Cybersecurity

Professor Corri Zoli Speaks to Vox About China and Iran Meddling in US Elections

Are China and Iran meddling in US elections? It’s complicated.

(Vox | Sept. 15, 2020) This spring, the Chinese state-run news agency Xinhua posted a roughly two-minute video titled “Once Upon a Virus” on social media, including on official Chinese government accounts.

The video is in English and features Lego-like figures. One of the Statue of Liberty, representing America, and a warrior Lego representing China, with what looks like medical workers decked out in PPE, behind it…

… “There’s no question China’s the most technologically sophisticated for influence campaigns that reach beyond just elections,” Corri Zoli, associate teaching professor and director of research for the Institute for Security Policy and Law at Syracuse University, told me …

… And Iran definitely has cyber capabilities. But Zoli said, overall, they’re not sophisticated enough to have a truly enormous impact. “They don’t have the capabilities and they haven’t thought through a really multi-pronged strategy. They’re not going after, you know, these ancillary institutional sites to try to have a big impact on political decision-making” …

… Zoli told me she sees the ODNI document as educational, not so much for what it tells us about what our adversaries are up to, but as a way to “raise the public’s awareness that these election interferences are common and consistent. And you need to be kind of on guard about them. And you need to harden your approach to them” …

Read the full article.

 

Professor Corri Zoli: US Intelligence Warns of Foreign Election Interference

With less than 100 days to go before the US election, US intelligence officials are warning of attempted election interference by Russia, China and Iran, according to an update from the Office of the Director of National Intelligence. Professor Corri Zoli’s research focuses on contemporary problems of warfare from an interdisciplinary social science, public policy, and law perspective, and one track of her research investigates the changing nature of the US military force structure and the challenges of asymmetric warfare for military personnel.

“Director Evanina’s message is also designed to educate Americans and all private and government entities to adopt an aware and ‘hardened’ posture.”

“Election interference from foreign actors is a common and persistent concern in the United States (as well as in other democracies),” says Zoli. “Open systems with free markets, free speech, and robust public spheres are always subject to influence operations by actors, state and non-state, with their own agendas. These influence agendas may be motivated by political and economic interests, an opportunity for peer competitors to gain an advantage or edge over the US, or they may be efforts to simply test the strength and resilience of US public democratic institutions and processes, to see how far they can exercise power and influence on an unsuspecting American public.

“The recent statement by William Evanina, at the US Office of the Director of National Intelligence Director of National Counterintelligence and Security Center, should be read as a positive, proactive posture on the part of the federal government. It indicates that US Intelligence professionals are ready and aware of these multifaceted election threats. Part of the purpose of Evanina’s message is to publicize the issue—to make ordinary Americans aware that bad actors will try to influence them through information campaigns, including on social media platforms.  

“The reach of those influence campaigns also includes cyber acts targeting election systems and infrastructure. The US is somewhat distinctive in the diversity of our election systems among municipalities and states, with multiple redundancies and post-election auditing procedures, all of which makes voter fraud less likely. There are recent cases of US based election interference by vote tampering, evident in recent prosecutions of individuals, including over 900 criminal convictions across the US of individuals attempting to change or remove votes (false registration, buying votes, misuse of absentee ballots, etc.)—but still the scope of that problem is relatively small.

“Director Evanina’s message is also designed to educate Americans and all private and government entities to adopt an aware and ‘hardened’ posture about foreign influence campaigns in social and traditional media designed to shape US voters’ perspectives and preferences by manipulating fears—about COVID-19 and the pandemic response, recent protests and riots across the nation, political division, etc.”

Chinese Hacking Indictments: Professor Corri Zoli Speaks to SCMP

US indicts Chinese hackers on charges of targeting coronavirus vaccine data and defence secrets

(South China Morning Post | July 22, 2020) The US government has indicted two Chinese nationals in connection with long-running cyber espionage operations that aimed to net information on Covid-19 vaccines, military weapons and human rights activists, in what is the second Justice Department indictment against individuals from China in recent days.

“You’re seeing more inter-agency cooperation to manage this threat.”

Li Xiaoyu, 34, and Dong Jiazhi, 33, were charged with 11 counts of conspiracy, identity theft and fraud related to operations carried out from China since 2009, some in conjunction with China’s Ministry of State Security (MSS), according to an indictment filed on July 7 with the US District Court for the Eastern District of Washington and unsealed on Tuesday …

…“This is information warfare so there’s a lot of evasion and distraction going on here,” said Corrinne Zoli, director of research at the Institute for Security Policy & Law at Syracuse University in New York. “I think the issue is not that the Chinese need more clinical data to sort out their own vaccine programmes.”

