Tag Archive | "cyber security"

Cyber Security: An International Security Issue with No Solution?

Photo Credit: Download Detector

On Friday, October 20th, malicious cyber attacks prohibited access to major websites like Twitter, PayPal, and Amazon in intermittent locations throughout the U.S. and abroad. Experts determined the attacks are the result of a virus that infected thousands of users’ internet-connected devices through webcams and video recording devices. This method of hacking is both complicated and sophisticated, which makes it difficult to prevent within the general population of internet product users.

While both the F.B.I. and the Department of Homeland Security announced investigations into the incident, public response to the attacks demonstrates mounting uneasiness about cyber security. Coming on the heels of the Democratic National Committee hacks this summer, Friday’s attacks raise questions about cyber security and the proper response by both national and international bodies. The Department of Homeland Security did issue a warning about the virus code last week, but this ultimately was not enough to remedy the security gaps in consumers’ devices. Some in the industry have assigned blame to the producers of such devices, but many now contend that the issue of cyber security is an international issue that must have an international solution.

Because cyber attacks of international scope are a relatively new phenomenon, the U.N. Charter does not explicitly provide for a procedure to address their consequences and effects. As such, it remains unclear what kind of responses to cyber attacks would be legal under international law. The question is most likely one of self-defense: Article 51 of the U.N. Charter provides that, “Nothing in the present charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a member of the United Nations. . . .” Cyber attacks, however, are certainly not “armed” attacks in the traditional sense, so any retribution framed in terms of self-defense may not prove to be a successful argument under the Charter. As international law currently stands, cyber security suffers from a noticeable gap.

Governments could also seek to impose sanctions and countermeasures against the perpetrators of cyber attacks, but this strategy poses an additional issue. Because these attacks are designed to preserve the hackers’ anonymity, attributing the attacks to a foreign government is extremely difficult. Attributions would necessitate an investigation into the level of complicity the foreign government had in the individuals’ hacking efforts, which could range from explicitly contracting for their services to neglecting to shut down suspected offenders. Further, the possible development of automated or “robot” hackings makes punishing even individual offenders a complicated affair.

Because cyber attacks are likely to only increase in severity and frequency as technology and hackers become more advanced, the international community may be forced to address the issue by setting a clear legal precedent for the aftermath of incidents like Friday’s blackout.

Jane Rugg is a 2L at the University of Denver Sturm College of Law, and she is currently the Event Coordinator for the Denver Journal for International Law and Policy.

Posted in 1TVFA Posts, 2Featured Articles, DJILP Staff, Jane Rugg | Comments (0)

Re-Writing History: The right to be forgotten

Credit to: http://www.indexoncensorship.org/wp-content/uploads/2014/07/shutterstock_RTBF_195176492.jpg

Scientific research suggests that the act of forgetting memories fosters a healthy state of mind. The act of forgetting may be more difficult to achieve in a world where internet companies collect and store a broad range of information about their users’ lives and daily activities. Is it fair for individuals to ask everyone else to forget information that they do not want remembered? On May 13th, 2014 the Court of Justice of the European Union ordered Google to delete search results linking to a 1998 auction notice of a Spanish man’s repossessed home. Since the ruling went into effect, Google has received over 225,000 requests for the removal of links. This controversial ruling, labeled the “Right to be Forgotten,” puts into sharp focus the competing interests of global Internet companies and individual Internet users. The rule also raises a debate between the personal appeal in purging the Internet of undesirable information and the danger in creating a system that allows for censorship and the re-writing of history.

The ruling by the Court of Justice has three major holdings. First, the European Union’s 1995 Data Protection Directive applies to search engines because they are controllers of personal data. Second, even though Google Spain’s data-processing servers are located in the United States, the Court of Justice can apply European Union rules to Google Spain because it is located in a European Union Member State and it sells advertising space within that jurisdiction. Third and most importantly, under certain circumstances individuals have the right to request that search engines remove links containing “inadequate, irrelevant or no longer relevant” personal information about them.

