US Security & Civil Liberties Reporting – Medill National Security Zone http://nationalsecurityzone.medill.northwestern.edu A resource for covering national security issues Tue, 15 Mar 2016 22:20:28 +0000 en-US hourly 1 Whistleblowing in the FBI: problems lie deeper than confusing legal boundaries http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/16/whistleblowing-in-the-fbi-problems-lie-deeper-than-confusing-legal-boundaries/ Mon, 16 Mar 2015 14:08:01 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21070 Continue reading ]]> WASHINGTON — Former FBI agent Michael German thought the agency had the information it needed to see the 9/11 terrorist attacks coming. In the aftermath of the attack, German reported a cover-up of a failed counterterrorism investigation that infringed upon people’s civil liberties in unprecedented ways.

Yet when German raised these concerns, the Department of Justice inspector general failed to investigate, he said. He also said the IG Office failed to protect him from official retaliation within the FBI, including possible surveillance, resulting in the 16-year veteran resigning in 2004.

“I tried to challenge the system from within, but they don’t like that,” German said in an interview with the American Civil Liberties Union. “They made it very uncomfortable so I finally realized it was time to work on the outside.”

German’s case became one of the most visible examples of the challenges facing whistleblowers in the intelligence community. In addition to a legal framework that makes it incredibly difficult for whistleblowers to come forward, a more subtle influence lurks beneath the surface: a culture that views whistleblowers as traitors, not reformers.

A new report by the Government Accountability Office released last Thursday found that, despite recent efforts to extend whistleblower protections to FBI employees, they remain exposed to retaliation for reporting wrongdoing.

Under the Whistleblower Protection Act of 1989, federal employees are generally protected from retaliation for reporting wrongdoing, entitling them to pursue legal recourse should they face retribution. However, FBI employees were excluded from these protections, and in 1998 the Department of Justice established separate guidelines that were meant to protect whistleblowers within the agency.

Yet the guidelines permitting FBI agents to disclose wrongdoing are unclear, according to the GAO report. For example, FBI employees must report wrongdoing only to a handful of designated officials. As a result, more than half of the 62 cases reviewed by the GAO were dismissed without review.

According Steven L. Katz, formerly counsel to the Senate Committee on Governmental Affairs and an expert on federal whistleblowing law, those in the FBI face much deeper issues than simply unclear legal guidelines. Instead, intelligence agents are a part of a culture that targets whistleblowers and punishes their behavior.

“When someone raises concerns, do you throw them overboard, or do you sit down with them and thank them?” he said. “The FBI throws them overboard.”

Katz argued that the GAO report fails to reflect the human aspect of the FBI in making it difficult for whistleblowers to come forward, focusing instead solely on the regulations that govern whistleblowing activities.

“The agencies are full of people, not just processes,” Katz said. “It’s the people who screw up because the laws look perfect on the books.”

According to Katz, other government agencies have faced similar problems with whistleblower culture. Last year, a series of attempted break-ins at the White House prompted Secret Service Director Julia Pierson to resign. A report released after the incident found that the Secret Service was “too insular,” ignoring the warning signs made plain by the attacks.

“In the agencies where you have a law enforcement culture, where power is might, people tend to transfer that culture of enforcement that’s outward facing inwards,” he said.

In 2012, President Barack Obama released Presidential Policy Directive 19, which established whistleblowing protection for those in the intelligence community. Elements of the directive were codified under the Intelligence Authorization Act for FY2014, but the guidelines of the directive aren’t permanent and can be easily reversed by a different president.

The result adds up to a climate that, while improving in some key ways, remains hostile to the act of whistleblowing. In an organization that possesses some of the nation’s most important classified information, the threat to the success of the FBI is intimately tied to the future of the country itself, as the 9/11 attacks demonstrated.

“You want the FBI to be effective, and so to help them be more effective you’d expect them to have better protection against retaliation from reporting problems,” said David Maurer, director for GAO’s homeland security and justice department. “It’s ironic that they have less whistleblower protection than the rest of the government.”

]]>
Is the battlefield moving online? http://nationalsecurityzone.medill.northwestern.edu/blog/2015/01/15/is-the-battlefield-moving-online/ Thu, 15 Jan 2015 15:28:34 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=20610 Continue reading ]]> WASHINGTON – With hackers attacking organizations from Sony to the Defense Department’s Central Command, cyber warfare is shaking America’s Internet security and people’s confidence in how safe they are while surfing the web.

