<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="http://webfeeds.brookings.edu/feedblitz_rss.xslt"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"  version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	 xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
<channel>
	<title>Brookings Topics - Cybersecurity</title>
	<atom:link href="https://www.brookings.edu/topic/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.brookings.edu</link>
	<description>Brookings Topics - Cybersecurity</description>
	<lastBuildDate>Wed, 04 Jan 2017 17:56:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.7</generator>
<itunes:explicit>no</itunes:explicit>
<item>
<feedburner:origLink>https://www.brookings.edu/media-mentions/20161215-atlantic-pollack/</feedburner:origLink>
		<title>20161215 Atlantic Pollack</title>
		<link>http://webfeeds.brookings.edu/~/244365884/0/brookingsrss/topics/cybersecurity~Atlantic-Pollack/</link>
		<pubDate>Wed, 14 Dec 2016 19:13:48 +0000</pubDate>
		<dc:creator><![CDATA[Ian Merritt]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?post_type=media-mention&#038;p=348305</guid>
		<description><![CDATA[]]>
</description>
				<content:encoded><![CDATA[<p></p>]]>
</content:encoded></item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/order-from-chaos/2016/12/09/technology-and-the-third-offset-foster-innovation-for-the-force-of-the-future/</feedburner:origLink>
		<title>Technology and the “Third Offset” foster innovation for the force of the future</title>
		<link>http://webfeeds.brookings.edu/~/241263462/0/brookingsrss/topics/cybersecurity~Technology-and-the-%e2%80%9cThird-Offset%e2%80%9d-foster-innovation-for-the-force-of-the-future/</link>
		<pubDate>Fri, 09 Dec 2016 20:31:18 +0000</pubDate>
		<dc:creator><![CDATA[Ian Livingston]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?p=346330</guid>
		<description><![CDATA[The “Third Offset” strategy, officially launched with this year’s budget request, attempts to identify asymmetries between U.S. forces and those of potential adversaries. What role can military innovation play in enhancing U.S. military advantages? On December 5, the Brookings Center for 21st Century Security and Intelligence hosted an event discussing the future of U.S. military [&#8230;]]]>
</description>
				<content:encoded><![CDATA[<p>The “Third Offset” strategy, officially launched with this year’s budget request, attempts to identify asymmetries between U.S. forces and those of potential adversaries. What role can military innovation play in enhancing U.S. military advantages?	<div class="inline-widget alignright">
		<h3>Author</h3>
			<div class="inline-widget-inner">
				
<article class="archive-view profile " itemscope itemtype="http://schema.org/Person">
			<div class="expert-image">
							<div class="image-wrapper small">
					<a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/author/ian-livingston/"><span class="article-image-char">I</span></a>
				</div>
					</div>
	
	<div class="expert-info">
							<h2 class="name"><a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/author/ian-livingston/">Ian Livingston</a></h2>
		
		<h3 class="title">Senior Research Assistant</h3>
					<div class="contact">
				<a class="twitter" href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.twitter.com/islivingston"><svg>		<title>Twitter</title>
		<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#icon-social-twitter"></use></svg>islivingston</a>
			</div>
		
			
		
			</div>
</article>
			</div>
	</div>
	</p>
<p>On December 5, the Brookings <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/center/center-for-21st-century-security-and-intelligence/" target="_blank">Center for 21st Century Security and Intelligence</a> <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/events/investing-in-the-future-of-u-s-defense-during-a-time-of-transition-at-home-and-abroad/" target="_blank">hosted an event</a> discussing the future of U.S. military innovation with Deputy Secretary of Defense Robert Work. Alan Easterling of Northrop Grumman and Kelly Marchese of Deloitte Consulting also spoke, and Brookings Senior Fellow <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/experts/michael-e-ohanlon/" target="_blank">Michael O&#8217;Hanlon</a> moderated the event.</p>
<h2><strong>First, Second, Third Offsets</strong></h2>
<p>Secretary Work reminded the audience that the United States has enjoyed a conventional advantage over recent adversaries. Importantly, that advantage has been against small regional powers. There has been less worry about peer competitors since the end of the Cold War, he said, but that has changed again over the past decade.</p>
<p>With an ascendant China and a re-strengthened Russia, a new military strategy called the Third Offset “helps deter a conventional conflict with a large state power,” according to Work. A key facet is strengthening conventional deterrence. In short, the Third Offset is meant to help prevent war with a great power by ensuring that if we did ever fight, we would prevail. 
