Key Legal Implications of Computer Network Defense: Protecting America’s Information Infrastructure. Walter Gary Sharp, Sr. Las Vegas, Nevada, July 2001.

Key Legal Implications of Computer Network Defense
Protecting America’s Information Infrastructure
Walter Gary Sharp, Sr., Esquire
Principal Information Security Engineer
(703) 624-5292 or WGSharp@MITRE.org
The MITRE Corporation
The opinions and conclusions expressed herein are those of the author and do not necessarily reflect the views of any governmental agency or private enterprise.
Las Vegas, Nevada, July 2001

Today’s Presentation
• Purpose & CND Defined
• The Legal Framework for Response: Three Perspectives
• Key Legal Issues
• Selected Legal Authorities: U.S. Domestic, International, & Foreign Law
• Summary: An Analytical Decision Support Model
• Case Studies, Policy Considerations & Recommendations
• Conclusion

Purpose of this Presentation
To explore how America can better balance its citizens’ privacy and civil liberties with an effective ability to:
• protect America’s information infrastructure;
• detect potential attacks by joy-hackers, economic competitors, criminals, terrorists, and hostile states; and,
• respond effectively in a way that is compatible with American democratic principles and international law.

Caveat
This presentation is intended to provide a situational awareness for those involved or interested in the legal issues relevant to the defense of computer networks. It is NOT intended to substitute for the advice of your organizational legal counsel. Legal advice should only be sought from an attorney authorized to provide legal advice to your organization.

Computer Network Defense (CND) Defined
Defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction.
Joint Publication 1-02: DoD Dictionary of Military and Associated Terms, 23 March 1994, as amended 14 June 2000

The Legal Framework for Responding to Computer Intrusions
Perspective ONE
[Figure: matrix of Peace, Crisis, Conflict against U.S. Citizen; State; Non-state, Non-U.S. Citizen, with the labels "Default Environment" and "Increasing Legal Authority to Respond"]
• Nine distinctive regimes; each may implicate U.S. domestic, international, and foreign law
• Actor-dependent
• Attribution key issue
• An effective initial response methodology must be actor-independent

The Legal Framework for Responding to Computer Intrusions
Perspective TWO
• State actors -- national security community response
  - U.S. domestic law
  - International peacetime regime
  - Law of Conflict Management
  - Law of War
• Non-state actors -- law enforcement response
  - U.S. domestic law
  - Foreign law
  - Mutual Legal Assistance Treaties
  - International peacetime regime
• Question: What is an appropriate and lawful response when a territorial state is unable or unwilling to assist another state’s law enforcement efforts to arrest non-state actors within its territory?

The Legal Framework for Responding to Computer Intrusions
Perspective THREE
[Figure: diagram with the following labels]
• U.S. Domestic Law
• Foreign Law
• International Law
  - Peacetime Regime
  - Law of Conflict Management
  - Law of War
• Telecommunications Law
• Law of the Sea
• Air Law
• HN Law
• Telecommunications Law and Foreign Law
• Law of Target State

Key Legal Issues -- U.S. Domestic Law
• Attribution
• Property
• Privacy
• Civil liberties
• Criminal and civil liabilities
• Posse Comitatus
• Separate legal authorities for military, law enforcement, and foreign intelligence activities
• Presumption that intruder is “U.S. Citizen” until proven otherwise

Key Legal Issues -- International Law
• Current international status: peacetime or armed conflict
• Use of force: necessary and proportional, and discriminate
• Hostile act / hostile intent
• U.N. Security Council Chapter VII authorization
• Application of Article 103 of Charter of United Nations
• Self defense
• Regulation of activities by peacetime regime
• Criminal and civil liabilities

Key Legal Issues -- Foreign Law
• Sovereignty and governmental acts
• Criminal and civil liabilities
• Modifications to application of foreign law by operation of U.N. Charter or international agreement
• U.S. Presidential authority to conduct covert operations

Selected Legal Authorities
U.S. Domestic Law
• Fourth Amendment
  - Restricts the ability of the government to search where a reasonable expectation of privacy exists
• Electronic Communications Privacy Act, 18 USC §2510
  - Creates statutory privacy rights and defines:
    - Providers of Electronic Communication Service (ECS) -- any service which provides to its users the ability to send or receive wire or electronic communications
    - Providers of Remote Computing Service (RCS) -- public service which provides computer storage or processing by means of an ECS
    - “Electronic storage” -- any temporary, intermediate storage incidental to an electronic transmission

