Default Gateway to Electronic Subversion: American Security in the Digital Age
Hi, all. This is a paper I wrote for one of my grad school classes on the subject of Cyber Security. I figure it may be of interest to some of you, so I’ve decided to post it here as a blog post. This will probably be familiar to some of you, as I turned most of this paper into a script for a video at one point. Anyways, if you’re nerdy and like policy stuff, you may enjoy it.
“The worst of all conditions in which a belligerent can find himself is to be utterly defenseless.” – Carl von Clausewitz, On War[i]
The invention of the personal computer and the expansion of the internet have brought unparalleled prosperity and progress to the world. They have revolutionized the way the world does business and the way people communicate with each other. Customers are no longer limited to purchasing goods and services from whatever stores happen to be within a reasonable driving distance, but instead can order from online stores based half a world away. People and businesses can use the internet to communicate with each other through text, audio, or video in real time. Large amounts of information can be passed across the world in record time: what once might have taken hours, days, or weeks to transport across the world can now be sent in minutes or seconds. The number of internet users throughout the world has skyrocketed – from 250 million in 2000 to over 2 billion by the end of 2010, according to the UN’s International Telecommunication Union[ii] – and will grow even higher as mobile internet becomes cheaper and more commonplace.
The world has become increasingly dependent on the speed and interconnectivity that the internet allows, be it for the average person to stay in touch with old friends through Facebook or for a business based in New York to communicate with clients in Honolulu via secure video conferencing or VoIP software. Even the venerable news industry has been greatly affected by the advent of the internet, with private citizens armed with nothing more than an internet connection and a cell phone camera able to capture and upload events of great import for the whole world to see mere moments after they have occurred. Governments rely on the internet for a variety of critical tasks, be it to disseminate information about upcoming legislation or possible terrorist threats, or to facilitate communication with their armed forces. The modern world has been shaped and guided by the expansion of the internet, and one can scarcely imagine the world today without it.
This interconnectivity and dependence has come with a price. It has created massive vulnerabilities that governments, corporations, and the average internet user are ill-prepared to combat. As one of the most wired, open, and internet-dependent countries in the world, the United States faces a greater challenge than less developed or less open countries might. While the United States might have more resources to draw on for an offensive cyber operation, closed, authoritarian societies such as the People’s Republic of China (with its draconian censorship policies and its so-called ‘Great Firewall’) or the Democratic People’s Republic of Korea have less to fear from a cyber-attack than the heavily connected countries of the West. Cyber-attacks can come from a myriad of actors: other states, organized criminal groups, terrorist networks, or lone individuals.
Determining which one of these actors may be responsible for a specific attack is a daunting task. Kinetic attacks typically leave some sort of trail – be it a wire transfer, video surveillance taken of the perpetrators, or a launch trajectory from a rocket. Cyber-attacks are notoriously difficult to attribute to whoever carried them out: an attack carried out on the Department of Defense or the New York Stock Exchange could be “the work of a national government or a 14-year-old hacker in Shanghai or Moscow”[iii]. Any retaliation carried out by the United States for a cyber-attack could easily be aimed at an innocent party, damaging the security interests and credibility of the United States.
Tens of millions of dollars are spent by private firms, government agencies, and private citizens on protecting themselves from cyber-attacks each year. Speaking to an audience of industry experts at the 2010 Black Hat conference in Las Vegas, General Michael Hayden, former director of the CIA and the NSA, said of cyber security:
You guys made the cyberworld look like the north German plain–and then you bitch and moan because you get invaded. We made it flat. We gave all advantages to the offense. The inherent geography in this domain plays to the offense. There’s almost nothing inherent in the domain that plays to the defense.[iv]
No matter how much time, effort, and money is spent on cyber security, there will always be glaring vulnerabilities waiting to be exploited, and the advantage will always go to the attacker.
Even the most comprehensive, well-defended system can and will be compromised if its users are unaware of basic security measures. Users who rely on easy-to-guess or oft-repeated passwords, fail to regularly install security updates and fixes, or browse and download from unsafe sites can easily infect a secure network or a home PC, or allow outside access to it, compromising the security and reliability of the data contained within. Users can easily infect their computers with keyloggers that will record and transmit every keystroke to a third party. Users can also become unwitting accomplices in cyber-attacks aimed at other users or networks if they become infected with hidden software that allows hackers to use their computers as a “bot” or a “zombie computer” joined with “thousands, if not millions, of others around the world to create a ‘botnet’ … used to send spam, spread malware or launch distributed denial-of-service (DDoS) attacks” to take down a third party’s network[v].
Criminal gangs of hackers have no shortage of ways to make money on the internet by defrauding users or by penetrating their systems. Traditional illegal moneymaking ventures such as identity theft or extortion have found new life on the internet and can generate vast sums of money for criminal enterprises to use as they will. Other criminals have taken advantage of entirely new markets that have sprung up as a result of the internet. The advent of Massively Multiplayer Online Role Playing Games (MMORPGs) such as World of Warcraft (WoW), EverQuest, and Ultima Online has led to the creation of marketplaces (usually prohibited by these games’ Terms of Service agreements) dedicated to the sale and transfer of digital, in-game goods and services for real-world currency. Enterprising hackers “have been surreptitiously installing keylogging software on WoW players’ Windows computers, hijacking their accounts and selling off their often valuable in-game assets”[vi] through these new online marketplaces. A 2009 World Bank report estimates that these marketplaces earn roughly $3 billion a year, with roughly $334 million of that going to hackers[vii]. This revenue could easily be used to fund further cyber-attacks or real-world criminal activity.
The borderless nature of the internet makes it exceedingly difficult for criminals or cyber terrorists – even if properly identified – to be brought to justice. Groups such as Anonymous and LulzSec have often turned to cyber-attacks to further their own ideological goals. Support for organizations such as WikiLeaks inspired Anonymous to launch multiple DDoS attacks aimed at corporations like Visa and MasterCard that refused to allow customers to donate money to WikiLeaks (dubbed “Operation Payback”)[viii], and to threaten to stalk and harass specific government employees in retaliation for PFC Bradley Manning’s treatment at Quantico (dubbed “Operation Bradical”)[ix]. These ideologically motivated hackers (often referred to as “hacktivists”) represent a unique challenge due to their decentralized and global nature. Membership is fluid, as supporters will often join in to support one cause, splinter off to form sub-groups with their own specific aims, and then rejoin the rest at a later date.
There is no shortage of clever (or bored) individuals who may stumble upon vulnerabilities that both an end user and a software or hardware creator are unaware of, or circumvent security measures previously deemed robust and reliable. Vulnerabilities are not even limited to computers connected over the internet. Jay Radcliffe, presenting at the 2011 Black Hat conference, demonstrated that he had “reverse-engineered the proprietary wireless communication system between the glucose meter and [an insulin] pump,” which “would allow an attacker to manipulate the diabetic’s insulin injections and could possibly be used to kill the pump user.”[x] While the average hacker or cybercriminal most probably lacks the level of moral depravity necessary to murder a diabetic with their own insulin pump, the fact that this sort of attack is technically feasible is alarming in its own right. While not a cyber-attack in the strictest sense, the alarming ease with which a team from Argonne National Laboratory was able to read and alter voting information entered into a Diebold AccuVote TS machine from almost half a mile away using only twenty-six dollars and “eighth-grade science project” skills demonstrates that even our most basic and time-honored democratic systems could be threatened by hackers with access to cheap technology[xi].
Attacks carried out in the cyber realm are not limited to inflicting damage in the cyber realm, but can actually cause real physical damage to property, lives, and critical infrastructure. One of the first (and best-known) instances of this occurred in July of 1982, when the CIA “supplied the Soviet Union with faulty software that eventually led to a major pipeline disaster” in Siberia[xii]. This faulty software, according to former Secretary of the Air Force Thomas C. Reed, was “programmed to let [the pipeline] run for four or five months” before failing, resulting in an (unintended) explosion estimated by the Air Force at nearly 3 kilotons[xiii]. In March of 2007 the Department of Homeland Security carried out what has become known as the ‘Aurora experiment’ at the Idaho National Laboratory. Government researchers “[hacked] into a replica of a power plant’s control system … changed the operating cycle of the generator, sending it out of control”[xiv]. Hackers (be they state-affiliated or not) could use the internet to shut down critical infrastructure during a time of war or as part of a terrorist attack against the United States. An attack on America’s power grid or water system (or any other crucial infrastructure) could leave the country paralyzed for weeks, leading to grave consequences for the economy or even resulting in the loss of life.
Cyberspace is increasingly becoming the “fifth domain” of warfare – following “land, sea, air, and space” as a realm where states vie for power and control[xv]. The People’s Republic of China has taken this lesson to heart, carrying out an astonishing number of cyber-attacks against private citizens, business interests, and other governments – including the United States – over the past decade. The first of these attacks – dubbed Titan Rain – successfully infiltrated “secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank” as well as “hundreds of Defense Department computer systems” making off with data ranging from “hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter” to “specs for the aviation-mission-planning system for Army helicopters”[xvi]. The Aurora attacks of late 2009 and early 2010, originally revealed by Google to have “penetrated the Gmail accounts of Chinese human rights advocates in the United States, Europe and China” reportedly targeted an additional 33 companies, primarily “companies in strategic industries in which China is lagging”: namely, corporations that specialize in defense and high technology[xvii]. Finally, many security professionals believe that China is behind a series of attacks[xviii] – dubbed Operation Shady RAT – which infiltrated over seventy-two different targets, forty-nine of them in the United States alone[xix].
The May 2007 cyber-attack on Estonia and the 2008 cyber-attacks on Georgia during the South Ossetia war – both rumored to have taken place with either direct authorization or tacit permission from Moscow – offer a glimpse at how cyber-attacks may be used against other states in a time of diplomatic or military conflict. Both attacks blocked access to multiple government websites, financial institutions, news agencies and various other websites, primarily through the use of coordinated DDoS attacks[xx][xxi][xxii]. Paralyzing cyber infrastructure through a coordinated series of DDoS attacks – relatively simple to carry out – could bring a nation as internet-dependent as the United States to a crawl. Citizens could find themselves unable to access their bank accounts, pay their bills online or carry out many of the other activities they engage in, weakening the economy. The ability of the government to communicate effectively with its citizens could also be placed at risk if government websites were shut down or if the media were effectively targeted.
While the DDoS attacks aimed at Estonia and Georgia were damaging, they are relatively simple attacks that are more likely to harass and annoy than to cause serious, long-term damage to a country or to specific systems. The W32.Stuxnet worm represents an evolution of cyber-warfare; allegedly created by some combination of American, British, or Israeli experts, this finely tuned piece of malware was apparently directed at five specific targets in Iran[xxiii]. According to Symantec, Stuxnet “can potentially control or alter how the system operates” by infecting an industrial system’s “Programmable Logic Controllers (PLCs)”[xxiv]; Stuxnet is believed to have altered the PLCs of Iranian nuclear centrifuges to spin fast enough “to send the centrifuges flying apart”[xxv]. This highly effective attack – apparently aimed at disrupting Iranian nuclear production – may have opened the floodgates for similar attacks on other governments or industries in the future.
A cyber-attack from an enemy state may not even come from an internet-connected computer that has been compromised or from an infected flash drive, but could potentially be built into the very hardware of a sensitive or critical system itself. The United States is highly dependent upon computer hardware built by foreign companies, as “only one-fifth of all computer chips” and “just one-quarter of the chips based on the most advanced technologies” are built in domestic facilities[xxvi]. Retired four-star General Wesley Clark and Peter Levin wrote at great length in a 2009 Foreign Affairs article about this (and other) potential scenarios. They wrote that deliberately faulty or modified hardware “is almost literally a time bomb, because the corruption occurs well before the attack” and can be triggered remotely at any time[xxvii]. Hardware modified in this way could be programmed to fail when triggered by a specific command or on a certain date. Entire networks could easily be compromised, either not working at all, reporting faulty data, or even allowing an enemy state total access to these systems during a wartime scenario.
Speaking at the International Conference on Cyber Security 2010 in New York, FBI Director Robert Mueller said:
We in the FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real, and is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward coupling physical attacks with cyber attacks.[xxviii]
The threat and the potential risks have been clearly identified – not just by Director Mueller, but by countless others for well over a decade. While government and industry experts have repeatedly warned against the panoply of cyber-threats facing the United States and its citizens, the federal government’s response has been lackluster at best. In 2002 Congress enacted the Federal Information Security Management Act (FISMA), which:
… requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[xxix]
This well-intentioned but flawed piece of legislation attempted to set a government-wide standard to address the glaring problems in governmental network security. Many, such as former federal chief information officer Vivek Kundra, argued that “the FISMA measures reported on annually have led agencies to focus on compliance,” while others say that departments must implement a “performance-based model that focuses on continuous monitoring and managing real risks”[xxx]. Despite multiple calls for reforming FISMA in recent years, the proposed Federal Information Security Amendments Act of 2010 (sponsored by Democratic Rep. Diane Watson of California) never reached a floor vote in the House[xxxi], and the Executive Cyberspace Coordination Act of 2011 (sponsored by Democratic Rep. James Langevin of Rhode Island) is still tied up in committee after seven months[xxxii].
There is also a great deal of confusion about what FISMA actually does. Former Air Force CIO John Gilligan believes “FISMA’s implementation is to blame” due to the “emphasis on adopting an impossibly large catalog of security controls without focusing on high-priority items … [leading to] a scatter-shot approach to security.”[xxxiii] Congress’s grading of FISMA implementation further complicates matters. Many critical government agencies have repeatedly received abysmal rankings on the FISMA annual security report card prepared by the House Government Reform Committee; for instance, the Department of Homeland Security (nominally in charge of securing the civilian side of the government from cyber-attacks) received an “F” from 2003 to 2007[xxxiv] while the Department of Defense finally rose from an “F” to a “D-“ in 2007[xxxv]. However, Gilligan points out that these grades focus on “characteristics that are easily measured but have little correlation to actual security”[xxxvi].
Furthermore, there is little if any explanation given as to how these grades are determined and what metrics are involved. Does the Department of Defense’s former “F” grade signify that it is absolutely defenseless and ripe for the taking by any cyber-attacker, or did it merely fail to meet some arbitrary and poorly defined standard set by a congressional staffer responsible for drawing up the report card from year to year? These “standards” are an absolutely horrendous way to measure and track actual security objectives within the federal government’s executive agencies and seem to have no other purpose than to elicit a terrified response from the news media or various pundits. Nowhere in the FISMA legislation does it require or even suggest an “annual report card” and neither is it meant to serve as a grading mechanism for how the departments are doing[xxxvii]. Expecting Congress to approach a problem with a rational, calm, and mature mindset might seem quaint in this day and age, but baseless and meaningless grades do nothing but obfuscate the real issues surrounding cyber-security and do nothing to make anyone safer. If Congress wishes to monitor and rank executive agencies based on cyber security, they should be encouraged to do so; however, slapping an “F” or an “A” on the side of the Pentagon with absolutely no context or explanation as to why they have earned this grade does nothing to inform and educate the citizenry, nor will it lead to positive changes that any intelligent and competent elected official would actually wish to see implemented.
It is easiest to understand the American government’s approach to cyberspace if one divides it into three distinct realms: .gov (the civilian portion of government), .mil (military and intelligence), and .com (the private sector). A number of different agencies have been tasked with protecting the United States and its citizens from cyber-attack, dealing primarily with the .gov and .mil realms. These agencies are guided by overarching policies such as FISMA, by guidelines set down by the President of the United States, and by legislation from Congress. The .com world, however, has been largely left to its own devices and expected to fend for itself. The Department of Homeland Security believes “the private sector is best equipped and structured to respond to an evolving cyberthreat”[xxxviii], while other experts believe that both the Department of Defense and DHS lack any ability to properly defend .com[xxxix]. While the federal government has involved itself in many serious cases, security and protection is typically left to private corporations such as Symantec or Kaspersky as well as to the average end user. While understandable given the scarcity of resources and manpower available to the federal government, this alarming gap in security for what effectively amounts to the heart of America’s economic well-being should disturb any policy maker.
Securing the .gov realm falls under the auspices of the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which is “charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners”[xl]. US-CERT, “the operational arm of the National Cyber Security Division … [serves] as the federal government’s cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace”[xli] and coordinates its operations with multiple other federal agencies, international partners, and private enterprise[xlii]. One of the most important programs US-CERT is responsible for is the EINSTEIN Program, which:
… is an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government so that Federal agencies will be aware, in near real-time, of the threats to their infrastructure and can act swiftly to take corrective measures.[xliii]
Through EINSTEIN (and its successor, EINSTEIN 2.0[xliv]) US-CERT has sought to coordinate detection of and response to cyber-attacks aimed at Federal agencies.
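The paper describes EINSTEIN only at the level of “collecting, correlating, analyzing, and sharing” security information across agencies, and nothing here describes how the real system does that. The following is an added illustration, not EINSTEIN’s code or any DHS product, of what that cross-agency correlation buys a defender that a single agency’s view does not: a destination that hosts in two different agencies contact at a fixed interval (beaconing) is suspicious even when each agency’s own traffic looks unremarkable. The flow records, agency names, and IP addresses (documentation ranges from RFC 5737) are constructed for the example, and the beacon test (low variance in the gaps between flows) is a simplification chosen here, not an EINSTEIN signature.

```python
"""
Added example: correlating NetFlow-style records from several agencies to
find a shared beacon destination. Hypothetical data and thresholds; this is
not EINSTEIN's implementation.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, not real traffic:
# (agency, flow_start_seconds, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # two agencies, two hosts, same external address every 600 s (beaconing)
    ("agency-a", 0,    "10.1.0.5", "203.0.113.7", 443, 512),
    ("agency-a", 600,  "10.1.0.5", "203.0.113.7", 443, 520),
    ("agency-a", 1200, "10.1.0.5", "203.0.113.7", 443, 508),
    ("agency-a", 1800, "10.1.0.5", "203.0.113.7", 443, 515),
    ("agency-b", 30,   "10.2.0.9", "203.0.113.7", 443, 498),
    ("agency-b", 630,  "10.2.0.9", "203.0.113.7", 443, 503),
    ("agency-b", 1230, "10.2.0.9", "203.0.113.7", 443, 511),
    ("agency-b", 1830, "10.2.0.9", "203.0.113.7", 443, 509),
    # ordinary browsing: irregular timing, mostly one agency
    ("agency-a", 10,   "10.1.0.6", "198.51.100.20", 443, 9000),
    ("agency-a", 45,   "10.1.0.6", "198.51.100.20", 443, 12000),
    ("agency-a", 1700, "10.1.0.6", "198.51.100.20", 443, 3000),
    ("agency-c", 0,    "10.3.0.2", "198.51.100.20", 443, 20000),
]


def group_by_destination(flows):
    """Map dst_ip -> agency -> sorted list of flow start times."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for agency, start, _src, dst, _port, _nbytes in flows:
        by_dst[dst][agency].append(start)
    for agencies in by_dst.values():
        for times in agencies.values():
            times.sort()
    return by_dst


def beacon_interval(times, min_flows=4, max_cv=0.2):
    """Return the mean gap between flows if the timing looks periodic, else None.

    Periodicity is judged by the coefficient of variation (stdev / mean) of
    the gaps between consecutive flows; human browsing has large variance,
    a timer-driven implant has very little.
    """
    if len(times) < min_flows:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_cv:
        return None
    return avg


def find_shared_beacons(flows, min_agencies=2, min_flows=4, max_cv=0.2):
    """Alert on destinations that hosts in at least min_agencies beacon to."""
    alerts = []
    for dst, agencies in group_by_destination(flows).items():
        hits = {}
        for agency, times in agencies.items():
            interval = beacon_interval(times, min_flows, max_cv)
            if interval is not None:
                hits[agency] = interval
        if len(hits) >= min_agencies:
            alerts.append({
                "dst": dst,
                "agencies": sorted(hits),
                "interval_s": round(mean(hits.values())),
            })
    # most widely shared indicators first
    return sorted(alerts, key=lambda a: (-len(a["agencies"]), a["dst"]))


def notifications(alerts, all_agencies):
    """The 'sharing' step: agencies already seen beaconing get a 'confirmed'
    notice; every other participating agency gets a 'watch' notice so it can
    look for the same destination in its own traffic."""
    out = []
    for alert in alerts:
        for agency in sorted(all_agencies):
            status = "confirmed" if agency in alert["agencies"] else "watch"
            out.append((agency, alert["dst"], status))
    return out


if __name__ == "__main__":
    found = find_shared_beacons(SAMPLE_FLOWS)
    for a in found:
        print(f"shared beacon to {a['dst']} every ~{a['interval_s']}s "
              f"from {a['agencies']}")
    for notice in notifications(found, {f[0] for f in SAMPLE_FLOWS}):
        print(notice)
```

On the constructed data only 203.0.113.7 is flagged: each of agency-a and agency-b sees four flows to it spaced exactly 600 seconds apart, while 198.51.100.20 fails both the flow-count and the regularity test. Note that agency-c never contacted the flagged address, yet it still receives a “watch” notice, which is the point of pooling the records in one place rather than leaving each agency to look only at its own.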
It is important to note that US-CERT has no actual enforcement powers of its own, as it “does not have an intelligence or law enforcement mission”[xlv]; in the event of a penetration it will “notify that law enforcement or intelligence entity of the event and [provide] them with contact information so they can coordinate directly with the affected participating federal agency.”[xlvi] Separating any actual ability to respond to or investigate a cyber-attack on the federal government from the agency given primary responsibility for monitoring and detecting these threats in real time seems unwise, ineffective, and unlikely to provide the results demanded of the civilian cyber security establishment by the American citizen. If the goal is the ability to respond to threats in real time, requiring the agency charged with detection to pass a memo along to other agencies (some not even in the same federal department) instead of giving it the authority to respond itself appears to be an exercise in futility and bureaucratic time wasting. Effective communication and coordination is not the forte of the federal government even when it is communicating within itself; expecting this process to be carried out in real time within the byzantine world of the interagency process is foolhardy. It would be far simpler either to give US-CERT the ability to respond or to turn EINSTEIN over to an agency that already has this authority.
Responsibility for protecting the .mil world falls to two agencies: the NSA’s Information Assurance Directorate (IAD) and the newly formed United States Cyber Command (CYBERCOM). While both are headed by the same person in a dual-hat role, they carry out different functions. The IAD is primarily responsible for securing and protecting the computer networks of the national security sector by “[providing] products and services to secure national security systems” at a cost of just under a billion dollars a year[xlvii]. The IAD’s activities range from detecting and defending critical DoD networks against outside attack[xlviii] to instructing DoD officials on how to safely use “several mobile devices popular with DoD customers including iPod, Droid, and Blackberry” without unwittingly exposing secure data or systems to outside penetration[xlix]. IAD safeguards critical data to prevent it from falling into the wrong hands and works to ensure that important military and national security systems will remain operational in the event of a crisis. It also offers some assistance to the .gov and .com realms, although IAD’s raison d’être remains the protection of the American national security cyber infrastructure.
CYBERCOM – a subcommand of USSTRATCOM created in 2009 – replaced the Joint Task Force – Global Network Operations (JTF-GNO) and the Joint Functional Component Command – Network Warfare (JFCC-NW) that had preceded it as DoD’s primary cyber war centers[l], and integrated several service components directly related to cyber war[li]. Deputy Defense Secretary William Lynn III clearly established that CYBERCOM has no authority or responsibility outside the .mil world, stating that the “command would not be responsible for the security of civilian computer networks outside the Defense Department.”[lii] CYBERCOM’s creation is most probably due to the perceived gravity of the threats originating from both the Russian Federation and the People’s Republic of China[liii] in recent years and the numerous attacks aimed at DoD networks every day.
Despite these efforts, General Keith Alexander (Director of NSA and head of CYBERCOM) testified to Congress that the military “does not have the trained personnel or the legal authorities it needs to respond to a computer-based attack on America or its allies”[liv] and wrote that there is a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”[lv] This is especially troubling given DoD’s recent policy decision that “computer sabotage coming from another country can constitute an act of war … [opening] the door for the U.S. to respond using traditional military force.”[lvi] Where is the line drawn? If the Russian Federation is deemed to be behind another cyber-attack on a NATO ally such as Estonia, should that ally expect that an invocation of Article 5 of the Washington Treaty would be honored by the United States government? Would the Pentagon be authorized to respond immediately to a cyber-attack as if it were a kinetic attack, or would it need to seek approval from the White House or Congress first?
The computer networks of the United States have been compromised, penetrated, and corrupted in the past. They are being compromised and penetrated now, and they will be compromised and penetrated in the future. A total defense against enemy intrusion into secure networks is impossible; a determined and capable enemy will eventually find its way into any network, no matter how well defended. While fighting off intrusion by enemy actors (be they state-based, criminals, or terrorists) is important and necessary, it will not always work and should not be the only focus of cyber-security. A robust, multi-pronged approach is necessary for the United States to remain secure in this new environment. Robust redundancies must be built into critical infrastructure and key components to give them the ability to survive and adapt to cyber-attacks, and contingencies must be put in place for how the government should respond if key systems such as the electrical grid or financial institutions are taken out by an attack.
Agencies responsible for cyber security must be given clear legal guidelines as to their authority to investigate and respond to attacks. As cyber capabilities become increasingly potent and devastating, those in charge of American security need to know exactly under what circumstances they are allowed to respond and what they are allowed to respond with. If an attack on a critical network is detected, law enforcement, intelligence, and DoD should be given the authority to “hack back” and trace the attack to its source, even if it means they must penetrate domestic, American-owned networks to do so. While there is an understandable privacy concern, law enforcement personnel are already able to conduct warrantless searches when exigent circumstances[lvii] exist. Similarly, the government should have the authority to trace an attack through American servers back to its source without first acquiring a warrant if there is probable cause.
A more difficult issue is what the United States should do if it traces an attack back to another country. If an attack against the United States or its allies was conducted by Chinese nationals without the authority of the People’s Republic, the United States may be absolutely powerless to respond directly: the People’s Republic is unlikely to extradite these criminals to American custody, and the United States would have limited options as to how it should respond. In the case of another cyber-war aimed at a NATO ally such as Estonia, the American government could conceivably be forced into a situation where it employs lethal force, potentially starting a lengthy and costly war. There is always the possibility that enemy states or terrorist groups could attempt to provoke a war by attacking the United States and making a third party appear responsible. Conversely, the existence of “hacktivist” groups could provide hostile states with a level of plausible deniability if they contracted out cyber-attacks to these groups instead of launching them themselves.
The weakest link in any cyber security system will almost always be the person sitting in front of the computer. Individuals are often unaware of even the most basic safety techniques to protect their computers and networks from intrusion and subversion. Despite constant warnings from network administrators and even from computer software itself, people still use easy-to-guess passwords – such as their birthday or the name of their son – to protect their systems. A fifteen-year-old using their parents’ credit card to purchase something from an insecure website can inadvertently fund a criminal network or find their computer infected with malware that can be used in a coordinated botnet attack against a major corporation or a government agency. A government employee at a sensitive facility could connect a contaminated USB thumb drive to a secure network, defeating carefully established firewalls or even infecting systems not connected to the internet.
The private sector is mostly left to fend for itself against cyber-attacks; citizens rely upon products from private firms such as Kaspersky or McAfee to secure their networks and data. Private companies are often loath to report breaches of network security, to avoid any potential loss of business that may come as a result, leaving the true extent of cyber-crime unknown. Even if individuals and corporations reported these incidents, local and state law enforcement agencies are unlikely to have the resources or expertise to handle any but the most serious, high-profile crimes. Even if a federal agency existed to deal with these crimes, it would be hard to imagine any agency spending the resources necessary to track down every bored teenager in Eastern Europe who decides to DDoS a local bank or hack someone’s World of Warcraft account.
Simply put, the government will not be able to protect its citizens from cyber-attacks in the same way it can protect its citizens from kinetic attacks or from regular criminal activity. Increased public-private partnership will be necessary to address this threat. While the government can and should do more on the law enforcement front, the government must also work with private corporations both to develop a greater understanding of the severity and volume of cyber-crimes affecting the private sector and to develop methods of ameliorating the problem. More time and energy need to be spent on educating citizens of all ages and walks of life on the dangers of the internet and on proper safety techniques to limit their vulnerability to malicious parties that seek to prey on their weakness and ignorance. Security techniques and measures must be taught in the classroom alongside traditional computer skills such as using e-mail or Microsoft Office. The government and the private sector must rely upon their unique strengths and coordinate their efforts; while the government has vast resources at its disposal, the private sector has simply had to deal with cyber-security as a real and serious threat for far longer. The government must combine its resources with the security expertise that industry leaders can provide.
While total defense of the Internet is impossible, the United States must do as much as it can to protect this vital national resource from attack. A well-coordinated cyber-attack on critical infrastructure could cripple the economy, result in the destruction of lives or property, or hinder the ability of the American military to carry out kinetic missions throughout the world. As technology matures and grows, attacks will become ever more sophisticated; so too must the American response. Redundancies and contingencies for the worst-case scenarios must be developed lest the United States be caught unawares and unprepared. The well-being and survival of the United States is intimately linked with the ability of its citizens, corporations, and government agencies to freely use the internet and cyberspace. A direct attack on this ability would be a grave threat to the United States and would throw the nation into unbelievable chaos. The United States cannot afford to sit idly by, complacent in a false sense of security, while the rest of the world prepares for war in the fifth domain.
[i] (Clausewitz 1984, 77)
[ii] (AFP 2011)
[iii] (McCullagh 2010)
[iv] (McCullagh 2010)
[v] (The Economist 2010)
[vi] (Terdiman 2007)
[vii] (Lehdonvirta and Ernkvist 2011)
[viii] (Bryan-Low and Grundberg 2010)
[ix] (Greenberg 2011)
[x] (McGlaun 2011)
[xi] (Vamosi 2011)
[xii] (French 2004)
[xiii] (Kettmann 2004)
[xiv] (Meserve 2007)
[xv] (The Economist 2010)
[xvi] (Thornburgh 2005)
[xvii] (Cha and Nakashima 2010)
[xviii] (Finkle 2011)
[xix] (Alperovitch 2011)
[xx] (Markoff, Before the Gunfire, Cyberattacks 2008)
[xxi] (Clover 2009)
[xxii] (Traynor 2007)
[xxiii] (Fildes 2011)
[xxiv] (Falliere 2010)
[xxv] (Broad and Sanger 2010)
[xxvi] (Markoff, Old Trick Threatens the Newest Weapons 2009)
[xxvii] (Clark and Levin 2009)
[xxviii] (Mueller III 2010)
[xxix] (NIST Computer Security Division 2010)
[xxx] (Jackson 2010)
[xxxi] (Watson 2010)
[xxxii] (Langevin 2011)
[xxxiii] (Jackson 2010)
[xxxiv] (Broache 2007)
[xxxv] (House Oversight and Government Reform Committee 2008)
[xxxvi] (Jackson 2010)
[xxxvii] (United States Code 2002)
[xxxviii] (United States of America 2003, ix)
[xxxix] (Clark and Knake 2010, 43-44)
[xl] (Department of Homeland Security 2009)
[xli] (US-CERT n.d.)
[xlii] (Department of Homeland Security 2009)
[xliii] (Department of Homeland Security 2004)
[xliv] EINSTEIN 2.0 is designed to provide real-time data on network intrusions. (CNN 2008)
[xlv] (Tueffel 2008, 12)
[xlvi] (Ibid., 13)
[xlvii] (Hoover 2010)
[xlviii] (Department of Defense 2011, 6)
[xlix] (Ibid., 5)
[l] (Secretary of Defense 2009, 2)
[li] (USSTRATCOM 2011)
[lii] (Jackson, DOD creates Cyber Command as U.S. Strategic Command subunit 2009)
[liii] (P. Jackson 2010)
[liv] (The Associated Press 2011)
[lv] (Alexander 2009, 9)
[lvi] (Gorman and Barnes 2011)
[lvii] The 9th Circuit Court of Appeals defined an exigent circumstance as: “We define exigent circumstances as those circumstances that would cause a reasonable person to believe that entry (or other relevant prompt action) was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.” (United States v. McConney 1984)
United States v. McConney. 728 F.2d 1195 (United States Ninth Circuit Court of Appeals, February 10, 1984).
AFP. “Number of Internet users worldwide reaches 2 bln: UN.” Google News. January 26, 2011. http://www.google.com/hostednews/afp/article/ALeqM5iL3JD4qYM6YTkh7BSVMHUn2z7qFg (accessed September 26, 2011).
Alexander, Keith. “Advance Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command.” Senate Armed Services Committee. 2009. http://armed-services.senate.gov/statemnt/2010/04%20April/Alexander%2004-15-10.pdf (accessed October 15, 2011).
Alperovitch, Dmitry. “Revealed: Operation Shady RAT.” McAfee. August 2, 2011. http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf (accessed October 5, 2011).
Broache, Anne. “Homeland Security finally transcends F cybersecurity grade.” CNET News. April 12, 2007. http://news.cnet.com/Homeland-Security-finally-transcends-F-cybersecurity-grade/2100-7348_3-6175666.html (accessed October 1, 2011).
Broad, William J., and David E. Sanger. “Worm Was Perfect for Sabotaging Centrifuges.” The New York Times. November 18, 2010. http://www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html (accessed September 25, 2011).
Bryan-Low, Cassell, and Sven Grundberg. “Hackers Rise for WikiLeaks.” The Wall Street Journal. December 8, 2010. http://online.wsj.com/article/SB10001424052748703493504576007182352309942.html (accessed September 19, 2011).
Cha, Ariana Eunjung, and Ellen Nakashima. “Google China cyberattack part of vast espionage campaign, experts say.” The Washington Post. January 14, 2010. http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html (accessed October 14, 2011).
Clark, Richard A., and Robert K. Knake. Cyber War. New York: HarperCollins, 2010.
Clark, Wesley K., and Peter L. Levin. “Securing the Information Highway: How to Enhance the United States’ Electronic Defences.” Foreign Affairs. November/December 2009. http://www.foreignaffairs.com/articles/65499/wesley-k-clark-and-peter-l-levin/securing-the-information-highway (accessed October 10, 2011).
Clausewitz, Carl von. On War. Translated by Michael Howard and Peter Paret. Princeton: Princeton University Press, 1984.
Clover, Charles. “Kremlin-backed group behind Estonia cyber blitz.” Financial Times. March 11, 2009. http://www.ft.com/intl/cms/s/0/57536d5a-0ddc-11de-8ea3-0000779fd2ac.html#axzz1c8gI2i5C (accessed October 13, 2011).
CNN. “Homeland Security seeks cyber counterattack system.” CNN.Com. October 4, 2008. http://articles.cnn.com/2008-10-04/tech/chertoff.cyber.security_1_chertoff-government-cyberspace?_s=PM:TECH (accessed October 5, 2011).
Department of Defense. “NSA FY 2012 Budget Request.” SNaP Information Technology. 2011. https://snap.pae.osd.mil/snapit/ReportOpen.aspx?SysID=PB2012_NSA (accessed October 9, 2011).
Department of Homeland Security. “Privacy Impact Assessment EINSTEIN Program.” DHS.gov. September 2004. http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf (accessed September 29, 2011).
—. “Protecting Our Federal Networks Against Cyber Attacks.” DHS.gov. June 4, 2009. http://www.dhs.gov/files/programs/gc_1234200709381.shtm (accessed September 27, 2011).
Falliere, Nicolas. “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems.” Symantec. August 19, 2010. http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices (accessed October 10, 2011).
Fildes, Jonathan. “Stuxnet virus targets and spread revealed.” BBC News. February 15, 2011. http://www.bbc.co.uk/news/technology-12465688 (accessed September 18, 2011).
Finkle, Jim. “‘State actor’ behind slew of cyber attacks.” Reuters. August 3, 2011. http://www.reuters.com/article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803 (accessed October 1, 2011).
French, Matthew. “Tech sabotage during the Cold War.” Federal Computer Week. April 26, 2004. http://fcw.com/articles/2004/04/26/tech-sabotage-during-the-cold-war.aspx?sc_lang=en (accessed September 29, 2011).
Gorman, Siobhan, and Julian E. Barnes. “Cyber Combat: Act of War.” Wall Street Journal. May 31, 2011. http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html (accessed October 15, 2011).
Greenberg, Andy. “Anonymous Hackers Target Alleged WikiLeaker Bradley Manning’s Jailers.” Forbes. March 7, 2011. http://www.forbes.com/sites/andygreenberg/2011/03/07/anonymous-hackers-target-alleged-wikileaker-bradley-mannings-jailers/ (accessed September 27, 2011).
Hoover, Nicholas J. “NSA Details Information Assurance Spending.” Information Week. April 9, 2010. http://www.informationweek.com/news/government/security/224202447 (accessed October 25, 2011).
House Oversight and Government Reform Committee. “Eighth Report Card on Computer Security at Federal Departments and Agencies.” COACT. May 2008. http://www.coact.com/FISMA/FISMA_FY2007_ReportCard.pdf (accessed October 13, 2011).
Jackson, Patrick. “Meet USCybercom: Why the US is fielding a cyber army.” BBC News. March 15, 2010. http://news.bbc.co.uk/2/hi/8511711.stm (accessed October 27, 2011).
Jackson, William. “Consensus is growing for the reform of flawed FISMA.” Washington Technology. March 30, 2010. http://washingtontechnology.com/Articles/2010/03/25/FISMA-hearing-032510.aspx?Page=1 (accessed October 5, 2011).
—. “DOD creates Cyber Command as U.S. Strategic Command subunit.” Federal Computer Week. June 24, 2009. http://fcw.com/Articles/2009/06/24/DOD-launches-cyber-command.aspx (accessed October 18, 2011).
Kettmann, Steve. “Soviets Burned By CIA Hackers?” Wired.com. March 26, 2004. http://www.wired.com/culture/lifestyle/news/2004/03/62806?currentPage=all (accessed September 29, 2011).
Langevin, James. “H.R. 1136: Executive Cyberspace Coordination Act of 2011.” GovTrack.us. March 25, 2011. http://www.govtrack.us/congress/bill.xpd?bill=h112-1136 (accessed October 28, 2011).
Lehdonvirta, Vili, and Mirko Ernkvist. “Knowledge Map of the Virtual Economy: Converting the Virtual Economy into Developmental Potential.” InfoDev. April 2011. http://www.infodev.org/en/Document.1056.pdf (accessed October 5, 2011).
Markoff, John. “Before the Gunfire, Cyberattacks.” New York Times. August 12, 2008. http://www.nytimes.com/2008/08/13/technology/13cyber.html?em=&adxnnl=1&adxnnlx=1319895063-DPI2zDbqyp4W530A3gVx5g (accessed September 25, 2011).
—. “Old Trick Threatens the Newest Weapons.” The New York Times. October 26, 2009. http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1&ref=science&pagewanted=all (accessed September 28, 2011).
McCullagh, Declan. “U.S. Military cyberwar: What’s off-limits?” CNET News. July 29, 2010. http://news.cnet.com/8301-31921_3-20012121-281.html (accessed September 28, 2011).
McGlaun, Shane. “Hacker shows how to hack insulin pumps at Black Hat conference.” Slash Gear. August 5, 2011. http://www.slashgear.com/hacker-shows-how-to-hack-insulin-pumps-at-black-hat-conference-05169762/ (accessed September 19, 2011).
Meserve, Jeanne. “Sources: Staged cyber attack reveals vulnerability in power grid.” CNN.com. September 26, 2007. http://articles.cnn.com/2007-09-26/us/power.at.risk_1_generator-cyber-attack-electric-infrastructure?_s=PM:US (accessed September 30, 2011).
Mueller III, Robert S. “Using Partnerships to Combat Cyber Threats.” Federal Bureau of Investigation. August 5, 2010. http://www.fbi.gov/news/speeches/using-partnerships-to-combat-cyber-threats (accessed October 17, 2011).
NIST Computer Security Division. “FISMA Detailed Overview.” Computer Security Resource Center. August 17, 2010. http://csrc.nist.gov/groups/SMA/fisma/overview.html (accessed October 8, 2011).
Secretary of Defense. “Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations.” Federal Computer Week. June 23, 2009. http://www.fcw.com/~/media/GIG/GCN/Documents/cyber%20command%20gates%20memo.ashx (accessed September 24, 2011).
Terdiman, Daniel. “No end in sight to hacking of ‘WoW’ accounts.” CNET News. April 10, 2007. http://news.cnet.com/No-end-in-sight-to-hacking-of-WoW-accounts/2100-1043_3-6174704.html (accessed October 5, 2011).
The Associated Press. “US lacks people, authorities to face cyber attack.” The Washington Post. March 16, 2011. http://www.washingtonpost.com/wp-dyn/content/article/2011/03/16/AR2011031603552.html (accessed October 23, 2011).
The Economist. “Cyberwar: War in the fifth domain.” The Economist. July 1, 2010. http://www.economist.com/node/16478792 (accessed September 29, 2011).
Thornburgh, Nathan. “The Invasion of the Chinese Cyberspies.” TIME Magazine. August 29, 2005. http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html (accessed October 5, 2011).
Traynor, Ian. “Russia accused of unleashing cyberwar to disable Estonia.” The Guardian. May 16, 2007. http://www.guardian.co.uk/world/2007/may/17/topstories3.russia (accessed October 4, 2011).
Tueffel, Hugo III. “Privacy Impact Assessment for EINSTEIN II.” DHS.gov. May 19, 2008. http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf (accessed October 17, 2011).
United States Code. “Federal Information Security Management Act of 2002.” NIST. 2002. http://csrc.nist.gov/drivers/documents/FISMA-final.pdf (accessed October 15, 2011).
United States of America. “The National Strategy to Secure Cyberspace.” February 2003. http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf (accessed October 4, 2011).
US-CERT. “About Us.” US-CERT.gov. n.d. http://www.uscert.gov/aboutus.html (accessed October 19, 2011).
USSTRATCOM. “U.S. Cyber Command Fact Sheet.” United States Strategic Command. October 2011. http://www.stratcom.mil/factsheets/Cyber_Command/ (accessed October 27, 2011).
Vamosi, Robert. “Man-in-the-Middle Attacks on Voting Machines: Vote Early, Often, and Why Not Vote Remotely?” Security Week. October 14, 2011. http://www.securityweek.com/man-middle-attacks-voting-machines-vote-early-often-and-why-not-vote-remotely (accessed October 20, 2011).
Watson, Diane. “H.R. 4900: Federal Information Security Amendments Act of 2010.” GovTrack.us. May 20, 2010. http://www.govtrack.us/congress/bill.xpd?bill=h111-4900 (accessed September 29, 2011).