Course Assistants and staff

Transcription

1 IGA-240: CYBER AND INFORMATION OPERATIONS: TECHNOLOGY, POLICY AND THE LAW Fall 2017/18, T/Th 8:45 10:00am L230 Instructor Eric Rosenbach L-362 Course Assistants and staff Corinna Fehst (Course Assistant) Caitlin Conley (Course Assistant) Melissa Kappotis (Faculty Assistant) Description: Today s leading democracies are digital: they depend on the internet and information technology for vital functions of the economy, infrastructure, media and government. Democracies rapid adoption of information technology has improved citizens lives and nations overall prosperity. But digital democracies are also increasingly vulnerable to interference from hostile actors who may use cyberattacks, information operations, or a sophisticated hybrid of both, to disrupt these societies. Russia s recent interference in elections in the United States and Europe highlight one aspect of the threat to digital democracies. Several other cases illustrate the emergence of attacks on other key sectors of digital democracies, such as the successful Russian attack on the Ukrainian power grid in 2016, the Islamic State s use of social media for radicalization, the 2014 North Korean hack of Sony Pictures and the Iranian cyberattacks on the US financial sector. The perceived success of these attacks will encourage increased malicious activity in the future. In parallel, the international community has seen an increasing weaponization of data and information obtained through cyber means, as well as the increasing use of offensive cyber tools by nation states to further national interests. Unfortunately, the leaders of most democratic nations are unprepared to address the complex technical, political, policy and legal issues associated with these types of malicious activities. The need for a new generation of technically-savvy policymakers is clear. This course will introduce students to the policy, technical and legal challenges faced by digital societies and push them to develop policy proposals to mitigate risk in the future. The course will assess the digitalization of today s leading democracies and the vulnerabilities that this creates, discuss the intent and foreign policy goals of hostile actors who seek to exploit these vulnerabilities, and review the features of intrusive attacks on digital democracies (including but not limited to the cases mentioned above). In addition sharpening students policy formulation skills, students will also learn to provide basic legal, technical and political analysis for each of the cases covered in the course. Understanding the technology of cybersecurity and big-data analysis is particular important; thus, the instructor will ensure all students have a basic understanding of the technical underpinnings of each case (e.g. how does ransomware work, how was the US DNC hacked, how do bots spread fake news).

2 The instructor recently served as the Pentagon Chief of Staff, and previously served as the Department of Defense Cyber Czar and Assistant Secretary of Defense for Global Security. As such, he personally worked on many of the cases that will be discussed in class. Instruction method: This class will be highly interactive and will rely heavily on the case method, supported by the Socratic Method/cold calling. Students should therefore come to class prepared to participate and contribute. Audience: This course is designed for future practitioners of cybersecurity and cyber policy, as well as for those who plan to work in national security and international affairs more broadly. Although parts of the course focus on the United States, information and cyber operations are global issues. International students are therefore highly encouraged to enroll. Initial classes in the course provide students with a solid foundation on networking, software and data, so no technical background is required for the course. Learning Objectives: By the end of the course, students will have: (1) the ability to think strategically about managing offensive and defense cyberattacks and information operations, taking into account policy, legal, technical and political considerations; (2) professional skills that allow them to effectively communicate through crisp policy recommendation memos and oral briefings; (3) a solid foundation of knowledge about specific recent cases of cyberattacks and cyber operations, and; (4) a more thorough understanding about how the US and other international governments, as well as the international community can work together to shape and address cyber threats. Expectations: This is a graduate-level course for future professionals. Thus, the instructor has high expectations of all students. Basic expectations are that students will: (1) attend all scheduled classes and show up on time; (2) complete assignments on time; (3) read all assigned materials in advance of class and come to class prepared to discuss them; and (4) contribute to the team assignments. Course Requirements: Each student will be required to: Complete two quizzes/assignments on the technology of cybersecurity and information operations Write two individual policy recommendation memos Write one short surprise memo (giving students 48 hours to complete this assignment after a significant real-world event) Complete two in-class simulation exercises Prepare for and participate in all class discussions Quizzes: There will be two quizzes/assignments on the technological foundations of cybersecurity and information operations. These will test students understanding of basic aspects of cybersecurity and information operations, as well as of the technical functioning of different types of cyberattacks. Individual Recommendation Memos: Each student will submit two three-page policy recommendation memos. The memos should provide a senior-level decision maker with analysis and recommendations on a cybersecurity / information operation issue covered in class. Students have the option to write on any two of the 8-10 assigned memo topics (full details will be posted at the start of term). Students must complete at least

