Legal Aspects of IO IW 230 College of Aerospace Doctrine, Research, and Education.
Legal Aspects of IO
IW 230
College of Aerospace Doctrine, Research, and Education
“The Big Picture”
• The law lags evolution of technology
• Find answers in existing principles
• Our actions affect evolution of the law
• Shape legal framework to further national interest
• Governmental actors must consider spirit, not just letter of the law
INFORMATION SUPERIORITY
INFORMATION OPERATIONS
AFDD 2-5
Successfully executed Information Operations achieve information superiority
[Figure: AFDD 2-5 Information Operations model. Information-in-Warfare (gain / exploit): ISR, Precision Navigation & Position, Weather, PAO, Other Information Collection/Dissemination Activities. Information Warfare (Counterinformation): Defensive Counterinformation (defend) comprises Information Assurance, OPSEC, Counter-Intelligence, Counter-Propaganda, Counter-Deception, Electronic Protect, CND and PAO; Offensive Counterinformation (attack) comprises PSYOP, Physical Attack, Military Deception, Electronic Warfare, CNA and PAO.]
Information Operations
Joint: Actions taken to affect adversary information and information systems while defending one’s own information and information systems
• Offensive and Defensive IO
The Air Force believes that in practice a more useful working definition is: those actions taken to gain, exploit, defend, or attack information and information systems
• Information Warfare and Information-in-Warfare
Information Warfare
“Information operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries. … The Air Force believes that, because the defensive component of IW is always engaged, a better definition is: Information operations conducted to defend one’s own information and information systems, or to attack and affect an adversary’s information and information systems.”
AFDD 2-5, Aug 98
USSPACECOM: DoD’s Lead for CND and CNA
JTF CND
• Chartered in 1998 as an interim organization to handle coordination of DoD’s Computer Network Defense
JTF CNO
• CINCSPACE received the mission for Computer Network Attack in Oct 00
• Decision to expand JTF CND
• 2 Apr 2001, JTF redesignated JTF Computer Network Operations
The Future
“It seems to me that, philosophically, rather than conducting information operations as ends in themselves, we want to ‘operate in the information age….’ By that I mean integrating, and not ‘stovepiping,’ the various areas of information operations into our overall military plans and operations….”
--General Ed Eberhart, USCINCSPACE
AF Future Capabilities Game 2001: An Introduction to Network Warfare of the Future
Computer Network Operations
• Computer Network Defense
• Computer Network Exploitation
• Computer Network Attack
CNO Taxonomy
Computer Network Defense:
• Those measures, internal to the protected entity, taken to protect and defend information, computers and networks from intrusion, exploitation, disruption, denial, degradation or destruction.
CNO Taxonomy
Computer Network Defense:
• Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within . . . information systems and computer networks. (DoDD O-8530.1)
• Defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction. (JP1-02)
CNO Taxonomy
Computer Network Attack:
• Operations using computer hardware or software, or conducted through computers or computer networks, with the intended objective or likely effect of disrupting, denying, degrading or destroying information resident in computers or computer networks, or the computers and networks themselves.
CNO Taxonomy
Active CND (Computer Network Response):
• Those measures, that do not constitute CNA, taken to protect and defend information, computers, and networks from disruption, degradation, denial, destruction, or exploitation, that involve activity external to the protected entity. CNR, when authorized, may include measures to determine the source of hostile CNA or CNE.