China is more likely to be “trying to probe the US response to what really is an economic and security threat that is the pandemic”, she added. “They’re trying to figure out if the response is leading to the US to be more stable or unstable, if their response is indicative of a government that resilient or a government that’s in crisis” …

… “What you’re seeing now is just an administration that’s got a more of a forward posture … you’re seeing more inter-governmental operability, you’re seeing more inter-agency cooperation to manage this threat,” said Zoli. “Any nation state that has capacity, and usually that’s any nation state with a developed military, is going to have some information warfare capacity,” including the US.

The difference, she added, is that while the US government limits cyber espionage to the countering of national security threats, China is more inclined to hack for economic and commercial secrets as well.
“That’s where I think they are in a league of their own,” she said …

Read the full story.

 

Law & Policy of Artificial Intelligence

In 2019, SPL received a two-year grant from the Center for Emerging Technologies (CSET) at Georgetown University to conduct research on Artificial Intelligence (AI) and national security, law, ethics, and policy.

This research will seek solutions to national security risks raised by the emergence of AI while balancing the many legal and ethical concerns raised by its misapplication. IPL faculty—including the SPL Director the Hon. James E. Baker, Deputy Direct Robert Murrett, Professor Laurie Hobart, and Research Fellow Matthew Mittelsteadt—are working in collaboration to publish research and white papers to help drive the conversation on AI national security policy.

Products

BOOK

Artificial IntelligenceThe Centaur’s Dilemma—National Security Law for the Coming AI Revolution

The Hon. James E. Baker

250 Pages
Brookings Institution Press
Publishing date: December 2020
Paperback ISBN: 9780815737995

The increasing use of artificial intelligence poses challenges and opportunities for nearly all aspects of society, including the military and other elements of the national security establishment. This book addresses how national security law can and should be applied to artificial intelligence, which enables a wide range of decisions and actions not contemplated by current law. Written in plain English, The Centaur’s Dilemma will help guide policymakers, lawyers, and technology experts as they deal with the many legal questions that will arise when using artificial intelligence to plan and carry out the actions required for the nation’s defense.

REPORTS

A DPA for the 21st Century (April 2021)

By the Hon. James E. Baker

A DPA for the 21st CenturyThe Defense Production Act can be an effective tool to bring US industrial might to bear on broader national security challenges, including those in technology.

If updated and used to its full effect, the DPA could be leveraged to encourage development and governance of artificial intelligence. And debate about the DPA’s use for AI purposes can serve to shape and condition expectations about the role the law’s authorities should or could play, as well as to identify essential legislative gaps.

National Security Law and the Coming AI Revolution

AI Symposium ReportObservations from a Symposium hosted by the Institute for Security Policy and Law and the Georgetown Center for Security and Emerging Technology (Oct. 29, 2020)

The symposium commenced with a presentation on what AI is and how it works to make the technology behind AI accessible to national security generalists. For readers who did not attend the Symposium we collect at the outset of this report some of the general observations made about the constellation of technologies referred to as AI.

We then present the key points and observations from each of three panels – AI and the Law of Armed Conflict; AI and National Security: Ethics, Bias, and Principles; and AI and National Security Decision-Making. The Report concludes with a discussion about the role of lawyers, policy-law-technology teaming, and importance of making purposeful ethical and legal choices, which will embed our values in AI applications but also result in more accurate and effective national security tools.

Ethics and Artificial Intelligence: A Policymaker’s Introduction (April 2021)

By the Hon. James E. Baker

Ethics and AIThe law plays a vital role in how artificial intelligence can be developed and used in ethical ways. But the law is not enough when it contains gaps due to lack of a federal nexus, interest, or the political will to legislate. And law may be too much if it imposes regulatory rigidity and burdens when flexibility and innovation are required.

Sound ethical codes and principles concerning AI can help fill legal gaps. In this paper, CSET Distinguished Fellow James E. Baker offers a primer on the limits and promise of three mechanisms to help shape a regulatory regime that maximizes the benefits of AI and minimizes its potential harms.