3 one memo prior to the first simulation exercise. Policy recommendation memos should include: policy objectives, basic legal analysis, identification of various policy options and a final recommendation. The instructor will provide more details about the memo format in class. Surprise Memo: There will be a two page surprise memo assigned at some point during the semester. Students will assess a current event cybersecurity or information operations issue and present recommendations to a senior leader, such as the UN Secretary General, National Security Advisor, Secretary of Defense, or Minister of Foreign Affairs. Students have 48 hours to complete this assignment. Simulation Exercises: The class will participate in two (fun!) simulation exercises focusing on cyberattacks and/or information operations. These team-based exercises will simulate a national security environment, such as e.g. a Senate Intelligence Committee meeting or a Principles Committee meeting of the National Security Council. Preceding the exercise, students will be assigned a role, such as a Senator or Secretary of State. Each student will be expected to familiarize him/herself with all aspects of the role. Students will be evaluated on their professionalism, decision-making and ability to communicate. The class will jointly derive lessons learned from each simulation. Class Participation: The quality (not quantity!) of class participation will determine a significant part of a student s overall grade. The instructor expects students to complete the readings for each class; each student should come to class prepared to debate the issue of the day. The instructor will use the Socratic Method to ensure that all students prepare for class and participate in the discussion. Because of the importance of class participation, students are required to bring their name placards to every class. The use of laptops and phones in class is prohibited. Attendance is mandatory unless excused. Standard Operating Procedures (SOPs) for Assignments: All written assignments must be uploaded to the course Canvas site to receive full credit. Students are required to upload their assignment by 08:00 of the due date. Additionally, students must hand in a hardcopy of their assignment at the beginning of class. All assignments must follow the formatting guidelines distributed in class. Grading: The instructor will follow HKS guidance regarding the curved distribution of grades. Final grades will be determined according to the following: Technical quizzes: 10% Policy Recommendation Memos: 40% Surprise Memo: 10% Simulations and Class Participation: 40% Office Hours: The instructor will hold office hours by appointment. You should schedule an appointment within these hours with Melissa Kappotis (melissa_kappotis@hks.harvard.edu). Readings and Required Books: This class will not rely on a single book instead specific readings are assigned for each class. In addition, the beginning of this course familiarizes students with the technical fundamentals of cybersecurity and cyber/ information operations. Students without a technical background will be expected to build up their technical knowledge quickly. To help them get started, the instructor strongly

4 recommends that students complete technical readings ahead of the start of term. Potential readings that students might wish to consider as a starting point are: Lawrence C. Miller, Cybersecurity for Dummies, 2014 (available online) Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar: what everyone needs to know, 2014 (available online).

5 Class Date Topic Objectives 1 31 st Aug A Cyber 9/11: Assess the risk of a catastrophic cyberattack to the US or other nations. Inevitable or Identify key issues of analysis necessary to determine whether a cyber 9/11 is possible. Hysterical? Preview of course structure and key features. Overview of the course s framework of analysis: 2 5 th Sept Technology Basics and Cyber Defense (part I) 3 7 th Sept Cyber Defense (part II) and Cyber Attacks 4 12 th Sept Cyber Actors: Russia, China and Cyber Criminals 5 14 th Sept Cyber Actors: Iran, North Korea and Cyber Terrorism 6 19 th Sept Organizing for Cyber: USG, Private Sector and International Organizations technology, policy and the law. Understand the functioning and basic components of the internet, networks, software, and hardware. Understand the inherent technical vulnerabilities of the internet, networks, software, hardware. Learn key concepts and strategies for identifying and defending an organization s key assets. Understand key technologies associated with defending networks, systems and information against cyberattacks and information operations. Technical Quiz 1 (to be completed within 24 hours of the class) Define information and cyber operations, and distinguish between the two. Understand how attackers exploit vulnerabilities in the internet, networks, software, hardware to conduct different types of information and cyberattacks. Technical Quiz 2 (to be completed within 24 hours of the class) Assess the strategies employed by Russia and China to advance their national interests via cyber and information operations. Review historic examples of Russian and Chinese cyber and information operations. Understand the organizational set-up supporting cyber/information operations in Russia and China. Understand motivations of cyber criminals, and key means by which they exploit networks and sensitive information. Understand different means of monetizing cyber and information attacks (e.g. sale of financial information, ransomware). Understand why cyber operations are a key tool for nations like Iran and North Korea. Review historic examples of Iranian and North Korean cyber and information operations. Understand the organizational set-up supporting cyber/information operations in Iran, North Korea. Understand motivations of cyber terrorist and asses how large the threat of cyber terrorism really is. Understand how the US government is organized to address challenges of cyber and information operations. Who are key actors and their responsibilities, how do they interact, what challenges exist in their operations and interactions? Understand the crucial role that the private sector plays in addressing cyber threats to national interests. Understand the crucial role that international organizations play in defining, deterring, and managing cyber and information operations (esp. NATO, UN, EU) st Sept Cyber Strategy Learn to evaluate, prioritize, and articulate cyber policy goals and objectives within the framework

6 and Policy 8 26 th Sept The Law and Politics of Cyber 9 28 th Sept Chinese Theft of Intellectual Property 10 3 rd Oct Defending Networks: The OPM Case 11 5 th Oct Defending Services: Dyn DDoS, Iranian DDoS of Financial Sector of national interests. Apply the national interest framework to articulate a prioritized list of US policy objectives in cyberspace. Use this framework in future sessions to evaluate resource allocations and prioritization in actual US cyber policy. Outline key U.S. cyber strategy and policy documents. Consider the policy trade-offs generated by an emphasis on cybersecurity on other domestic and international US objectives (e.g. in terms of resources, relationships, intellectual focus). Review the key foreign policy considerations and frameworks that apply to information and cyber operations (e.g. deterrence, attribution challenges, arms race, applicability of law, advantages of cyber/info ops vs. traditional warfare). Understand the important role that the law plays in the formulation of cyber policy. Understand how the U.S. constitution, codes and caselaw influence US cyber policy. Understand how Congress is structured, its authority/ sources of power, and how this plays out on cyber policy. Understand which key international pieces of law affect US (and other players ) cyber/ information operations. Understand the role of non-binding efforts to establish rules in cyberspace, in particular the NATO CCD COE Tallinn Manual, and UN cyber norms process. Recognize how politics shapes (and sometimes distorts) the national security environment. Recognize the currently occurring fault lines and consider how to manage them. Be able to participate in a discussion on how future political trends will impact cyber security policy. Understand the strategic implications of intellectual property theft and how China uses cyber operations to bolster its overall economic strategy. Explore the U.S.-China 2015 agreement banning commercial cyber espionage. Assess its effectiveness, understand how this agreement was reached, review why it is so difficult to achieve such negotiated settlements in other areas of cyber/ information operations. Understand key events and technology employed in the OPM attack. Understand the intent and impact of the Chinese operation. Assess the US government s response to the attack and constraints on its potential reactions. Understand key events and technology employed in U.S. Financial sector and Dyn DDoSs Understand the significance of a denial of service attack, and how the response to them may differ from other cyberattacks. Assess the decision-making calculus of a private sector leader responding to a large cyberattack against his/her firm. Understand the increasing risk of DDoS from poorly secured Internet of Things devices. Be able to debate the potential need for cybersecurity regulation for IoT devices.

7 12 10 th Oct Defending Operational Networks: TransCom and Iranian attacks on the U.S. Navy th Oct Defending Important Information: Snowden, Insider Attacks and Domestic Surveillance th Oct Simulation I: Senate Hearing on a Cyber Attack (related to Wanna Cry) th Oct Disrupting Terrorist Attacks: ISIS use of social media and San Bernadino th Oct Defending Critical Infrastructure: Attacks on the Financial Sector: NASDAQ, 2015/16 SWIFT Understand the importance of operational networks to large organizations, such as the military or a large multinational corporation. Understand key events and technology employed in the TransCom and Iranian Navy attacks. Assess the intent of China and Iran to penetrate these networks. Assess the US military s response to the attack and the constraints on its potential reactions. Understand key events of the Snowden leaks, and their short- as well as long-term political and national security consequences. Understand the important role of that insiders are known or alleged to have played in other highprofile cyberattacks and information operations. Discuss political, moral, and security considerations surrounding insider leaks in the national security space. Is it ever justified to leak sensitive national security information from inside government? If so, under which conditions? Understand existing measures to prevent and manage insider risk within the U.S. government. Discuss legal/ political measures pursued since Snowden and whether/ how to further expand the use of such measures in the future. In-class simulation focused on key implications of WannaCry ransomware attack (including severity of threat it posed, attribution, retaliation options, vulnerability equities process/ PATCH Act and their implications for future U.S. intelligence gathering capabilities) Students need to have completed Individual Policy Memo 1 by this class Explore terrorists diverse uses of the Internet (e.g. for recruiting, financing/ payments, attack planning, everyday operation and coordination). Specifically, understand ISIS use of social media for recruiting. Assess how the U.S. and ally government, as well as social media/ tech companies seek to disrupt it. Understand FBI-Apple stand-off following the San Bernadino attack, and the resulting national security vs. privacy/civil liberties/ data security debate. Understand key events and technology employed in NASDAQ and SWIFT cyberattacks. Understand scope of disruption for global economic system from financial sector attacks. Understand attribution and political implications/ retaliation.