CNO Taxonomy
Computer Network Exploitation:
• Intelligence collection operations that obtain information resident in files of threat automated information systems (AIS) and gain information about potential vulnerabilities, or access critical information resident within foreign AIS that could be used to the benefit of friendly operations. (CJCSI 6510.01C)
Overview
Part I: Computer Network Defense (CND)
• Computer Monitoring
• Computer Crime
• Active Defense / Computer Network Response
Part II: Computer Network Attack (CNE/CNA)
• Development of International Law
• The Use of Force in Peacetime
• US/Foreign Domestic Laws
• The Law of War
Part I: Computer Monitoring (Part of CND)
IO Law Outline, p. 1-15
System Administrators
• Monitoring, Encryption, Intelligence Oversight
Law Enforcement / FISA
Intelligence Community
[Figure: Information Infrastructure, spanning the Energy, Transportation, Telecommunication, Banking and Defense sectors]
Information Security--Monitoring
One of the first lines of defense in protecting AF information systems
Monitoring performed for different reasons, by different actors:
• systems protection / network professionals
• operational security / TMAP assets
• evidentiary interception / law enforcement investigators
Analytical Blueprint
Analysis starts with the three “Ws”
• Who?
• What?
• Why?
Different ROEs based on answers
• Law Enforcement interceptions
• Intel-counterintel surveillance
• Systems protection monitoring
Monitoring: Legal Constraints
4th Amendment Right to Privacy
Electronic Communications Privacy Act
Legal Principles--Constitutional Law
Fourth Amendment prohibition against Unreasonable Search & Seizure
• Protects people; not places
• Is there a reasonable expectation of privacy?
• If so, is the search reasonable?
Governed by totality of circumstances
Degree of protection proportional to expectation of privacy
Summary of Case Law, p. 1-37
U.S. v. Monroe (AFCCA Feb 5, 1999)
Court found Monroe had no expectation of privacy in an e-mail account on a government server as to his supervisors and the system administrator (Banner)
E-mail accounts were given for official business, although users were authorized to send and receive limited textual and morale messages to and from friends and family
Monroe did not have a government computer, but had a personal computer in his dorm room
Monroe...
Court used the analogy of an unsecured file cabinet in the member’s superiors’ work area in which an unsecured drawer was designated for his/her use in performing his/her official duties with the understanding that his superiors had free access to the cabinet, including the drawer
Affirmed by CAAF, 13 March 2000
Electronic Communications Privacy Act (ECPA)
Statutorily conferred an expectation of privacy in electronic and wire communications
Interception of electronic communications
Access into stored communications
Generally prohibits interception of electronic communications, or access into stored communications, without court order
• aimed at law enforcement
• numerous “exceptions”: systems provider exception, consent, court order
ECPA: Rights and Limitations
May monitor and disclose traffic data
May access electronic communications stored on his or her system
May disclose the contents of those communications to others unless he or she is providing electronic communications services to the public
Real Time Monitoring--The provider exception
May monitor in real-time (and thereafter disclose) wire and electronic communications, so long as such monitoring and disclosure is conducted “in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service.”
Disclosure to Law Enforcement
May disclose real-time communications he or she has monitored (or stored communications he or she has accessed) with the consent of an appropriate party, normally an individual who is a party to the communication, or when evidence of crime is apparent and inadvertently obtained
PATRIOT Act of 2001
IO Law Outline, p. 1-17
Section 212 of the Act amends subsection 2702(b)(6) (ECPA) to permit, but not require, a service provider to disclose to law enforcement either content or non-content customer records in emergencies involving an immediate risk of death or serious physical injury to any person.
This section also allows providers to disclose information to protect their rights and property.
PATRIOT Act of 2001
IO Law Outline, p. 1-18
Although the wiretap statute allows computer owners to monitor the activity on their machines to protect their rights and property, until Section 217 of the Patriot Act was enacted it was unclear whether computer owners could obtain the assistance of law enforcement in conducting such monitoring
Consent: Banners are our friend
Promotes awareness for users (ECPA exceptions not necessarily obvious)
2nd exception under ECPA
Limits on Consent
Defined by what banner says
Limited to provider’s own network
Duration must be short term, then get Wiretap Order (DoJ)
AFI 33-219
• authority given only to HQ AIA TMAP elements
• consent monitoring / banners
• certification process
SJA must review detailed summary of consent notification actions
determines if actions legally sufficient to constitute consent
OPSEC/COMSEC Surveillance
IO Law Outline, p. 1-19
ROEs--Search (con’t)
Is the search/seizure reasonable?