Selected Legal Authorities
U.S. Domestic Law (continued)
• Electronic Communications Privacy Act, 18 USC §2510 (continued)
  - Prohibits unlawful access to communications of an ECS in electronic storage
  - Prohibits unlawful disclosure by a public ECS of a communication in electronic storage
  - Prohibits unlawful disclosure by a RCS of a communication it carries or maintains
  - Regulates how the government can obtain information from ECS and RCS providers
    - Compelled disclosure (subpoena, court order, warrant)
    - Voluntary disclosure
    - Consent

Selected Legal Authorities
U.S. Domestic Law (continued)
• Pen Registers and Trap and Trace Statute, 18 U.S.C. §§ 3121-27
  - Regulates the collection of addressing information of wire and electronic communications (simply to and from, not even the subject line)
  - Prohibits installation or use of a pen register or a trap and trace device by anyone without prior court order
  - Prohibition does not apply to provider of electronic or wire communication service who uses such device:
    - during the operation, maintenance, and testing of its service;
    - to protect its and its users’ property rights;
    - to prevent fraudulent, unlawful, or abusive use of its services;
    - with the consent of its users

Selected Legal Authorities
U.S. Domestic Law (continued)
• “Title III” Wiretap Statute, 18 U.S.C. §§ 2510-22
  - Regulates the collection of the content of wire and electronic communications in transmission
  - Prohibits any intentional interception, knowing use, or the knowing disclosure of any wire, oral, or electronic communication during its transmission, and the intentional use of any device to intercept any oral communication, by any third party in the United States
  - Prohibition does not apply, for example, to any ECS provider who may intercept, disclose, or use a communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of that service

Selected Legal Authorities
U.S. Domestic Law (continued)
• The Foreign Intelligence Surveillance Act of 1978, 50 USC §1801
  - Grants authority and approval process for investigations, electronic surveillance, and search & seizure that target foreign intelligence activities
• The Computer Fraud and Abuse Act of 1984, 18 USC §1030 (1984)
  - The first federal computer crime statute
  - Prohibits unauthorized access to computers engaged in interstate communication
• The Economic Espionage Act of 1996, 18 USC §1831
  - Prohibits theft of trade secrets for foreign government (Economic Espionage) or for the economic benefit of any person (Theft of Trade Secrets)

Selected Legal Authorities
U.S. Domestic Law (continued)
• The Identity Theft and Assumption Deterrence Act of 1998, 18 USC §1028
  - Prohibits unauthorized transfer or use of another’s means of government identification for the furtherance of any unlawful activity that constitutes a violation of Federal law or a felony under state or local law
• Fraud by Wire, Radio, or Television, 18 USC §1343
  - Prohibits interstate fraud via the Internet
• Communication Lines, Stations, or Systems, 18 USC §1362
  - Prohibits injury or destruction to any means of communication operated or controlled by U.S. Government or used for military or civil defense

Selected Legal Authorities
U.S. Domestic Law (continued)
• U.S. Constitution -- authority of the Commander in Chief
• U.S. Code, Title 10 -- authority of military
• U.S. Standing Rules of Engagement -- authority of combatant commanders (CJCSI 3121.01A, Enclosure F, 15 January 2000)

Selected Legal Authorities
International Law
• The Peacetime Regime -- governs, but does not prohibit per se, state activities in CyberSpace (applies during armed conflict if not inconsistent with inherent nature of hostilities)
• Jus ad Bellum -- the law of conflict management (U.N. Charter, Articles 2(4), 39, and 51) regulates the use of force by states vis-à-vis states (all use of force must be necessary, proportionate, and discriminate)
• Jus in Bello -- the law of war governs the means and methods of warfare and the protection of civilians during armed conflict (effects based analysis)