</p>
<p>The First Offset, as O’Hanlon outlined, covers the full range of U.S. nuclear capabilities in the 1950s. The Second Offset is more focused on precision weaponry and air-land battle concepts from the 1970s and 1980s. All offsets, Work noted, “are focused on operational and organizational constructs that provide an advantage at the operational level of war.” But the Third Offset is more open-ended, long-term, and diffuse, compared to the first and second offsets. While we knew the end game of the First Offset and the Second Offset as they were developed, we do not necessarily know the end state when it comes to the Third Offset.</p>
<p>We do know that technology—specifically its connectedness to military organizations and to military doctrine—provides the key to the Third Offset. Secretary Work highlighted five areas of focus:</p>
<ul>
<li>Learning machines</li>
<li>Human-machine collaboration</li>
<li>Assisted human operations (such as exoskeletons and wearables)</li>
<li>Man-unmanned combat teaming</li>
<li>Better autonomous weapons</li>
</ul>
<p>Work stressed the critical importance of artificial intelligence (AI) and autonomy. “Putting AI and autonomy into the battle network is the most important thing we can do first,” he said. Missile defense, robotics, and unmanned systems also fit into the Third Offset framework, and Work said these systems can be thought of as “assisted human ops” (as distinct from “enhanced human ops,” which involve genetically modifying the soldier; that’s not something the United States is pursuing, but it is possible competitors may try). There is also a clear cyber element to the Third Offset—for one, autonomous machines driven by AI might be the first line of defense in a cyberattack.</p>
<p>What about possible ethical concerns of these military systems? O’Hanlon queried Secretary Work on the potential for machines making their own decision to shoot. Work indicated that was more likely to happen under authoritarian governments—pointing, for example, to a Soviet conception that was totally automatic. In the United States, he said, our focus has been on enabling better communications and network capabilities for the human warfighters.</p>
<p>The Third Offset, in Work’s view, is not unlike other major revolutions that started in the commercial technology space, such as the telegraph and railroad, which ultimately transformed war.</p>
<h2><strong>By land and by sea</strong></h2>
<p>Kelly Marchese reminded the audience that the Third Offset is not just about technology, highlighting the importance of overall architecture and integration. According to Marchese, the most important aspects are “operational and organizational constructs.” Since technology changes so rapidly, improving agility and the way technologies interact in a network are also key. Marchese expressed concern that networking standards have not been set.</p>
<p>O’Hanlon pointed out that many networks are unlikely to survive a cyber attack. He wondered: could much of our technology be rendered useless in such incidents? Marchese responded: “The good news is much of this technology is still not connected. The bad news is it needs to be connected to operate as effectively as we want.”
</p>
<p>Turning to more traditional means of warfighting, O’Hanlon asked Alan Easterling about the oceans, adding that they are thought of as an “area of great promise” in the international arena. Easterling agreed, but emphasized that there’s a problem with ships. Modern ships are very vulnerable, he said—during the Falklands War of 1982, for example, superior British ships proved little match for advanced missiles. That is very much the story today, Easterling added, saying: “Any surface vessel within 1,200 miles of determined opponent is at risk.” And this problem tends to push everyone underwater. In many ways, he said, submarines are the “last bastion of stealth.” There are still unresolved difficulties under water, though (including communication), and he concluded that combining above and below water assets remains key.</p>
<p>Finally, O’Hanlon turned to land bases and their vulnerability. He pointed out that there are things we can do like hardening, dispersal, and retaining short-takeoff aircraft to help overcome the issues. But is this enough? Easterling argued that the best strategy is distribution, and that forward bases are often quickly overwhelmed, adding: the “age of the medium range ballistic missile changes everything.” Circling back to remarks by Secretary Work, Easterling remarked that the United States has not faced a foe with this kind of capability, and that it is of great potential concern.</p>
<p>While some challenges lie ahead, the overall message of the event was that the Third Offset strategy or its natural successor, whatever that may be called (but which will likely preserve many elements of the Third Offset), will offer considerable hope for the United States in the decades ahead.</p>
]]>
</content:encoded>
		<enclosure url="http://webfeeds.brookings.edu/-/241263460/0/brookingsrss/topics/cybersecurity.jpg" type="image/jpeg" />
<feedburner:origEnclosureLink>https://www.brookings.edu/wp-content/uploads/2016/12/cyberwar_center001.jpg?w=293</feedburner:origEnclosureLink>
<itunes:summary>The &#8220;Third Offset&#8221; strategy, officially launched with this year&#x2019;s budget request, attempts to identify asymmetries between U.S. forces and those of potential adversaries. What role can military innovation play in enhancing U.S. military advantages? 
Author I 
Ian Livingston 
Senior Research Assistant Twitter islivingston 
On December 5, the Brookings Center for 21st Century Security and Intelligence hosted an event discussing the future of U.S. military innovation with Deputy Secretary of Defense Robert Work. Alan Easterling of Northrop Grumman and Kelly Marchese of Deloitte Consulting also spoke, and Brookings Senior Fellow Michael O'Hanlon moderated the event. 
First, Second, Third Offsets 
Secretary Work reminded the audience that the United States has enjoyed a conventional advantage over recent adversaries. Importantly, that advantage has been against small regional powers. There has been less worry about peer competitors since the end of the Cold War, he said, but that has changed again over the past decade. 
