IGA 236

Technology, Security, and Conflict in the Cyber Age
IGA-236, Harvard Kennedy School
Fall, 2015
Faculty: Professor Jim Waldo

Course Description:
In our information age, security policy, strategy, and management face exceptional challenges. The increasing reliance of modern society on networked computer systems creates unprecedented vulnerabilities coupled with open and simple pathways to exploit those vulnerabilities. Powerful nations are forced to adapt to a shrinking margin of safety. Today no nation, agency, industry, or firm is isolated from the new methods of harm: cyberwar, cyberespionage, cyberterrorism, and cybercrime. Traditional strategies and approaches to security need revision to apply to a world where threats can propagate instantaneously and where the identity or location of an adversary may not be known. Despite the magnitude of the problem, the field of cybersecurity strategy, policy, and management remains incipient.

This course seeks to equip students with the tools necessary to conceptualize the cyber issue, develop policies appropriate for its resolution, and frame strategy and action to address the emerging threats. To that end, the course has four principal objectives:
- develop students’ understanding of the technology underlying cyberspace
- explore the nature of emergent and future cyber threats
- evaluate strategies and policy responses to these threats
- build professional skills in group work, scenario assessment, and memo writing

No computer science background is required: a core aim of the course is to make the related technology comprehensible to a layperson. Students with technical expertise may find the course useful in developing an understanding of key issues in the strategic management of cybersecurity for the organizations of industry and government.

Requirements and Grading:
1. Class Participation: Every student is expected to be prepared for and attend every class. Participation is important; it will count for 20% of your overall grade.
2. Individual Policy Papers and Briefs: There will be semi-weekly writing assignments, undertaken by individual students. These papers will count for 20% of your overall grade.
3. Group Policy Papers and Briefs: There will be semi-weekly writing assignments that will be given to groups of students, organized by the instructors. These papers will count for 20% of your overall grade.
4. Final Group Project: Each student will, either individually or as part of a small group, be expected to complete a significant term project. These projects might take the form of an experiment, a policy brief, or a paper. The exact project will be proposed towards the middle of the semester and will be due at the end of the semester. Part of the project will be a short presentation or briefing to the class on the project. The final project will be 40% of the grade.

Academic Integrity
All of you taking this course are working towards positions of public service and trust, so academic integrity and a solid ethical grounding are vital, and they must be shown in this course. The subject matter of this course is designed to spark discussion, and you are encouraged to talk about everything, including assignments, with your classmates. However, individual work must be done by the individual who takes credit for the work, and ideas imported from elsewhere must give credit to the source of the idea. This course also involves group work, where the group is constructed by the teaching staff. The work of the group should originate with the members of the group, and once again it is important to give credit to ideas imported from elsewhere. Presenting the work of others as your own will not be tolerated. If you have any questions on where the boundaries lie, please talk to the instructional staff prior to submitting the work.

Course Topics, with readings:
(Note: the set of topics and readings is subject to change, as the topic of cybersecurity and the policy debates around it change rapidly. Events may well dictate a different topic; if so, we will adapt. Also note that the required readings will be a subset of the readings listed here, not all of them.)

Computers, the Internet, Viruses, Trojans, and Worms: The technical basics
Required Readings:
1.) United States. Executive Office of the President. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communication Infrastructure. May 2009. Available Online: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
2.) Committee on Offensive Information Warfare, National Research Council. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, DC: National Academies Press, 2009. “Preface” and “Synopsis.” Available Online: http://www.nap.edu/catalog.php?record_id=12651