The Application of International Law
State Activities in CyberSpace
© 1996 Walter Gary Sharp, Sr.
[Figure: Use of Force Spectrum, with a Line of belligerency]
• Peacetime military operations: law enforcement; normal peace-keeping; humanitarian & disaster relief; counter-terrorist & hostage rescue; noncombatant rescue
• Self-defense
• Limited use of force; All necessary means in response to outright aggression
• Combatant operations: declared war; de facto hostilities (scope, duration, & intensity); partial or total occupation
• Regimes marked: peacetime regime applies; jus ad bellum applies; jus in bello applies
• Thresholds marked: Articles 2(4) & 51 threshold; Common Article 2 threshold

The International Peacetime Regime
Examples of Application
• Espionage is lawful
• Status of Forces Agreements and host nation laws
• UN Convention on the Law of the Sea: innocent passage and unauthorized broadcasting
• International Telecommunications Conventions: prohibitions on harmful interference, national right to intercept and suspend
• Outer Space Treaty: the moon and other celestial bodies must be used for “peaceful purposes”
• INTELSAT: must be used for “other than military purposes”
• INMARSAT: must be used “exclusively for peaceful purposes”

Jus ad Bellum: Examples of Application (Part One)
© 2001 Walter Gary Sharp, Sr.
[Figure: Spectrum of Interstate Relations, ACTIVITY against THRESHOLD]
Thresholds shown: Hostile act; Hostile intent; Armed attack (use of force); Threat to the peace; Threat of force
Article markers: Art. 2(4); Art. 51; Art. 39
Other labels: Customary International Law; Policy Precedent
Activities shown:
• Boycotts; Diplomatic measures; Severance of diplomatic relations; Economic competition or sanctions; Interruption of communications; Espionage.
• Extreme intrastate violence or human rights violations; Failure of state to surrender terrorists; Illegal racist regime; Large refugee movements; Diversion of a river; Serious violations of int’l law that may provoke armed response.
• Isolated verbal threat; Initial troop movements; Shaping of alliances.
• Use of fire control radar; Interference with early warning or C2 systems. Massing of troops on border.
• Use of force against: Territory; Warship; Military forces; Citizens abroad.
• Destruction of early warning or C2 systems.

Jus ad Bellum: Examples of Application (Part Two)
© 2001 Walter Gary Sharp, Sr.
[Figure: Spectrum of Interstate Relations, THRESHOLD against RESPONSE]
Thresholds shown: Hostile act; Hostile intent; Armed attack (use of force); Threat to the peace; Threat of force
Article markers: Art. 51; Art. 39; Art. 2(4)
Other labels: Customary International Law; Policy Precedent
Responses shown:
• Self defense
• Anticipatory self defense
• Any measures or use of force authorized by the UNSC under Chapter VII
• UNSC may require states to comply with Art. 41 measures
• Diplomatic measures; severance of diplomatic relations; complete or partial interruption of economic relations or interstate communications; arbitration, judicial proceedings, etc.

Jus in Bello: Examples of Application
Regulations annexed to the 1907 Hague Convention No. IV
-- an effects based analysis --
• Prohibit the use of means calculated to cause unnecessary suffering
• Prohibit attack by whatever means of undefended towns or buildings
• Prohibit unnecessary damage to buildings dedicated to religion, art, science, or charitable purposes as well as historic monuments, hospitals, and places where the sick and wounded are collected
• Permit ruses of war and employment of measures necessary to obtain information about the enemy
• Permit seizure of state property that can be used for military ops

Selected Legal Authorities
Foreign Law
• Criminal and civil law applies unless modified by operation of U.N. Charter or international agreement

Summary
An Analytical Decision Support Model for the Legality of State Activities in CyberSpace
© 1997 Walter Gary Sharp, Sr.
[Figure: decision flowchart with YES/NO branches]
Decision questions:
• Does international law prohibit the activity?
• Is prohibition suspended by: a state of war, or operation of Article 103; or is the activity authorized by: right of self-defense, or Chapter VII?
• Does U.S. law authorize the activity?
• Does HN law authorize the activity?
Outcomes:
• Activity is unlawful under U.S. law and cannot be authorized
• Activity is unlawful but may be authorized by the President
• Activity is lawful under U.S., HN, and international law, and may be authorized by the NCA

Case Studies
• “Track-back”
  - Internal to system or network
  - External to system or network
    - Compelled disclosure (subpoena, court order, warrant)
    - Voluntary disclosure
    - Consent
• “Shoot-back”
  - Attribution
  - Targeting -- necessity, proportionality, discrimination
  - Electronic -- automated and manual
  - Kinetic