Cyber security recently grabbed the nation’s attention when hackers threatened to bomb movie theaters last year if Sony released “The Interview,” a satirical movie about a U.S. plot to assassinate North Korean President Kim Jong Un. The FBI claims the North Korean government was behind the attack, with some Internet security experts agreeing and others proposing it was more likely the work of a Sony insider.

“The recent destructive cyber attacks on Sony and related threats of violence on American moviegoers are deeply disturbing. Whether the perpetrator is North Korea or another bad actor, the United States takes these actions seriously,” Sen. Tom Carper of Delaware, the top Democrat on (the Senate Committee on Homeland Security and Governmental Affairs, said in a statement after the incident.

House Cybersecurity Subcomittee Chairman John Ratcliffe, R-Texas, had a similar reaction. “Any response by the United States must be swift and must send a message that there will be serious consequences for cyberattacks. We cannot encourage cyber terrorists or cyberattacks from nation-states such as North Korea, Iran, or China with a weak response.”

After major theater chains refused to show the film, it was later released at specific theaters and online.

The second major cyber attack came on Monday when hackers apparently linked to the Islamic State (IS) took over U.S. Central Command’s Twitter and YouTube accounts, releasing documents allegedly showing government scenarios on China and North Korea. Both accounts were taken down later that day.

Obviously physical attacks from groups such as al-Qaida and the Islamic State are ever-present threats. The recent attacks in Paris and Nigeria proved that. However, we may see the Internet developing as a new battleground in conflicts with terrorist organizations and foreign governments.

Stewart Baker, former assistant secretary of Homeland Security and a keynote speaker at Cyber Security Summit 2014, is convinced that North Korea was behind the Sony hack.

“The Sony attack is a very troubling new development in which foreign governments have gone from stealing our secrets to trying to get us to say things they like and stop saying things they don’t like…” he said. “That’s a development that goes beyond exposing personal data to actually forcing Americans to dance to foreign governments’ tunes.”

Baker argues that many Americans are vulnerable to cyber attacks, but the real threat is from foreign governments attempting to influence national policy.

“We’re facing the prospect that foreign governments are going to be stealing American intellectual property, bankrupting companies, extorting behavior that will have an effect on how our democracy functions…” he said.

Emphasizing the danger of such attacks, Carper issued a statement this week praising the passing of four bills on cyber security last year and demanding further cooperation and action to deal with this growing threat.

However, Baker expects to see more cyber attacks and is not convinced that America’s defenses against cyber attacks are strong enough.

“[North Korea] didn’t prevent the movie from being shown. But they came close. I think the fact that they came close will encourage them to try it again,” he said. “And others who are watching the events are likely to draw the same conclusion, because the U.S. has not yet found a way to retaliate in a fashion that will deter these kinds of attacks.”

]]>
DC drone hobbyists in limbo over flying locations http://nationalsecurityzone.medill.northwestern.edu/blog/2014/10/26/dc-drone-hobbyists-in-limbo-over-flying-locations/ Sun, 26 Oct 2014 23:21:25 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=20328 Continue reading ]]> WASHINGTON — A small, four-propeller copter buzzes like a swarm of aggressive bees, hovering in place above its land-based operator, now making small high-pitched beeps indicating it’s running low on juice in its flight through rural Virginia.

Just north, the nation’s capital has been a restricted flight zone since shortly after the 9/11 attacks, but that hasn’t stopped D.C. drone users from fueling their hobby in the Virginia countryside.

The Federal Aviation Administration has strict regulations on unmanned aircrafts in the District of Columbia and its Maryland and Northern Virginia suburbs. The rules, however, got murky this year after a National Transportation Safety Board law judge ruled that an FAA ban on commercial drones was unenforceable.

That ambiguity got worse last week when the FAA canceled a voluntary set of guidelines for drone users, known as the advisory circular for unmanned aircrafts, that’s been in place since 1981.

“It’s a problem that there’s a lot of people who are flying unsafely and not knowing any of the rules or not knowing any of the community-based guidelines,” said Christopher Vo, president of the DC Area Drone User Group.

In 2011 the FAA fined a photographer $10,000 for flying a drone over the University of Virginia campus in Charlottesville. The FAA lost the case in a court challenge and appealed to the National Transportation Safety Board, after the law judge dismissed it and ruled in March that the FAA ban on commercial drones was “non-binding.”

And Washington-area drone users struggling to understand the rules, let alone follow them, are waiting for FAA to publish an updated set of guidelines.

Vo said flying commercial drones is “technically not illegal.” He doesn’t see any other reason for the FAA canceling the guidelines, besides giving “users the impression that they were permitted to fly their aircraft,” he said.

FAA spokesman Les Dorr said the FAA plans to issue a new, updated set of guidelines to come in line with laws put in place two years ago by Congress, but there’s no release date yet. Dorr said the FAA is obligated to follow laws that Congress passes.

“Some of the guidance that is in the old advisory circular somewhat conflicts the language in the law,” Dorr said. “The language in the law takes precedence.”

The 2012 FAA Modernization and Reform Act outlined restrictions the FAA can put in place for a model aircraft.

Despite the NTSB ruling on the non-binding nature of the drone rules, Dorr said the FAA has “publicized what the law is and how we interpret it.”

The DC Area Drone User Group has 1,350 members, making it the largest such organization in the country. While some of these members are commercial drone users — including people who use drones for academic research — most are hobbyists who own small drones the size of toy helicopters.

“There are no stakeholders looking toward the interest of the hobbyists or the commercial users within the FAA, so the FAA has no idea or doesn’t care about any of our interests,” Vo said. He added: “Basically I want the federal government out of my hair when it comes to my less-than-5-kilogram aircraft.”

Gray areas pose a problem for both hobbyists and commercial users, who want locations where they can legally fly their drones. Vo is petitioning to use eight locations in the Washington area.

Vo, a Ph.D. robotics student at George Mason University, said the search process is “in the very beginning stages.” But the most promising location is the Fairfax County Landfill, where a model airplane club is already allowed to fly.

At the dump, there’s less concern over privacy or security issues. The biggest risk, Vo said, is a drone crashing into a pile and joining the rest of the trash.

“There’s pretty much no risk at all flying in a landfill,” he said.

Drones have been a matter of dispute because of their potential ability to gather information about their locations and take photos that could jeopardize privacy rights. Existing rules for drone flyers include a limit of no higher than 400 feet up in the air and no-fly zones of a five-mile radius around airports, so as not to interfere with planes.

Vo said he’s waiting to see more nuanced rules that would incorporate both unrestricted recreational flying and some commercial flying.

“I think most people in the DC Area Drone User Group would agree,” Vo said, “we are willing to accept some sort of licensing requirements or some sort of registration requirements, if it means that we would be allowed to fly.”

– See more at: http://medilldc.net/2014/10/dc-drone-hobbyists-in-limbo-over-flying-locations/#sthash.veDuM4YC.dpuf

]]>
Infographic: Privacy and civil liberties board structural reform is unnecessary, chairman says http://nationalsecurityzone.medill.northwestern.edu/blog/2014/02/22/infographic-pclob-structural-reform-is-unnecessary-medine-says/ Sat, 22 Feb 2014 19:04:42 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=18007 Continue reading ]]> WASHINGTON — Privacy and Civil Liberties Oversight Board Chairman David Medine said Wednesday that the board needs time to grow on its own rather than undergo a structural overhaul, as recommended by a presidential task force. The board provides executive branch agencies with oversight and advice on anti-terrorism matters.

Privacy and Civil Liberties Oversight Board  infographic

]]>
Google standing by hotly contested change in privacy policy http://nationalsecurityzone.medill.northwestern.edu/blog/2012/03/04/google-standing-by-hotly-contested-change-in-privacy-policy/ Sun, 04 Mar 2012 22:20:25 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=9928 Continue reading ]]> WASHINGTON — Google is maintaining that a privacy policy implemented Thursday is not the dangerous change civil liberties experts are claiming it could become.

The new approach combines the privacy policies of more than 60 Google products into a uniform code that emphasizes what the search giant considers a “more intuitive user experience.”

In an official Google blog post Thursday, Alma Whitten, the company’s director of privacy, product and engineering, wrote that the policy adjustment makes Google’s privacy controls easier to understand. Beyond that, nothing has been drastically modified, she said in the blog post.