With an ascendant China and a re-strengthened Russia, a new military strategy called the Third Offset &#8220;helps deter a conventional conflict with a large state power,&#8221; according to Work. A key facet is strengthening conventional deterrence. In short, the Third Offset is meant to help prevent war with a great power by ensuring that if we did ever fight, we would prevail.&#xA0;
 
Related 
- Arms Control 
50 Facts About U.S. Nuclear Weapons Today Monday, April 28, 2014 - Order from Chaos 
An open letter to Donald Trump on the One-China policy Richard C. Bush Tuesday, December 13, 2016 - Arms Control 
Dealing with a nuclear-armed North Korea Evans J.R. Revere Tuesday, October 4, 2016 
The First Offset, as O&#x2019;Hanlon outlined, covers the full range of U.S. nuclear capabilities in the 1950s. The Second Offset is more focused on precision weaponry and air-land battle concepts from the 1970s and 1980s. All offsets, Work noted, &#8220;are focused on operational and organizational constructs that provide an advantage at the operational level of war.&#8221; But the Third Offset is more open-ended, long-term, and diffuse, compared to the first and second offsets. While we knew the end game of the First Offset and the Second Offset as they were developed, we do not necessarily know the end state when it comes to the Third Offset. 
We do know that technology&#x2014;specifically its connectedness to military organizations and to military doctrine&#x2014;provides the key to the Third Offset. Secretary Work highlighted five areas of focus: 
- Learning machines 
- Human-machine collaboration 
- Assisted human operations (such as exoskeletons and wearables) 
- Man-unmanned combat teaming 
- Better autonomous weapons 
Work stressed the critical importance of Artificial Intelligence (AI) and autonomy. &#8220;Putting AI and autonomy into the battle network is the most important thing we can do first,&#8221; he said.&#xA0;Missile defense, robotics, and unmanned systems also fit into the Third Offset framework, and Work said these systems can be thought of as &#8220;assisted human ops&#8221; (as distinct from &#8220;enhanced human ops,&#8221; which involve genetically modifying the soldier; that&#x2019;s not something the United States is pursuing, but it is possible competitors may try). There is also a clear cyber element to the Third Offset&#x2014;for one, autonomous machines driven by AI might be the first line of defense in a cyberattack. 
What about possible ethical concerns of these military systems? O&#x2019;Hanlon queried Secretary Work on the potential for machines making their own decision to shoot. Work indicated that was more likely to happen under authoritarian governments&#x2014;pointing, for example, to a Soviet conception that was totally automatic. In the United States, he said, our focus has been on enabling better communications and network capabilities for the human ... </itunes:summary>
<itunes:subtitle>The &#8220;Third Offset&#8221; strategy, officially launched with this year&#x2019;s budget request, attempts to identify asymmetries between U.S. forces and those of potential adversaries. What role can military innovation play in enhancing U.</itunes:subtitle></item>
<item>
<feedburner:origLink>https://www.brookings.edu/events/technology-policy-and-the-trump-administration/</feedburner:origLink>
		<title>Technology policy and the Trump administration</title>
		<link>http://webfeeds.brookings.edu/~/236861210/0/brookingsrss/topics/cybersecurity~Technology-policy-and-the-Trump-administration/</link>
		<pubDate>Thu, 01 Dec 2016 19:28:45 +0000</pubDate>
		<dc:creator><![CDATA[]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?post_type=event&#038;p=344648</guid>
		<description><![CDATA[Changes in technology have helped to modernize health care, governance, trade, and environmental protections throughout the twenty-first century. With the election of Donald Trump, there are questions about how the new administration will handle technology policy. What will the new president do to continue the legacy of innovation across all sectors? What can policymakers and [&#8230;]<div style="clear:left"><a href="https://www.brookings.edu/wp-content/uploads/2016/11/rtx1yvai.jpg?w=287" title="View image"><img border="0" style="max-width:100%" src="https://www.brookings.edu/wp-content/uploads/2016/11/rtx1yvai.jpg?w=287"/></a></div>
]]>
</description>
				<content:encoded><![CDATA[<p>Changes in technology have helped to modernize health care, governance, trade, and environmental protections throughout the twenty-first century. With the election of Donald Trump, there are questions about how the new administration will handle technology policy. What will the new president do to continue the legacy of innovation across all sectors? What can policymakers and the general public expect from the administration moving forward?</p>
<p>On December 14, the Center for Technology Innovation at Brookings hosted a conversation about the future of technology policy under the Trump administration. A panel of experts discussed health information technology, telecommunications policy, competition, wireless issues, net neutrality, and cybersecurity.</p>
<div style="clear:left"><a href="https://www.brookings.edu/wp-content/uploads/2016/11/rtx1yvai.jpg?w=287" title="View image"><img border="0" style="max-width:100%" src="https://www.brookings.edu/wp-content/uploads/2016/11/rtx1yvai.jpg?w=287"/></a></div>
]]>
</content:encoded>
		<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/11/rtx1yvai.jpg?w=287" type="image/jpeg" />
<itunes:summary>Changes in technology have helped to modernize health care, governance, trade, and environmental protections throughout the twenty-first century. With the election of Donald Trump, there are questions about how the new administration will handle technology policy. What will the new president do to continue the legacy of innovation across all sectors? What can policymakers and the general public expect from the administration moving forward? 