Case Studies (continued)
DirecTV Satellite Entertainment
• Number one digital satellite entertainment service in the U.S.
• Controls access to proprietary network via “smart” cards
• Pirating of services is a significant problem
• Late 2000 - transmitted a logic bomb a few bytes at a time to a specific series of smart cards that injects upon command an endless loop into a write once section of the smart card
• January 2001 - transmitted a message via proprietary DirecTV satellites that activated logic bomb
• Did not affect non-proprietary equipment or computers that emulated the smart cards for purposes of pirating services

Case Studies (continued)
Rights of law enforcement to cross national borders
• In the United States, the FBI:
  - set up a front company called Invita
  - invited two suspected Russian hackers, Vasily Gorshkov and Alexey Ivanov, for a job interview and asked them to demonstrate what they could do
  - used a “sniffer” program to obtain their passwords and account numbers
  - downloaded 250 gigabytes of evidence from computers in Russia
  - obtained a search warrant before viewing the downloaded evidence
• Defendant Gorshkov sought to suppress the downloaded evidence in Federal district court as a violation of his Fourth Amendment rights

Case Studies (continued)
Rights of law enforcement to cross national borders (continued)
• U.S. District Court judge held on 23 May 2001 that Gorshkov and Ivanov had no expectation of privacy because
  - they knew the system administrator could and likely would monitor their activities
  - the undercover agents told them they wanted to watch
• the Fourth Amendment did not apply to the computers because they were the property of a non-resident alien and located outside the United States
• a search warrant was not required before the data was downloaded because the defendant’s co-conspirators could destroy or remove the evidence
• the Fourth Amendment did not apply to the data downloaded until it was transmitted to the United States
• Russian law does not apply to the agent’s actions
Question: What investigative rights does this case give U.S. and foreign law enforcement?

Legal and Policy Considerations of State Activities in CyberSpace
• Peacetime or armed conflict
• Perception of unauthorized use of force
• Perception of hostile intent or hostile act
• Authorized or directed by U.N. Chapter VII authority
• Direct, indirect, and ripple economic impact on target state, third-country states, actor state, and their nationals
• Tort liability of actor state and criminal liability of government agents under U.S. domestic, international, and foreign law
• Utilization of telecommunication and satellite systems owned by multinational corporations or non-governmental organizations

Recommendations
• How do we shape an effective initial response to a computer network attack that is actor-independent?
  - Reverse the presumption -- presume an intruder is a non-U.S. citizen until such time the investigation determines otherwise
  - Establish by law a new agency responsible for investigating attacks against computer networks critical to our national defense and economic well being
• What is an appropriate and lawful response when a territorial state is unable or unwilling to assist another state’s law enforcement efforts to arrest non-state actors within its territory?
  - Unable -- states have a duty to cooperate; remains a law enforcement issue
  - Unwilling -- states harboring criminals or terrorists may be deemed an actor; becomes a national security issue

Recommendations (continued)
• How does America protect its information infrastructure?
  - Through the right balance of technology, policy, and law
• How can the private sector protect America’s information infrastructure?
  - Information system owners must implement best business practices for information security (tort and corporate law will encourage this)
  - Internet Service Providers must coordinate their defenses between themselves and with major users (regulation not needed, best business practices and tort liability will force this coordination)
  - Incident response capabilities must develop a comprehensive information sharing mechanism within private industry and between private industry and state, local, and federal governments

Recommendations (continued)
• How can the government protect America’s information infrastructure?
  - Must designate a government agency, perhaps DOD, to be responsible for the coordinated defense of our Nation’s information infrastructure
  - Must enact cross-cutting investigative authority within United States (regulation and law can help here)
  - Must construct cross-cutting mutual legal assistance treaties within international community (must have near universal system of treaties to be effective)
  - Must encourage legal and insurance sectors to develop best business practices for information security (regulation and law can help here)
(703) 624-5292 or WGSharp@MITRE.org
Conclusion
The most fundamental and important distinction between our great Nation and other countries is our system of laws. Those who have sworn to defend our Constitution must never bend or break the law in the name of national security. We must remain within the law as we protect our system of laws.
Walter Gary Sharp, Sr.