The Rise of Milware

By Trey Herr

“Governments writing, we sort of take that for granted. But ten years ago, that would have been science fiction.”

In the last half-decade, governments have become some of the most sophisticated proliferators of malicious software. What has changed isn’t the behavior of states so much as the scope of our understanding of their activities. Recognizing this and adapting to it requires a shift in mindset, namely: it isn’t all malware anymore.

Event Report: Privacy and Civil Liberties Oversight Board

By Katelyn Anders

On November 12, 2014, the Privacy and Civil Liberties Oversight Board (PCLOB) held a public meeting with four panel discussions.  The invited panelists and board members covered the topic of “defining privacy.”  In the wake of the Snowden leaks, department store data breaches, and changes in cell phone data tracking practices, this event brought together a vast group of professionals from different fields.  The topics of privacy and technology easily melded together, but one question became very apparent that highlights the complexity of their tandem relationship:  how does technology affect our view and conceptualization of privacy? 

Just Cyberwar

By Thomas Wester

Cybersecurity represents a major paradigm shift in global conflict and warfare. In his 1962 book, The Structure of Scientific Revolutions, Thomas Kuhn developed the notion that paradigm shifts in technology transform global dynamics.[i] Cyber-attacks are becoming more common; paired with increasing sophistication and greater lethality, cyber warfare will influence and dominate the war-fighting style of the 21st Century and beyond. In a 2012 article, President Obama warned that the “cyber threat to our nation is one of the most serious economic and national security challenges we face.”[ii] Mounting appropriate responses to this emerging threat will be crucial to ensuring our security as a nation. However, the response must be morally permissible and the currently accepted moral theories, including the Just War Theory, fail to fully address this emerging form of warfare. Furthermore, our nation’s responses will likely set the global precedent for responses to cyber-attacks. Thus, the morality of responses in cyber warfare is an issue that must be addressed.

Event Report: Internet Governance Forum USA Annual Meeting

By Jonathan Berliner

  If anything is taken for granted, it is the Internet. The nation with the smallest GDP in 2013, Tuvaluhas its own top-level domain name. China, the world’s largest nation by population, has its own sophisticated mechanisms for controlling the Internet. According to a McKinsey report from 2011, $8 Trillion is processed in e-commerce annually via the Internet and of 13 nations accounting for 70% of world GDP, 3.4% of their overall GDP is solely from the Internet. Yet, these staggering numbers account for a system that is not governed by a government authority, a UN agency, or any single stakeholder for that matter. 

Event Report: The NSA Surveillance Programs - Assessing the Damage to U.S. Commerce, Confidence & Credibility

By Jonathan Berliner

  This event, hosted by the Congressional Internet Caucus Advisory Committee, seemed to suggest a new, unbiased perspective on the Snowden leaks thus far. Whereas the normal Snowden-related polarized rhetoric focuses on the merits of surveillance, privacy, or government transparency, this panel discussion promised to take a more objective route: ceteris paribus, what is the damage that the NSA surveillance programs have cost the United States in terms of commerce, confidence, and credibility? Had I been consulted, I would suggest that the hosts substitute “damage” with “cost,” to sound more even-handed; one does not assess the damage to his or her wallet after a shopping trip to Safeway, but one does assess the damage to his or her bank account after their wallet has been robbed.

Event Report: Computers, Freedom, and Privacy Conference 2014

By: Jonathan Berliner

            This year’s Computers, Freedom, and Privacy Conference (#CFP2014) was held during an extraordinary time in the history of computers, freedom, and privacy. The Edward Snowden NSA revelations of 2013 made the task of privacy experts more pressing and certainly added to the energy of this year’s conference. Attendees included a former governor of Pennsylvania, a congressman, a former general counsel of the NSA, leaders of NGOs, cryptographers, whistleblowers, and drone experts from as far as Australia. Of course, the usual cadre of DC-area policy wonks and lawyers were in attendance as well.

NIST Releases Next Generation SHA-3 Hash Function for Public Comment…After Year of Turmoil

By Jonathan Berliner

On May 28, 2014, the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, released its latest draft for the SHA-3 (Secure Hash Algorithm-3) standard hash function. What is unique about this announcement is that its ancestry involves Edward Snowden, NSA, NIST, and leading cryptographers, all wrestling over…random numbers.