The European Union is the most aggressive jurisdiction when it comes to protecting personal privacy rights. The “Right to be Forgotten” rule maintains Europe’s position as the champion of personal privacy. Other countries with more balanced privacy regulations are considering whether Internet forgetfulness could benefit their citizens. A Japanese man brought a case in a Tokyo Court because Google did not comply with a request to remove information relating to him from search results. The Hong Kong Court of Appeals will hear a petition from Google on the “Right to be Forgotten” in early 2015. Privacy organizations in Asia are strongly advocating for the “Right to be Forgotten” to apply in Asian countries. Critics warn that establishing such a rule could undermine corporate and political transparency in a region with a history of powerful people that manipulate information flows.

In the United States, the debate around the “Right to be Forgotten” rule has support on both sides of the argument. Critics say that the rule is vague, prone to abuse and amounts to censorship in violation of the First Amendment. On the other hand, eighty-eight percent (88%) of American citizens in a recent survey said that they would support a “Right to be Forgotten” rule. When opposing experts discussed the same argument in front of an American crowd as a part of an Intelligence Squared event, fifty-two percent (52%) of the crowd voted against a “Right to be Forgotten” law. As other countries ponder the merits of the rule, the European Union is pushing for it to apply worldwide and not just on websites for European countries. A worldwide imposition of European privacy standards could result in the rest of the world losing the “Right to Remember.”

The ability of information technologies to collect and store endless amounts of individuals’ personal information raises legitimate concerns regarding surveillance and personal privacy. The “Right to be Forgotten” carries a powerful emotional appeal for many people who wish to leave their past behind. Despite the fact that forgetfulness may have its benefits, our memories of the past have a great deal to do with what we can learn in the future. When individuals request that Google “forgets” information undesirable to them, they re-write the collective story we share as a society. The processes the brain uses to facilitate information recall demonstrate the appropriate way to handle past information. Forgetting is not as easy as flipping a switch; ask anyone who has tried to forget an embarrassing moment from their youth. Instead, forgetting has more to do with the brain’s ability to accumulate enormous amounts of fresh information that crowd out old memories. In a world where every moment is stored forever, the brain teaches us that forgetting may be easier with more information, not less.

Matthew Aeschbacher is a 4LE law student at the University of Denver Sturm College of Law and a staff editor for the Denver Journal of International Law & Policy.

Posted in 1TVFA Posts, 2Featured Articles, DJILP Staff, Former DJILP Staff, Matthew Aeschbacher | Comments (1)

Denver Journal of International Law and Policy

Preview: Science Fiction No More: Cyber Warfare and the United States

As Volume 40, Issue 4 of the Denver Journal of International Law and Policy heads off to the printers, we are previewing some of the articles.  Here is a look at Science Fiction No More: Cyber Warfare and the United States, by Cassandra Kirsch.

Faced with the increased propensity for cyber tools to damage state computer networks and power grids with the click of a mouse, politicians and academics from around the world have called for the creation of a Geneva Convention equivalent in cyberspace. Yet, members of the United Nations Security Council continue to disagree as to what cyber activities might rise to the level of an armed attack under the existing Law of Armed Conflict. Activities once limited to cyber espionage, and outside the reach of international law, are now the very same tools utilized in cyber operations to disable state communications and wreak havoc on state infrastructure. Wars, traditionally waged between nations and clearly defined groups, can now be fought behind the veil of anonymity inherent in the Internet. While acts of war have yet to happen openly on the Internet, accusations have already been made against Russia for the 2007 cyber attacks on Estonia and against Israel for the Stuxnet worm unleashed on Iran’s nuclear reactors. Just as aerial bombing and nuclear arms revolutionized the battlefield, cyber attacks, and the mechanisms behind them, stand poised as the next evolution in weapons of war and any multilateral treaty must take these facts into consideration.

