The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

CERIAS Blog

Page Content

Schrodinger’s Catnip: A Review of the NSA Phone Surveillance Program (Guest Blog)

Share:

By Mark Rasch and friends

The NSA programs to retrieve and analyze telephone metadata and internet communications and files (the former we will call the telephony program, the latter codenamed PRISM) are at one and the same time narrow and potentially reasonably designed programs aimed at obtaining potentially useful information within the scope of the authority granted by Congress. They are, at one and the same time perfectly legal and grossly unconstitutional. It’s not that we are of two opinions about these programs. It is that the character of these programs are such that they have both characteristics at the same time. Like Schrödinger’s cat, they are both alive and dead at the same time – and a further examination destroys the experiment. Let’s look at the telephony program first.

Telephone companies, in addition to providing services, collect a host of information about the customer including their name, address, billing and payment information (including payment method, payment history, etc.). When the telephone service is used, the phone company collects records of when, where and how it was used – calls made (or attempted), received, telephone numbers, duration of calls, time of day of calls, location of the phones from which the calls were made, and other information you might find on your telephone bill. In addition, the phone company may collect certain technical information – for example, if you use a cell phone, the location of the cell from which the call was made, and the signal strength to that cell tower or others. From this signal strength, the phone company can tell reasonably precisely where the caller is physically located (whether they are using the phone or not) even if the phone does not have GPS. In fact, that is one of the ways that the Enhanced 911 service can locate callers. The phone company creates these records for its own business purposes. It used to collect this primarily for billing, but with unlimited landline calling, that need has diminished. However, the phone companies still collect this data to do network engineering, load balancing and other purposes. They have data retention and destruction policies which may keep the data for as short as a few days, or as long as several years, depending on the data. Similar “metadata” or non-content information is collected about other uses of the telephone networks, including SMS message headers and routing information. Continuing with the Schrödinger analogy, the law says that this is private and personal information, which the consumer does not own and for which the consumer has no expectation of privacy. Is that clear?

Federal law calls this telephone metadata “Consumer Proprietary Network Information” or CPNI. 47 U.S.C. 222 (c)(1) provides that:

Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

Surprisingly, the exceptions to this prohibition do not include a specific “law enforcement” or “authorized intelligence activity” exception. Thus, if the disclosure of consumer CPNI to the NSA under the telephony program is “required by law” then the phone company can do it. If not, it can’t.

But wait, there’s more. At the same time that the law says that consumer’s telephone metadata is private, it also says that consumers have no expectation of privacy in that data. In a landmark 1979 decision, the United States Supreme Court held that the government could use a simple subpoena (rather than a search warrant) to obtain the telephone billing records of a consumer. See, these aren’t the consumer’s records. They are the phone company’s records. The Court noted, “we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills.” The court went on, “even if petitioner did harbor some subjective expectation that the phone numbers he dialed would remain private, this expectation is not "one that society is prepared to recognize as `reasonable.'”

By trusting the phone company with the records of the call, consumers “assume the risk” that the third party will disclose it. The Court explained, “petitioner voluntarily conveyed to it information that it had facilities for recording and that it was free to record. In these circumstances, petitioner assumed the risk that the information would be divulged to police.” This dichotomy is not surprising. The Supreme Court held that, as a matter of Constitutional law, any time you trust a third party, you run the risk that the information will be divulged. Prosecutors and litigants subpoena third party information all the time –your phone bills, your medical records, credit card receipts, bank records, surveillance camera data, and records from your mechanic – just about anything. These are not your records, so you can’t complain. At the same time, Congress was concerned with phone company’s use of CPNI for marketing purposes without consumer consent, so they imposed statutory restrictions on the disclosure or use of CPNI unless “required by law.”

Enter the NSA

There is little doubt that telephony metadata can be useful in foreign intelligence and terrorism cases. Hell, it can be useful in any criminal investigation, or for that matter, a civil or administrative case. But if the CIA obtains the phone records of, say Abu Nazir (for Homeland fans), and spots a phone number he has called, they, through the NSA, want to be able to find out information about that phone call, and who that person called. The NSA wants this data for precisely the same reason that it is legally protected – phone metadata reveals patterns which can show relationships between people, and help determine who is associated with whom and for what purpose. Metadata and link analysis can help distinguish between a call to mom, a call to a colleague, and a call to a terrorist cell. Context can reveal content – or at least create a strong inference of content. So, in appropriate cases involving terrorism, national security or intelligence involving non-US persons, the NSA should have this data. And indeed, they always have. None of that is new.