8 17 26 th Oct Defending Critical Infrastructure: Saudi Aramco and RasGas st Oct Defending Critical Infrastructure: Ukraine Power Grid and US Infrastructure 19 2 nd Nov Defending Digital Democracy: Sony Pictures 20 7 th Nov Defending Digital Democracy: US 2016 Elections (I/II) Define critical infrastructure. Understand implications of CI cyberattacks in general and specifically for the oil/gas sector. Understand key events and technology employed in Saudi Aramco/ RasGas attacks (Shamoon). Understand operational and financial implications of these attacks. Understand attribution challenges and political implications/ retaliation. Understand key events and technology employed in Ukraine 2015 power grid attack, and its significance. Understand attribution and attribution challenges. Assess risk of attacks being similarly effective in the U.S./ European electric grids. Understand reactions by U.S. and international community (e.g. measures to improve security of electricity grids), and discuss what more could be done going forward (e.g. more compulsory cybersecurity and reporting regulation for CI private sector operators?) Understand key events and technology employed in 2014 Sony Pictures attack. Understand the financial, operational and reputational damage suffered by Sony Pictures. Understand attribution (marks formal emergence of the Lazarus Group); alternative attribution theories (e.g. role of insiders, hacktivists not related to DPRK). Discuss the potential of cyberattacks to interfere with the democratic right of free speech. Discuss the U.S. political reaction and response, and the limits on constraints it faced. Understand key events and info ops/ cyber ops technology employed in U.S Elections, covering cyberattacks with information leaks (DNC and RNC hacks, Podesta mails) and fake news. Understand attribution to RUS: what is vs. is not publicly known, strength of evidence? Understand domestic political implications of the election interference (in particular: what do we know about the effect that this intervention may of may not have had on election outcomes. Understand foreign policy implications (sanctions, escalating tensions in US/RUS relations, raised the ongoing questions regarding the Trump administration s links to Russia). Distinguish between different level of attacks on elections (from fake news, to cyberattacks coupled with information leaks, to hacking of core election infrastructure such as voter registration systems). Understand how each attack type is executed and their respective likelihood and impact. Highlight key case of RUS election interference beyond the 2016 US elections (e.g. Macron campaign, Estonian and Ukrainian elections).

9 21 9 th Nov Defending Digital Democracy: US 2016 Elections (II/II) th Nov Offensive Cyber Ops: Stuxnet th Nov Offensive Cyber Ops: Counterterrorism st Nov Offensive Cyber Ops: Military th Nov Simulation II: National Security Council th Nov Simulation II debrief & class wrap-up Discuss increasing weaponization of information (cyberattacks coupled with information leaks, and fake news). Understand what is already being done to prevent the weaponization of information, esp. fake news. Understand efforts to secure the different levels of election infrastructure going forward (e.g. paper audit trails at voting machines, increased pressure on social media companies) Understand key events and technology employed in Stuxnet attack. Understand the operational and foreign policy framework for analysis of offensive cyber operations. Assess the short and longer impacts of conducting offensive cyber operations. Review US CYBERCOM s offensive cyber campaign against ISIS: key components, legal status, effectiveness. Understand the potential for using offensive cyber and information operations during combat. Students simulate an NSC meeting dealing with an imminent, severe cyber attack. Debrief on Simulation II. Review of key concepts and lessons learnt in the class.