Posted in 1TVFA Posts, 2Featured Articles, Article Preview, Cassandra Kirsch | Comments (0)

Critical Analysis: Stuxnet Leaks: More than a Domestic Political Affair

It’s in the Network (FreePhotosBank)

Last week, U.S. intel leaks made headlines after an article in the New York Times quoted numerous anonymous sources, including current and former U.S. officials, alleging that President Obama ordered the Stuxnet attack against Iran’s Natanz uranium enrichment facility. The story comes in the wake of a two-week period of national security leaks in the New York Times, including the disclosure of a disrupted plot by Al Qaeda’s Yemen affiliate to smuggle a bomb onto a U.S. flight, the Obama administration’s expansion of the drone program, and how the Obama administration determines the drone “kill list.” Investigation by the Department of Justice into the Stuxnet intel leaks has begun, while political finger-pointing has the U.S. asking whether the White House is in part responsible for the leaks and ignoring the potential international repercussions of the leaked information.

In the summer of 2010, a computer worm coined “Stuxnet” had the world’s leading cyber security experts up in arms as the self-replicating computer worm made its way through computers the world over. Although Stuxnet was designed to target Siemens industrial software and equipment (specifically the computer systems that run Iran’s main nuclear enrichment facilities), a bug in the coding allowed Stuxnet to escape onto the public internet. Overnight, the worm infected computers across the globe, from Europe to China. At the onset of the Stuxnet outbreak, cyber security experts narrowed the list of culprits down to a short list of state actors with the ability to develop such complex computer code – America, Israel, China and Russia. Russia and China were quickly eliminated, leaving America and Israel as possible suspects, alone or working in conjunction. Despite this short list of actors, U.S. involvement with Stuxnet has been dismissed as mere accusation. Even in the wake of the New York Times story, the U.S. has not publicly taken responsibility for the Stuxnet attack or issued a denial as to the legitimacy of the leak providing U.S. involvement with the computer worm.

Rather than address the substance of the leaked information, authorities in Washington have launched investigations into the leaks. Taking over direction of existing investigations by the Federal Bureau of Investigation, the Department of Justice is conducting two separate but concurrent investigations into the sources of the leaked  information. U.S. Attorneys Ronald Machen, Jr. of Washington, D.C., and Rod Rosenstein of Maryland are overseeing the investigation and have full authority to prosecute criminal violations discovered as a result of their investigations. While the White House denies providing classified information to New York Times reporter David Sanger, it has come under fire from both sides of the political divide. Senior lawmakers, including Senator John McCain, claim that White House officials authorized the leaks to boost public support of President Obama in an election year through highlighting his stance on national security, basing their allegations in large part on the fact that the level of detail in the accounts could only have come from senior officials in the White House.

In addition to dispute over the source and cause of the Stuxnet leak, the ongoing investigations have generated significant political uproar in both the House and Senate Intelligence Committees. The committees have joined together in calling for an outside probe of the leaks. Specifically, Republican members of the Senate Judiciary Committee have criticized the Attorney General appointing U.S. Attorneys to probe the leaks. Instead, they are calling for a special counsel to lead an independent investigation.  After the Justice Department’s national security division recused itself from the investigation due to the possibility that the department might have been a source of some of the disclosures, questions about possible conflicts of interests have arisen as frontline prosecutors might be required to interview their own department heads and senior officials. In light of the conflict of interests involved with the investigations, the House and Senate Intelligence Committees have begun discussing new legislation that would curtail unauthorized disclosures by limiting the pool of people with access to classified information and providing inspectors general with far more investigative powers.

The outrage over the leaks and the ensuing investigations is more than just another bipartisan affair dividing the next election: attributing the Stuxnet attack on Iran to a nation, specifically the U.S., potentially sets a new precedent in the realm of warfare. Now that the accusations of U.S. responsibility in the Stuxnet attack are becoming more of a reality, the international community is confronted with the real possibility of cyber attacks being used in times of war. Furthermore, many political and legal scholars already consider Stuxnet, and other similar cyber attacks, the equivalent of an armed attack; for example, unleashing a worm to damage another nation’s nuclear reactor has the same results as if a missile were fired at the same nuclear facility. In both cases, the right to self-defense and the use of force would arguably be triggered. However, the law of armed conflict requires attribution to a state actor, which was a missing element in the case of Stuxnet. The leaks of U.S. involvement in Stuxnet, if not refuted, may lead to attribution to the U.S. for the attack. The consequences could lay grounds not only for Iran to retaliate in self-defense under the law of armed conflict, but also set a precedent allowing the use of cyber attacks. Cyber attacks have a propensity for harm and collateral damage in our increasingly internet-dependent societies. State infrastructure, such as Supervisory Control and Data Acquisition control systems, is intertwined with public networks, and a cyber attack could very well shut down anything from a water pump to an electrical grid. With the potential for such damage to result from cyber attacks, our national leaders need to be more concerned with how to rein in this potential precedent, whether by providing evidence that the U.S. was not responsible for the Stuxnet attack or by examining how this form of weaponry fits into the law of armed conflict.