If the NSA captured a phone number, say 867-5309, they could demand the records relating to that call from the phone company through an order issued by a special super-secret court called FISC. The order could say “give the NSA all the records of phone usage of 867-5309 as well as the records of the numbers that they called.” Problem is, that is unwieldy, time consuming, requires a new court order with each query, and in many ways overproduces records. Remember, not only are these terrorism and national security investigations, but the target is a non-US person, usually (but not always) located outside the United States.

The Fourth Amendment

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Read that carefully. You would think that it requires a warrant to search, right? Wrong. Actually, Courts interpret the comma after the word “violated” as a semi-colon (who says grammar doesn’t matter?) “The people” which includes but is not limited to U.S. citizens, have a right to be secure against unreasonable searches and seizures (more on the “and” in a minute). Also, warrants have to be issued by neutral magistrates and must specify what is to be seized. So no warrant is needed if the search is “reasonable.” In fact, the vast majority of “searches and seizures” in America are conducted without a warrant. People are searched at airports and borders. No warrant. They are patted down on the streets and in their cars. No warrant. Cops look into their car windows, follow them around, and capture video of them without a warrant. Police airplanes, helicopters (and soon drones) capture images of people in their back yards or porches. No warrant. Dogs can sniff for drugs, bombs or contraband. No warrant. And people give consent to search without a warrant all the time. When the police searched the boat for the fugitive Boston bomber, they needed no warrant because of exigent circumstances (and perhaps because the boat’s owner consented). Warrantless searches can be “reasonable” and can pass constitutional muster. That’s one reason Congress created the FISC.

For law enforcement purposes (to catch criminals) the government can get a grand jury subpoena, a search warrant, a “trap and trace” order, a “pen register” order, a Title III wiretap order, or other orders if they can show (depending on the information sought) probable cause or some relevance to the criminal investigation. But for intelligence gathering purposes, the NSA can’t really show “probable cause” to believe that there’s a crime, because often there is not. It’s intelligence gathering. So the Foreign Intelligence Surveillance Act (FISA) created a special secret court to allow the intelligence community to do what the law enforcement community could already do – get information under a court order, but instead of showing that a crime was committed, they had to show that the information related to foreign intelligence.

After September 11, 2001, Congress added terrorism as well. When Congress amended FISA, it allowed the FISA court (FISC) to authorize orders for the production of “books records or other documents.” Section 215 of the USA PATRIOT Act allowed the FBI to apply for an order to produce materials that assist in an investigation undertaken to protect against international terrorism or clandestine intelligence activities. The act specifically gives an example to clarify what it means by "tangible things": it includes "books, records, papers, documents, and other items." Telephone metadata fits within this description, including the NSA Telephony Program (As we know it)

So the NSA has the authority to seek and obtain (through the FBI and FISC) telephone metadata. It also has a legitimate need to do so. But that’s not exactly what they did here. Instead of getting the records they needed, the NSA decided that it would get all the records of all calls made or received (non-content information) about everyone, at least from Verizon, and most likely from all providers. The demand was updated daily, so every call record was dumped by the phone companies onto a massive database operated by the NSA.

Now this is bad. And good. The good part is that, by collecting metadata from all of the phone companies, the NSA could “normalize” and cross-reference the data. A single authorized search of the database could find records from Verizon, AT&T, Sprint, T-Mobile, and possibly Orange, British Telecom, who knows? Rather than having to have the FISC issue an order to Verizon for a phone record, and then after that is examined, another order to AT&T, by having the data all in one place, “pingable” by the NSA, a singly query can find all of the records related to that query.

So if the FISC authorizes a search for Abu Nazir’s phone records, this process allows the NSA to actually get them. Also, the NSA doesn’t have to provide a court order (which itself would reveal classified information about who they were looking at) to some functionary at Verizon or AT&T (even if that functionary had a security clearance). And Verizon’s database would not have a record of what FISC authorized searches the NSA conducted – information which itself is highly classified.

Just because the NSA had all of the records does not mean that it looked at them all. In fact, the NSA and FBI established a protocol, which was apparently approved by the FISC that restricted how and when they could ping this massive database. So the mere physical transfer of the metadata database from the phone companies to the NSA doesn’t impinge privacy unless and until the NSA makes a query, and these queries are all authorized by the FISC and are lawful. So what’s the big deal? It’s all good, man.