3.) Symantec. Symantec Internet Security Threat Report: Trends for 2010. Vol. 16 (April 2011). Available Online: https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_MainReport_04-11_HI-RES.pdf
4.) Ken Thompson. “Reflections on Trusting Trust.” Communications of the ACM. 27.8 (Aug. 1984): 761-763. Available Online: http://cm.bell-labs.com/who/ken/trust.html
5.) Janet Abbate. Inventing the Internet. Cambridge: MIT Press, 2000. “Chapter 1: White Heat and Cold War: The Origins and Meanings of Packet Switching,” “Chapter 2: Building the ARPANET: Challenges and Strategies,” and “Chapter 4: From ARPANET to Internet.”
6.) Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet Dossier, Version 1.4. February 2011. Available Online: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
7.) Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. “Can It Really Work? Problems with Extending EINSTEIN 3 to Critical Infrastructure.” Harvard National Security Journal. 3.1 (2011): 1-38. Available Online: http://harvardnsj.org/wp-content/uploads/2012/01/Vol.3_Bellovin_Bradner_Diffie_Landau_Rexford1.pdf
8.) Fred Schneider and Deirdre Mulligan. “Doctrine for Cybersecurity.” Daedalus. Fall 2011, 70-92. Available Online: http://www.cs.cornell.edu/fbs/publications/publicCYbersecDaed.pdf
9.) Vivek Kundra. Federal Cloud Computing Strategy. Feb. 2011. 1-6; 26-28. Available Online: http://ctovision.com/wp-content/uploads/2011/02/Federal-Cloud-Computing-Strategy1.pdf
10.) United States. Government Accountability Office (GAO). “Information Security: Additional Guidance Needed to Address Cloud Computing Concerns.” Oct. 2011. Available Online: http://www.gao.gov/assets/590/585638.pdf
11.) Tyler Moore, Richard Clayton, and Ross Anderson. “The Economics of Online Crime.” Journal of Economic Perspectives. 23.3 (2009): 3-20. Available Online: http://people.seas.harvard.edu/~tmoore/jep09.pdf


12.) J.H. Saltzer, D.P. Reed, and D.D. Clark. “End-to-End Arguments in System Design.” ACM Transactions on Computer Systems. 2.4 (Nov. 1984): 277-288. Available Online: http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf
13.) David D. Clark and Marjory S. Blumenthal. “Rethinking the Design of the Internet: The End to End Arguments vs. the Brave New World.” (2000). Available Online: http://dspace.mit.edu/bitstream/handle/1721.1/1519/TPRC_Clark_Blumenthal.pdf

Recommended Readings:
1.) Center for Strategic and International Studies. Securing Cyberspace for the 44th Presidency. Dec. 2008. Available Online: http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf
2.) W. Brian Arthur. Increasing Returns and Path Dependence in the Economy. Ann Arbor, MI: University of Michigan Press, 1994.
3.) Susan Leigh Star. “The Ethnography of Infrastructure.” American Behavioral Scientist (1999) 43: 377-391.
4.) Paul A. David. “Clio and the Economics of QWERTY.” The American Economic Review 75.2 (1985): 332-337.
5.) Scott D. Sagan. The Limits of Safety: Organizations, Accidents, and Nuclear Weapons. Princeton, NJ: Princeton UP, 1993.
6.) Charles Perrow. Normal Accidents: Living with High-Risk Technologies. Princeton, NJ: Princeton UP, 1984/1999. “Introduction,” and “Chapter 3: Complexity, Coupling, and Catastrophe.”
7.) Charles Perrow. The Next Catastrophe: Reducing Our Vulnerability to Natural, Industrial, and Terrorist Disasters. Princeton, NJ: Princeton UP, 2007/2011.
8.) Philip Auerswald, et al. Seeds of Disaster, Roots of Response. Oxford UP: 2006.
9.) Langdon Winner. “Complexity, Trust and Terror.” NetFuture #137, October 22, 2002.

Attribution and Authentication
Required Readings:
1.) David D. Clark and Susan Landau. “Untangling Attribution.” National Security Journal. 2.2. (2011). Available Online: http://harvardnsj.org/wp-content/uploads/2011/03/Vol.-2_Clark-Landau_Final-Version.pdf
2.) Committee on Offensive Information Warfare, National Research Council. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, DC: National Academies Press, 2009. “Chapter 5: Perspectives on Cyberattack Outside National Security.” Available Online: http://www.nap.edu/catalog.php?record_id=12651
3.) Orin S. Kerr. “Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes.” New York University Law Review. 78.5 (2003). Available Online: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740
4.) Steptoe Cyberblog. “The Hackback Debate.” Nov. 2, 2012. Available Online: http://www.steptoecyberblog.com/2012/11/02/the-hackback-debate/
5.) An Introduction to Cryptography. (1999). Available Online: ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf
6.) “Tor.” Wikipedia. Available Online: http://en.wikipedia.org/wiki/Tor
7.) Julian Dunning. “Statistics Will Crack Your Password.” Available Online: https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure

Recommended Readings:
1.) Butler Lampson, Martin Abadi, Michael Burrows, and Edward Wobber. “Authentication in Distributed Systems: Theory and Practice.” ACM Transactions on Computer Systems. 10.4 (Nov. 1992): 265-310. Available Online: http://research.microsoft.com/en-us/um/people/blampson/45-AuthenticationTheoryAndPractice/Acrobat.pdf

Cyberwar
Required Readings:
1.) Richard Clarke and Robert Knake. Cyber War: The Next Threat to National Security and What to Do About It. Ecco, 2010.
2.) John Arquilla. “Cyberwar Is Already Upon Us.” Foreign Policy. March/April, 2012. Available Online: http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_upon_us
3.) United States. Department of Defense. Department of Defense Strategy for Operating in Cyberspace. July 2011. Available Online: http://www.defense.gov/news/d20110714cyber.pdf
4.) Joseph Nye. “Nuclear Lessons for Cyber Security.” Strategic Studies Quarterly. Winter 2011. Available Online: http://www.au.af.mil/au/ssq/2011/winter/nye.pdf
5.) Thomas Rid. “Cyber War Will Not Take Place.” Journal of Strategic Studies. 35:1 (2012): 5-32.
6.) David Sanger. Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York: Crown, 2012. “Prologue” and “Chapter 8.”
7.) Harold Koh. “International Law in Cyberspace.” USCYBERCOM Inter-Agency Legal Conference. Sept. 18, 2012. Available Online: http://opiniojuris.org/2012/09/19/harold-koh-on-international-law-in-cyberspace/

Recommended Readings:
1.) United States. Department of Defense. Department of Defense Cyberspace Policy Report. Nov. 2011. Available Online: http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf
2.) Bill Gertz. “Computer-Based Attacks Emerge as Threat of Future, General Says.” Washington Times. Sept. 3, 2011. Available Online: http://www.washingtontimes.com/news/2011/sep/13/computer-based-attacks-emerge-as-threat-of-future-/?page=all
3.) Jack Goldsmith. “Cybersecurity Treaties: A Skeptical View.” Hoover Institution. 2011. Available Online: http://media.hoover.org/sites/default/files/documents/FutureChallenges_Goldsmith.pdf
4.) Thomas Mahnken. “Why Cyberwar Isn’t the Warfare You Should Worry About.” Foreign Policy. July 2012. Available Online: http://shadow.foreignpolicy.com/posts/2012/07/23/avoiding_cyber_hysteria


5.) Committee on Deterring Cyberattacks, National Research Council. Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy. Washington, DC: National Academies Press, 2010. Available Online: http://www.nap.edu/catalog.php?record_id=12997
6.) Thomas Rid. “Think Again: Cyberwar.” Foreign Policy. March/April, 2012. Available Online: http://www.foreignpolicy.com/articles/2012/02/27/cyberwar
7.) Michael N. Schmitt. “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework.” Columbia Journal of Transportation Law. (1999). Available Online: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1603800
8.) Kenneth Anderson. “Readings: Harold Koh Lays Out US Government Position on Cyberspace and International Law.” Lawfare. Sept. 19, 2012. Available Online: http://www.lawfareblog.com/2012/09/readings-harold-koh-lays-out-us-government-position-on-cyberspace-and-international-law/
9.) Paul Rosenzweig. “The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence.” 2010. Draft. Available Online: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1651905

Privacy, Surveillance, and Law Enforcement
Required Readings:
1.) Orin S. Kerr. Searches and Seizures in a Digital World. Harvard Law Review 531 (2005). Available Online: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=697541
2.) Samuel D. Warren and Louis Brandeis. The Right to Privacy. Harvard Law Review Vol. 4 No. 5 (Dec 15, 1890). Available Online: http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm
3.) David Golumbia. Opt-Out Citizenship: End-to-End Encryption and Constitutional Governance. Available Online: http://www.uncomputing.org/?p=272
4.) Harold Abelson, Ross Anderson, et al. Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications. Available Online: http://privacyink.org/pdf/Keys_under_Doormats.pdf