“The new policy doesn’t change any existing privacy settings or how any personal information is shared outside of Google,” Whitten wrote. “We aren’t colleting any new or additional information about users. We won’t be selling your personal data. And we will continue to employ industry-leading security to keep your information safe.”

The company has contended a more universal policy will work to its users’ advantage in the long run. For example, under the new privacy policy, one Google product could generate traffic conditions if another Google product pinpoints the user in a certain geographic location.

Since the altered privacy policy was disclosed earlier this year, it has touched off a wave of international criticism from everyone from civil liberties watchdogs to elected officials.

In late February, 36 attorneys general signed an open letter dinging Google for not allowing users to opt out of the new privacy policy. The message, addressed to Google CEO Larry Page, addes that the privacy shift allows a user’s personal information to be shared across multiple services even if the user signs up on only one service.

The privacy policy revamping basically results in personal data being “held hostage in the Google ecosystem,” the members of the National Association of Attorneys General said in the letter.

The association’s missive came several days after the Electronic Privacy Information Center sued the Federal Trade Commission as a way of persuading it to curb Google’s impending policy change.

And on Thursday, European Union Justice Commissioner Viviane Reding declared the consolidated privacy policy goes against European law. She told the BBC that the search giant is not following transparency rules as it collects personal information across Google’s dozens of platforms, including YouTube and Blogger.

Google has greeted each challenge with the same defense: Its new, unified privacy policy follows all applicable laws and makes using its services easier for all users.

The company told a reporter for The Washington Post’s Post Tech blog that it remains “happy to discuss this approach with regulators globally.”

Thursday’s Google blog post confirmed the company’s confidence in its privacy policy revision.

“As you use our products one thing will be clear: It’s the same Google experience that you’re used to, with the same controls,” Whitten wrote.

 

]]>
New Sanctions Against Iran get American Jewish Council’s Praise http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/new-sanctions-against-iran-get-american-jewish-council%e2%80%99s-praise/ Sun, 12 Jun 2011 22:31:52 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=7730 Continue reading ]]> Due to its massive human rights violations, and its continuing threats against Israel, the American Jewish Council has worked for decades to preclude the Iranian threat.

Earlier this week, the Obama Administration received praises from the AJC for announcing new sanctions against Iran.

AJC Executive Director, David Harris, said “U.S. action is an essential reminder that the Iranian regime’s gross and systematic violation of human rights is being closely monitored and will not go unanswered.”

It’s been two years since Iranian’s took to their streets and the struggle for civil liberties and fundamental civil rights persists.

The sanctions were announced earlier this week by the State and Treasury departments against three official security bodies: Iran’s Islamic Revolutionary Guard Corps, the Basij Resistance Force, and Iran’s national police, as well as against the chief of police, Ismail Ahmadi Moghadam.

The three security agencies were added to the list of organizations and individuals sanctioned by the U.S. for their central roles in perpetrating human rights abuses against Iranian citizens.

The sanctions prohibit Americans from engaging in any transactions with those agencies, freezes assets in the U.S., and blocks American visas for anyone in the three organizations.

“[This] welcome action is especially significant, coming on the second anniversary of the fraudulent 2009 national Iranian elections,” said Harris.

“America’s latest sanctions against the despotic Iranian regime are another clear signal of our determination to match policies with principles,” Harris said.  “We hope that like-minded nations around the world will soon enact similar sanctions as those announced today by the U.S.”

In March, 2009, the AJC also testified to Congress in support of the Iranian Sanctions Enabling Act.

In its testimony, AJC told Congress: “If our Administration pursues engagement with Iran, simultaneously intensifying sanctions is critical. Only tough sanctions would prevent Iran’s rulers from seeing our overtures as a sign of weakness and motivate them to be forthcoming in negotiations. Firm goalposts and deadlines also are crucial to prevent Iran’s regime from hiding behind negotiations as it completes its quest for nuclear arms.”

Harris’ blog on Huffington post: “Iran: Truth Hurts”

http://www.huffingtonpost.com/david-harris/iran-the-truth-hurts_b_398688.html

 

]]>
Are Targeted Killings an Effective Counterterrorism Tool? http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/are-targeted-killings-an-effective-counterterrorism-tool/ Sun, 12 Jun 2011 11:32:40 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=7701 Continue reading ]]> The Obama administration has heightened its campaign of targeted killings against suspected terrorists.