Posted in 1TVFA Posts, 2Featured Articles, Cassandra Kirsch, DJILP Staff | Comments (0)

News Post: the Internet, Privacy, and National Security

Cell phone use in the Arab Spring

With the rise of hacker groups like “Anonymous,” coupled with the damage to Iran’s nuclear reactors left in the wake of the Stuxnet worm, 2012 has been coined the “Year of Cyber Security” by various media outlets. However, as the global community embarks upon what appears to be the epicenter of the Internet Age, privacy rights and freedom of speech on the internet create tension with government domestic and national security and economic interests. Years before the advent of the internet, the United States Supreme Court cautioned in Keith about the potential for a government to undermine the right to privacy inherent in the Bill of Rights through the unabated use of electronic surveillance in the name of “domestic security.” Nearly four decades later and half-way across the globe, the Syrian Government has brought the fears of the Court to life; in an attempt to quell the recent uprising against the current political regime, the Syrian Government has begun blocking and intercepting text message communications between demonstration organizers and participants.

The Syrian government, using spyware technology, issued orders to block all text messages containing terms such as “revolution” or “demonstration.” While this spyware technology is designed for protecting networks against spam and viruses, this same technology provides political regimes the ability to intercept their citizens’ e-mails and text messages, monitor Internet activity, and locate political targets. The orders from the Syrian Government are being carried out by two of the largest mobile networks in the country, Syriatel and MTN Syria, using software provided by Dublin-based Cellusys and AdaptiveMobile.

While AdaptiveMobile has yet to issue an official comment on the situation in Syria, AdaptiveMobile said in a statement that, in 2008, it provided MTN Syria with a standard SMS spam and MMS antivirus product for blocking spam, viruses, and inappropriate content.  However, “given the changing political situation in the region”, AdaptiveMobile did not renew the contract with MTN Syria last year.  Cellusys claims to have not sent workers to the country since 2009 and remains unaware of how its technology is being used today.  Despite the use of European technology by the current Syrian political regime to repress demonstrators, the supply of the software to MTN Syria and Syriatel did not violate any Irish or European laws: the transactions occurred prior to the 2011 EU imposed restrictions on sales of equipment to Syria that could be used for repression.

Even though the sales came about prior to the EU restrictions, human rights groups remain critical of both companies. Several human rights groups and supporters have argued in the past week that both companies were irresponsible in selling filtering technology to Syria and ignoring the likelihood that the technology would be used to repress political dissidents. Human rights groups assert that due diligence on the part of Cellusys and AdaptiveMobile would have revealed a high likelihood and propensity for the Syrian Government to use the technology to commit human rights violations. The activists point to a U.S. State Department Human Rights report from 2008, which found that Syria’s security forces “committed numerous, serious human rights abuses” and “tortured and physically abused prisoners and detainees.”

The news from Syria comes in the wake of the Arab Spring. Still fresh a year later in the minds of persons the world over, the use of Twitter, Facebook and text messaging was integral to organizing the revolutions and demonstrations that toppled autocratic regimes in Tunisia, Egypt and Libya. Through intercepting the private text messages and online communications of its citizens, the Syrian Government goes beyond just containing anti-regime sentiment and violates an often forgotten human right in today’s Facebook-addicted society: privacy. As the international community begins to confront and monitor hacker groups like “Anonymous” in the name of domestic security, we must remember Syria’s censorship and interception of the private conversations of its citizens in the years to come.

Posted in 1TVFA Posts, DJILP Staff | Comments (0)


University of Denver Sturm College of Law