General Warrant

Not so fast Mr. Schrödinger. There are two huge legal problems with this program. Undoubtedly, the USA PATRIOT Act authorizes the FISC to order production of “tangible things” and these records are “tangible things.” But the law does not authorize what are called “general warrants.” A general warrant is a warrant that either fails to specify the items to be searched for or seized, fails to do so with particularity, or is so broad or vague as to permit the person seizing the items almost unfettered discretion in what to take. A warrant which permitted seizure of “all evidence of crimes” or “all evidence of gang activity” would be an unconstitutional general warrant.

It’s important to note that the warrant is “legal” in the sense that it was for information relevant to a crime (or, say terrorism), that the obtaining of the warrant was authorized by law, that a court issued the warrant, and that the proper procedures were followed. But the warrant is unconstitutional and so is the search and seizure. This is particularly true where the warrant seeks information that relates to First Amendment protected activities like what books we are reading, and with whom we are associating. So when Texas authorized the search and seizure of records relating to “communist activities”(the ism before terrorism) and cops got a warrant to take such books and records, the Supreme Court had no problem finding that the warrant was an unconstitutional “general warrant.

Even though the FISC warrant to Verizon specified exactly what was to be seized (“everything”) it was undoubtedly a general warrant. Remember, the Fourth Amendment prohibits unreasonable “searches” and “seizures.” A warrant authorizing seizure of all records of millions of people who did nothing wrong, particularly when it is designed to figure out their associations is about as general as you can get. And that is assuming that the searches, or pinging to the database, which happen later, are reasonable.

What’s more, by taking custody of all of these records, the NSA abrogates the document retention and destruction policies of all of the phone companies. We can assume that the NSA keeps these records indefinitely. So long after Verizon decides it doesn’t need to know what cell tower you pinged on July 4, 2005 at 6:15.22 PM EST, the NSA will retain this record. That’s a problem for the NSA because now, instead of subpoenaing Verizon for these records (especially in a criminal case where the defendant has a constitutional right to the records if relevant to a defense), the NSA (or FBI who obtained the records for the NSA) can expect to get a subpoena for the records. While the NSA and FBI would undoubtedly claim that the program is classified, clearly my own phone records are not classified. A federal law called the Classified Information Procedures Act provides a mechanism to obtain unclassified versions of classified data. So if you were charged with a crime by the FBI, and the same FBI had records (in this database) that indicated that you did not commit the crime, they would have to search the database and produce the records. And when Verizon tells you that the records are gone, well… it aint true anymore.

But wait, there’s more.

Even if the “seizure” is a general warrant, the government would argue that it is “reasonable” because it is necessary to effectuate the NSA’s function of protecting national security, and its impact on privacy is minimal because the database isn’t “pinged” without court approval. The “collection” of data about tens of millions of Americans doesn’t affect their privacy especially when the Supreme Court said that they have no privacy rights in this data, and it doesn’t even belong to them. (Even though the Director of National Intelligence testified in March that the NSA did not “collect” any data on millions of Americans). Besides, the NSA would argue, there is no other way for the government to do this.

What does the NSA do with the records? Here’s where there is an unknown. At present, we do not know what the NSA does with the telephone metadata database. Do they simply query it – e.g., give me all the records of calls made by Abu Nazir; or do they preform data mining, link analysis, and pattern analysis on the database in order to identify potential Abu Nazir’s? If the latter, then the NSA is clearly searching records of millions of Americans. If the former, it is still troubling for a few reasons.

Six Degrees of Separation

First, the NSA’s authority revolves around non-US persons. While there may be “inadvertent” collection on U.S. persons, the target of the surveillance must be a non-US person for the program to be legal. According to the leaked documents, the NSA took a very liberal interpretation of what this means. First, they determined that as long as there was a 51% chance that the target was a non-US person, the NSA was entitled to obtain records. Second, they may – and we stress "may" – have interpreted their authority as providing that, if the target of the investigation was foreign (again 51% chance) then they could obtain records related to calls between two US persons wholly in the US. Finally, they apparently deployed a “two degrees of separation” test. If Abu Nazir (51% foreign) called John Smith’s telephone number, the NSA could look at who Smith (100% US) called within the US (first degree of separation). If Smith called Jones, the NSA could then look at Jones’ call records (second degree of separation.) At this point, even if the pinging of the database is authorized by the FISC, we are a long way from Abu Nazir. Toto, I’m afraid we are in Kansas.

