TABLE OF CONTENTS

Foreword

The Honorable Richard J. Danzig

Introduction

Trey Herr and Richard M. Harrison

Section I – Securing Data, Devices, and Networks

Chapter 1: Understanding Information Assurance

Eric Ormes and Trey Herr

Chapter 2: A Path To Collective Security: Information Sharing at the State and Local Level

David Weinstein

Chapter 3: Protecting Industrial Control Systems in Critical Infrastructure

Robert M. Lee

Chapter 4: Safer at Any Speed: The Roads Ahead for Automotive Cyber Safety Policy

Joshua Corman and Beau Woods

Chapter 5: Bad Code: Exploring Liability in Software Development

Jane Chong

Section II – Combating Cyber Crime

Chapter 6: Understanding Cyber Crime

Sasha Romanosky and Trey Herr

Chapter 7: Disrupting Malware Markets

Trey Herr and Ryan Ellis

Chapter 8: The Computer Fraud and Abuse Act: Structure, Controversies, and Proposals for Reform

Paul Ohm

Chapter 9: Breach Notification Laws: The Policy and Practice

Sasha Romanosky

Chapter 10: Cyber Insurance: A Market Based Approach to Information Assurance

Robert Morgus

Section III – Governing the Security of the Internet

Chapter 11: Understanding Internet Security Governance

Trey Herr and Heather West

Chapter 12: A Holistic Approach to the Encryption Debate

Aaron Brantly

Chapter 13: Certificate Authorities: Modernizing the Internet’s Chain of Trust

Adrienne Allen

Chapter 14: Multistakeholder Approaches to Cybersecurity Challenges

Allan Friedman and Jonah F. Hill

Chapter 15: Countering the Proliferation of Malware

Trey Herr and Paul Rosenzweig

Section IV – Military Cyber Operations

Chapter 16: Understanding Military Cyber Operations

Trey Herr and Drew Herrick

Chapter 17: Government Acquisition and Use of Zero-Day Software Vulnerabilities

Mailyn Fidler

Chapter 18: The Joint Cyber Force: Challenges and Solutions for the 21st Century

Jason Rivera with Lauren Boas Hayes, Anastasia Mark, Matt Russell, and Nathaniel Tisa

Chapter 19: The Practical Impact of Classification Regarding Offensive Cyber Operations

Herbert S. Lin and Taylor Grossman

Chapter 20: Creating Influence through Information

Kat Dransfield with Abraham Wagner and Rand Waltzman

Concluding Remarks

Trey Herr and Richard M. Harrison

BOOK SECTION SUMMARIES

Section I – Securing Data, Devices, and Networks

How do you secure the software and hardware that make up a network, be it an enterprise email system or a power plant? This is the principal question addressed in this Section, and a major focus of most cybersecurity professionals in the technical community. The work can be tedious and uncertain; for example, reverse engineering the latest strain of malware. Or it can be simple and repetitive, like making sure users in a system change their passwords every three months. Information assurance includes writing secure software, deploying it safely, and managing it to minimize the risk of compromise. The key principles are Confidentiality (that the information on a computer remains secret), Integrity (meaning a system operates the way it is supposed to), and Availability (that the computer system is ready and able to function when needed).

When the computer systems of retail giant Target were breached in 2013, malware was able to enter the company’s point of sale systems not because of some “Mission Impossible”-style covert operation but because someone clicked on the wrong attachment. A third-party company which supplied heating and ventilation control services to Target inadvertently disclosed login credentials to a billing website that sat on Target’s corporate network. Using this server as a launch pad, attackers were able to move their code onto POS systems around the country. Securing the third-party vendor’s systems, as well as Target’s corporate network, against these sorts of attackers is an information assurance challenge for which there is a broad array of standards and practices. Add to this the problem of building secure software, finding and fixing vulnerabilities in existing software, and managing information technology (IT) infrastructure, such as cloud email services, and you have a broad spectrum of highly relevant cybersecurity topics. Critical Infrastructure Protection (CIP) falls under this Section as well. Chapters in this Section discuss the internet-related vulnerabilities of cars and trucks, explore cybersecurity and information sharing at the state and local level, detail the liability of software developers in cyber attacks, and address the secure design and operation of industrial control systems.