According to the Council on Foreign Relations, this includes an increased use of unmanned drone strikes and “kill/capture missions” on al-Qaeda and Taliban leadership.

While some experts claim victory on such missions- such as the raid that killed Osama bin Laden in Pakistan, others criticize the strategies as lacking proper legal boundaries, (as  in the targeting of an American jihadist, Anwar al-Awlaki, in Yemen).

Are these targeted killings saving lives?

Are they within legal bounds?

An adjunct Senior Fellow for Law and Foreign Policy on the Council on Foreign Relations, Matthew Waxman, said U.S. policy is within legal bounds, but cautions against over reliance on targeted killings as a counterterrorism tool.

“Lethal force directed against particular individuals outside a combat zone like Afghanistan is legally and strategically appropriate in limited circumstances,” Waxman said.

According to Waxman, “As to strategy, lethal targeting is but one important tool in the counterterrorism arsenal.”

Constitutional lawyer Pardiss Kebriaei questioned the legal basis that U.S. administrations have used to justify killing suspected terrorists. She suggested it’s a violation of constitutional rights of due process.

“It takes more than declaring a global war for U.S. drone strikes in countries as disconnected from the conflict in Afghanistan as Yemen to be lawful,” Kebriaei said.

But, Professor at Georgetown University and Research Director of the Saban Center at Brookings Institution, Daniel Byman, said decapitating terrorist networks is an effective strategy.

“Killing terrorist leaders and key lieutenants not only brings justice to our enemies, but can devastate the group in question,” Byman said. “Killing a leader like bin Laden removes a charismatic yet pragmatic leader–one who succeeded in transforming a small group into a household name and proved time and again he could attract recruits and funding.”

Afghanistan expert Kate Clark said “targeted killings often produce an organizational chaos that unleashes a more radical generation of subordinates.”

“As for the other aim of the strategy,” Clark added, “persuading the Taliban that fighting is futile and they should negotiate, the United States may find it is killing some of the very people who will be needed to make peace.”

But, are those being killed willing to work for peace, do terrorists negotiate?

]]>
Businesses ill-prepared to combat cyber attacks http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/businesses-ill-prepared-to-combat-cyber-attacks/ Sun, 12 Jun 2011 09:37:43 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=7715 Continue reading ]]> Reports of data breaches at big companies such as Sony and Epsilon are regularly in the headlines these days; it makes one wonder how just safe are businesses against the threat of cyber attacks?

An alarmingly large number, about 71 percent, of security professionals think their companies are “not equipped to protect itself against cyber attacks,” according to a study by Narus Inc., a firm which provides security and traffic management software solutions.

“Decision makers or security managers don’t believe they have adequate controls,” said Mike Lee, senior product marketing manager for Websense, an Internet security firm. “It’s a pretty common theme among most of the customers that we talk to. The fundamental reason for this is that a lot of companies have invested today in very basic security controls that protect against sort of very low level, static, known threats. By and large, the landscape has changed significantly and is much more complex than the sort of very static solutions they are prepared to deal with.”

According to the Narus survey, in the past two years 96 percent of security professionals have seen a growing sophistication in cyber attacks, and “many of the newer sophisticated attacks are non signature based or of the nature of advanced persistent.”

Lee explains that advanced persistent threats are very complex threats, often used by either a very well funded criminal organization or nation states, to go after specific organizations with custom designed attacks.

“These threats use multiple attack vectors, that very often target zero day vulnerabilities and that take place over a long period of time,” he added.

“Zero day vulnerabilities” are by definition not covered under existing anti-virus solutions. As most companies only rely on baseline protections like anti-viruses they fall victim to such attacks easily.

Another misplaced notion, which has hampered adoption of security controls by businesses, is the expectation that service providers should provide this protection.

Almost 74 percent of professionals feel this way due to “resource constraints” faced by their organizations and “scarcity of skill sets for security analysts,” according to the Narus survey.

However, Lee argues that a growing number of cyber threats are custom designed and there is no generic technology that a service provider can provide to protect an organization against such an attack.