• consent
• search authorization or warrant
AFOSI vs Security Forces
ROEs--Interceptions
AFI 71-101, Vol 1 Requires Approval for Interceptions
• AFOSI/CC
• SAF/GC
• DOJ (nonconsensual)
Tips on Handling Computer Abuse Cases
SYSAD usually identifies govt. I.P. addresses where abuse taking place
• Does Not Need to Monitor Real-Time
Appropriate commander/senior leader should be briefed, then assemble all users to notify them of impropriety, warn
If it continues, SYSAD, commander, and SF can mount a “sting” to catch perp in the act
Computer Crime
IO Law Outline, p. 1-23
Federal Computer Crime Statutes
• 18 USC 1029, 1030
• 18 USC 1028 (Identity Theft)
• 18 USC 2251, 2252, 2252A (Sexual Exploitation of Children)
• 18 USC 2511, 2701… (Wiretap Statute and ECPA)
UCMJ Articles
• General Article (134)
• Failure to Obey Order or Regulation (92)
USA PATRIOT ACT of 2001
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
Nationwide Search Warrants for E-mail: Sec 220
Old: Search warrant needed to compel disclosure of unopened e-mail less than six months old in Electronic Computing Service or Remote Computing Service (i.e. ISP)
Had to be issued by court within district where e-mail was stored
New: nationwide search warrants for e-mail
Allows court with jurisdiction over the offense to issue single search warrant
Subject to sunset
Intercepting Voice Comms in Hacking Cases: Sec 202
Old: Could not get wiretap order to intercept wire communications (involving human voice) for violations of the Computer Fraud and Abuse Act (18 U.S.C. § 1030)
Hackers have stolen teleconferencing services to plan and execute hacks
New: Adds felony violations of Computer Fraud and Abuse Act to list of offenses that support a voice wiretap order
Sunsets December 2005
Obtaining Voice-mail and Stored Voice Comms: Sec 209
Old: LE could use search warrant for voice recording on answering machine inside criminal’s home (easier), but needed wiretap order for voice comms with a third party provider
New: Stored voice (“wire”) comms acquired under 18 USC § 2703 (including search warrant)
Sunsets December 2005
Subpoenas for Electronic Evidence: Sec 210
Old: Subpoena limited to customer’s name, address, length of service, and means of payment
In many cases, users register with ISPs under false names
New: Update and expand records available by subpoena
Old list, plus means and source of payment, credit card or bank account number, records of session times and durations, and any temporarily assigned network address
Not subject to sunset
Intelligence Oversight
Improved Intelligence
Inclusion of international terrorist activities within scope of foreign intelligence under the National Security Act of 1947.
Law enforcement to notify the intelligence community when a criminal investigation reveals information of intelligence value.
Reconfigures the Foreign Terrorist Asset Tracking Center.
FISA Elec Surveillance: Sec. 218
Old: required certification that obtaining foreign intelligence was ‘the’ purpose of search
FISA Court interpreted to mean primary purpose of investigation was obtaining foreign intelligence and not criminal prosecution
New: obtaining foreign intel is “a significant purpose” of the search
Allows intelligence agents to better coordinate with criminal investigators
Subject to sunset
What is “Active Defense”?
Approved joint term in DoD Dictionary
• Active Defense: The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.
• Passive Defense: Measures taken to reduce the probability of and to minimize the effects of damage caused by hostile action without the intention of taking the initiative.
No consensus in computer network context
“Active defense”
“The fact is that right now my authority [for active defense measures] is very limited. I believe in this area the wisest course of action is to pursue the policy and procedural issues at or ahead of the pace of technological capabilities, because whether or not to use an attack as an active defense measure or as a weapon system is a decision that needs to be operationally defined at the national policy levels first and foremost.” Maj Gen James Bryan, JTF-CND/CC, Federal Computer Week, 4 Dec 2000
Current U.S. Policy….
