computing lives - FTP Directory Listing

More documents

Recommendations

Info

A Computer Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page M S BE aG F 90 COMPUTER SECURITY Integrating Legal and Policy Factors in Cyberpreparedness James Bret Michael, Naval Postgraduate School John F. Sarkesain, Aerospace Corp. Thomas C. Wingfield, George C. Marshall European Center for Security Studies Georgios Dementis, Hellenic Navy Gonçalo Nuno Baptista de Sousa, Portuguese Navy Cyberwarfare countermeasures must consider more than technological capabilities. Attacks in cyberspace are commonplace. The effects of such attacks can range from minor nuisances, such as defacing webpages or temporarily denying service to noncritical systems, to major disturbances that interrupt international commerce or threaten to destabilize a nation-state. Anyone can wage an attack in cyberspace: individual citizens, criminal syndicates, terrorist organizations, even entire nations. Such attacks can be extremely sophisticated and involve many actors. The cyberattacks on Estonia in 2007 by so-called “patriotic hackers,” criminal elements that leased out botnets, and alleged state-sponsored information warriors combined some of the characteristics of a military campaign with those of a covert operation (www.economist.com/ ________________________ world/international/displaystory. cfm?story_id=E1_JNNRSVS). __________________ CYBERPREPAREDNESS Regardless of who perpetrates a cyberattack, defenders of the attacked systems must be prepared to respond, even if only to mitigate the attack’s effects. Cyberpreparedness can be said to have three dimensions (E. Tikk and T. Wingfield, “Frameworks for International Cyber Security: The Cube, the Pyramid, and the Screen,” presentation, Int’l Cyber Conflict Legal and Policy Conf., 2009): technical feasibility—the “possible”; legal—the “permissible”; and policy—the “preferable.” From a technical vantage, a defender could use a computerbased tool such as NetSPA to assess a computer network’s vulnerability to attack and develop appropriate countermeasures (K. Ingols et al., “Modeling Modern Network Attacks and Countermeasures Using Attack Graphs,” Proc. Ann. Comp. Security Applications Conf., IEEE, 2009, pp. 117- 126). However, a defender also needs a distributed command, control, and battle management (C2/BM) system to maintain situational awareness of and respond to cyberattacks in nearreal time (N. Howes, M. Mezzino, and J. Sarkesain, “On Cyber Warfare Command and Control Systems,” Proc. 9th Ann. Int’l Command and Control Research and Technology Symp., 2004; www.dodccrp.org/events/9th_ ____________________ ICCRTS/CD/papers/118.pdf). _________________ LAW AND POLICY Turning now to the “permissible” and “preferable,” the customary guiding principles of jus in bello, “customary legal standards for the conduct of war”—discrimination, necessity, proportionality, and chivalry—also apply to cyberwarfare, as does the jus ad bellum, “law governing the transition from peace to war” (J.B. Michael, “On the Response Policy of Software Decoys: Conducting Software-Based Deception in the Cyber Battlespace,” Proc. 26th Ann. Int’l Computer Software and Apps. Conf., IEEE, 2002, pp. 957-962). Cyberattacks can have the equivalent effects of attacks waged with kinetic weapons, rising to the level of a “use of force” under international law (J.B. Michael, T. Wingfield, and D. Wijesekera, “Measured Responses to Cyber Attacks Using Schmitt Analysis: A Case Study of Attack Scenarios for a Software-Intensive System,” Proc. Published by the IEEE Computer Society 0018-9162/10/$26.00 © 2010 IEEE A Computer Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page M S BE aG F
A Computer Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page M S BE aG F 26th Ann. Int’l Computer Software and Applications Conf., IEEE, 2003, pp. 622-627). Thus, regardless of the technical measures used, law and policy must be in place to guide defenders as they craft responses to cyberattacks. Although a response might be legal, policy dictates the latitude in applying the law, taking into consideration such factors as the impact on society, diplomatic relations, and even privacy concerns, such as a given response’s level of intrusiveness. The currency of the topic of cyberpreparedness is evidenced by the recent front-page news account of the legal and policy discussions that ensued prior to the cyberattack sponsored by the US Department of Defense to dismantle an online forum used by terrorists to plan kinetic attacks on US troops (E. Nakashima, “For Cyberwarriors Murky Terrain; Dismantling of