“They are much better set up to provide baseline controls for mainstream threats,” he added.

The data breach at Epsilon, which exposed personal information of millions of customers, fits the description of an advanced persistent attack, according to Lee. Another example of a high profile cyber attack was the one against Sony, which compromised credit card numbers of customers and resulted in financial damages of more than $171 million.

But it’s not only big businesses that are at risk. FCC warns that small businesses are increasingly becoming targets of cyber attacks.

American small businesses lose billions to cyber attacks annually and 74 percent of small and medium businesses report being affected by cyber attacks in the past 12 months. The average cost of these attacks for business, per incident, was $188,242,” according to a press release by the FCC.


During a conference organized by the FCC, Maurice Jones, CEO of Parkinson construction company, said cyber criminals stole $92 000 from his company accounts.


“This is a real problem for small business owners and unfortunately, I learned the hard way,” said Jones at the conference, according to the FCC press release. “But there are relatively simple strategies and steps that small business owners can take to protect their profits – and their customers.”


FCC released a cyber security tip sheet for small businesses that includes such basic protections as providing firewall security for your internet connection; installing, using and regularly updating antivirus and antispyware software; limiting employee access to data and information; and training employees in security principles.


However, Lee argues that businesses should also focus on more sophisticated protections.


Lee’s three-pronged solution for businesses revolves around “implementing solutions that don’t rely on known attack signatures”, “incorporating data and data protection as part of the attack prevention mix” and “getting various pieces of security infrastructure to work together.”

]]>
War on “cyber terror”: The next battlefield http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/war-on-cyber-terror-the-next-battlefield/ Sun, 12 Jun 2011 09:32:53 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=7712 Continue reading ]]> The Pentagon is drafting a formal strategy that will categorize certain cyber attacks as acts of war – -allowing the U.S. to use military force in retaliation to such attacks, according to a Wall Street Journal article. Security experts, however, argue that clear origins of a cyber attack are next to impossible to find.

The WSJ article quoted an unnamed military official saying, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

Cyber attacks are of varying nature: ranging from phishing and hacking attempts to the use of malicious software. But most of these attacks fall under the category of cyber crime or cyber espionage. So what sort of a cyber attack would constitute an act of war?

“An act of cyber war could be considered one where an actor perpetrates a cyber attack against critical infrastructure systems or national assets in such a way that the effect of the attack causes physical harm, damage, or violence,” said Joseph Giordano, director of the cyber security program at Utica College, in an email. “Severe effects against the economy can also be considered an act of cyber war.”

Severe harm caused by an attack on the nation’s critical infrastructures like the electric power grid, the chemical sector, oil and gas, water supply and transportation, could trigger a military response, according to Giordano.

Under this strategy, the U.S. could use military force to retaliate against a foreign nation it believes has perpetuated a cyber war against it. This might seem like disproportionate use of force, but Catherine Lotrionte, adjunct professor of law at the Institute of International Law and Politics, Georgetown University, says it is justified under international laws.

“The right of self defense and use of force are not limited by what kind of weapon is used and it is not limited necessarily to kinetic vs. cyber,” said Lotrionte in a phone interview. “What it is often constrained by is the effects of the actual initiation of the use of force.”

This is known as equivalence in international laws. If a cyber attack causes similar amount of damage and loss of life as a physical attack would, then the right of self defense could be invoked and a military response undertaken, according to Lotrionte.

But one of the biggest challenges in justifying a military action against cyber attacks is the problem of “attribution.”

In such cases it is almost impossible to accurately determine where the attack originated from and who was behind it.

“In the realm of the Internet (cyber realm), you will fail miserably if you think that you can pinpoint an opponent via an IP address or even collection of addresses, a signature, a comment in an application and so forth,” wrote J. Oquendo, a security expert, in his blog.

Oquendo argues that an attacker can easily hide in cyber space.

“With millions of vulnerable machines worldwide, an attacker can launch an attack from anywhere with almost no attribution. This makes any analysis pretty much useless for the most part, wasted resources,” he wrote.

Giordano agrees, “smart and sophisticated hackers know how to easily obscure the origin of their attack even making it appear as if the attack is coming from a totally different point of origin.”

However, Catherine argues that, because of the difficulty with attribution, states should be able “to work under less than perfect certainty” on where the attack originated from and who is responsible.