DoD Deploys Cyber-Defense
Defense News, November 12-18, 2001, Pg.
Faced with a near doubling of attacks on military computers in the past year, the guardian of the U.S. military’s information systems has asked Pentagon leaders for permission to strike back.
"We are no longer going to be passive. If they hit us, we’ll be hitting them back real soon," U.S. Army Maj. Gen. Dave Bryan, commander, Joint Task Force-Computer Network Operations (JTF-CNO),
Part II: Computer Network Attack (CNA)
IO Law Outline, p. 1-42
• Development of International Law
• The Law of War
• The Use of Force in Peacetime
• Space Law
• Telecommunications Law
• US/Foreign Domestic Laws
Development of International Law
Consists of Binding Legal Obligations among Sovereign States
Sovereign States are Legally Equal and Independent Actors
They Assume Legal Obligations only by Affirmatively Agreeing To Do So
General Rule: Unless Prohibited by Law a Course of Action is Allowed
International Development of Territoriality in Air & Space
Air Law: Post WW II
• Sovereign Control Over National Airspace
Space Law: Post Sputnik I & Explorer I
• No Objections to Overflight of Spacecraft
• Reconnaissance Satellites OK
• Outer Space Treaty Enshrines Principle
Information Operations??
United Nations Charter
“The first use of armed force by a State … shall constitute prima facie evidence of an act of aggression” (UN General Assembly Res. 3314 (XXIX), Definition of Aggression, Art. 2, which supplements the Charter’s own text)
What kinds of information attacks are likely to be considered by the world community to be armed attacks and uses of force?
Peacetime Rules of Engagement
United Nations Charter--1945
Article 2(4)
• Refrain From the Threat or Use of Force Against the Territorial Integrity of Any State, or in Any Manner Inconsistent With the Purposes of the UN
Article 51
• Inherent Right of Self-Defense Recognized When an “Armed Attack” Occurs
  – Space Control -- Information Operations?
Use of Force Authorized?
• Authorized by UN Security Council
• Self-defense
• Humanitarian intervention
• Treaty-sanctioned interventions
• Enforcement of international judgments
What is Force?
The traditional view is that force means armed force, rather than other potentially coercive vehicles of state policy
• Negotiating history of UN Charter
• UNGA Resolution on Aggression
• Nicaragua v. United States (ICJ, 1986)
China’s Unrestricted Warfare
“This kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere. It means that all weapons and technology can be superimposed at will … that all the boundaries lying between the two worlds of war and nonwar, of military and nonmilitary, will be totally destroyed … the rules of war may need to be rewritten.” (Qiao Liang and Wang Xiangsui, Unrestricted Warfare, 1999)
Does CNA = Force?
• Focus on Consequences of CNA
  – Consider Severity/Nature
  – No Bright Lines
• Some Tools/Targets May Constitute Force
International Law
Triggers for self-defense right?
• Intruder defeats security and gains entry into computer systems
• Significant damage to attacked system or data
• System is critical to national security
• Intruder’s conduct or context clearly manifests malicious intent
Computer Responses
Launching responsive CNA to disable intruder’s equipment
• May not defeat state-sponsored ops
• May serve as shot across the bow
• Useful for shaping conflict
• Reciprocal
Kinetic Responses
• Response to CNA need not be CNA
• Lack of target, access etc. may limit options
• Traditional LOAC analysis:
  – Military necessity
  – Proportionality
Attribution
• Huge technical challenge (source addresses can be spoofed, and intruders commonly route through intermediate hosts in third countries)
• Intelligence data/analysis critical
• Links to other events
• State sponsored or not?
• Identity and intent
Remedies
• If not state-sponsored, law enforcement authorities are primary response
• If nation unable or unwilling to prevent recurrence, use self-defense
• Providing safe refuge can be complicity
• Complicity can be state action
Legal/Policy Considerations
• Continuing threat to national security
• Demonstration of resolve
• World opinion
• Reciprocity
Domestic Law - No Military Exclusion
• 18 USC 1367: Felony to intentionally or maliciously interfere with a communications or weather satellite, or to obstruct or hinder any satellite transmission.