Saudi-CIA Web Site Illustrates need for Clearer Cyberwar Policies,” The Washington Post, 19 March 2010, pp. A1 and A16). Policy issues included the impact on US-Saudi relations and whether the response should be conducted as an intelligence or military operation. In addition, techniques for conducting principled analyses must be ready to help minimize legal uncertainty about cyberincidents and allow the most complete range of effective responses. Whether the response is conducted via kinetic or cyber means, it must be lawful (T. Wingfield, The Law of Information Confiict: National Security Law in Cyberspace, Aegis Research Corp., 2000). LEVERAGING THE LEGAL CELL We propose merging the three dimensions of cyberpreparedness by adding a new type of virtual cell to cybersystems: the legal cell. Virtual cells within such systems serve as dynamic virtual communities in which cyberoperators can interact in support of making informed decisions. Cyberoperators encompass subject-matter experts in cyberoperations along with the related communities of the diplomatic corps, intelligence analysts, the military, politicians, legal authorities, law-enforcement agents, economists, and those responsible for creating and maintaining the national critical infrastructure. Cyberoperators can create, join, leave, and even dissolve cell instantiations. The legal cell provides cyberoperators with the means to obtain advice from experts in information operations (IO) law. Within cyber C2/ BM systems, cells subscribe to infor- We propose merging the three dimensions of cyberpreparedness by adding a new type of virtual cell to cybersystems: the legal cell. mation and the system publishes it continuously in a digestible format. This differs from the information-pull approach incorporated into most of today’s C2/BM systems when used in conjunction with kinetic warfare. Through the legal cell, IO experts can maintain a current picture of the cyberspace situation and provide advice as needed. This is an important capability, given the rapid tempo of cyberbattles and the high degree of space compression, which asserts that the physical distance from a target does not matter as it would with kinetic weapons and that a flattened command structure is necessary for conducting cyberwarfare. On instantiation of a legal cell, the system populates it with presumptions and algorithms. In this context, presumptions follow black-and-white if-then rules automatically enacted by mobile agents, whereas algorithms involve more complex data processing than with production rules but, like presumptions, are processed without human intervention and whose results trigger a course of action. These three elements—the law, presumptions, and algorithms—are what Tikk and Wingfield refer to as the “pyramid,” representing decision making along a continuum of operational speed and the inherent limitations on what types of problems computers solve in support of decision making. ATTACK RESOLUTION Given the unpredictability and quickness of cyberattacks, a rapid response is critical, necessitating use of at least some autonomic systems. According to a report by the National Institute of Standards and Technology (NIST) outlining a smart grid cybersecurity strategy and requirements (http://csrc.nist. gov/publications/drafts/nistir-7628/ draft-nistir-7628_2nd-public-draft. __ pdf). Ultimately, the cyberoperation leader will ascertain the effect of the attack’s automated response, particularly in the military because a commander cannot delegate responsibility for the actions of their command. While a commander may delegate the authority to execute certain actions on to a subordinate within the command, the commander still retains full and complete responsibility for the outcome of those delegated actions, for good or bad. Some defensive systems that involve using kinetic weapons require extensive automation, such as those used for ballistic missile defense, in which the duty cycle for core functions of the so-called “kill chain”—detect, track, assign weapons, engage, and assess outcome—cannot be performed by humans swiftly enough to achieve the desired levels of operational effectiveness. APRIL 2010 A Computer Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page M S BE aG F 91
Page 1 and 2:
›± ¨ª ¨ § ±± § ±± ±´
Page 3 and 4:
A Computer Previous Page | Contents
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42: A Computer Previous Page | Contents
Page 91: A Computer Previous Page | Contents
show all

computing lives - FTP Directory Listing

Create successful ePaper yourself

Delete template?

Save as template?