loss of life which may be directly associated with the attack and
any resulting damage is not permanent.
The United States should respond to these attacks by hardening its existing computer systems
and continuing to improve upon its security infrastructure and monitoring capabilities in order to
keep pace with current technology changes, vulnerabilities, risks and threats. This is not an easy
solution, and the problem is challenging because of the rapid changes experienced in the cyber
domain. With these changes come evolving and proliferating attack methods and techniques
which are difficult to defend against, as in the case of the DDoS attack experienced by DAI.
It is also recommended that the U.S. work with our ally Bluelandia in order to try and confirm
that the attacks originated with the elite cyber unit Department 2112 of Redistan. The
confirmation of attribution is particularly challenging even though the NSA believes it has
credible evidence the attacks were conducted by this unit. The difficulties of attribution typically
prevent forensic investigators from conclusively identifying the perpetrators of the attack. Since
the evidence against Redistan is inconclusive, retaliation at this time is inadvisable. If Redistan
did not direct the attacks and had no foreknowledge of them, retaliation against the nation would
be targeting the wrong party and the United States could very well be fighting on two cyber-
fronts. Additionally, since cyber-attacks are mainly invisible to outsiders and lack clear evidence
to display on the nightly news, the United States could be painted as aggressors by retaliating
and find international opinion solidly against the U.S. (Lin 2012, 55).
Public vs. Private Sector Responsibilities
It is further recommended that U.S. Cyber Command immediately begin to determine how best
to protect and defend key infrastructure entities, regardless of whether they belong to the public
or private sectors. Wilson has noted that individual companies normally rely on the internet in
order to conduct business and that fighting cyber-crime effectively will require the cooperation
of government entities and the private sector, including academia (Wilson 2009, 428).
However, government cannot and must not have sole responsibility for securing the internet and
critical infrastructure. If the private sector does not have a high enough stake in protecting their
own systems, the tendency could be to overly rely on the government for security and absolve
themselves of any responsibility. This would place too much of a burden on the federal
government. A better approach is for the federal government to encourage the private sector to
implement proper security measures for its systems. This can be done through legislation
passed by Congress combined with required security audits conducted by the NSA.
There may be some complications with the Department of Defense (DoD) and the National
Security Agency (NSA) interfacing with the private sector in the implementation of this effort.
As Major General Charles J. Dunlap has noted, the NSA “possesses extraordinary technical
expertise and experience, unmatched in the government, in exploring and exploiting computer
and telecommunication systems” (Dunlap 2011, 93). This expertise could be invaluable in
helping the private sector to protect its systems.
In spite of this proficiency, it may be wise to place more responsibility on the development of
fully civilian security measures for networks while at the same time discouraging involvement
by the Department of Defense and its agencies such as the NSA. Involving the NSA may seem
to conflict with the direction of American values even if the effort has a legal basis. Public
attitudes must be taken into account moving forward because Americans are becoming
increasingly uncomfortable with a “national-security state [that] now touches every aspect of
American life, even when seemingly unrelated to terrorism” (Dunlap 2011, 94). This general
discontent with intrusive government activity could cause the private sector to become unwilling
to work with the federal government on protecting the nation’s systems and allow the systems to
remain vulnerable to cyber-attacks.
International Cyber Agreements
The United States should immediately lead the effort to obtain an international cyber agreement
because there are many areas of mutual interest with countries which have an internet presence.
The United States’ policy on information security is remarkably similar to Chinese policy and
the Russian Federation’s Information Security Doctrine (Thomas 2009, 480). These policies
include the creation of national programs in order to prevent threats and mitigate vulnerabilities,
the development of awareness to cyber threats, protecting government networks which are part
of the cyber domain and cooperating in international cyber security. These policies are critical to
each nation’s national security interests and an international cyber agreement could begin with
this commonality.
Another facet which facilitates an international cyber agreement is that cyberspace can be
considered a common property resource from which everyone may be able to benefit without
needing to specifically pay for it (Forsyth 2013, 95). Overexploitation is normally avoided in
common property resources by every nation becoming aware of the necessity of cooperation in
order to continue using it.
An additional aspect which may facilitate international norms is the rising power of Brazil,
Russia, India and China (the BRICs). These four economies are well positioned to become the
four most dominant economies in the world within the next 40 years (Forsyth 2013, 98). As the
BRIC nations increase their political cooperation, the structure of international politics changes
from unipolarity to multipolarity, thereby decreasing the costs of governing the global
commons and increasing international cooperation and security.
However, having areas of mutual interest regarding cyberspace security may not foster an
international cyber agreement in the near future. States have often disagreed on “whether
international laws of war and self-defense should apply to cyber attacks, the right to block
information from citizens, and the roles that private or quasi-private actors should play in