• 18 USC 1030 (Computer Fraud and Abuse Act): Misdemeanor to intentionally access a computer without authorization or exceed authorized access; becomes a felony where aggravating factors such as damage, fraud or repeat offenses are present
Domestic Law (cont)
• 18 USC 2511: prohibits intercept and disclosure of wire, oral, electronic communications.
  – FISA exception
• DOJ/GC opinion: domestic criminal law does not apply to actions of US military members executing instructions of the NCA (National Command Authorities)
LOAC: Customary Legal Principles and IW
• Military Necessity
• Distinction
• Proportionality (possible problem)
• Humanity (unlawful weapons)
• Chivalry (Perfidy)
• [Law of Neutrality]
Military Necessity
• Military Infrastructures: Lawful Target
• Purely Civilian Infrastructure: Unlawful, Maybe...
  – Stock Exchanges
  – Banks
  – Universities
Distinction
Combatants vs. Noncombatants
Computer Network Attack
• Our “cyber-warriors” are required to be part of military
• Attack from .mil??
Proportionality
• During Desert Storm one of the earliest targets was the electrical power system
  – Lawful target: military use
• Iraqi response: Coalition’s attack constituted attempted genocide
  – City’s sewage system backed up, threat of epidemic disease
Humanity: Unlawful Weapons
• Illegal Per Se (by Treaty)
  – Poisons
  – Glass projectiles
  – DumDum Bullets
• Illegal by treaty because of indiscriminate effects
  – Biological/Bacteriological weapons
  – Chemical weapons
Indiscriminate Weapons?
• Lasers (earth/space based)
• Malicious Logic
• Worms/Viruses (self-propagating code does not stop at the intended target)
• EMP Devices
Chivalry
The waging of war in accordance with well-recognized formalities and courtesies
• Permits lawful “ruses and stratagems” intended to lawfully mislead the enemy
• Prohibits perfidy -- treacherous acts intended to take unlawful advantage of the enemy’s “good faith”
What about taking over your enemy’s computer network:
• to send supplies to the wrong place?
• to declare an end to the war?
Perfidy
Improper use of
• Flags of Truce
• Protected Status
• Distinctive Emblems
• Uniforms of Neutrals
Law of Neutrals
• Neutrality by a State means refraining from all hostile participation in the armed conflict
• It is the duty of belligerents to respect the territory and rights of neutral States
[Examples shown: Austria, Switzerland, Jordan]
Hague V (1907), Art. 1
• Prohibits any unauthorized entry into the territory of a neutral State, its territorial waters, or the airspace over such areas by troops or instrumentalities of war
• If one belligerent enters neutral territory, the other belligerent, or neutral State may attack them there
Law of Neutrals
• Neutrality under UN Charter?
• 1907 Hague Convention--Facilities are provided impartially to both sides
• Systems that generate information v. merely relay communications
Summary
• Interplay of different International Law Regimes
• If it is not prohibited, it is permitted
• What we do will have tremendous effect on how this area of the law develops
Relevant Directives (To name a few!)
• PDD 62, Combating Terrorism
• PDD 63, Critical Infrastructure Protection
• JP 3-13, Joint Doctrine for Information Operations
• DoDD S-3600.1, Information Operations
• DOD Memorandum on Web Site Administration, 7 Dec 98
• DOD Memorandum on Communications Security and Information Systems Monitoring, 27 Jul 97
• AFDD 2-5, Information Operations
• AFI 33-129, Transmission of Information via the Internet
• AFI 33-119, Electronic Mail Management and Use
• AFI 33-219, Telecommunications Monitoring and Assessment Program
• AFI 14-104, Intelligence Oversight
• TJAG Policy Letter 31, Legal Information Services