Key Legal Implications of Computer Network Defense Protecting America’s Information Infrastructure Walter Gary Sharp, Sr

Las Vegas, Nevada July 2001. Key Legal Implications of Computer Network Defense Protecting America’s Information Infrastructure Walter Gary Sharp, Sr., Esquire Principal Information Security Engineer (703) 624-5292 or WGSharp@MITRE.org The MITRE Corporation.

Presentation Transcript


  1. Las Vegas, Nevada July 2001 Key Legal Implications of Computer Network Defense Protecting America’s Information Infrastructure Walter Gary Sharp, Sr., Esquire Principal Information Security Engineer (703) 624-5292 or WGSharp@MITRE.org The MITRE Corporation The opinions and conclusions expressed herein are those of the author and do not necessarily reflect the views of any governmental agency or private enterprise.

  2. The Legal Framework for Response: Three Perspectives Purpose & CND Defined Key Legal Issues U.S. Domestic, International, & Foreign Law Case Studies, Policy Considerations & Recommendations Conclusion Selected Legal Authorities Summary: An Analytical Decision Support Model Today’s Presentation

  3. Purpose of this Presentation To explore how America can better balance its citizens’ privacy and civil liberties with an effective ability to: • protect America’s information infrastructure; • detect potential attacks by joy-hackers, economic competitors, criminals, terrorists, and hostile states; and, • respond effectively in a way that is compatible with American democratic principles and international law.

  4. Caveat This presentation is intended to provide a situational awareness for those involved or interested in the legal issues relevant to the defense of computer networks. It is NOT intended to substitute for the advice of your organizational legal counsel. Legal advice should only be sought from an attorney authorized to provide legal advice to your organization.

  5. Computer Network Defense (CND) Defined Defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction. Joint Publication 1-02: DoD Dictionary of Military and Associated Terms 23 March 1994, as amended 14 June 2000

  6. Increasing Legal Authority to Respond State Non-state, Non-U.S. Citizen U.S. Citizen Default Environment Crisis Peace Conflict The Legal Framework for Responding to Computer Intrusions Perspective ONE Nine distinctive regimes; each may implicate U.S. domestic, international, and foreign law Actor-dependent Attribution key issue An effective initial response methodology must be actor-independent

  7. Perspective TWO The Legal Framework for Responding to Computer Intrusions State actors -- national security community response U.S. domestic law International peacetime regime Law of Conflict Management Law of War Non-state actors -- law enforcement response U.S. domestic law Foreign law Mutual Legal Assistance Treaties International peacetime regime Question: What is an appropriate and lawful response when a territorial state is unable or unwilling to assist another state’s law enforcement efforts to arrest non-state actors within its territory?

  8. Perspective THREE International Law • Peacetime Regime • Law of Conflict Management • Law of War Telecommunications Law and Foreign Law Telecommunications Law The Legal Framework for Responding to Computer Intrusions Foreign Law U.S. Domestic Law Law of Target State Air Law HN Law Law of the Sea

  9. Key Legal Issues -- U.S. Domestic Law Attribution Property Privacy Civil liberties Criminal and civil liabilities Posse Comitatus Separate legal authorities for military, law enforcement, and foreign intelligence activities Presumption that intruder is “U.S. Citizen” until proven otherwise

  10. Key Legal Issues -- International Law Current international status: peacetime or armed conflict Use of force: necessary and proportional, and discriminate Hostile act / hostile intent U.N. Security Council Chapter VII authorization Application of Article 103 of Charter of United Nations Self defense Regulation of activities by peacetime regime Criminal and civil liabilities

  11. Key Legal Issues -- Foreign Law Sovereignty and governmental acts Criminal and civil liabilities Modifications to application of foreign law by operation of U.N. Charter or international agreement U.S. Presidential authority to conduct covert operations

  12. Selected Legal Authorities U.S. Domestic Law Fourth Amendment Restricts the ability of the government to search where a reasonable expectation of privacy exists Electronic Communications Privacy Act, 18 USC §2510 Creates statutory privacy rights and defines: Providers of Electronic Communication Service (ECS) -- any service which provides to its users the ability to send or receive wire or electronic communications Providers of Remote Computing Service (RCS) -- public service which provides computer storage or processing by means of an ECS “Electronic storage” -- any temporary, intermediate storage incidental to an electronic transmission

  13. Selected Legal Authorities U.S. Domestic Law (continued) Electronic Communications Privacy Act, 18 USC §2510 (continued) Prohibits unlawful access to communications of an ECS in electronic storage Prohibits unlawful disclosure by a public ECS of a communication in electronic storage Prohibits unlawful disclosure by a RCS of a communication it carries or maintains Regulates how the government can obtain information from ECS and RCS providers Compelled disclosure (subpoena, court order, warrant) Voluntary disclosure Consent

  14. Selected Legal Authorities U.S. Domestic Law (continued) Pen Registers and Trap and Trace Statute, 18 U.S.C. §§ 3121-27 Regulates the collection of addressing information of wire and electronic communications (simply to and from, not even the subject line) Prohibits installation or use of a pen register or a trap and trace device by anyone without prior court order Prohibition does not apply to provider of electronic or wire communication service who uses such device: during the operation, maintenance, and testing of its service; to protect its and its users’ property rights; to prevent fraudulent, unlawful, or abusive use of its services; with the consent of its users

  15. Selected Legal Authorities U.S. Domestic Law (continued) “Title III” Wiretap Statute, 18 U.S.C. §§ 2510-22 Regulates the collection of the content of wire and electronic communications in transmission Prohibits any intentional interception, knowing use, or the knowing disclosure of any wire, oral, or electronic communication during its transmission, and the intentional use of any device to intercept any oral communication, by any third party in the United States Prohibition does not apply, for example, to any ECS provider who may intercept, disclose, or use a communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of that service

  16. Selected Legal Authorities U.S. Domestic Law (continued) The Foreign Intelligence Surveillance Act of 1978, 50 USC §1801 Grants authority and approval process for investigations, electronic surveillance, and search & seizure that target foreign intelligence activities The Computer Fraud and Abuse Act of 1984, 18 USC §1030 (1984) The first federal computer crime statute Prohibits unauthorized access to computers engaged in interstate communication The Economic Espionage Act of 1996, 18 USC §1831 Prohibits theft of trade secrets for foreign government (Economic Espionage) or for the economic benefit of any person (Theft of Trade Secrets)

  17. Selected Legal Authorities U.S. Domestic Law (continued) The Identity Theft and Assumption Deterrence Act of 1998, 18 USC §1028 Prohibits unauthorized transfer or use of another’s means of government identification for the furtherance of any unlawful activity that constitutes a violation of Federal law or a felony under state or local law Fraud by Wire, Radio, or Television, 18 USC §1343 Prohibits interstate fraud via the Internet Communication Lines, Stations, or Systems, 18 USC §1362 Prohibits injury or destruction to any means of communication operated or controlled by U.S. Government or used for military or civil defense

  18. Selected Legal Authorities U.S. Domestic Law (continued) U.S. Constitution -- authority of the Commander in Chief U.S. Code, Title 10 -- authority of military U.S. Standing Rules of Engagement -- authority of combatant commanders (CJCSI 3121.01A, Enclosure F, 15 January 2000)

  19. Selected Legal Authorities International Law The Peacetime Regime -- governs, but does not prohibit per se, state activities in CyberSpace (applies during armed conflict if not inconsistent with inherent nature of hostilities) Jus ad Bellum -- the law of conflict management (U.N. Charter, Articles 2(4), 39, and 51) regulates the use of force by states vis-à-vis states (all use of force must be necessary, proportionate, and discriminate) Jus in Bello -- the law of war governs the means and methods of warfare and the protection of civilians during armed conflict (effects based analysis)

  20. Articles 2(4) & 51 threshold Common Article 2 threshold The Application of International Law © 1996 Walter Gary Sharp, Sr. State Activities in CyberSpace Line of belligerency Peacetime military operations • law enforcement • normal peace-keeping • humanitarian & disaster relief • counter-terrorist & hostage rescue • noncombatant rescue Combatant operations • declared war • de facto hostilities (scope, duration, & intensity) • partial or total occupation Self-defense All necessary means in response to outright aggression Limited use of force Use of Force Spectrum jus in bello applies jus ad bellum applies peacetime regime applies

  21. The International Peacetime Regime Examples of Application Espionage is lawful Status of Forces Agreements and host nation laws UN Convention on the Law of the Sea: innocent passage and unauthorized broadcasting International Telecommunications Conventions: prohibitions on harmful interference, national right to intercept and suspend Outer Space Treaty: the moon and other celestial bodies must be used for “peaceful purposes” INTELSAT: must be used for “other than military purposes” INMARSAT: must be used “exclusively for peaceful purposes”

  22. Jus ad Bellum: Examples of Application (Part One) © 2001 Walter Gary Sharp, Sr. Customary International Law Policy Precedent • Isolated verbal threat; • Initial troop movements; • Shaping of alliances. • Use of fire control radar; • Interference with early warning or C2 systems. • Massing of troops on border. ACTIVITY • Boycotts; • Diplomatic measures; • Severance of diplomatic relations; • Economic competition or sanctions; • Interruption of communications; • Espionage. • Extreme intrastate violence or human rights violations; • Failure of state to surrender terrorists; • Illegal racist regime; • Large refugee movements; • Diversion of a river; • Serious violations of int’l law that may provoke armed response. Use of force against: • Territory; • Warship; • Military forces; • Citizens abroad. • Destruction of early warning or C2 systems. Spectrum of Interstate Relations Art. 39 Art. 2(4) Art. 51 THRESHOLD Armed attack (use of force) Threat to the peace Threat of force Hostile act Hostile intent

  23. Customary International Law Policy Precedent Jus ad Bellum: Examples of Application (Part Two) © 2001 Walter Gary Sharp, Sr. Spectrum of Interstate Relations Art. 39 Art. 2(4) Art. 51 THRESHOLD Armed attack (use of force) Threat to the peace Threat of force Hostile act Hostile intent Anticipatory self defense Self defense RESPONSE UNSC may require states to comply with Art. 41 measures Any measures or use of force authorized by the UNSC under Chapter VII Diplomatic measures; severance of diplomatic relations; complete or partial interruption of economic relations or interstate communications; arbitration, judicial proceedings, etc.

  24. Jus in Bello: Examples of Application Regulations annexed to the 1907 Hague Convention No. IV -- an effects based analysis -- Prohibit the use of means calculated to cause unnecessary suffering Prohibit attack by whatever means of undefended towns or buildings Prohibit unnecessary damage to buildings dedicated to religion, art, science, or charitable purposes as well as historic monuments, hospitals, and places where the sick and wounded are collected Permit ruses of war and employment of measures necessary to obtain information about the enemy Permit seizure of state property that can be used for military ops

  25. Selected Legal Authorities Foreign Law Criminal and civil law applies unless modified by operation of U.N. Charter or international agreement

  26. © 1997 Walter Gary Sharp, Sr. Does international law prohibit the activity? Does U.S. law authorize the activity? Does HN law authorize the activity? YES NO NO YES YES YES NO NO Activity is unlawful under U.S. law and cannot be authorized Is prohibition suspended by: • a state of war, or • operation of Article 103; or is the activity authorized by: • right of self-defense, or • Chapter VII? Activity is lawful under U.S., HN, and international law, and may be authorized by the NCA Activity is unlawful but may be authorized by the President Summary An Analytical Decision Support Model for the Legality of State Activities in CyberSpace

  27. Case Studies “Track-back” Internal to system or network External to system or network Compelled disclosure (subpoena, court order, warrant) Voluntary disclosure Consent “Shoot-back” Attribution Targeting -- necessity, proportionality, discrimination Electronic -- automated and manual Kinetic