Internet governance” (Hurwitz 2012, 21). These differences in ideologies could be a significant
barrier to international agreements.
The concept of the right to block information from citizens may be a challenge too difficult to
overcome for an international agreement. The United States has deep-rooted values regarding
freedom of the press and expression and a free and open internet promotes these values. Other
societies like Russia and China, however, do not share the same values. When creating or
negotiating the terms of international cyber norms, care must be taken to not infringe upon the
rights of American citizens for the sake of security. Russia or China’s insistence on including
limits on freedom will jeopardize any potential agreement.
An alternative to leading a new international cyber agreement could be to instead begin with
NATO’s Cooperative Cyber Defence Centre in Tallinn, Estonia. This center was established in
2008 with the intention of developing standards and “key directions for NATO’s cyber
protection system and carry out expert analyses of suspected cyber attacks” (Thomas 2009, 476).
The United States is still a member of NATO and should have direct input to the standards and
key directions developed by the Defence Centre. It could prove beneficial to officially publish
the center’s findings and use diplomacy to prompt the international community to agree to the
standards and directions.
U.S. Cyber Policy Recommendations
Finally, existing United States cyber policy should be strengthened by adding more explicit
policies focused on deterrence of cyber-attacks against the United States. This will not be easy
to achieve since a “one-size-fits-all approach to deterrence will not work because of the
multiplicity and diversity of potential adversaries and cyber-attacks, and because U.S. goals and
actions may shift from one situation to the next” (Kugler 2009, 310). This means that any cyber
deterrence strategy which is implemented should be specifically tailored to fit the adversary and
particular type of attack.
Comprehensive cyber deterrence strategies which lead to concrete cyber deterrence policies
should be comprised of declaratory policy, defensive cyber security, deterrence metrics, internal
and external interagency cooperation, situational awareness, command and control, and
retaliatory cyber capabilities. Collectively, these measures provide a solid foundation towards
preventing cyber-attacks, reducing overall vulnerabilities to attack and minimizing the amount of
damage incurred as well as recovery time in the event of an attack (Kugler 2009, 311). Existing
cyber policy must be revised immediately to include these elements.
The most basic challenge to deterrence is the difficulty in reliably attributing the attacks to a
specific party and whether the attacking party is a state or non-state actor. Because of the
technical limitations of attribution, retaliation in the form of counter-attacks or diplomacy is
nearly impossible which means the attackers have not been deterred as in the recent attacks
against DAI. The NSA believes the country of Redistan is responsible, but the evidence has not
yet been shown to be conclusive. Even if solid proof is obtained, a secondary consideration to
retaliation is that counter-attacking against Redistan may hold no value. Furthermore, counter-
attacks may do nothing to prevent Redistan from conducting further attacks. Any retaliation
against Redistan could seem provocative and may not be worth the time and effort to respond to.
The advantages gained by counter-attacks should be weighed against the possibility that entities
outside of the original conflict could become involved and keep the conflict brewing, even if the
supposed reasons for Redistan’s attack are removed.
Another element of policy which should be contemplated is the framing of cyber-attacks as acts
of war, especially when aimed at critical infrastructure as in the case of the DAI attacks. To
accomplish this, it will be necessary to further analyze the implications of cyberwar, “what it
means, what it entails, and whether threats can deter it or defense can mitigate its effects”
(Libicki 2009, 15). As Libicki indicates, the point of deterrence policy is to add another
consideration to the attacker’s calculus. This calculus is a function of whether the attacker
believes that the targeted entity will retaliate and that significant damage would be
sustained in the case of retaliation.
The concept of deterrence as policy is not new. In fact, Kugler notes that “the entire U.S.
conventional military posture is viewed as a major contributor to deterrence” (Kugler 2009, 325).
Cyber capabilities are a natural extension of that defensive posture. Well-implemented cyber
defense can add credibility to this posture as well. If the United States’ defenses are adequate
and the policy includes a strategy for counterattacks, the threat of retaliation in the minds of
attackers could dissuade them from attacking in the first place, which is the essence of
deterrence (Libicki 2009, 73).
References
Dunlap, Charles J. 2011. “Perspectives for Cyber Strategists on Law for Cyberwar.” Strategic
Studies Quarterly (Spring):81-99.
Forsyth, James W. 2013. “What Great Powers Make of It: International Order and the Logic of
Cooperation in Cyberspace.” Strategic Studies Quarterly 7, no. 1: 93-113.
Hurwitz, Roger. 2012. “Depleted Trust in the Cyber Commons.” Strategic Studies Quarterly 6,
no. 3: 20-45.
Kugler, Richard L. 2009. "Deterrence of Cyber Attacks". In Cyberpower and National Security.
Washington D.C.: National Defense University Press, 2009:309-340.
Libicki, Martin C. 2009. "Cyberdeterrence and Cyberwar". RAND Report. Santa Monica: Rand
Corp.
Lin, Herbert. 2012. “Escalation Dynamics and Conflict Termination in Cyberspace.” Strategic
Studies Quarterly vol. 6 no. 3:46-70.
Schmitt, Michael N. 2014. "Rewired warfare: rethinking the law of cyber attack." International
Review of the Red Cross 96, no. 893: 189-206.
Thomas, Timothy L. 2009. "Nation-state Cyber Strategies: Examples from China and Russia". In
Cyberpower and National Security. Washington D.C.: National Defense University Press,
2009:465-488.
Wilson, Clay. 2009. "Cyber Crime". In Cyberpower and National Security. Washington D.C.:
National Defense University Press, 2009:415-436.