Musings on NETmundial

By Susan Ariel Aaronson

Netmundial, the multi-stakeholder meeting organized by the government of Brazil, was an inspiring mess. On one hand, it was the place to be - a Woodstock for Internet activists and innovators. The Brazilian government paid tribute to these individuals and used the opportunity to signal that it intended to play a leading role in global Internet governance. On the other hand, the Brazilian government did not clarify the objectives, strategy, and desired outcomes for the April meeting. They made it clear that the conference would yield a declaration with two sections:  principles and a road map, but attendees were unclear as to how will policymakers use these principles and road map.  Did the organizers intend to create a road map that could ensure that governments and business adhered to those principles?  

The PrEP Model: Cyber Weapons

By Trey Herr

Within PrEP, malware that have a payload designed to create destructive physical OR digital effects can be classified as a weapon.

Digital effects damage the integrity or availability of an information system - deleting data or disrupting a network service. These could be short term, as with a brief denial of service attack, or near permanent, where a payload is designed to wipe the boot layer of a hard disk. Physical effects manipulate a piece of equipment, like a centrifuge or generator, causing it to damage or destroy itself. The Aurora test at Idaho national labs, deployed a cyber weapon into the industrial control system of a multiton generator, causing it to jump and shake on its foundations, eventually destroying the machine. Destruction can amount to physical damage or loss of data integrity such as deletion or corruption. This still requires the combination of the three components, a propagation method, exploit, and payload, but is differentiated from malware by the effects produced by the payload.

The PrEP Model: An Introduction

By Trey Herr

How we think about malware (and cyber weapons) affects the way we make policy and conduct research. There is an alternative to the current approach, which approaches pieces of malware as individual objects – classifying code based entirely on its purpose instead of the components it contains. In the next few posts, I’m going to present an alternative model to how we currently think about malware and offer a definition of cyber weapons.[1]

Future Health Tech: How Secure Will It Be?

By Steven Munnelly

Health care has become an increasingly large part of our lives; from the increase in the percentage of our Gross Domestic Product (GDP) we spend on it, to the periodic overhauls of our health programs, to the creation of online insurance marketplaces, or to the future of health care technology, one has to wonder: how secure is my health data?

Recent Google Street View Court Decision Threatens to Criminalize Ordinary Wi-Fi Use (Part 3): How the Court Reversed Itself, and How the Courts Should Analyze this Issue in the Future

By Shane Huang

Originally, this series was designed to highlight the most problematic portions of the 9th Circuit’s opinion in Joffe v. Google, and to propose a better framework for analyzing whether the Wiretap Act covers technologies developed and popularized since the Act’s most recent major revision.

Cyber Actors Find a Target-Rich Landscape in Sochi

By Miranda Sumey

Today, spectators the world over tuned in to watch the Opening Ceremony of the XXII Olympic Winter Games in Sochi, Russia. Over 100,000 tourists and 3,000 athletes will stay in the Black Sea resort town for 17 days of international competitions. Despite the excitement, however, the past few weeks have seen substantial trepidation over the potential for a terrorist attack. But cyber-attacks, which seem omnipresent at nearly every major news-worthy event these days, are a far more likely (albeit less dangerous) threat.

Cyberinsurance: At What Cost?

By Nicolas Zahn


What happens if the plans for your new product line get stolen by hackers working for your competition? What happens if merger plans get leaked by a disgruntled employee? What happens if you lose customer data one week before Christmas? Those questions are increasingly on the mind of managers as the question with cyber attacks is no longer if, but when. To deal with the risk of cyber attacks, companies are starting to look at a relatively new product to add to their risk management strategies: cyberinsurance.

Approaching the Limits of Speed and Automation in the Cyber Age

By Mark Hagerott

This blog post addresses an urgent issue: with the rise of peer cyber powers in contested cyber-physical space, what are the key implications for US/NATO physical systems, doctrine, and workforce programs in the warfare domains of air, sea, and land?  The article offers what might seem a counterintuitive recommendation: consider slowing the acquisition of automated systems, and resume training officers and government/corporate work forces in manual operations of key systems.