On December 14, the Center for Technology Innovation at Brookings hosted a conversation about the future of technology policy under the Trump administration. A panel of experts discussed health information technology, telecommunications policy, competition, wireless issues, net neutrality, and cybersecurity. </itunes:summary>
<itunes:subtitle>Changes in technology have helped to modernize health care, governance, trade, and environmental protections throughout the twenty-first century. With the election of Donald Trump, there are questions about how the new administration will handle ... </itunes:subtitle></item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/techtank/2016/11/22/the-future-of-health-information-technology-in-a-trump-presidency/</feedburner:origLink>
		<title>The future of health information technology in a Trump presidency</title>
		<link>http://webfeeds.brookings.edu/~/236346834/0/brookingsrss/topics/cybersecurity~The-future-of-health-information-technology-in-a-Trump-presidency/</link>
		<pubDate>Tue, 22 Nov 2016 12:30:37 +0000</pubDate>
		<dc:creator><![CDATA[Niam Yaraghi]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?p=343612</guid>
		<description><![CDATA[Under Trump’s administration, no other sector will undergo as many fundamental changes as healthcare. President-elect Trump’s healthcare policies have been particularly vague; although he is intent on repealing the Affordable Care Act, we are not certain about his solutions for replacing it, other than the proposal to allow health insurers to compete in multiple states. While [&#8230;]<div style="clear:left"><a href="https://www.brookings.edu/wp-content/uploads/2016/06/doctor_patient003-2.jpg?w=268" title="View image"><img border="0" style="max-width:100%" src="https://www.brookings.edu/wp-content/uploads/2016/06/doctor_patient003-2.jpg?w=268"/></a></div>
]]>
</description>
				<content:encoded><![CDATA[<p>Under Trump’s administration, no other sector will undergo as many fundamental changes as healthcare. President-elect Trump’s healthcare policies have been particularly vague; although he is intent on repealing the Affordable Care Act, we are not certain about his solutions for replacing it, other than the proposal to allow health insurers to compete in multiple states.</p>
<p>While the exact outcomes of such a proposal remain to be carefully analyzed, the idea behind it &#8211; <em>fostering competition and relying on the invisible hand of the free market</em> &#8211; may be a sound solution to our nation’s health information technology challenges. Over the past decade, despite spending billions of dollars, government interference in the health IT market has only resulted in small victories and big failures. Although <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~dashboard.healthit.gov/evaluations/data-briefs/non-federal-acute-care-hospital-ehr-adoption-2008-2015.php" target="_blank">every medical provider is now using an Electronic Health Records (EHR) system</a>, physicians are <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.healthcareitnews.com/news/ehr-use-frustrating-time-suck-physicians-tell-american-medical-association" target="_blank">frustrated with their EHR systems</a>, <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.healthaffairs.org/healthpolicybriefs/brief.php?brief_id=122" target="_blank">exchanging medical data remains a major challenge</a> and <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2016/04/04/hospital-hacks-expose-security-weaknesses/" target="_blank">cyber-security attacks</a> undermine the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2015/02/12/the-anthem-hack-shows-there-is-no-such-thing-as-privacy-in-the-health-care-industry/" target="_blank">privacy of patients</a> more than ever. Many of these challenges could have been addressed in the recently announced rules of Medicare and CHIP Reauthorizations Act (MACRA). 
However, <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~healthaffairs.org/blog/2016/10/12/macra-proposed-rule-creates-more-problems-than-it-solves/" target="_blank">CMS lost this golden opportunity</a> by making a set of extremely complicated rules that ignore both <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2016/10/25/macra-final-rule-hype-or-hope/">medical practice and basic economics</a>.</p>
<p>In the following, I lay out a set of recommendations for fostering interoperability and protecting patient privacy as the two most important challenges in the health IT domain over the next four years.</p>
<h2>Interoperability</h2>
<p>More than a decade ago, <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.presidency.ucsb.edu/ws/?pid=61429" target="_blank">President Bush established</a> the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.healthit.gov/" target="_blank">Office of the National Coordinator for Health IT</a> (ONC) and tasked it with spearheading the efforts to create a nationwide system in which medical data of all Americans are securely stored and privately exchanged between those physicians who need to access such data to provide better medical care at lower cost. Achieving these goals could have resulted in over <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.ncbi.nlm.nih.gov/pubmed/15659453" target="_blank">$78 billion of annual savings</a>. Despite significant support from the Obama administration, we are still <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~healthaffairs.org/blog/2015/03/04/where-is-hitechs-35-billion-dollar-investment-going/" target="_blank">very far from achieving those goals</a>. While the entire US health care system is now <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~dashboard.healthit.gov/evaluations/data-briefs/non-federal-acute-care-hospital-ehr-adoption-2008-2015.php" target="_blank">digitized</a>, most electronic health records (EHR) systems fail to interoperate. That is, they archive medical data electronically but cannot exchange such data with EHRs used by other providers. The situation is akin to a system of disconnected computers that work independently but cannot send and receive data to and from other computers.</p>
<h3><strong>The lack of interoperability is purely an economic problem</strong></h3>
<p>Health information will not be exchanged unless all of the involved parties have a clear financial incentive to do so. The reason that information exchange in the health care system has lagged behind other industries is the fact that <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://oig.hhs.gov/compliance/alerts/guidance/policy-reminder-100615.pdf" target="_blank">anti-kickback laws</a> prevent the healthcare industry from treating information as a commodity and therefore eliminate the incentive to trade information.</p>
