2001 Walter Gary Sharp, Sr. Key Legal Implications of Computer Network Defense Protecting America’s Information Infrastructure Las Vegas, Nevada July.

2001 Walter Gary Sharp, Sr.

Key Legal Implications of Computer Network Defense

Protecting America’s Information InfrastructureLas Vegas, Nevada July 2001

1

Key Legal Implications ofKey Legal Implications of

Computer Network DefenseComputer Network DefenseProtecting America’s Information InfrastructureProtecting America’s Information Infrastructure

Walter Gary Sharp, Sr., EsquirePrincipal Information Security Engineer

(703) 624-5292 or [email protected]

The MITRE CorporationThe opinions and conclusions expressed herein are those of the author and do not necessarily

reflect the views of any governmental agency or private enterprise.

Las Vegas, Nevada July 2001




2

Today’s PresentationToday’s Presentation

Purpose &CND Defined

The Legal Framework for Response:Three Perspectives

Conclusion

Key LegalIssues

Summary: An Analytical Decision Support Model

Selected Legal Authorities

U.S. Domestic, International, & Foreign LawCase Studies, Policy

Considerations & Recommendations




3

Purpose of this PresentationPurpose of this Presentation

To explore how America can better balance its citizens’ privacy and civil liberties with an effective ability to:

protect America’s information infrastructure; detect potential attacks by joy-hackers, economic competitors, criminals, terrorists, and hostile states; and, respond effectively in a way that is compatible with American democratic principles and international law.




4

CaveatCaveat

This presentation is intended to provide a situational awareness for those involved or interested in the legal issues relevant to the defense of computer networks. It is NOT intended to substitute for the advice of your organizational legal counsel. Legal advice should only be sought from an attorney authorized to provide legal advice to your organization.




5

Computer Network Defense (CND) DefinedComputer Network Defense (CND) Defined

Defensive measures to protect and defend information, computers, and networks from disruption, denial,

degradation, or destruction.

Joint Publication 1-02: DoD Dictionary of Military and Associated Terms

23 March 1994, as amended 14 June 2000




6

Peace Crisis Conflict

U.S. Citizen

State

Non-state,Non-U.S. Citizen

Default Environment

Increasing LegalAuthority toRespond

Nine distinctive regimes;each may implicate U.S.domestic, international, andforeign law

Actor-dependent

Attribution key issue

An effective initial response methodology must be actor-independent

The Legal Framework forThe Legal Framework for

Responding to Computer IntrusionsResponding to Computer IntrusionsPer

spec

tive O

NE




7

The Legal Framework for The Legal Framework for

Responding to Computer IntrusionsResponding to Computer Intrusions State actors -- national security community response

U.S. domestic law International peacetime regime Law of Conflict Management Law of War

Non-state actors -- law enforcement response U.S. domestic law Foreign law Mutual Legal Assistance Treaties International peacetime regime Question: What is an appropriate and lawful response when a territorial state is unable or unwilling to assist another state’s law enforcement efforts to arrest non-state actors within its territory?

Persp

ectiv

e TW

O




8

U.S. Domestic Law

The Legal Framework forThe Legal Framework for

Responding to Computer IntrusionsResponding to Computer Intrusions

Foreign Law

International Law• Peacetime Regime• Law of Conflict Management• Law of War

Telecommunications Law

Law of the Sea

Air Law

HN Law

Telecommunications Lawand Foreign Law

Law ofTarget State

Persp

ectiv

e THREE




9

Key Legal Issues -- U.S. Domestic LawKey Legal Issues -- U.S. Domestic Law

Attribution Property Privacy Civil liberties Criminal and civil liabilities Posse Comitatus Separate legal authorities for military, law enforcement, and foreign intelligence activities Presumption that intruder is “U.S. Citizen” until proven otherwise




10

Key Legal Issues -- International LawKey Legal Issues -- International Law

Current international status: peacetime or armed conflict Use of force: necessary and proportional, and discriminate Hostile act / hostile intent U.N. Security Council Chapter VII authorization Application of Article 103 of Charter of United Nations Self defense Regulation of activities by peacetime regime Criminal and civil liabilities




11

Key Legal Issues -- Foreign LawKey Legal Issues -- Foreign Law

Sovereignty and governmental acts Criminal and civil liabilities Modifications to application of foreign law by operation of U.N. Charter or international agreement U.S. Presidential authority to conduct covert operations




