Issues with Designating Election Infrastructure as Critical Infrastructure

By Daniel Patrick Shaffer

Critical Infrastructure and the Power of the Executive Branch

Department of Homeland Security Secretary Jeh Johnson recently proposed the idea of designating election infrastructure as “critical infrastructure.” Critical infrastructure includes pieces of infrastructure that are so vital to the United States that their destruction would have a crippling effect on our economy, health, and security. This currently includes infrastructure like dams, the power grid, and financial institutions. The Secretary has cybersecurity concerns, citing the recent cyber-attacks on the Democratic National Committee database, and the possibility of more destructive attacks in the future. Pursuant to the Homeland Security Act of 2002, the President and Secretary of DHS both have the power to designate critical infrastructure. The President did this in the Presidential Policy Directive-21, Critical Infrastructure Security and Resilience. The Directive says that department heads are in charge of working with the Secretary of Homeland Security to ensure security in their respective critical infrastructures. The Department of Justice, a part of the executive branch, has jurisdiction to monitor, investigate, and …

Cyber Security Threats Offer New Legal Challenge to Holding Spies Responsible for Espionage

In December 2014, naturalized US citizen Mostafa Ahmed Awwad was arrested by the FBI for attempting to sell blueprints of the US Navy’s brand-new nuclear-powered aircraft carrier, the USS Gerald R. Ford.[1] Awwad, a former Egyptian citizen and engineer in the Nuclear Engineering and Planning Department of the massive Norfolk Naval Shipyard, had a Secret security clearance and access to sensitive blueprints of the most advanced ship ever designed.[2] The case against Awwad is pretty cut-and-dry. Believing he was corresponding with an Egyptian Intelligence officer, Awwad turned over computer-aided drawings of the aircraft carrier, wore a pinhole camera in sensitive areas of the shipyard to record restricted information, and acknowledged that the information he provided would be sent to Egypt for use.[3] With the details of this case reading like a Cold War spy thriller, complete with dead-drops, spy gadgets, and a discreet payment left in a hole under a park bench in Southeast Virginia, the “Egyptian Intelligence officer” that Awwad was corresponding with was actually an undercover FBI agent.[4] Awwad was arrested, charged with attempted espionage, and recently sentenced to eleven years in federal prison.[5]

Modern-day espionage cases have all resulted in similar responses from the FBI and Department of Justice: arrest, try, and sentence. From Robert Hanssen to John Walker and Mostafa Ahmed Awwad, when suspected spies are caught, they’re tried and held responsible for their acts.[6] But how does our justice system’s response to espionage change when the actors are not physically within our country when they’re spying? What about when the secrets that are stolen are taken over the internet?

US defense contractors spend billions of dollars every year on research and development to design and build the most sophisticated and advanced military equipment in the world. The USS Gerald R. Ford, for instance, will cost nearly $13 billion to design and build once complete.[7] Similarly, the US military’s brand new F-35 Joint Strike Fighter has taken nearly twenty years and $400 billion to design and build, and its state-of-the-art technology is more advanced than any other fighter jet ever built.[8] Coincidentally, shortly after its debut, China unveiled its new J-31 fighter jet, which strikingly resembles the F-35 in its design and performance characteristics.[9] The similarities, revealed to be from a 2007 data breach of US defense contractor Lockheed Martin’s computer servers by Chinese hackers, represent “the greatest transfer of wealth in history,” and extend to include over fifty terabytes of sensitive military weapon systems data, including the AEGIS Ballistic Missile Defense Radar System and the Navy’s Littoral Combat Ship.[10]

This new form of digital espionage leaves the US in uncharted territory. Can the US treat these breaches the same way as traditional espionage cases? Is it even possible to hold faceless hackers halfway across the globe accountable under the US criminal justice system? Furthermore, how is the dynamic changed when the hacker is an individual activist (or hacktivist) versus a nation?

Judging by the Department of Defense’s initially tacit response to the massive hacks, which were only fully revealed to the public after documents released by Edward Snowden detailed the theft, policy-makers, defense leaders, and the law enforcement community do not want to publicly define these acts because doing so would tie their hands in their response. While on the surface these two different forms of espionage yield similar results (i.e. sensitive military and intelligence information in the hands of our adversaries), the complexities of holding the perpetrators responsible are worlds apart.