Contenu connexe

Tendances

Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2MLG College of Learning, Inc
 
Network centrality measures and their effectiveness
Network centrality measures and their effectivenessNetwork centrality measures and their effectiveness
Network centrality measures and their effectivenessemapesce
 
Tdc 2021-innovation-lgpd-dados-pessoais
Tdc 2021-innovation-lgpd-dados-pessoaisTdc 2021-innovation-lgpd-dados-pessoais
Tdc 2021-innovation-lgpd-dados-pessoaisDouglas Siviotti
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityGamentortc
 
Network security
Network securityNetwork security
Network securityhajra azam
 
Chapter 11 laws and ethic information security
Chapter 11   laws and ethic information securityChapter 11   laws and ethic information security
Chapter 11 laws and ethic information securitySyaiful Ahdan
 
Introduction to Image Compression
Introduction to Image CompressionIntroduction to Image Compression
Introduction to Image CompressionKalyan Acharjya
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protectionsp_krishna
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyData & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyThoughtworks
 
Visual Cryptography Industrial Training Report
Visual Cryptography Industrial Training ReportVisual Cryptography Industrial Training Report
Visual Cryptography Industrial Training ReportMohit Kumar
 
Steganography presentation
Steganography presentationSteganography presentation
Steganography presentationAshwin Prasad
 