12

Selected Legal AuthoritiesSelected Legal Authorities

U.S. Domestic LawU.S. Domestic Law Fourth Amendment

Restricts the ability of the government to search where a reasonable expectation of privacy exists

Electronic Communications Privacy Act, 18 USC §2510 Creates statutory privacy rights and defines:

Providers of Electronic Communication Service (ECS) -- any service which provides to its users the ability to send or receive wire or electronic communications Providers of Remote Computing Service (RCS) -- public service which provides computer storage or processing by means of an ECS “Electronic storage” -- any temporary, intermediate storage incidental to an electronic transmission




13

Selected Legal AuthoritiesSelected Legal AuthoritiesU.S. Domestic Law U.S. Domestic Law (continued)(continued)

Electronic Communications Privacy Act, 18 USC §2510 (continued)(continued)

Prohibits unlawful access to communications of an ECS in electronic storage Prohibits unlawful disclosure by a public ECS of a communication in electronic storage Prohibits unlawful disclosure by a RCS of a communication it carries or maintains Regulates how the government can obtain information from ECS and RCS providers

Compelled disclosure (subpoena, court order, warrant) Voluntary disclosure Consent




14


Pen Registers and Trap and Trace Statute, 18 U.S.C. §§ 3121-27 Regulates the collection of addressing information of wire and electronic communications (simply to and from, not even the subject line) Prohibits installation or use of a pen register or a trap and trace device by anyone without prior court order Prohibition does not apply to provider of electronic or wire communication service who uses such device:

during the operation, maintenance, and testing of its service; to protect its and its users’ property rights; to prevent fraudulent, unlawful, or abusive use of its services; with the consent of its users




15


“Title III” Wiretap Statute, 18 U.S.C. §§ 2510-22 Regulates the collection of the content of wire and electronic communications in transmission Prohibits any intentional interception, knowing use, or the knowing disclosure of any wire, oral, or electronic communication during its transmission, and the intentional use of any device to intercept any oral communication, by any third party in the United States Prohibition does not apply, for example, to any ECS provider who may intercept, disclose, or use a communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of that service




16


The Foreign Intelligence Surveillance Act of 1978, 50 USC §1801 Grants authority and approval process for investigations, electronic surveillance, and search & seizure that target foreign intelligence activities

The Computer Fraud and Abuse Act of 1984, 18 USC §1030 (1984) The first federal computer crime statute Prohibits unauthorized access to computers engaged in interstate communication

The Economic Espionage Act of 1996, 18 USC §1831 Prohibits theft of trade secrets for foreign government (Economic Espionage) or for the economic benefit of any person (Theft of Trade Secrets)




17


The Identity Theft and Assumption Deterrence Act of 1998, 18 USC §1028 Prohibits unauthorized transfer or use of another’s means of government identification for the furtherance of any unlawful activity that constitutes a violation of Federal law or a felony under state or local law

Fraud by Wire, Radio, or Television, 18 USC §1343 Prohibits interstate fraud via the Internet

Communication Lines, Stations, or Systems, 18 USC §1362 Prohibits injury or destruction to any means of communication operated or controlled by U.S. Government or used for military or civil defense




18


U.S. Constitution -- authority of the Commander in Chief

U.S. Code, Title 10 -- authority of military

U.S. Standing Rules of Engagement -- authority of combatant

commanders (CJCSI 3121.01A, Enclosure F, 15 January 2000)




19


International LawInternational Law The Peacetime Regime -- governs, but does not prohibit per se, state activities in CyberSpace (applies during armed conflict if not inconsistent with inherent nature of hostilities)

Jus ad Bellum -- the law of conflict management (U.N. Charter, Articles 2(4), 39, and 51) regulates the use of force by states vis-à-vis states (all use of force must be necessary, proportionate, and discriminate)

Jus in Bello -- the law of war governs the means and methods of warfare and the protection of civilians during armed conflict (effects based analysis)




20

Line of belligerency

Use of Force Spectrum

Combatant operations declared war de facto hostilities (scope, duration, & intensity) partial or total occupation

Peacetime military operations law enforcement normal peace-keeping humanitarian & disaster relief counter-terrorist & hostage rescue noncombatant rescue

Self-defense

Limited use of forceAll necessary means

in response tooutright aggression

jus in bello applies

The Application of International LawThe Application of International Law© 1996 Walter Gary Sharp, Sr.