Furthermore, the question remains of where the line is drawn between espionage and something more. The 2014 Chinese hacks on the personnel and security clearance databases of the Office of Personnel Management went beyond the previous breaches of military technology.[11] Exposing over 22 million Americans’ social security numbers and personal life details, the hacks could have a very real, though likely not kinetic, effect on the lives of the US citizens whose information was stolen.[12] By not defining these hacks or drawing any clear lines, the US retains the ability to choose how to best respond, and whether or not to make these responses public. Taking a hard line would tie the country’s hands whenever a breach occurs and could escalate a situation beyond the scope of the original act.

_________

[1] Howell, Kellan. “FBI Charges Saudi-born Naval Engineer over Plans to Sink Aircraft Carrier.” The Washington Times 06 Dec. 2014. Web. 13 Nov. 2015.

[2] Zapotosky, Matt. “Navy Engineer Admits Trying to Leak Plans for New Aircraft Carrier to Egypt.” The Washington Post 15 June 2015. Web. 13 Nov. 2015.

[3] Cavas, Christopher P. “Navy Engineer Indicted for Trying to Sell Secrets.” Navy Times 05 Dec. 2014. Web. 13 Nov. 2015.

[4] Id.

[5] FBI. “Navy Civilian Engineer Sentenced to 11 Years for Attempted Espionage.” FBI 2015. Web. 13 Nov. 2015.

[6] FBI. “Counterintelligence Cases Past and Present.” FBI 2013. Web. 13 Nov. 2015.

[7] Harper, Jon. “Funding Restricted for Ford-Class Carriers.” National Defense Magazine Sept. 2015. Web. 13 Nov. 2015.

[8] Wall Street Journal. “China’s Cyber-Theft Jet Fighter.” The Wall Street Journal 12 Nov. 2014. Web. 13 Nov. 2015.

[9] Goldstein, Sarah. “Snowden: Chinese Hackers Stole F-35 Fighter Jet Blueprints.” New York Daily News 20 Jan. 2015. Web. 13 Nov. 2015.

[10] Russia Today. “50 Terabytes! Snowden Leak Reveals Massive Size of F-35 Blueprints Hack by China.” Russia Today 19 Jan. 2015. Web. 13 Nov. 2015.

[11] Nakashima, Ellen. “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say.” The Washington Post 09 Jul. 2015. Web. 14 Nov. 2015.

[12] Id.

GameOver ZeuS: Combatting the Global Threat of CyberCrime

Although cybercrime is no longer a new threat to global security, it has remained an important and growing concern for both domestic and international law enforcement agencies. The very nature of cybercrime requires American law enforcement agencies to reach out to their international counterparts to work together in tracking down criminals. This need for international cooperation has led state leaders to create new pieces of legislation that monitor and prosecute those who commit international cybercrimes.

The FBI Cyber Division has the definitive top 10 most wanted list of international cyber criminals with the list split fairly evenly between those from Russia and China. The Chinese suspects work under the PRC’s 3rd Department of General Staff while the Russians are mainly independent with strong ties to the Russian mob. One suspect on the list is not an individual but rather a group called “JabberZeus Subjects”, a collective of criminals who are infecting millions of computers across the world with a malicious piece of software known as “GameOver ZeuS”. Zeus’s success comes from the number one suspect on the FBI’s list, Evgeniy Mikhailovich Bogachev.

Bogachev is a 30-year-old career criminal living openly and freely in Anapa, Russia. His software, known as GameOver ZeuS or GOZ, is a botnet that uses keylogging or form grabbing to acquire banking information and then makes transactions through “money mules”, typically individuals who fall victim to phishing attacks. GOZ also installs “Cryptolocker”, malicious software known as ransomware that blocks access to critical files or documents until a fee is paid. GOZ spreads through spam and compromised URLs, infecting computers in 226 countries with the majority in the United States of America and Europe. GOZ communicates with other infected systems through a P2P network, allowing them to attack vulnerable infrastructures in tandem. GOZ has been used as a network for DDoS attacks against financial institutions and can prevent victims from accessing their compromised accounts. This has led to over $100 million in losses for victims in the USA alone.

The spread of GOZ has prompted coordinated efforts by law enforcement officials in Canada, Britain, the Netherlands, Ukraine, and Luxembourg to stop the spread of the malware at its source. Led by FBI agents in Pittsburgh, Omaha, and Washington D.C., a federal grand jury in Pittsburgh unsealed a 14-count indictment against Evgeniy Bogachev for “conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Game over Zeus botnet.” Although the charges are an important step to bringing Bogachev to trial, the FBI faces a number of problems with prosecution. The FBI must rely on cooperation with Russian officials to turn over Bogachev, and although cooperation with Russian authorities has been “productive”, there has been little effort made to turn Bogachev over to the international legal organizations seeking his arrest.