Adventures with Hillshading in FME.pptx
Adventures with Hillshading in FME.pptxAdventures with Hillshading in FME.pptx
Adventures with Hillshading in FME.pptxSafe Software
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 
Network measures used in social network analysis
Network measures used in social network analysis Network measures used in social network analysis
Network measures used in social network analysis Dragan Gasevic
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolVishal Kumar
 

Tendances (20)

Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2
 
Network centrality measures and their effectiveness
Network centrality measures and their effectivenessNetwork centrality measures and their effectiveness
Network centrality measures and their effectiveness
 
Tdc 2021-innovation-lgpd-dados-pessoais
Tdc 2021-innovation-lgpd-dados-pessoaisTdc 2021-innovation-lgpd-dados-pessoais
Tdc 2021-innovation-lgpd-dados-pessoais
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Email recovery
Email recoveryEmail recovery
Email recovery
 
Network security
Network securityNetwork security
Network security
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication
 
Chapter 11 laws and ethic information security
Chapter 11   laws and ethic information securityChapter 11   laws and ethic information security
Chapter 11 laws and ethic information security
 
Introduction to Image Compression
Introduction to Image CompressionIntroduction to Image Compression
Introduction to Image Compression
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protection
 
Pca ppt
Pca pptPca ppt
Pca ppt
 
Principal component analysis
Principal component analysisPrincipal component analysis
Principal component analysis
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyData & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny Leroy
 
Visual Cryptography Industrial Training Report
Visual Cryptography Industrial Training ReportVisual Cryptography Industrial Training Report
Visual Cryptography Industrial Training Report
 
Steganography presentation
Steganography presentationSteganography presentation
Steganography presentation
 
Adventures with Hillshading in FME.pptx
Adventures with Hillshading in FME.pptxAdventures with Hillshading in FME.pptx
Adventures with Hillshading in FME.pptx
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
 
Network measures used in social network analysis
Network measures used in social network analysis Network measures used in social network analysis
Network measures used in social network analysis
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
 

Similaire à Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015

Digital danger zone tackling cyber security
Digital danger zone tackling cyber securityDigital danger zone tackling cyber security
Digital danger zone tackling cyber securityJohn Kingsley
 
Digital danger zone tackling cyber security
Digital danger zone tackling cyber securityDigital danger zone tackling cyber security
Digital danger zone tackling cyber securityiFluidsEng
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?David Sweigert
 
Understanding the Methods behind Cyber Terrorism
Understanding the Methods behind Cyber TerrorismUnderstanding the Methods behind Cyber Terrorism
Understanding the Methods behind Cyber TerrorismMaurice Dawson
 
Marriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management  --  NEMAMarriage of Cyber Security with Emergency Management  --  NEMA
Marriage of Cyber Security with Emergency Management -- NEMADavid Sweigert
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionWilliam McBorrough
 
Comprehensive U.S. Cyber Framework Final Report
Comprehensive U.S. Cyber Framework Final ReportComprehensive U.S. Cyber Framework Final Report
Comprehensive U.S. Cyber Framework Final ReportLandon Harrell
 
The Future of National and International Security on the Internet
The Future of National and International Security on the InternetThe Future of National and International Security on the Internet
The Future of National and International Security on the InternetMaurice Dawson
 
Cyber security-in-india-present-status
Cyber security-in-india-present-statusCyber security-in-india-present-status
Cyber security-in-india-present-statusRama Reddy
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYTalwant Singh
 
How to take down the 911 call center -- NFPA 1221 , Chapter 13
How to take down the 911 call center -- NFPA 1221 , Chapter 13How to take down the 911 call center -- NFPA 1221 , Chapter 13
How to take down the 911 call center -- NFPA 1221 , Chapter 13David Sweigert
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
Larry KeaslerAs part of the nation’s 16 Critical Infrastructure .docx
Larry KeaslerAs part of the nation’s 16 Critical Infrastructure .docxLarry KeaslerAs part of the nation’s 16 Critical Infrastructure .docx
Larry KeaslerAs part of the nation’s 16 Critical Infrastructure .docxsmile790243
 
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of ThingsBattlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of ThingsMaurice Dawson
 
VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016Cameron Brown
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Mark Raduenzel
 

Similaire à Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015 (20)

Digital danger zone tackling cyber security
Digital danger zone tackling cyber securityDigital danger zone tackling cyber security
Digital danger zone tackling cyber security
 
Digital danger zone tackling cyber security
Digital danger zone tackling cyber securityDigital danger zone tackling cyber security
Digital danger zone tackling cyber security
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?
 