“You might not know the original point, but you might know one of the intermediary points. So there is a state and you could track it back to this server which compromised our systems in a foreign nation, then you at least go to that point and hold that state responsible,” said Lotrionte.

Furthermore, she argues that even if the attacker is a non-state actor, the state is responsible for controlling its sovereign territories and could be held accountable.

“The norm of state responsibility will become very important in cyber,” she added.

But if sophisticated attackers can easily disguise traffic and make an attack look like it’s coming from multiple countries – how many unknowing countries will be held accountable for an act that could be perpetuated by non-state actors? And would this strategy lead to unjust wars and wasted resources? Possibly.

]]>
How safe are the clouds? http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/how-safe-are-the-clouds/ Sun, 12 Jun 2011 09:25:30 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=7705 Continue reading ]]> Cloud computing is all the rage these days. It’s being hailed as a breakthrough technology that will revolutionize the IT landscape and the way we use the Internet: we won’t be restricted to one device or machine – all our data will be in off-site data centers and we can access it from just about anywhere.

Sounds great but also risky! Concerns have been raised about data security in cloud computing. However, experts defend cloud computing, saying it is not riskier than network computing and businesses might even reduce security risks by using a cloud provider.

“I don’t think that inherently cloud computing represents any more risky application or data environment than for example on-premise applications and data,” said Mike Lee, a security analyst with Wensense an Internet security firm. “It’s a new environment that organizations need to think about a little bit differently and make sure that they are able to extend the same level of control in the cloud that they have on premise.”

So how does Cloud computing work? It is a type of Internet-based computing where services are provided to Internet users through an on-demand basis. Now we don’t need to have our own computers. We just need some sort of a down terminal and by subscribing to a cloud-based service we can get all the computational power we need and store all our data and applications in an off-site data center, according to Bhavani Thuraisingham, director of the Cyber Security Research Center at the University of Texas Dallas.

But with this new technology came new risks and challenges.

“There are a range of security issues associated with cloud computing,” said Thuraisingham. “Security in the physical networks just involves securing the network. But with the clouds there are more things you are doing than in a physical network. You are not only transferring data but also storing data and applications, so it requires more controls.”

According to a survey by Narus, a growing number of businesses are using cloud technology, because “it enables a more flexible approach for deploying and scaling applications, promising real cost savings and agility to customers.” However, a majority of the survey respondents, about 70 percent, were concerned about the security of the cloud.

Joel Friedman, CEO of SurveyWriter a web-based software service provider, said cloud computing has been a central model for his business.

“This model does have some inherent security risks over offering individual shrink wrapped software. But the benefits far out weigh the risks. This type of power was not available with traditional software running on individual desktop computers,” he added.

Dennis Hurst, a member of the Cloud Security Alliance, disagrees.

“I don’t think it’s more risky it depends on the service. There are some cloud providers that are more secure than any company I’ve ever worked with. There are other providers that are not. So it’s very specific to the provider you are using,” said Hurst.

He said the biggest mistake businesses make when signing up with a cloud provider is not assessing their security controls upfront.

“In cloud computing you are trusting an external vendor to provide a certain amount of security. And it may be that service, because of the way, it was designed can’t be secured properly to meet your governance requirements. That’s something you need to look into before you enter the relationship not afterward,” said Hurst.

According to Hurst, some cloud providers provide better security controls than an individual business could ensure on its own. In such a situation it would be less risky for that business to branch into cloud computing.

Thuraisingham, who is working on a joint project funded by the U.S. Air Force, said the cloud computing paradigm which came in late 2006, with Amazon opening its Elastic Compute Cloud service, has progressed tremendously.

Recently, Apple announced it will launch iCloud, a service that allows users to put all their personal data in a cloud and then synchronize it across all of their devices.

However, outage of the Amazon’s cloud-based Web services, in April, – which brought down web sites and services of many businesses for days – sparked debate about the riskiness of cloud computing.

Thuraisingham foresees newer and more sophisticated technologies coming into cloud computing and with that newer security challenges.

“I don’t think we will ever have a hundred percent secure cloud just like we will never have a hundred percent secure physical network,” she added.

However, she feels there is no going back. Cloud computing is the future and just like any other system continuous work needs to be done in order to ensure its security.

]]>