  28. Case Studies (continued) DirecTV Satellite Entertainment Number one digital satellite entertainment service in the U.S. Controls access to proprietary network via “smart” cards Pirating of services is a significant problem Late 2000 - transmitted a logic bomb a few bytes at a time to a specific series of smart cards that injects upon command an endless loop into a write once section of the smart card January 2001 - transmitted a message via proprietary DirecTV satellites that activated logic bomb Did not affect non-proprietary equipment or computers that emulated the smart cards for purposes of pirating services

  29. Case Studies (continued) Rights of law enforcement to cross national borders In the United States, the FBI: set up a front company called Invita invited two suspected Russian hackers, Vasily Gorshkov and Alexey Ivanov, for a job interview and asked them to demonstrate what they could do used a “sniffer” program to obtain their passwords and account numbers downloaded 250 gigabytes of evidence from computers in Russia obtained a search warrant before viewing the downloaded evidence Defendant Gorshkov sought to suppress the downloaded evidence in Federal district court as a violation of his Fourth Amendment rights

  30. Case Studies (continued) Rights of law enforcement to cross national borders (continued) U.S. District Court judge held on 23 May 2001 that Gorshkov and Ivanov had no expectation of privacy because they knew the system administrator could and likely would monitor their activities the undercover agents told them they wanted to watch the Fourth Amendment did not apply to the computers because they were the property of a non-resident alien and located outside the United States a search warrant was not required before the data was downloaded because the defendant’s co-conspirators could destroy or remove the evidence the Fourth Amendment did not apply to the data downloaded until it was transmitted to the United States Russian law does not apply to the agent’s actions Question: What investigative rights does this case give U.S. and foreign law enforcement?

  31. Legal and Policy Considerations of State Activities in CyberSpace Peacetime or armed conflict Perception of unauthorized use of force Perception of hostile intent or hostile act Authorized or directed by U.N. Chapter VII authority Direct, indirect, and ripple economic impact on target state, third-country states, actor state, and their nationals Tort liability of actor state and criminal liability of government agents under U.S. domestic, international, and foreign law Utilization of telecommunication and satellite systems owned by multinational corporations or non-governmental organizations

  32. Recommendations How do we shape an effective initial response to a computer network attack that is actor-independent? Reverse the presumption -- presume an intruder is a non-U.S. citizen until such time the investigation determines otherwise Establish by law a new agency responsible for investigating attacks against computer networks critical to our national defense and economic well being What is an appropriate and lawful response when a territorial state is unable or unwilling to assist another state’s law enforcement efforts to arrest non-state actors within its territory? Unable -- states have a duty to cooperate; remains a law enforcement issue Unwilling -- states harboring criminals or terrorists may be deemed an actor; becomes a national security issue

  33. Recommendations (continued) How does America protect its information infrastructure? Through the right balance of technology, policy, and law How can the private sector protect America’s information infrastructure? Information system owners must implement best business practices for information security (tort and corporate law will encourage this) Internet Service Providers must coordinate their defenses between themselves and with major users (regulation not needed, best business practices and tort liability will force this coordination) Incident response capabilities must develop a comprehensive information sharing mechanism within private industry and between private industry and state, local, and federal governments

  34. Recommendations (continued) How can the government protect America’s information infrastructure? Must designate a government agency, perhaps DOD, to be responsible for the coordinated defense of our Nation’s information infrastructure Must enact cross-cutting investigative authority within United States (regulation and law can help here) Must construct cross-cutting mutual legal assistance treaties within international community (must have near universal system of treaties to be effective) Must encourage legal and insurance sectors to develop best business practices for information security (regulation and law can help here)

  35. ? The most fundamental and important distinction between our great Nation and other countries is our system of laws. Those who have sworn to defend our Constitution must never bend or break the law in the name of national security. We must remain within the law as we protect our system of laws. Walter Gary Sharp, Sr. Conclusion (703) 624-5292 or WGSharp@MITRE.org