Understanding the Methods behind Cyber Terrorism
Understanding the Methods behind Cyber TerrorismUnderstanding the Methods behind Cyber Terrorism
Understanding the Methods behind Cyber Terrorism
 
Marriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management  --  NEMAMarriage of Cyber Security with Emergency Management  --  NEMA
Marriage of Cyber Security with Emergency Management -- NEMA
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure Protection
 
Comprehensive U.S. Cyber Framework Final Report
Comprehensive U.S. Cyber Framework Final ReportComprehensive U.S. Cyber Framework Final Report
Comprehensive U.S. Cyber Framework Final Report
 
The Future of National and International Security on the Internet
The Future of National and International Security on the InternetThe Future of National and International Security on the Internet
The Future of National and International Security on the Internet
 
Cyber security-in-india-present-status
Cyber security-in-india-present-statusCyber security-in-india-present-status
Cyber security-in-india-present-status
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
 
114-116
114-116114-116
114-116
 
How to take down the 911 call center -- NFPA 1221 , Chapter 13
How to take down the 911 call center -- NFPA 1221 , Chapter 13How to take down the 911 call center -- NFPA 1221 , Chapter 13
How to take down the 911 call center -- NFPA 1221 , Chapter 13
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay Robertson
 
Cyber-what?
Cyber-what?Cyber-what?
Cyber-what?
 
Larry KeaslerAs part of the nation’s 16 Critical Infrastructure .docx
Larry KeaslerAs part of the nation’s 16 Critical Infrastructure .docxLarry KeaslerAs part of the nation’s 16 Critical Infrastructure .docx
Larry KeaslerAs part of the nation’s 16 Critical Infrastructure .docx
 
Terrorist Cyber Attacks
Terrorist Cyber AttacksTerrorist Cyber Attacks
Terrorist Cyber Attacks
 
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of ThingsBattlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
 
VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
 

Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015

  • 1. PRESIDENTIAL MEMORANDUM Key Issues in Cyber Policy DECEMBER 27, 2015 NSEC506 - NOV/DEC 2015 Mark Raduenzel
  • 2. Presidential Memorandum | Key Issues in Cyber Policy NSEC506 - Nov/Dec 2015 Mark Raduenzel Page 1 of 9 Summary A recent cyber-attack occurred where a botnet type attack targeted a major U.S. defense firm. No physical damage occurred to the firm’s network, but significant technological secrets about a new surveillance and targeting system from the firm, Defense Applications International (DAI), appear to have been compromised. Incidental, but nonetheless as a result of the attack, the virus also infected a software program that DAI was testing at electrical plant in Pennsylvania. The plant had to be shut down for 12 hours while repairs were made. The NSA believes it has credible evidence that the attack had a direct connection to the elite cyber unit Department 2112, of the country of Redistan, an adversary of the United States, although the attack itself appears to include private citizens of Redistan. The attack however, was routed through several third countries including Bluelandia, an ally of the United States. Key Issues and Analysis Possible Responses According to Dr. Clay Wilson, Program Director for Cybersecurity Studies at the American Military/Public University, botnets consist of “vast numbers of computers that are infected and remotely controlled to operate, in concert, through commands sent via the Internet” (Wilson 2009, 420). An attack of this type is difficult to prevent and to defend against which makes it an attractive technique for criminals and is reminiscent of the Distributed Denial of Service (DDoS) attacks against Estonian sites in 2007. While no significant damage occurred as a result of this particular attack, the United States Department of Justice (DOJ) routinely views such attacks as a criminal activity.
Further complicating matters is that the virus also infected the electrical plant in Pennsylvania. It is possible that the software program Defense Applications International (DAI) was testing enlisted one or more computers in the electrical plant as part of the same attacking botnet. Even though the repairs were made over a 12-hour timeframe, the risk remains that security experts did not find and eradicate all traces of the software virus and that the systems at the electrical plant could still be remotely controlled via the Internet. This is a risk to the United States' critical infrastructure, and therefore national security, with the capability to impact more than just the Pennsylvania area.

Even more troublesome is that the DDoS attack was used as a cover to compromise the technological secrets regarding a new surveillance and targeting system being developed by DAI. This unauthorized viewing or copying of data files is classified as cyber espionage whether it was conducted by a state or an industrial competitor (Wilson 2009, 423). The use of cyberspace to conduct espionage is hardly new. In 2003, for instance, a series of computer attacks against the Department of Defense (DoD) systems, code-named Titan Rain, succeeded in copying large amounts of data containing sensitive information which is subject to U.S. export control laws (Wilson 2009, 424). Since DAI is a defense contracting firm, the same export control laws apply to DAI and its data and justify classifying the attacks as espionage.

Neither the DDoS attack nor the case of cyber espionage can be considered an act of war under current international norms. According to Michael N. Schmitt, Director of the Stockton Center for the Study of International Law, United States Naval War College; Professor of Public International Law at Exeter University; and Senior Fellow at the NATO Cyber Defence Centre of Excellence, cyber operations which do not cause damage do not qualify as an act of war (Schmitt 2014, 191). This “effects-based” approach does not classify attacks on computer systems as acts of war as long as there is no loss of life which may be directly associated with the attack and any resulting damage is not permanent.

The United States should respond to these attacks by hardening its existing computer systems and continuing to improve upon its security infrastructure and monitoring capabilities in order to keep pace with current technology changes, vulnerabilities, risks and threats. This is not an easy solution to a challenging problem, which is due to the rapid changes experienced in the cyber domain. With these changes come evolving and proliferating attack methods and techniques which are difficult to defend against, as in the case of the DDoS attack experienced by DAI.

It is also recommended that the U.S. work with our ally Bluelandia in order to try to confirm that the attacks originated with the elite cyber unit Department 2112 of Redistan. The confirmation of attribution is particularly challenging even though the NSA believes it has credible evidence the attacks were conducted by this unit. The difficulties of attribution typically prevent forensic investigators from conclusively identifying the perpetrators of the attack. Since the evidence against Redistan is inconclusive, retaliation at this time is inadvisable. If Redistan did not direct the attacks and had no foreknowledge of them, retaliation against the nation would be targeting the wrong party and the United States could very well be fighting on two cyber-fronts. Additionally, since cyber-attacks are mainly invisible to outsiders and lack clear evidence to display on the nightly news, the United States could be painted as the aggressor by retaliating and find international opinion solidly against the U.S. (Lin 2012, 55).

Public vs. Private Sector Responsibilities

It is further recommended that U.S. Cyber Command immediately begin to determine how best to protect and defend key infrastructure entities, regardless of whether they belong to the public or private sectors. Wilson has noted that individual companies normally rely on the internet in order to conduct business and that fighting cyber-crime effectively will require the cooperation of government entities and the private sector, including academia (Wilson 2009, 428). However, government cannot and must not have sole responsibility for securing the internet and critical infrastructure. If the private sector does not have a high enough stake in protecting their own systems, the tendency could be to overly rely on the government for security and absolve themselves of any responsibility. This would place too much of a burden on the federal government. A better approach is for the federal government to encourage the private sector to implement proper security measures for their systems. This can be done through legislation passed by Congress combined with required security audits conducted by the NSA.