AI Verification: Mechanisms to Ensure AI Arms Control Compliance (February 2021)

By Matthew Mittelsteadt, SPL AI Policy Fellow

The rapid integration of artificial intelligence into military systems raises critical questions of ethics, design and safety. While many states and organizations have called for some form of “AI arms control,” few have discussed the technical details of verifying countries’ compliance with these regulations. This brief offers a starting point, defining the goals of “AI verification” and proposing several mechanisms to support arms inspections and continuous verification.

The report defines “AI Verification” as the process of determining whether countries’ AI and AI systems comply with treaty obligations. “AI Verification Mechanisms” are tools that ensure regulatory compliance by discouraging or detecting the illicit use of AI by a system or illicit AI control over a system.

Despite the importance of AI verification, few practical verification mechanisms have been proposed to support most regulation in consideration. Without proper verification mechanisms, AI arms control will languish. The report seeks to jumpstart the regulatory conversation by proposing mechanisms of AI verification to support AI arms control.

SYMPOSIUM

National Security Law and the Coming AI Revolution

On Oct. 28, 2020, Syracuse University Institute for Security Policy and Law and the Center for Security and Emerging Technology at Georgetown University’s Walsh School of Foreign Service presented a one-day virtual symposium on “National Security Law and the Coming AI Revolution,” including panels on:

  • AI & the Law of Armed Conflict
  • AI & National Security Ethics: Bias, Data, & Principles
  • AI & National Security Decision-Making
Visit the Symposium webpage

Between Hacks and Hostilities: Are the US Government and Private Sector Ready for Persistent Engagement?

By the Hon. James E. Baker

(Re-published from ABA Journal | May 9, 2019) Cybersecurity is necessarily an issue that crosses international boundaries, raising complex questions of sovereignty, jurisdiction, law and policy. In response, lawyers have struggled to find the right legal metaphor or framework to apply to cyberspace. Each of these issues concerns the American Bar Association Rule of Law Initiative because the way we as a society choose to address these challenges implicates what it means to live and operate under the rule of law.

“What would be even more remarkable would be if the U.S. government did in fact use all the instruments of national power to enforce cyber norms, as it once used all the instruments of national power to contain the Soviet Union.”

The United States government produces almost as many reports and strategies as the ABA. One recent document warrants the attention of the bar, and not just security practitioners. The Department of Defense Cyber Strategy released in September—or more precisely, the unclassified part of the Strategy available to the public—breaks new and important ground, potentially marking a significant shift in the federal government’s strategic posture. How important the Strategy is will depend in large part on whether it is tied to an effective policy and decision-making process.

If I were briefing a senior policymaker on the substance and import of this new Strategy, I would highlight the following key statement:

“We are engaged in a long-term strategic competition with China and Russia. … The United States seeks to use all instruments of national power to deter adversaries from conducting malicious cyberspace activity that would threaten U.S. national interests, our allies, or our partners. … [The United States will] persistently contest malicious cyber activity in day-to-day competition.”

What is remarkable here is not the content of the statement, but the willingness to say it publicly. What would be even more remarkable would be if the U.S. government did in fact use all the instruments of national power to enforce cyber norms, as it once used all the instruments of national power to contain the Soviet Union. Gen. Paul Nakasone, in his capacity as the commander of U.S. Cyber Command, has advocated this approach encapsulated in the concept of “persistent engagement” …

Read the full article.

 

William C. Snyder Discusses Huawei as a Security Threat With The Verge

Is Huawei a Security Threat? Seven Experts Weigh In

(The Verge | March 17, 2019) The United States government is cracking down hard on Huawei. Lawmakers and intelligence officials have claimed the telecommunications giant could be exploited by the Chinese government for espionage, presenting a potentially grave national security risk, especially as the US builds out its next-generation 5G network. To meet that threat, officials say, they’ve blocked government use of the company’s equipment, while the Justice Department has also accused Huawei’s chief financial officer of violating sanctions against Iran, and the company itself of stealing trade secrets.

Huawei’s status as a threat is hardly unique. Not only are other Chinese companies such as ZTE and China Mobile embedded in the supply chain, but so are those of other countries.