Since 2001, the international community has been working together to address cybercrime, improve investigative techniques, and increase cooperation amongst nations to combat cyber criminals. Beginning with the Budapest Convention, the international community has begun creating treaties that work to prevent cybercrime. However, due to the complexity of creating a standard set of rules dictating the prosecution of criminals around the world, there is still much work to do. Cyberterrorism and cyber-warfare are also important topics of discussion, and there has been increasing legislation to combat this growing threat. Trade agreements such as the Wassenaar Arrangement, which ban the sale of weapons, have now been expanded to include hardware and software that can be used to compromise the infrastructure of a nation’s telecommunication systems.

What does the future hold for law enforcement agencies combatting criminals sitting behind their desks thousands of miles away? Increased cooperation between governments is the first step, allowing law enforcement agencies to apprehend suspects and to take them to trial. Beyond that, creating systems that are increasingly more secure and complex to thwart the next GOZ is critical. Finally, it is imperative that the general public is educated on how to protect themselves against phishing and other common techniques used by computer criminals.

Photo Courtesy of “Cliff” (License)

What happened to NSA reform and where does it go from here?

Over eighteen months have passed since Edward Snowden first disclosed the extent of the National Security Agency’s (NSA) surveillance programs. [1] Snowden revealed two main programs: the business records program that includes phone history collections, and the PRISM program that collects information about electronic communications. The business records program operates under Section 215 of the PATRIOT Act. [] PRISM operates under Section 702 of the Foreign Intelligence Surveillance Act (FISA). [3] In the aftermath of the disclosures, over a dozen bills were introduced in the Congress to rein in the NSA. [4] In May of 2014, the House passed a limited version of the USA Freedom Act, which shifted the burden for preserving phone records to telecommunication companies; notably, by the time the House voted on a final version, the bill had lost the support of privacy advocates and the technology community. [5] The Senate has not voted on the bill. [6]

The reform proposals vary in detail but mainly focus on 1) narrowing requirements for Section 215 collection orders; 2) increasing disclosure from the Foreign Intelligence Surveillance Court (FISC), the government, and companies compelled to produce records; and 3) reforming the FISC’s makeup and procedures. [7] The complexity of the competing interests makes reforming the entire process very difficult. For example, just one specific reform proposal—making hearings before the FISC an adversarial process—is littered with complicated constitutional and policy implications. []

In the upcoming Congress with majorities in both chambers, Republicans may choose to focus on the economy, national security, health care, and immigration and the border before deciding to tackle NSA reform. At the very least, cohesion is needed between the various positions espoused by party leaders. Key Republicans have staked positions ranging from complete overhaul, to minor reforms, to maintaining the status quo. [9] [10] [11] [12]

Additionally, recent turmoil in the Middle-East and the increased focus on terrorism may have dampened the swell of public anger with the surveillance programs. A common argument of program supporters is that the only demonstrable harm of the surveillance is the fact that collections occurred. [13] Whether that is true may be debatable; but a divided Congressional leadership and an uptick in anti-terrorism sentiment do not likely bode well for significant NSA reform in the Congress.

So it appears for now the issue is left to the courts. Two notable cases are currently before U.S. circuit courts. In the D.C. Circuit, a three-judge panel just heard oral arguments in Klayman v. Obama on November 4th. [14] In the 2nd Circuit, a three-judge panel heard oral arguments in ACLU v. Clapper on September 2nd. [15] The D.C. Circuit is considering a district court decision finding Section 215 likely unconstitutional, while the 2nd Circuit is considering a district court decision upholding the surveillance programs.

Both cases highlight the principal arguments of each side. The government argues that the plaintiffs in each case do not have standing because they cannot point to specific harm. The government next argues that the call history is voluntarily submitted to third party companies and is thus unprotected by legal interest. [16] For this argument the government relies on the 1979 Supreme Court case Smith v. Maryland, where the Court held that dialed phone numbers could be obtained by police without a warrant. [17] Finally, the government stresses in both cases that the collections are of metadata and not of content. [18]

The advocates argue that the pervasive and indiscriminate collection of data, approved by a court (the FISC) that only hears the government’s side of the argument, is in itself a violation of the Constitution. [19] They define the analysis of metadata as the equivalent of searching content. [20] The advocates also point to previous violations of FISC orders by the NSA as a key reason for stronger minimization procedures. [21]

Two proximate and likely distinguishable circuit court rulings could very well provoke consideration by the Supreme Court. In addition to those two cases, telecommunication companies have, while taking some criticism for complying with the records orders, also opposed the NSA programs in several instances. Facebook, Microsoft, Google, Yahoo, and Twitter have all challenged compulsion orders or fought for more disclosure. [22] [] [] [25] [26]

With comprehensive reform looking more complicated in Congress than last year after the Snowden disclosures, Americans will be anxious to see the pending opinions by the D.C. Circuit and 2nd Circuit Courts of Appeals.