There may be some complications with the Department of Defense (DoD) and the National Security Agency (NSA) interfacing with the private sector in the implementation of this effort. As Major General Charles J. Dunlap has noted, the NSA “possesses extraordinary technical expertise and experience, unmatched in the government, in exploring and exploiting computer and telecommunication systems” (Dunlap 2011, 93). This expertise could be invaluable in helping the private sector to protect its systems. In spite of this proficiency, it may be wise to place more responsibility on the development of fully civilian security measures for networks while at the same time discouraging involvement by the Department of Defense and its agencies such as the NSA. Involving the NSA may seem to conflict with the direction of American values even if the effort has a legal basis.
Public attitudes must be taken into account moving forward because Americans are becoming increasingly uncomfortable with a “national-security state [that] now touches every aspect of American life, even when seemingly unrelated to terrorism” (Dunlap 2011, 94). This general discontent with intrusive government activity could cause the private sector to become unwilling to work with the federal government on protecting the nation's systems and allow the systems to remain vulnerable to cyber-attacks.

International cyber agreements

The United States should immediately lead the effort to obtain an international cyber agreement because there are many areas of mutual interest with countries which have an internet presence. The United States’ policy on information security is remarkably similar to Chinese policy and the Russian Federation’s Information Security Doctrine (Thomas 2009, 480). These policies include the creation of national programs in order to prevent threats and mitigate vulnerabilities, the development of awareness to cyber threats, protecting government networks which are part of the cyber domain and cooperating in international cyber security. These policies are critical to each nation’s national security interests and an international cyber agreement could begin with this commonality.

Another facet which facilitates an international cyber agreement is that cyberspace can be considered a common property resource from which everyone may be able to benefit without needing to specifically pay for it (Forsyth 2013, 95). Overexploitation is normally avoided in common property resources by every nation becoming aware of the necessity of cooperation in order to continue using it.

An additional aspect which may facilitate international norms is the rising power of Brazil, Russia, India and China (the BRICs). These four economies are well positioned to become the four most dominant economies in the world within the next 40 years (Forsyth 2013, 98). As the BRIC nations increase their political cooperation, the structure of international politics changes from unipolarity to multipolarity, thereby decreasing the costs of governing the global commons and increasing international cooperation and security.
However, having areas of mutual interest regarding cyberspace security may not foster an international cyber agreement in the near future. States have often disagreed on “whether international laws of war and self-defense should apply to cyber attacks, the right to block information from citizens, and the roles that private or quasi-private actors should play in Internet governance” (Hurwitz 2012, 21). These differences in ideologies could be a significant barrier to international agreements.

The concept of the right to block information from citizens may be a challenge too difficult to overcome for an international agreement. The United States has deep-rooted values regarding freedom of the press and expression and a free and open internet promotes these values. Other societies like Russia and China, however, do not share the same values. When creating or negotiating the terms of international cyber norms, care must be taken to not infringe upon the rights of American citizens for the sake of security. Russia or China’s insistence on including limits on freedom will jeopardize any potential agreement.

An alternative to leading a new international cyber agreement could be to instead begin with NATO’s Cooperative Cyber Defence Centre in Tallinn, Estonia. This center was established in 2008 with the intention of developing standards and “key directions for NATO’s cyber protection system and carry out expert analyses of suspected cyber attacks” (Thomas 2009, 476). The United States is still a member of NATO and should have direct input to the standards and key directions developed by the Defence Centre. It could prove beneficial to officially publish the center’s findings and use diplomacy to prompt the international community to agree to the standards and directions.
U.S. Cyber Policy Recommendations

Finally, existing United States cyber policy should be strengthened by adding more explicit policies focused on deterrence of cyber-attacks against the United States. This will not be easy to achieve since a “one-size-fits-all approach to deterrence will not work because of the multiplicity and diversity of potential adversaries and cyber-attacks, and because U.S. goals and actions may shift from one situation to the next” (Kugler 2009, 310). This means that any cyber deterrence strategy which is implemented should be specifically tailored to fit the adversary and particular type of attack.