Huawei’s response has been simple: it’s not a security threat. Most importantly, the company’s leaders have said the US has not produced evidence that it works inappropriately with the Chinese government or that it would in the future. Moreover, they say, there are ways to mitigate risk — ones that have worked successfully in other countries. Huawei’s chairman has even gone so far as to call the US government hypocritical, criticizing China while the National Security Agency spies around the globe. The company has also denied any criminal wrongdoing …

WILLIAM SNYDER, PROFESSOR OF LAW, SYRACUSE UNIVERSITY

Huawei is a threat to US national security, but that misses the bigger point. Vulnerabilities in the supply chain of network hardware and software is, has been, and will continue to be a threat to the national security of the United States and many other countries, including China. It remains very difficult to audit that a chip with millions of embedded transistors or software with millions of lines of code does only what consumers know and consent to it doing. Even if Huawei is not committing the sort of crimes for which a US grand jury indicted it, any company that supplies such a large percentage of the market for components of telecommunications networks and has such ties to the People’s Liberation Army is a threat. Huawei’s need to operate under Chinese laws about cooperation with Chinese military and intelligence agencies is of concern.

Huawei’s status as a threat is hardly unique. Not only are other Chinese companies such as ZTE and China Mobile embedded in the supply chain, but so are those of other countries. Huawei itself buys components from major US firms, including Qualcomm. Those companies are subject to US laws concerning cooperation with US intelligence agencies. Given the essentially free market economy of the United States, rarely, if ever, will a US company be as closely tied to the government as Chinese companies are. Still, if you are a security policymaker of a nation like India — with several times the population of the US — wouldn’t you worry about how many major militaries have back doors into your networks?

As long as conflict occurs at the nation-state level while critical cyber networks are designed and manufactured internationally, we all must be very careful. This is a systemic problem. Currently, Huawei’s size and ties to the PLA make it the focus of concern. In the future, another supply chain threat will take center stage.

Read the full article.

 

James E. Baker Gives Keynote at Cyber Command Legal Conference

INSCT Director the Hon. James E. Baker gave the keynote address on the first day of the 2019 US Cyber Command Interagency Legal Conference, held at Andrews Air Force Base, MD. Titled “Achieving and Maintaining Cyberspace Superiority,” the conference takes place over March 4-7, 2019.

The 2019 conference focuses on the 2018 Command Vision for the US Cyber Command, and it provides the opportunity to discuss the domestic and international law implications of confronting long-term strategic competition in cyberspace. The first two days of the conference are unclassified, before the conference splits to allow discussion of classified information and strategy.

Among the topics of discussion during the unclassified portion are “Enhancing Domestic Resiliency Through Public/Private Partnerships,” “The 2019 National Defense Authorization Act,” and “Defending Forward: International Law and Norms Development.” Baker is joined at the conference by COL Gary Corn, Staff Judge Advocate, US Cyber Command; Paul Rosenzweig, Red Branch Consulting, LLC; Robert Chesney, University of Texas School of Law; and Laura Dickenson, Research Professor of Law, George Washington Law School.

Setting the Terms: William C. Banks Discusses Christopher Wray’s Senate Testimony

Professor Emeritus William C. Banks discusses the recent Senate testimony by FBI director Christopher Wray, who named China as the number one threat to the US. Banks also discusses the FBI’s handling of the second Justice Kavanaugh background check and the future of domestic unmanned aerial vehicle (drone) regulation, among other topics raised at the hearing.

Banks’ segment starts at 6m 09s

INSCT Hosts State Board of Elections Cybersecurity Tabletop Exercise

On June 7, 2018, the Institute for National Security and Counterterrorism (INSCT) hosted one of a series of statewide exercises that focus on cybersecurity preparedness and response to threats to New York State election systems. These first-of-their-kind tabletop exercises are sponsored by NYS Board of Elections (BOE) and US Department of Homeland Security (DHS) in partnership with the NY Division of Homeland Security and Emergency Services, NY State Police, and the NYS Intelligence Center.

Taking place in the College of Law, the Onondaga County tabletop exercise–like the other five regional exercises–was designed to identify areas for improvement in cyber incident planning, preparedness, and response through realistic scenarios that simulate the undermining of voter confidence, voting operations interference, and attacks on the integrity of elections.

State and local officials, led by the BOE and DHS Cyber Incident Response Team, will utilize information gleaned from these tabletop exercises with state, local, and federal stakeholders to identify risks and develop necessary steps to safeguard the election process.

Contoured for each region, the scenarios are based on a combination of real world events and potential risks facing election infrastructure. These threats include possible social media manipulation, disruption of voter registration information systems and processes, attacks on voting machines, and the exploitation of board of elections business networks.

The tabletop exercises are part of a BOE cybersecurity plan that was approved on May 3, 2018, to further strengthen cyber protections for New York’s elections infrastructure through the Secure Elections Center.