<p>Consider the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.modernhealthcare.com/article/20150418/MAGAZINE/304189951" target="_blank">financial industry</a> as an example. Credit card holders can swipe their card at almost any location in the world and exchange a part of their financial information with a vendor. Two parties exchange information as long as they both benefit from doing so. For instance, if the vendor charges extra for credit card payments, some users may prefer to pay in cash rather than exchanging information via their credit cards. More importantly, since banks are legally allowed to charge the vendor and the card holder a service fee, they also have a clear financial incentive for enabling and fostering the exchange of information.</p>
<p>Anti-kickback laws largely limit similar business models in the health care industry. Although <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2015/04/28/your-medical-data-you-dont-own-it-but-you-can-have-it/">ownership of medical data belongs to providers</a>, they are not allowed to charge others for allowing access to such data. This lack of incentives creates an imbalance in the information market. While there is a large demand for medical data, supply is limited because there is no incentive for physicians and hospitals who have these data to provide data to those who need them. More importantly, the intermediaries such as electronic health record vendors have disincentives to remove the technical barriers of exchange simply because they are not paid to do so.</p>
<h3><strong>Data blocking is not the reason for the lack of interoperability </strong></h3>
<p>ONC has <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf" target="_blank">coined the term “data blocking”</a> to describe the technical obstacles that EHR vendors intentionally create to limit information exchange. ONC’s <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://s3.amazonaws.com/public-inspection.federalregister.gov/2016-24908.pdf" target="_blank">solution to data-blocking</a> is to conduct in-the-field surveillance and check <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.federalregister.gov/documents/2016/11/04/2016-25240/medicare-program-merit-based-incentive-payment-system-mips-and-alternative-payment-model-apm#p-247" target="_blank">EHRs at the location of hospitals and physicians’ offices</a> to make sure that they are interoperable and are not limiting data exchange. This solution is impractical, extremely expensive and seriously threatens patients’ privacy.</p>
<p>ONC ignores the fact that exchanging information is not in the best interests of many medical providers. The “inability to exchange” is actually a preferred feature of an EHR system for many providers as it enables providers to keep their patients and prevent them from migrating to other providers. <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.mitpressjournals.org/doi/full/10.1162/AJHE_a_00004#.WC37ZoMrJpg" target="_blank">Recent studies</a> show that in the states where it is easier and cheaper for patients to obtain their medical records, the proportion of patients who switch their primary care physicians and specialists increases by 11% and 13%, respectively. <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2525084" target="_blank">Prior research</a> also identifies competition among medical providers as a barrier to their engagement in exchanging health information and <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.sciencedirect.com/science/article/pii/S2213076414000025" target="_blank">shows</a> that providers who are more competitive, such as for-profit hospitals and those with smaller market shares, are much less likely to exchange health information with others. In many instances where data flows smoothly and providers can access data if they choose to, access to information barely happens. For example, while research shows that looking up patients’ information can significantly lower the number of test orders, clinicians do so in less than <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3168326/" target="_blank">10% of the ED encounters</a>, even when there is no technical barrier to block the data exchange.</p>
<h3><strong>To enable interoperability, anti-kickback laws should be repealed </strong></h3>
<p>To create interoperability and enable data exchange, we should follow the solutions that have been proven to be successful in every other industry. In the current system, providers have very little incentive to receive data and absolutely no incentive to send data. The current safe harbors of anti-kickback laws result in information silos with even thicker walls and lead smaller practices and individual physicians to adopt an EHR system which is subsidized by a larger hospital. Such laws coupled with the ill-designed payment systems have turned medical data into a property that serves the interests of its owners only if kept private and not shared. I have previously discussed how to solve this problem by designing business models that encourage the exchange of information through both <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2016/02/17/you-should-control-your-own-health-care-data/" target="_blank">patient mediated solutions</a> and <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/research/a-sustainable-business-model-for-health-information-exchange-platforms-the-solution-to-interoperability-in-health-care-it/" target="_blank">centralized health information exchange platforms</a>. These market-based proposals would eliminate the most important barriers to interoperability and significantly enhance health information exchange. However, to implement these solutions, the government should allow medical providers to meet the demand for information by charging a fee for supplying it.</p>
<h2><strong>Cyber-security &amp; Privacy</strong></h2>
<p>Privacy breaches are more likely to happen in the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html" target="_blank">health care industry than any other sector.</a> According to the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf" target="_blank">data provided by the Office for Civil Rights</a> (OCR), since late 2009, the medical information of more than 155 million American citizens has been exposed without their permission through about <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2015/02/12/the-anthem-hack-shows-there-is-no-such-thing-as-privacy-in-the-health-care-industry/">1,500 breach incidents</a>. Heavy reliance of US hospitals on EHR systems and their weak cyber-security practices have turned them into lucrative and easy targets for <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2016/04/04/hospital-hacks-expose-security-weaknesses/">ransomware attacks</a> in which hackers lock down the computer systems of hospitals and ask for a ransom to allow hospitals to have access to their own computers.</p>
<p>To prevent these breaches and protect patient privacy, OCR should allow the healthcare industry to <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/blog/techtank/2016/03/08/tear-down-this-health-care-information-breach-wall-of-shame/" target="_blank">learn from its failures</a> and create larger incentives for medical providers and their business associates to protect patient privacy. In the long run, a <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.researchgate.net/profile/Jay_Kesan/publication/228669949_Cyberinsurance_as_a_market-based_solution_to_the_problem_of_cybersecurity_a_case_study/links/00b495248e89c569f9000000.pdf" target="_blank">cyber-insurance market</a> will ensure the privacy of patients by creating incentives for different entities of the healthcare sector to prioritize security practices and privacy policies.  In a previous post, I <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/research/hackers-phishers-and-disappearing-thumb-drives-lessons-learned-from-major-health-care-data-breaches/" target="_blank">discussed the following solutions</a> in detail.</p>
<h3><strong>Increase penalties of data breaches </strong></h3>
<p>Protecting customer privacy is among the most important activities of businesses in every industry, except the health care industry. For most companies, spending on digital security is considered a strategic investment. It is a necessity without which many of the current businesses will immediately vanish. Due to limited competition and the nature of their services, medical providers and their business associates have little financial incentive to safeguard their patients’ privacy. The only major consequences of breaches are the subsequent OCR audits and the possible penalties. It is therefore necessary for OCR to create a strong incentive for the healthcare industry to invest in digital security and protect patient privacy by increasing the penalties of data breaches.</p>
<h3><strong>Allow the healthcare industry to learn from its failures </strong></h3>
<p>After a breach happens, OCR conducts a thorough investigation to identify its causes. Through these audits, OCR also ensures that the victim organization has put corrective and preventive policies in place to avoid future incidents. Although the lessons learned from each breach can prevent other similar incidents, OCR does not share the details of its investigations. OCR should provide detailed reports on how each breach happened, and how other health care organizations can avoid similar occurrences.</p>
<h3><strong>Promote cyber-insurance in the healthcare industry </strong></h3>
<p>In the long run, the cyber-insurance market can fundamentally improve how patient privacy is viewed and managed in the health care sector. To underwrite the privacy risk of health care organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts. Health care organizations will also have a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches.</p>
<div style="clear:left"><a href="https://www.brookings.edu/wp-content/uploads/2016/06/doctor_patient003-2.jpg?w=268" title="View image"><img border="0" style="max-width:100%" src="https://www.brookings.edu/wp-content/uploads/2016/06/doctor_patient003-2.jpg?w=268"/></a></div>
]]>
</content:encoded>
		<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/06/doctor_patient003-2.jpg?w=268" type="image/jpeg" />
<itunes:summary>Under Trump&#x2019;s administration, no other sector will undergo as many fundamental changes as healthcare. President-elect Trump&#x2019;s healthcare policies have been particularly vague; although he is intent on repealing the Affordable Care Act, we are not certain about his solutions for replacing it, other than the proposal to allow health insurers to compete in multiple states.
While the exact outcomes of such a proposal remain to be carefully analyzed, the idea behind it &#x2013; fostering competition and relying on the invisible hand of the free market &#x2013; may be a sound solution to our nation&#x2019;s health information technology challenges. Over the past decade, despite spending billions of dollars, government interference in the health IT market has only resulted in small victories and big failures. Although every medical provider is now using an Electronic Health Records (EHR) system, physicians are frustrated with their EHR systems, exchanging medical data remains a major challenge and cyber-security attacks undermine the privacy of patients more than ever. Many of these challenges could have been addressed in the recently announced rules of Medicare and CHIP Reauthorizations Act (MACRA). However, CMS lost this golden opportunity by making a set of extremely complicated rules that ignore both medical practice and basic economics. 
In the following, I lay out a set of recommendations for fostering interoperability and protecting patient privacy as the two most important challenges in the health IT domain over the next four years. 
Interoperability 
More than a decade ago, President Bush established the Office of the National Coordinator for Health IT (ONC) and tasked it with spearheading the efforts to create a nationwide system in which medical data of all Americans are securely stored and privately exchanged between those physicians who need to access such data to provide better medical care at lower cost. Achieving these goals could have resulted in over $78 billion of annual savings. Despite significant support from the Obama administration, we are still very far from achieving those goals. While the entire US health care system is now digitized, most electronic health records (EHR) systems fail to interoperate. That is, they archive medical data electronically but cannot exchange such data with EHRs used by other providers. The situation is akin to a system of disconnected computers that work independently but cannot send and receive data to and from other computers. 
The lack of interoperability is purely an economic problem 
Health information will not be exchanged unless all of the involved parties have a clear financial incentive to do so. The reason that information exchange in the health care system has lagged behind other industries is the fact that anti-kickback laws prevent the healthcare industry from treating information as a commodity and therefore eliminate the incentive to trade information. 
Consider the financial industry as an example. Credit card holders can swipe their card at almost any location in the world and exchange a part of their financial information with a vendor. Two parties exchange information as long as they both benefit from doing so. For instance, if the vendor charges extra for credit card payments, some users may prefer to pay in cash rather than exchanging information via their credit cards. More importantly, since banks are legally allowed to charge the vendor and the card holder a service fee, they also have a clear financial incentive for enabling and fostering the exchange of information. 
Anti-kickback laws largely limit similar business models in the health care industry. Although ownership of medical data belongs to providers, they are not allowed to charge others for allowing access to such data. This lack of incentives creates an imbalance in the information market. While there is a large demand for medical data, supply is limited ... </itunes:summary>
<itunes:subtitle>Under Trump&#x2019;s administration, no other sector will undergo as many fundamental changes as healthcare. President-elect Trump&#x2019;s healthcare policies have been particularly vague; although he is intent on repealing the Affordable Care Act, we ... </itunes:subtitle></item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/techtank/2016/10/10/how-the-next-president-can-bridge-the-internet-cyber-gap/</feedburner:origLink>
		<title>How the next president can bridge the internet-cyber gap</title>
		<link>http://webfeeds.brookings.edu/~/209584934/0/brookingsrss/topics/cybersecurity~How-the-next-president-can-bridge-the-internetcyber-gap/</link>
		<pubDate>Mon, 10 Oct 2016 11:30:38 +0000</pubDate>
		<dc:creator><![CDATA[Cameron F. Kerry]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?p=336329</guid>
		<description><![CDATA[In a recent paper, I reflect on my experience in the Obama administration and draw lessons about policymaking on issues for that space.  As the General Counsel at the Commerce Department—where I performed the duties of the Deputy Secretary for the majority of the more than four years I was there, and those of the [&#8230;]
]]>
</description>
				<content:encoded><![CDATA[
<p>In a <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/research/bridging-the-internet-cyber-gap-digital-policy-lessons-for-the-next-administration/">recent paper</a>, I reflect on my experience in the Obama administration and draw lessons about policymaking on issues for that space.  As the General Counsel at the Commerce Department—where I performed the duties of the Deputy Secretary for the majority of the more than four years I was there, and those of the acting Secretary for a spell—I found myself drawn into issues like surveillance, norms for state behavior, and security far more than I could have anticipated going in.  These matters have significant effects on other issues that are core to the Commerce Department mission, such as technological innovation, competitiveness and international data flows, and global internet governance.</p>
<p>The paper is entitled “Bridging the Internet-Cyber gap: lessons in digital policy for the next administration.” That’s an allusion to an observation by Danny Weitzner, then Deputy Chief Technology Officer at the White House Office of Science &amp; Technology Policy, at a meeting of economic and security agencies that, “this world is divided into people who call it ‘the Internet’ and those who call it ‘cyber.’”  The former tend to be techno-optimists who focus on the economic and human potential of information and communications technology, whereas the latter focus on the darker side of that technology—threats, exploits, bad actors, and applications to warfare.</p>
<p>We saw that divide in the initial response to the Snowden leaks in 2013. Almost immediately, President Obama sought to assuage concerns about the Section 215 program by saying that “nobody is listening to your phone calls” and stated that PRISM surveillance under Section 702 “does not apply to U.S. citizens and it does not apply to people living in the United States.” These responses were fighting the last war, aimed at distinguishing the Snowden revelations from the decades-earlier revelations about FBI and CIA domestic surveillance that led to the creation of the Foreign Intelligence Surveillance Act in 1978.</p>
<p>The President’s response did not address the impact of the leaks on companies identified in the documents released by Snowden and on international issues from trade to privacy and internet governance. This omission waved a red flag to those outside the United States. The resulting firestorm hastened the demise of the Safe Harbor transatlantic data transfer framework at the hands of the Court of Justice of the European Union and saw allies join less friendly nations in considering data localization and some kind of multinational takeover of internet governance.</p>
<p>Three years later, the landscape is different. The Obama administration has learned a lot from its experience of managing the Snowden disclosures and has taken numerous steps to restore trust and integrate a broader outlook into its policymaking in the digital arena.</p>
<p>We’ve seen reports from the president’s special review board on surveillance as well as the Privacy and Civil Liberties Oversight Board; President Obama’s January 2014 announcement of surveillance reforms and Presidential Policy Directive 28 declaring that foreign citizens outside the U.S. should receive protections for privacy and dignity comparable to those for American citizens; a transformation in transparency about intelligence programs; the enactment of the USA FREEDOM Act and Redress Act, among other things. We’ve also seen the White House expand and empower its technology staff and involve them, and other agencies, in decisionmaking on issues in the traditional national security (or “cyber” as opposed to “internet”) sphere.</p>
<p>Issues surrounding the digital economy and technology have become mainstream. For most of my time in the administration, I was the senior official focusing on international and commercial privacy issues. Now that official is the president.</p>
<p>My paper asks, “What will the Obama administration leave behind? How much will the collective understanding developed over the course of the current administration survive the senior officials who leave? Or will entropy set in?”</p>
<p>Drawing on my observations and experience as well as discussion with participants and stakeholders, I make the following recommendations about how to ensure the next administration learns from these successes and failures:</p>
<ol>
<li><strong>National security policymaking needs to reflect the importance of economic issues in general and the digital economy in particular. </strong>We pay lip service to the relationship of the economy to national security. We need to do more to reflect it. The digital economy is more resilient and faster-growing than the economy as a whole. That will continue, and it will present great opportunities and challenges (think autonomous vehicles, for one example). The health and wellness of the digital economy and the systems and technology that support it are vital U.S.  interests.</li>