Writs of Assistance

OK, but what’s the big deal? The seizure of the database is authorized by FISC, under a statute approved by Congress, with Congressional knowledge and oversight (maybe), and under strict control by the NSA, the FBI and DOJ. Every search of the database is approved by the super-secret court, right? Not so fast, Kemo Sabe. It is highly unlikely that the FISC approves every database search. More likely is that the FBI and NSA have established protocols and procedures designed to ensure that the searches are within their jurisdiction, are designed to find information about terrorism and foreign intelligence, that the targets are (51%) foreign, and that there is a minimization procedure. These protocols –rather than the individual searches themselves – are what are approved by the FISC. The NSA then most likely reports back to the FISC (through the DOJ) about whether there was an “inadvertent disclosure” of information not related to these objectives. So the court most likely does not approve every search.

And that’s another problem. You see, each “search” of the database is – well – a search. That search must be supported by probable cause (in a criminal case to believe that there’s a crime, in a FISA case, espionage, foreign intelligence or terrorism) and must be approved by a court. Each search. Not the process. We have been down this road before. In fact, this is precisely what lead to the American Revolution in general and the Fourth Amendment in particular.

When the British Parliament issued the Navigation Acts imposing tariffs on goods imported into America, many colonists refused to pay them (as Boston lawyer James Otis noted, “taxation without representation is tyranny”) So Parliament authorized King George II to issue what are called “writs of assistance.” This writ, issued by a Court, authorized the executive branch (a customhouse officer with the assistance of the sheriff) to search colonists houses for unlawfully smuggled items. These writs did not specify what the sheriff could search for or seize, or where he could look. Like the NSA program, the court approved what could be done, the executive had discretion in how to do it. When George II was succeeded by George III (the writs expiring with the death of the King) Parliament reauthorized them under the hated Townsend Acts. James Otis urged resistance, and it was the use of these unspecific writs authorizing searches that galvanized public opinion (and that of John Adams in particular) to urge revolution. It is why the Fourth Amendment demanded that a search warrant specify based on probable cause, the specific place to be searched and item to be seized. It’s also why writs of assistance are prohibited in the constitution.

The NSA FISC approved searches would be like a judge in Los Angeles issuing a search warrant to the LAPD which said, “you may search any house as long as you smell marijuana in that house.” While the search may be reasonable, and indeed, if the LAPD had applied for a warrant to search a house after they smelled marijuana a court probably would have issued the warrant, the broad blanket approval of these searches would be more akin to a writ of assistance.   

So the NSA digital telephony program, while legal in the sense that it was approved by both Congress and the Foreign Intelligence Surveillance Court, has some serious Constitutional problems.

Telephone Company Liability?

The phone companies could be on the hook for participating in the program, even though they have both immunity and had no choice but to participate. In fact, they could not legally have even disclosed the program. In the FISA amendments, Congress expressly gave the phone companies immunity for making “good faith” disclosures of information pursuant to Section 215.

So why would the phone company be in trouble? The problem is the “good faith” part. In 2012 the Supreme Court looked at the question of when someone (cops in that case) should have immunity for a good faith search pursuant to an unconstitutional warrant. The cops got a warrant for all records of “gang related activity” and all guns in a particular house. The court agreed that the warrant was overbroad, unconstitutional, and should not have been issued. The question was whether the cops, who executed the warrant, should have immunity from civil liability because they acted in “good faith.”

The Supreme Court noted that the fact that they got a warrant at all was one indication that they acted in good faith, but that, “the fact that a neutral magistrate has issued a warrant authorizing the allegedly unconstitutional search or seizure does not end the inquiry into objective reasonableness. Rather, we have recognized an exception allowing suit when “it is obvious that no reasonably competent officer would have concluded that a warrant should issue.” In other words, the cops are generally permitted to rely on the fact that a court issued a search warrant, unless the warrant itself (or the means by which it is procured) is so obviously unconstitutional, overbroad, general or otherwise prohibited that you cannot, in good faith rely on it. While the court found that the cops had immunity because the warrant was not so overbroad to lead to the inevitable conclusion that it was unconstitutional, it is hard to make that same argument where the FISA warrant essentially asked for every record of the phone company. Hard to imagine a broader warrant.