Section II – Governing the Security of the Internet

The internet crosses national and jurisdictional boundaries, so taking legal action outside U.S. borders or implementing new protocols can require the involvement of other state and non-state actors. This Section addresses technical and legal security issues that affect or require the involvement of more than a single country. The topic is distinct from Internet Governance, which deals with managing the internet’s underlying architecture and broader administrative challenges like routing and content control, which are not security issues per se.

The ability to pass information over the internet in a secure manner underpins the modern economy, from online retail to personal banking. Transport Layer Security (TLS) is a protocol that allows computers to create encrypted links over the internet and communicate securely. When a computer connects to an internet service, such as an online bank, the website responds with a certificate containing a cryptographic key, establishing that it is indeed the intended bank and not a fraudulent site waiting to steal users’ data. These certificates are issued and verified by a small number of firms, certificate authorities, which have proven vulnerable to compromise. This Section deals with the resulting cybersecurity challenges, including the debate over backdoors, designing a more secure system of identity verification for the web, using multistakeholder models for security governance, and countering the proliferation of malicious software.

Section III – Combating Cyber Crime

The Target and Home Depot data breaches were spectacular examples of a long-running effort by criminal groups to steal customer payment information. This game of cat and mouse between retailers and payment processors, on the one hand, and criminal groups on the other has been ongoing since the birth of the retail industry on the internet. The defensive efforts of firms to secure their systems are an information assurance challenge, the sort of issue dealt with in Section I, but the incentives for using secure systems and targeting the activities of their attackers are topics for Combating Cyber Crime. Importantly, this Section does not deal with attacks that cause damage or harm people (a very small fraction of the total). In terms of the total cost of attacks to governments and individuals alike, cyber crime represents a far greater portion of the total than those addressed in the last Section in this book, Military Cyber Operations.

Cyber crime deals with actors that are interested in anything short of destructive attacks, including financial fraud and credit card theft or disrupting services for ideological goals (“hacktivism”). From a policy perspective, this Section includes the legal basis for law enforcement’s efforts to track and prosecute criminals who operate over the internet, including the Computer Fraud and Abuse Act (CFAA). Cyber crime thus covers both regulatory and legal action to drive good security practices as well as law enforcement activity to target criminal groups and interdict the trade in stolen goods and malicious tools. The chapters in this Section provide an understanding of existing laws governing cyber activities, explain the importance and potential of data breach notification laws, describe the emerging role of cyber insurance, and evaluate new ways to disrupt the malicious software markets.

Section IV – Military Cyber Operations

Military Cyber Operations (MCO) encompasses the acquisition and use of cyber capabilities for the strategic, operational, and tactical levels of conflict by states or non-state actors. This involves operations to find and develop exploits for vulnerabilities in software and the establishment of long-term access to systems in use by potential targets. At the strategic level, this could involve attacks against critical infrastructure such as nuclear weapons refining or heavy industrial facilities, while at the operational and tactical levels, military organizations may use cyber capabilities to target enemy logistics networks or air defense systems.

A well-recognized set of cybersecurity issues is the one surrounding the development and use of cyber capabilities by states and non-state actors to injure or kill individuals and destroy data or equipment. This Section discusses not only the organizational and budgetary issues involved in U.S. military operations in cyberspace, but also the legal and normative constraints on all states and non-state actors. An emerging issue is the question of how the government acquires and uses software vulnerabilities. The Stuxnet attack on Iran’s centrifuge facility may be the most prominent example of a cyber weapon in use to date, but the potential for physically destructive attacks has so far remained small, largely because of the complexity involved in crafting the tools required.

This Section encompasses the organizations, policy, and law related to deploying destructive digital or physical effects on target computer systems or defending against such effects. The chapters found here address the government’s purchase and use of zero-day software vulnerabilities, discuss how to organize and equip the military for both defensive and offensive cyber operations, highlight the negative impacts of overclassification, and detail a new way to think about the use of information in creating influence around the world.