NYSBOE_Tabletop_Exercise

The Supply Chain Problem and Cybersecurity

By Ryan White

(Re-published from Crossroads: Cybersecurity Law & Policy | Feb. 28, 2018)  A few weeks ago, an article from Nextgov, a website dedicated to “how technology and innovation are transforming the way government agencies serve citizens and perform vital functions,” described recent efforts by DHS to address cyber security risks as they relate to supply chains.  The article quotes Jeanette Manfra, the head of DHS’s Office of Cybersecurity and Communications, who explained that “[t]he program’s major goals are to identify the greatest supply chain cyber threats, figure out if there are technical ways to mitigate those threats and, if not, figure out other solutions.” But other than barring companies with weak supply chain security from government contracts, no other solutions were mentioned. Below I look at what a cyber security supply chain policy might encompass.

One of the more prominent supply chain incidents in recent memory involved Hewlett Packard Enterprise, who, in an effort to expand its business, offered a Russian defense agency an inside look at a program called ArcSight.

One of the more prominent supply chain incidents in recent memory involved Hewlett Packard Enterprise, who, in an effort to expand its business, offered a Russian defense agency an inside look at a program called ArcSight.[i] The problem, however, was that ArcSight is a program that is heavily relied on by the Pentagon.[ii] The program is a “cybersecurity nerve center” that sends alerts when it detects a potential attack on a network.[iii] The program is also used frequently by private sector companies.[iv] By providing the program code to Russia, HP not only created a vulnerability for the United States but exposed that vulnerability to the most notorious cyber threat to the U.S. in recent years.

Another example of the cyber supply chain problem occurred several years ago with the United States Air Force. The Air Force had contracted with a vendor in an Asian country to produce hardware for one of the Air Force’s systems.[v] When the hardware arrived in the U.S. and was reviewed by the Air Force, however, they found that the chips contained an extra transistor. While the chip performed its intended function, the Air Force could not decipher what else the piece would do with the extra transistor. As a result, that batch of hardware was disposed of and never installed.

These two examples highlight the breadth and depth of the challenges regarding supply chains and cyber security. Supply chain security implicates hardware and software, public sector and private, and in these two instances, Asia and Russia. The Air Force was fortunate enough to find the altered specifications in its hardware, and reports so far suggest no harm has come from Russia’s ArcSight review.

Every point in every supply chain presents a weakness for that product’s cybersecurity. Every individual human that comes into contact with every component piece of hardware or software is a potential threat.  The threats to the supply chain include:[vi]

  • Installation of hardware or software containing malicious logic
  • Installation of counterfeit hardware or software
  • Failure or disruption in the production or distribution of critical products
  • Reliance on a malicious or unqualified service provider for the performance of technical services
  • Installation of hardware or software that contains unintentional vulnerabilities

All of these create potential weaknesses that can be exploited at a later point in time. Vulnerabilities could be exploited to steal sensitive information. Anything that program does could send a copy of that data to a third party. A vulnerability created by a nefarious actor somewhere in the supply chain could be a switch that lies dormant until activated when it would disable the system. Depending on what system that might be, there could be devastating consequences.

Two major concepts underlie the cyber supply chain security issues in the United States: (1) the United States technology sector is dependent on hardware components manufactured all over the world; and (2) the United States government is heavily dependent on commercial off-the-shelf cyber programs.

The United States, both its government and its private citizens, has become increasingly dependent on an intricate global economy. This is particularly true when it comes to technology, as the cost of manufacturing in the U.S. has led to increases in outsourcing. For example, the production of one iPhone involves component parts made in the U.S., South Korea, Taiwan, Japan, and Germany that are all ultimately assembled in China.[vii] The diagram below shows a similar analysis for a standard laptop, whose component parts may come from as many as twenty different countries …

Read the full article here.

[i]               “Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon,” Reuters (Oct. 2, 2017), http://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M.

[ii]               Id.

[iii]              Id.

[iv]              Id.

[v]               The facts of the Air Force narrative are from a series of conversations with Professor William C. Snyder, who had substantial knowledge of that situation’s details.

[vi]              Id.

[vii]             Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace, Heritage Report, (Mar. 6, 2014) http://www.heritage.org/defense/report/cyber-supply-chain-security-crucial-step-toward-us-security-prosperity-and-freedom.

Ryan White is a third year law student at Syracuse University College of Law and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs.