Cybersecurity Topic Lecture Jeffrey Miller Marist School 2015 Georgia Debate Institutes In your free time, watch this.watch this.

Cybersecurity Topic Lecture

Jeffrey MillerMarist School

2015 Georgia Debate Institutes

In your free time, watch this.

“Make no mistake, the United States has never been more unprepared for a conflict than it has been against the

cyber war.” Van Hipp, June 5, 2015

The coming cyber war

• “On the other hand, more than 140 nations are reported to have or be developing cyber weapons, and more than thirty countries are creating cyber units in their militaries.” - Emilio Iasiello, 2013

Or is it here?

• “We should be more worried about intrusions from lawless Russian or Chinese hackers than from the NSA’s cyber-warriors who operate under tight safeguards within the rule of law.” – Max Boot, 6-15-15

#thanksobama

• "We have known for a long time that there are significant vulnerabilities, and that these vulnerabilities are going to accelerate as time goes by, both in systems within government

and within the private sector.” – President Obama, 6-8-15

BACKGROUND OF CYBERSECURITY

Gotta be a topic expert…

Federal Law

• Federal Government’s role involves securing federal systems and assisting in protecting nonfederal systems.

• All federal agencies have responsibilities pertaining to their own systems and have sector-specific responsibilities for critical infrastructure

• More than 50 statutes that address cybersecurity, but no framework legislation is in place. No major cybersecurity legislation has been enacted since 2002.

• White house issued executive order 1336. It has provisions to protect critical infrastructure which includes information sharing and standards development.

• Proposals that received attention are The Cybersecurity Act of 2012

Economic Analysis

• Data breaches of large companies have affected financial records of millions of households, this occurs regularly. (Playstation Network getting hacked, Home Depot)

• Companies respond by hiring consultants, and purchase new hardware and software.

• Sharing information about these breaches would be effective and inexpensive to improve cybersecurity, but firms are reluctant because of privacy issues, fear of helping a competitor, or because they are afraid of losing money.

• Because firms are scared to share info, other firms suffer from vulnerabilities that could be corrected if information was shared.

• Some industry leaders call for mandatory sharing of information concerning cyber attacks.

• In April 2015 the House passed H.R. 1560 and H.R. 1731, and combined them into H.R. 1560 with two titles (Title I and Title II).

Issues & Challenges

• Experts expect cyberattacks to increase in frequency and severity over the next several years

• Design: effective security needs to be an integral part of ICT design, but developers traditionally focus more on features than security for economic reasons. Future security needs can’t be predicted, which makes it hard for designers.

• Incentives: Cybercrime is cheap, profitabile, and safer than other versions of crime. Cybersecurity is expensive, imperfect, and return on investments are unsure

• Concensus: Cybersecurity doesn’t have the same definition to different stakeholders

• Environment: Cyberspace is known as the fastest evolving technology space in human history. Social media, mobile computing, big data, cloud computing, further complicate the evolving threat environment.

Legal Issues

• In order to protect federal information networks, the Department of Homeland Security (DHS), and the National Security Agency (NSA), uses a network intrusion system that moniters all federal agency networks for potential attacks.

• It is known as EINSTEIN. It raises large privacy implications. DHS has developed a set of procedures to address these concerns, such as minimization of information collection, accountability requirements, and retention rules.

• There are concerns that the program implicates privacy interests that are protected under the Fourth Amendment (right to be free from unreasonable searches and seizures).

• Obstacles to information sharing may exist in current laws protecting antitrust or electronic communications.

• Private entities may be concerned that sharing or receiving information may lead to increased civil liability.

• H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), seeks to improve the nation’s cybersecurity, and may raise the legal issues mentioned

More Legal Issues

• The challenges are sharing of cyber information within the government’s possession and sharing of cyber-information within the possession of the private sector.

• There are fears that information disclosed to the government could be released through a public records request, result in forfeit of certain intellectual property rights of individuals whose information may be encompassed in disclosed cyber-intelligence.

Solving the threat?

• “The president urged Congress to move ahead by passing cybersecurity legislation to deal with the escalating digital threats. Part of the problem is that the federal government works on "very old systems," he said, adding that the recent breach was discovered because of efforts to install newer and better systems.” - Everett Rosenfield, 6-9-15

Two Options

Cyber DeterrenceThe mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means…. The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace”.-Thomas Mowbray, 2010

Cyber SecurityCybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. -ITU, 2015

Simplified….

Cyber Deterrence

OFFENSE

Cyber Security

DEFENSE

The Resolution

Resolved: Prioritizing a strategy of cyber deterrence over cyber security is in the best interest of the United States.

Aff’s Job

• Prioritize can simply mean preference, so not one instead of the other – but rather more emphasis placed on.

• Prioritize can be

Neg’s Job?

Inverse of the Resolution

• Resolved: Prioritizing a strategy of cyber deterrence over cyber security is NOT in the best interest of the United States.

Converse of the Resolution

• Resolved: Prioritizing a strategy of cyber security over cyber deterrence is in the best interest of the United States.

PRO ARGUMENTS

Justification for Offense

• “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.” – Fischer, 2014

• “The risks associated with any attack depend on three factors: threats (who is attacking), vulnerabilities (how they are attacking), and impacts (what the attack does)…. Reducing such risks usually involves removing threat sources, addressing vulnerabilities, and lessening impacts.” – Fischer, 2014

Public-Private Good

• “There is a role to be played in cyber deterrence by nearly every public and private entity in the U.S. – a much broader domain than the nuclear one.” – Ciluffo, 2015

• “The primary focus of this approach is usually to mitigate the cyber harm itself, though it also has proven valuable in helping apprehend and incapacitate perpetrators.” – Germano, 2014

Efficiency

• “deterrence can play a critical role in reducing the total number of attacks to a manageable level at a relatively low cost. This should free up resources to pursue and prosecute the attacks that do slip through.” – Haley, 2013

Cyber Leadership

• “The U.S. has always been a country of innovators and entrepreneurs and there is no reason for the U.S. to not be the dominant cyber power in the world for decades to come, with cyber deterrence policy as a foundation of that power.” – Haley, 2013

Futility

• “futility offers defenders some major deterrence advantages in cyberspace. Digital information can be replicated endlessly. Redundancy and recovery—very expensive in the physical domain—cost almost nothing in cyberspace.” – Goodman, 2010

• “Removing vulnerability or taking equipment offline means any attempt to attack that equipment through cyberspace will be futile… Taking some critical systems off of the network may at times prove a better option than attempting to secure critical systems from cyber attack.” – Goodman, 2010

Assigned Responsibility

• “The 2007 Estonia case does not offer only bad news. While contestability does pose challenges for cyber deterrence, cyberspace also allows for assigned responsibility.” – Goodman, 2010

• “Cyber attacks offer the possibility of assigning responsibility to states or infrastructure providers if they refuse to help attribute cyber attacks to the guilty parties.” – Goodman, 2010

CON ARGUMENTS

No Solvency

• “…regardless of how much effort is put into deterrence, it can never be completely effective. This is true not only from a technical perspective, but also from a sociological perspective. Some options that will deter some potential adversaries will give incentive to others, and there are some actors who simply cannot be deterred.” – Jensen, 2012

• “the assumption of ineffectiveness of cyber deterrence is that some with cyber capabilities can never be deterred. As a matter of social theory and historical precedent, it seems clear that some individuals are so committed to a certain course of violent action that no methods of deterrence can be truly effective. Rogue states, terrorists, and suicide bombers represent a stark example…” – Jensen, 2012

Contestability

• “The anonymity of cyberspace causes big problems for cyber deterrence. The 2007 Estonia case also exemplifies the asymmetry of cyberspace. Even if investigators could attribute the attack to an actor (say, Russia), that actor may not offer Estonia any target in cyberspace worthy of retaliation.” - Goodman, 2010

• “This poses obvious problems as states attempt to develop an effective cyber deterrence strategy. The deterring of states poses enough of a challenge; deterring super-empowered individuals seems almost impossible” – Goodman, 2010

Contestability

• “The anonymity of cyberspace causes big problems for cyber deterrence. The 2007 Estonia case also exemplifies the asymmetry of cyberspace. Even if investigators could attribute the attack to an actor (say, Russia), that actor may not offer Estonia any target in cyberspace worthy of retaliation.” - Goodman, 2010

• “This poses obvious problems as states attempt to develop an effective cyber deterrence strategy. The deterring of states poses enough of a challenge; deterring super-empowered individuals seems almost impossible” – Goodman, 2010

Scalability

• “Scalability refers to the wide variety of effects that a single capability can achieve in cyberspace” – Goodman, 2010

• “Not knowing the scale or purpose of a potential adversary’s cyber activities makes it difficult to craft an effective and incontestable deterrent declaration.” – Goodman, 2010

Retaliation

• “Misattribution and incorrect retaliation not only weakens the logic of deterrence, but possibly results in a new enemy. The prospect of facing one cyberwar against the original attacker would have evolved to two cyberwars against both the original attacker and the misattributed party.” – Wei, 2015

• “The act of cyber retaliation may itself take months to execute before the effects are felt and noticed by the attacker. By the time the retaliatory cyber-attack is discovered, the retaliation could possibly seem both arbitrary and unrelated to the original incident.” – Wei, 2015

• “retaliation in kind may legitimize a form of warfare that it would not be in the interest of the United States to legitimize when it has more than adequate conventional strength for every occasion.” – Libicki, 2009