Justice Kagan pointed out that it’s not illegal to be a member of a gang, and that a warrant that authorized seizure of evidence of gang membership per se called for associational records which were protected. Much like the phone logs here. Justices Sotomayor and Ginsburg went further noting, The fundamental purpose of the Fourth Amendment’s warrant clause is “to protect against all general searches.” Go-Bart Importing Co. v. United States, 282 U. S. 344, 357 (1931)

The Fourth Amendment was adopted specifically in response to the Crown’s practice of using general warrants and writs of assistance to search “suspected places” for evidence of smuggling, libel, or other crimes. Boyd v. United States, 116 U. S. 616–626 (1886). Early patriots railed against these practices as “the worst instrument of arbitrary power” and John Adams later claimed that “the child Independence was born” from colonists’opposition to their use. Id., at 625 (internal quotation marks omitted).

To prevent the issue of general warrants on “loose, vague or doubtful bases of fact,” Go-Bart Importing Co., 282 U. S., at 357, the Framers established the inviolable principle that should resolve this case: “no Warrants shall issue, but upon probable cause . . . and particularly describing the . . . things to be seized.” U. S. Const., Amdt. 4. That is, the police must articulate an adequate reason to search for specific items related to specific crimes. They found that the search by the police without probable cause was unreasonable even though there was both judicial and executive oversight, and that therefore there should be no immunity because the actions were not in “good faith.” The phone companies run that risk here.




Mark Rasch, is the former head of the United States Department of Justice Computer Crime Unit, where he helped develop the department’s guidelines for computer crimes related to investigations, forensics and evidence gathering. Mr. Rasch is currently a principal with Rasch Technology and Cyberlaw and specializes in computer security and privacy.

Rasch Cyberlaw (301) 547-6925 www.raschcyber.com


Opening Keynote: Todd Gebhart, Co-President McAfee Inc. (Summary)

Share:

Wednesday, April 3, 2013

Summary by Gaspar Modelo-Howard

The Changing Security Landscape

Why do we, as cybersecurity professionals, go to work each day? Mr. Gebhart reflected on this question to start his presentation, suggesting a very clear and concise answer. It is to protect the many things and people that are so important to our lives. Security professionals need to protect the families from threats like cyber bullies or identity thieves, risks associated to financial information, attacks to the new business ideas and our critical infrastructure, and to help protect those that protect us, such as law enforcement and first responders. This is why a multidisciplinary approach, such as what CERIAS follows and to which Mr. Gebhart pointed out, is required to come up with the ideas and solutions to achieve our goal as cybersecurity professionals.

In the early days of malware, it could have been considered a nuisance. After all, there were about 17,000 pieces of malware in 1997 and for some people antivirus software could be updated every few months. But malware has been growing at a rapid pace. McAfee stores more than 120M samples of malware software in its database, up from 80M in 2011. The growth is also fast in the mobile landscape. There were 2K unique pieces of mobile malware in 2011, while last year it grew to 36K. And as the mobile market becomes more popular and we move from multiple operating systems to just two today, Google’s Android and Apple’s iOS, there will still be room for growth for malware. McAfee’s stats show that (1) Android is the most targeted operating system for malware, (2) many application stores for phones host malware, and (3) half of all iOS phones are jail broken.

Other trends explain the always changing landscape of information technology and therefore security. For example, the growth in the number of devices connected to the Internet and their changing profiles. There are approximately 1B devices today, and that number should reach 50B by 2020. People think about computers and phones when asked about which electronic devices are connected to the Internet. But there are many others such as automobiles, televisions, dishwashers, and refrigerators that are being connected every day, helping to put the control of our lives at our fingertips: how much energy we consume, what do we eat or how we communicate and with whom.

So today’s risks are more about the devices and data stored, rather than just malware, and everybody is at risk. At the personal level, there are always reports of attacks aimed at individuals. Mr. Gebhart recounted Operation High Roller that targeted corporate bank accounts and wealthy people by using a variant of the Zeus Trojan horse.  At the business level, he talked about the incident known as Operation Aurora, discovered by McAfee Labs, where attackers were after intellectual property from 150 companies. It is also common nowadays to hear about state sponsored cyberattacks on businesses. For example, McAfee believes is one of the most attacked companies in the world (given their condition as both a security services provider and a consumer) as they see many, frequent attacks around the world, ran by well-funded, professional organizations.