State Activities in CyberSpace

jus ad bellum applies

peacetime regime applies

Common Article 2 threshold

Articles 2(4) & 51 threshold




21

The International Peacetime RegimeThe International Peacetime RegimeExamples of ApplicationExamples of Application

Espionage is lawful Status of Forces Agreements and host nation laws UN Convention on the Law of the Sea: innocent passage and unauthorized broadcasting International Telecommunications Conventions: prohibitions on harmful interference, national right to intercept and suspend Outer Space Treaty: the moon and other celestial bodies must be used for “peaceful purposes” INTELSAT: must be used for “other than military purposes” INMARSAT: must be used “exclusively for peaceful purposes”




22

ACTIVITY

THRESHOLD

Customary International Law

Policy Precedent

Hostileact

Hostileintent

Armedattack

(use of force)

Threatto thepeace

Threatof

force

Boycotts; Diplomatic measures; Severance of diplomatic relations; Economic competition or sanctions; Interruption of communications; Espionage.

Extreme intrastate violence or human rights violations; Failure of state to surrender terrorists; Illegal racist regime; Large refugee movements; Diversion of a river; Serious violations of int’l law that may provoke armed response.

Isolated verbal threat; Initial troop movements; Shaping of alliances.

Use of fire control radar; Interference with early warning or C2 systems. Massing of troops on border.

Use of force against: Territory; Warship; Military forces; Citizens abroad.

Destruction of early warning or C2 systems.

Art. 2(4)

Jus ad Bellum:Jus ad Bellum: Examples of Application Examples of Application (Part One)© 2001 Walter Gary Sharp, Sr.

Art. 51Art. 39

Spectrum of Interstate Relations




23

THRESHOLD

RESPONSE

Customary International Law

Policy Precedent

Hostileact

Hostileintent

Armedattack

(use of force)

Threatto thepeace

Threatof

force

Self defenseAnticipatoryself defense

Any measures or use of force authorizedby the UNSC under Chapter VII

UNSC may require states to comply with Art. 41 measures

Art. 51

Diplomatic measures; severance of diplomatic relations; complete or partial interruption of economic relations or interstate communications; arbitration, judicial proceedings, etc.

Art. 39 Art. 2(4)

Jus ad Bellum:Jus ad Bellum: Examples of ApplicationExamples of Application (Part Two)© 2001 Walter Gary Sharp, Sr.

Spectrum of Interstate Relations




24

Jus in Bello: Examples of ApplicationJus in Bello: Examples of ApplicationRegulations annexed to the 1907 Hague Convention No. IV

-- an effects based analysis --

Prohibit the use of means calculated to cause unnecessary suffering Prohibit attack by whatever means of undefended towns or buildings Prohibit unnecessary damage to buildings dedicated to religion, art, science, or charitable purposes as well as historic monuments, hospitals, and places where the sick and wounded are collected Permit ruses of war and employment of measures necessary to obtain information about the enemy Permit seizure of state property that can be used for military ops




25


Foreign LawForeign Law

Criminal and civil law applies unless modified by operation of U.N. Charter or international agreement




26

© 1997 Walter Gary Sharp, Sr.

Does international law prohibit the activity?

Is prohibition suspended by: a state of war, or operation of Article 103;or is the activity authorized by: right of self-defense, or Chapter VII?

Activity is unlawful under U.S. law and

cannot be authorized

Activity is unlawfulbut may be authorized

by the President

Does U.S. law authorize the

activity?

Activity is lawful under U.S., HN,

and international law, and may be

authorized bythe NCA

NO

YES YES NO

Does HN law authorize the

activity?

NO

YES YES

NO

SummarySummaryAn Analytical Decision Support Model for the Legality ofAn Analytical Decision Support Model for the Legality of

State Activities in CyberSpaceState Activities in CyberSpace




27

Case StudiesCase Studies “Track-back”

Internal to system or network External to system or network

Compelled disclosure (subpoena, court order, warrant) Voluntary disclosure Consent

“Shoot-back” Attribution Targeting -- necessity, proportionality, discrimination Electronic -- automated and manual Kinetic




28

Case StudiesCase Studies (continued) (continued)

DirecTV Satellite Entertainment Number one digital satellite entertainment service in the U.S.