[] ANDREW NOLAN ET AL., CONG. RESEARCH SERV., R43260, INTRODUCING A PUBLIC ADVOCATE INTO THE FOREIGN INTELLIGENCE SURVEILLANCE ACT’S COURTS: SELECT LEGAL ISSUES (2013).

Image courtesy of DonkeyHotey via Flickr (license)

Cyber Attacks and the Law of War: Decoding the Pentagon’s Response

The Pentagon recently stated it intends to treat sufficiently destructive cyber attacks as acts of war, subject to armed retaliation. In its report to the Congress, the Department of Defense (DoD) stated the use of armed force was on the extreme end of a continuum of policy choices rather than a default response. Yet the term “cyberwar” seems to imply the application of international humanitarian law (IHL) in the context of an armed conflict. Cyber attacks within an armed conflict, like those during the South Ossetia war of 2008, are problematic because organized crime and private citizens can more feasibly act on the basis of nationalist agendas rather than government direction. But most instances of cyber attacks against governments occur outside of armed conflict. Given most cyber attacks against American government infrastructure and websites occur outside of armed conflict and authorship of attacks is rarely certain, what are the implications of the DoD’s announced policy for the laws of war?

The first issue raised by “cyberwar” is whether a cyber attack can rise to the kind of attack indicative of war. War under IHL is conceptualized as the resort to protracted and intense armed force by two or more parties. Armed conflict is either between States, characterized as international armed conflict, or between States or armed groups operating inside a single State, referred to as non-international armed conflict. While the distinction can be ambiguous, both forms of conflict are characterized by the loss of life as a result of the commission of an attack. However, cyber attacks have yet to directly kill anyone. Cyberwarfare also raises the issues of what actions constitute an appropriate response to attacks, and to whom attacks should be attributed.

The DoD’s report provides the President with a wide array of options to confront cyber attacks, including intelligence, diplomacy, and law enforcement. For a cyber attack to rise to an act of war, it would have to trigger a self-defense claim, yet no war was started over a cyber attack, including those that caused widespread disruption in Estonia. The DoD report mentions cyber attacks meriting an armed response but mentions attacks that disable or damage vital infrastructure. IHL governs the conduct of the war rather than the beginning of the war. Assuming a cyber attack occurs within armed conflict, it can be met with force and considered a war crime if it violates IHL. Such acts typically involve indiscriminate or disproportionate attacks upon a protected population or property. Interpretation will be necessary because none of the treaties which compose the body of IHL refer to cyber attacks, and the only international treaty governing cyber attacks addresses it as a crime issue. States could issue proportionate reprisals to respond to a cyber attack that violated IHL in order to deter future violations as a last resort, made from the highest level of government. On the other hand, any automatic use of armed force to respond to any cyber attack outside of armed conflict is an act of aggression, because it would involve using force in the territory of another State in violation of that State’s sovereignty. The target could be a residential area or an internet café, likely resulting in substantial collateral damage. Unless the cyber attack was catastrophic, an armed response to a cyber attack would likely start a war or international controversy.

In the event a cyber attack is the catalyst for a war or is carried out in the context of armed conflict, the DoD report highlights multiple policy options prior to the use of force. The strategy it outlines focuses on deterrence and international cooperation in cultivating the growth of international law regulating cyberspace. Other States like Russia have adopted similar policies. Deterrence is questionable in practice. Cyber attacks can be and are perpetrated by third parties acting for various reasons without State direction. To assign legal responsibility to a State for the cyber attacks of third parties, the injured State would have to prove those third parties were essentially organs of the accused State, acting at that State’s direction and on its behalf. In the alternative, the injured State would have to apply a standard focusing on the degree of control by the State, such as funding, legal and practical support. Effective deterrence involves dissuading third parties and potential State sponsors, which the DoD seeks to do through conventional means like law enforcement, intelligence, and international cooperation. Ultimately, the DoD announcement is about recognizing the emergence of a new theater of operations in cyberspace, not rewriting international humanitarian law.