One of the most concerning areas at risk is critical infrastructure and governments around the world show growing concern about malware. The Stuxnet malware seemed to come from a spies’ movie as it was created as a stealthy, offensive tool to cause harm. The Citadel trojan is another example of how incisive and targeted malware can be, attacking individual organizations, while also harvesting credentials and passwords from users. So the malware found nowadays in the wild is more targeted and automated, which explains the growing concern on highly important systems such as critical infrastructure. Additionally, the commercialization of malware keeps increasing. Hackers as a Service (HAAS) and off-the-shelf malware are too common now, so malicious code and people’ services are openly being sold.

Mr. Gebhart suggested that new partnerships are required to deal with malware; it is no longer only a technical issue. This pointed back to his early comment of dealing with cybersecurity in a multidisciplinary approach. An organization’s board should be involved and new strategies need to be created. Whereas malware used years ago to be a topic that would only include a mid-level business manager, now is a high-level management discussion topic everywhere you go. It is in everybody’s mind, with people not limiting the conversation to the technical aspects of an attack, but also talking about the impact to the business. Today, it is required to include those that make the decisions for the business in order to opportunely defend against malware and to plan for security.

Innovation is also paramount in order to successfully protect the systems and Mr. Gebhart mentioned several current initiatives. For example, companies are increasingly using cloud-based threat intelligence systems to deal with real-time and historical data, and at increasing quantities. McAfee monitoring systems receive about 56B events a month from 120M devices. Many of the events are hashed and sent to their systems on the cloud to determine if they are malicious or not, allowing McAfee to block (if necessary) similar traffic. The response capabilities have also improved, as now there exists the algorithms to classify the events, determining which ones to handle, and to respond fast.

The DeepSAFE Technology is another innovation example, coming from the partnership between McAfee and Intel. The jointly-developed technology serves as a foundation for new hardware-assisted security products. Today’s malware detection software sits above the operating system, whereas DeepSAVE will operate without such restriction and closer to the hardware, offering a different vantage point to detect, block, and remediate hidden attacks such as Stuxnet and SpyEye.

To close his presentation, Mr. Gebhart mentioned to not forget who we are working for and to protect the global access to information and the identities of our users. It is an exciting time to be involved in cybersecurity with the changing landscapes of information technology and security. Computing has come a long way in the last few decades but we still have to build the trust around it so people can confidently rely on computing.

 

Keynote: Christopher Painter, Coordinator for Cyber Issues, U.S. Department of State (Summary)

Share:
Thursday, April 4th, 2013
Summary by Kelley Misata

As Christopher Painter, Coordinator for Cyber Issues within the US Department of State, began his keynote address to the CERIAS Symposium audience he humorously admitted, "Today I’m flying without a net", a PowerPoint presentation net that is. This set the tone for an informal and informative discussion about the changing threat landscape in cyberspace.

In the early 1990s Christopher Painter began his federal career as an Assistant U.S. Attorney in Los Angeles; a time when most people were not that interested in cyber crime and the issues we are facing today where unimaginable. These issues weren’t on the forefront of most people’s minds which provided Mr. Painter an opportunity to dive in and get involved at all levels of cyber investigations happening at the time. Mr. Painter led some of the early and most infamous cyber crime cases including the prosecution of Kevin Mitnick; one of the most wanted cyber criminals in the United States.

Through his work leading case and policy discussions of the Computer Crime and Intellectual Property Section of the US Department of Justice, Mr. Painter has become a leading expert in international cyber issues. However, through this impressive journey he shared with the CERIAS audience, one of the most marked times during his career was with President Obama in 2009. Reminding the audience of the campaign hacking incident that raised the awareness of cyber threats to the office of the President, Mr. Painter discussed how the shift in focus on cyber issues was starting to occur. Now charged with identifying the gaps in national cyber policies, Mr. Painter led a research initiative which resulted in over 60 interviews engaging individuals from government, private industry, academia and civic society the results of this study became the premise for President Obama’s landmark speech on cyber security in May 2009.

Over the past 5 years the conversations in cyber security have evolved dramatically. Initially these conversations were so highly technical in nature that government officials handed them to the technical community to find the solutions. Today, with cyber issues expanding beyond domestic boundaries it was quickly realized that in order for solutions to be sustainable they needed the "push" of the senior policy makers and CEOs from the private sectors. As Mr. Painter stated, "We have come a long way even though the challenges continue to mount, we need to remember we still have a long way to go."

Today, the cyber security threat landscape has changed from the days of the "lone gunman hackers" to the now organized, transnational groups. Cyber security professionals are facing mounting challenges in international laws, forensic processes and the introduction of new actors in the arena of bad guys. However, reflecting back again to President Obama’s 2009 speech on cyber security, Mr. Painter recall’s the President reference to the “economic threat of cyber crime”; an important distinction from merely addressing cyber crime as a security threat to identifying cyber crime as an economic threat to the country.

Public awareness is changing and so are the conversations within the U.S. government. Remembering President Obama’s 2013 State of the Union address, Mr. Painter remarked, “this was to a national audience who are not cyber folks - it is another great example of how the cyber issues have transitioned to be government issues.” This landmark speech resulted in a new sergeant of collaboration and coordinating among government agencies; "This is a big shift in how these groups are running interagency meetings as there is a new commonality and purpose to these issues."

Looking toward the future, world will continue to grabble with the constantly changing cyber threat landscape and the equitably of these issues in the physical world. These are global challenges globally. As result, in partnership with the Department of Homeland Security, Mr. Painter and his team are bringing technical information and training to over 100 countries; working to help technologically advancing countries to mitigate the increasing and complex cyber threats around the world. Concurrently, they are evaluating key policies issues including 1. international security - the US has taken the lead in establishing an international law through systems that build confidence in transparency; 2. cyber security due-diligence-challenging the international community to continue to develop national policies, build institutions and foster the due diligence process; 3. identification cyber crimes; 4. internet governance - through existing technical organizations and a multi-stakeholder approach; and 5. internet freedom - principles around openness and transparency online.

As the audiences starts to process this incredible professional journey along with the changing landscape in cyber space, Mr. Painter closed his keynote address illustrating the efforts him and his team in working closely with inter-agencies within the US government, private sectors and academia around the world. Also, actively conducting important dialogues and advancing the key cyber issues with governments in Brazil, South Africa, Korea, Japan and Germany to name a few; bringing the issues of cyber security strategies, the changing landscape and key policy issues to these emerging countries.

Tech Talk #3: Stephen Elliott (Summary)

Share:
Thursday, April 4th, 2013
Associate Professor Stephen Elliott, Industrial Technology, Purdue University
Director, Biometric Standards, Performance and Assurance Laboratory
Summary by Kelley Misata
Title: Advances in Biometric Testing

Starting the conversation Stephen reminded the audience that what makes biometrics such an interesting field is the unpredictability of the humans in the testing and evaluations processes. In traditional biometric testing environments researchers work with algorithms and established metrics and methodologies. However, as biometrics testing moves to operational environments there are more uncertainties to content with and therefore making it hard to do. Considering these two important testing environments, what biometric researchers are now trying to do is to understand further how a biometric system performs in any environment and identify what (or who) could the possible cause of errors.

As Stephen pointed out, there have been several papers addressing how individual error impacts biometric performance and the potential causes of these errors. Some of these errors are now being traced to gaps in biometrics testing including training (e.g. "How do you train someone who is difficult to train or doesn’t want to be trained?"), accessibility (e.g. "Are the performance results different in a operation environment than collected in a lab?"), usability (e.g. "Can the system be used efficiently, effectively and consistently by a large population?") and the complexities of the human factors on biometric testing performance. Raising the question, is the error always subject centric?

In order to fill in some these gaps, Stephen and his graduate students are looking at the traditional biometric modes and metrics to determine if they are suitable in today’s testing and evaluation environments. During the CERIAS tech talk Stephen spotlighted the research of three of his graduate students: 1. The Concept of Stability Thesis by Kevin O’Connor - the examination of finger print stability across force levels; 2. The Case of Habituation by Jacob Hasselgren - quantitatively measuring habituation in biometrics testing environments; and 3. Human Biometric Sensor Interaction highlighting Michael Brokly’s research on test administrator errors in biometrics, including the effects of operator train, workloads of both test administrators and test operators, fatigue and stress.

The biometrics community continues to investigate these questions in order to understand how the vast array of players in a operational data collection environment impact performance. In his closing statements, Stephen reiterated the complexities and challenges in biometrics testing and how researchers are looking deeper into the factors affecting performance beyond a simple ROC/DET curve.