Controls access to proprietary network via “smart” cards Pirating of services is a significant problem

Late 2000 - transmitted a logic bomb a few bytes at a time to a specific series of smart cards that injects upon command an endless loop into a write once section of the smart card January 2001 - transmitted a message via proprietary DirecTV satellites that activated logic bomb

Did not effect non-proprietary equipment or computers that emulated the smart cards for purposes of pirating services




29


Rights of law enforcement to cross national borders In the United States, the FBI:

set up a front company called Invita invited two suspected Russian hackers, Vasily Gorshkov and Alexey Ivanov, for a job interview and asked them to demonstrate what they could do used a“sniffer” program to obtain their passwords and account numbers downloaded 250 gigabytes of evidence from computers in Russia obtained a search warrant before viewing the downloaded evidence

Defendant Gorshkov sought to suppress the downloaded evidence in Federal district court as a violation of his Fourth Amendment rights




30


Rights of law enforcement to cross national borders (continued)

U.S. District Court judge held on 23 May 2001 that Gorshkov and Ivanov had no expectation of privacy because

they knew the system administrator could and likely would monitor their activities the undercover agents told them they wanted to watch

the Fourth Amendment did not apply to the computers because they were the property of a non-resident alien and located outside the United States

a search warrant was not required before the data was downloaded because the defendant’s co-conspirators could destroy or remove the evidence the Fourth Amendment did not apply to the data downloaded until it was transmitted to the United States Russian law does not apply to the agent’s actions

Question: What investigative rights does this case give U.S. and foreign law enforcement?




31

Legal and Policy Considerations ofLegal and Policy Considerations of

State Activities in CyberSpaceState Activities in CyberSpace

Peacetime or armed conflict Perception of unauthorized use of force Perception of hostile intent or hostile act Authorized or directed by U.N. Chapter VII authority Direct, indirect, and ripple economic impact on target state, third-country states, actor state, and their nationals Tort liability of actor state and criminal liability of government agents under U.S. domestic, international, and foreign law Utilization of telecommunication and satellite systems owned by multinational corporations or non-governmental organizations




32

RecommendationsRecommendations

How do we shape an effective initial response to a computer network attack that is actor-independent?

Reverse the presumption -- presume an intruder is a non-U.S. citizen until such time the investigation determines otherwise Establish by law a new agency responsible for investigating attacks against computer networks critical to our national defense and economic well being

What is an appropriate and lawful response when a territorial state is unable or unwilling to assist another state’s law enforcement efforts to arrest non-state actors within its territory?

Unable -- states have a duty to cooperate; remains a law enforcement issue Unwilling -- states harboring criminals or terrorists may be deemed an actor; becomes a national security issue




33

Recommendations Recommendations (continued)(continued)

How does America protect its information infrastructure? Through the right balance of technology, policy, and law

How can the private sector protect America’s information infrastructure? Information system owners must implement best business practices for information security (tort and corporate law will encourage this) Internet Service Providers must coordinate their defenses between themselves and with major users (regulation not needed, best business practices and tort liability will force this coordination) Incident response capabilities must develop a comprehensive information sharing mechanism within private industry and between private industry and state, local, and federal governments




34

Recommendations Recommendations (continued)(continued)

How can the government protect America’s information infrastructure? Must designate a government agency, perhaps DOD, to be responsible for the coordinated defense of our Nation’s information infrastructure Must enact cross-cutting investigative authority within United States (regulation and law can help here) Must construct cross-cutting mutual legal assistance treaties within international community (must have near universal system of treaties to be effective) Must encourage legal and insurance sectors to develop best business practices for information security (regulation and law can help here)




35

(703) 624-5292 or [email protected]

ConclusionConclusion

The most fundamental and important distinction between our great Nation and other countries is our system of laws. Those who have sworn to defend our Constitution must never bend or break the law in the name of national security. We must remain within the law as we protect our system of laws.

Walter Gary Sharp, Sr.

?

2001 Walter Gary Sharp, Sr. Key Legal Implications of Computer Network Defense Protecting America’s Information Infrastructure Las Vegas, Nevada July.

Documents

legal advice

legal framework

legal authorities

legal authority

computer network defense

defense of computer

legal issues relevant

organizational legal