Comprehensive cyber deterrence strategies which lead to concrete cyber deterrence policies should be comprised of declaratory policy, defensive cyber security, deterrence metrics, internal and external interagency cooperation, situational awareness, command and control, and retaliatory cyber capabilities. Collectively, these measures provide a solid foundation towards preventing cyber-attacks, reducing overall vulnerabilities to attack and minimizing the amount of damage incurred as well as recovery time in the event of an attack (Kugler 2009, 311). Existing cyber policy must be revised immediately to include these elements.

The most basic challenge to deterrence is the difficulty in reliably attributing the attacks to a specific party and whether the attacking party is a state or non-state actor. Because of the technical limitations of attribution, retaliation in the form of counter-attacks or diplomacy is nearly impossible, which means the attackers have not been deterred, as in the recent attacks against DAI. The NSA believes the country of Redistan is responsible, but the evidence has not yet been shown to be conclusive.
Even if solid proof is obtained, a secondary consideration to retaliation is that counter-attacking against Redistan may hold no value. Furthermore, counter-attacks may do nothing to prevent Redistan from conducting further attacks. Any retaliation against Redistan could seem provocative and may not be worth the time and effort to respond to. The advantages gained by counter-attacks should be weighed against the possibility that entities outside of the original conflict could become involved and keep the conflict brewing, even if the supposed reasons for Redistan’s attack are removed.

Another element of policy which should be contemplated is the framing of cyber-attacks as acts of war, especially when aimed at critical infrastructure as in the case of the DAI attacks. To accomplish this, it will be necessary to further analyze the implications of cyberwar, “what it means, what it entails, and whether threats can deter it or defense can mitigate its effects” (Libicki 2009, 15). As Libicki indicates, the point of deterrence policy is to add another consideration to the attacker’s calculus. This calculus is a function of whether the attacker believes that the targeted entity will carry out a retaliation and whether significant damage would be sustained in the case of retaliation.

The concept of deterrence as policy is not new. In fact, Kugler notes that “the entire U.S. conventional military posture is viewed as a major contributor to deterrence” (Kugler 2009, 325). Cyber capabilities are a natural extension of that defensive posture. Well-implemented cyber defense can add credibility to this posture as well. If the United States’ defenses are adequate and the policy includes a strategy for counterattacks, the threat of retaliation in the mind of attackers could dissuade them from attacking in the first place, which is the essence of deterrence (Libicki 2009, 73).
References

Dunlap, Charles J. 2011. “Perspectives for Cyber Strategists on Law for Cyberwar.” Strategic Studies Quarterly (Spring): 81-99.

Forsyth, James W. 2013. “What Great Powers Make of It: International Order and the Logic of Cooperation in Cyberspace.” Strategic Studies Quarterly 7, no. 1: 93-113.

Hurwitz, Roger. 2012. “Depleted Trust in the Cyber Commons.” Strategic Studies Quarterly 6, no. 3: 20-45.

Kugler, Richard L. 2009. “Deterrence of Cyber Attacks.” In Cyberpower and National Security. Washington D.C.: National Defense University Press, 309-340.

Libicki, Martin C. 2009. “Cyberdeterrence and Cyberwar.” RAND Report. Santa Monica: Rand Corp.

Lin, Herbert. 2012. “Escalation Dynamics and Conflict Termination in Cyberspace.” Strategic Studies Quarterly 6, no. 3: 46-70.

Schmitt, Michael N. 2014. “Rewired warfare: rethinking the law of cyber attack.” International Review of the Red Cross 96, no. 893: 189-206.

Thomas, Timothy L. 2009. “Nation-state Cyber Strategies: Examples from China and Russia.” In Cyberpower and National Security. Washington D.C.: National Defense University Press, 465-488.

Wilson, Clay. 2009. “Cyber Crime.” In Cyberpower and National Security. Washington D.C.: National Defense University Press, 415-436.