Featured Commentary: The Honorable Mark Weatherford, DHS Deputy Under Secretary for Cybersecurity

Share:
Thursday April 4, 2013
Summary by Marquita A. Moreland

During the introduction, Professor Spafford discussed Mark Weatherford's experience prior to becoming Deputy Under Secretary for cybersecurity at DHS. He mentioned that Mr.Weatherford was CIO of the state of Colorado and California and director of security for the electric power industry. He made it known that Mr.Weatherford has won a number awards and spent a lot of time in cybersecurity in the navy.

He also mentioned that under sequestration rules Mr.Weatherford was not allowed to travel. Mr.Weatherford desired to be present, but he could not attend, so he decided to create a video.

Mark Weatherford began his commentary with the For Want of a Nail rhyme because he believes it is a good way on how to approach the business of security. Mr.Weatherford expressed his appreciation for Professor Spafford, thanking him for how much he has helped advance the topic of cybersecurity and the development of some of the national security leaders.

Mr. Weatherford proceeded to state that "we're in business where ninety nine percent secure, means you’re still one hundred percent vulnerable." An example he used was from 2008, when a large mortgage company that is no longer in business, was concerned with the loss of their client’s information. They decided to disable the USB ports from thousands of machines to prevent employees from copying data. They missed one machine, which was used by an analyst to load and sell customer’s data over a two year period.

Cybersecurity threat, DHS’s role in cybersecurity, the President’s Executive Order on cybersecurity, and the lack of cyber talent across the nation are the four topics that Mr.Weatherford briefly explained.

Cybersecurity Threat:

  • The danger of a cyber attack is the number one threat facing the United State, bigger than the threat of Al Qaeda.
  • There is a lack of security practices, and water, electricity and gas are dangerously vulnerable for cyber attacks.
  • The banking and finance industry has been under a series of DDOS attacks since last summer. Almost every week there are a new set of banks under siege, such as the Shamoon attack on Saudi Aramco and the attack on Qatari RasGas.
  • In February of this year the emergency broadcast system in four states were attacked, with a message that said the nation was being attacked by zombies. The fact that someone can get into these systems raises safety and security concerns.
  • The office of cybersecurity and communication (CS&C) has the largest cybersecurity role in DHS.
    • They help secure the federal civilian agency networks in the executive branch primarily the .gov domain.
    • They also provide help with the privacy sector in the .com domain, with a focus on critical infrastructure.
    • They lead and coordinate the response of cyber events.
    • They work on national and international cybersecurity policies.
  • There are five divisions; Network Security Deployment, Federal Network Resilience, Stakeholder Engagement and Cyber Infrastructure Resilience, the Office of Emergency Communications, and the National Cybersecurity and Communications Integration Center.
  • Last year U.S. CERT resolved over 200,000 incidents involving different sectors, and ICS-CERT responded onsite to 177 incidents.

President’s Cybersecurity Executive Order (EO):

  • The EO was announced during the State of Union speech.
  • There were two paragraphs regarding cybersecurity in the President’s State of Union Speech. Mr. Weatherford mentioned when he was CIO, he worked every year to try and get at least a single sentence in the Governor State of State speech but was unsuccessful.
  • The EO significance will help achieve:
    • Establishment of an up to date cybersecurity framework.
    • Enhancement of information sharing amongst stakeholders by:
      • Expanding the voluntary DHS Enhanced Cybersecurity Services program (ECS).
      • Expediting the classified and unclassified threat reporting information for private sectors.
      • Expediting the issuance of security clearances of critical infrastructure members in the private sector.

Cyber Challenges:

  • Mr.Weatherford stated that "the common denominator to all the work we do is the requirement for well trained and experienced cyber professionals."
  • DHS sponsors Scholarship for Service (SFS) with the National Science Foundation.
  • DHS co-sponsored the National Centers of Academic Excellence (CAE). Purdue was one of the first seven universities in the nation designated as a CAE in 1999.
  • The lack of qualified people is one of the biggest problem and Mr.Weatherford’s suggestions are:
    • Make people want to choose cyber security.
    • Government, academia and industry need to work together to change the public perception and to figure out how to make cybersecurity "cool".

Mr.Weatherford closed this commentary by stating "DHS wants to be your partner in cybersecurity whether you’re in the government, academia or the private sector. No one can go it alone in this business and be successful, so think of us as partners and colleagues, we really can help."