<li><strong>The president and other top leaders need to champion an interconnected world.</strong> It took President Obama’s personal engagement to change the trajectory of damage from the Snowden disclosures. It will take advocacy and engagement from the next president and cabinet officers to press these vital interests and promote the benefits of a digital economy and open, interoperable networks around the world.</li>
<li><strong>The organization of the executive branch around digital issues should reflect their scope and significance.</strong> Advocacy and engagement at the top needs to be supported throughout the government, and economic issues integrated with national security:
<ol>
<li><strong>White House decision-making should reflect the breadth of issues involved</strong>. The National Security Act of 1947 gives the president the authority to establish who participates in the National Security Council. The Obama Administration established the position of Deputy National Security Adviser for International Economics, and its directive on NSC operations says this adviser, along with the National Economic Council, the Trade Representative, and the secretaries of Commerce and Treasury shall participate in the NSC when “international economic issues are on the agenda.”  There should be a presumption that these agencies will participate in the NSC and its interagency processes. Executive orders spelling out more of the processes of the NEC, Domestic Policy Council, and National Science &amp; Technology Council and how their work relates to national security and digital issues would help put them more on a par with the NEC.</li>
<li><strong>Every agency needs to be part of the digital agenda. </strong>The Commerce and State Departments have senior advisers on digital issues reporting directly to the secretaries and coordinating across their agencies. Commerce Secretary Penny Pritzker has made the digital economy a top priority. Every agency needs to consider how it will engage in this arena.</li>
</ol>
</li>
<li><strong>Open the architecture of decision-making affecting the digital economy and the ecology of the internet.</strong>  Multi-stakeholder, iterative, and adaptive decision-making works in this space because it is complex and continuously changing. The agencies that have been effective are those that have a great deal of interaction with outside stakeholders—businesses, academics, civil society, and foreign governments.</li>
<li><strong>Personnel is policy</strong>. Structural changes in decisionmaking will work only if the right people are in the right places. Increasingly, an understanding of things like the architecture of the internet, the mechanisms of cybersecurity threats, and the role of information and technology in the future is as necessary as some basic understanding of economics or how a bill is passed. More and more government positions will demand this literacy. The paper includes as an appendix a “Digital Policy Plum Book” identifying positions in the executive branch where this applies, including many where digital fluency is essential to the job.</li>
</ol>
]]>
</content:encoded>
		<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/10/obama_cybersecurity5.png?w=270" type="image/png" />
<itunes:summary> 
In a recent paper, I reflect on my experience in the Obama administration and draw lessons about policymaking on issues for that space.&#xA0; As the General Counsel at the Commerce Department&#x2014;where I performed the duties of the Deputy Secretary for the majority of the more than four years I was there, and those of the acting Secretary for a spell&#x2014;I found myself drawn into issues like surveillance, norms for state behavior, and security far more than I could have anticipated going in.&#xA0; These matters have significant effects on other issues that are core to the Commerce Department mission, such as technological innovation, competitiveness and international data flows, and global internet governance. 
The paper is entitled &#8220;Bridging the Internet-Cyber gap: lessons in digital policy for the next administration.&#8221; That&#x2019;s an allusion to an observation by Danny Weitzner, then Deputy Chief Technology Officer at the White House Office of Science &amp; Technology Policy, at a meeting of economic and security agencies that, &#8220;this world is divided into people who call it &#x2018;the Internet&#x2019; and those who call it &#x2018;cyber.&#x2019;&#8221;&#xA0; The former tend to be techno-optimists who focus on the economic and human potential of information and communications technology, whereas the latter focus on the darker side of that technology&#x2014;threats, exploits, bad actors, and applications to warfare. 
We saw that divide in the initial response to the Snowden leaks in 2013. Almost immediately, President Obama sought to assuage concerns about the Section 215 program by saying that &#8220;nobody is listening to your phone calls&#8221; and stated that PRISM surveillance under Section 702 &#8220;does not apply to U.S. citizens and it does not apply to people living in the United States.&#8221; These responses were fighting the last war, aimed at distinguishing the Snowden revelations from the decades-earlier revelations about FBI and CIA domestic surveillance that led to the creation of the Foreign Intelligence Surveillance Act in 1978.
The President&#x2019;s response did not address the impact of the leaks on companies identified in the documents released by Snowden and on international issues from trade to privacy and internet governance. This omission waved a red flag to those outside the United States. The resulting firestorm hastened the demise of the Safe Harbor transatlantic data transfer framework at the hands of the Court of Justice of the European Union and saw allies join less friendly nations in considering data localization and some kind of multinational takeover of internet governance. 
Three years later, the landscape is different. The Obama administration has learned a lot from its experience of managing the Snowden disclosures and has taken numerous steps to restore trust and integrate a broader outlook into its policymaking in the digital arena. 
We&#x2019;ve seen reports from the president&#x2019;s special review board on surveillance as well as the Privacy and Civil Liberties Oversight Board; President Obama&#x2019;s January 2014 announcement of surveillance reforms and Presidential Policy Directive 28 declaring that foreign citizens outside the U.S. should receive protections for privacy and dignity comparable to those for American citizens; a transformation in transparency about intelligence programs; the enactment of the USA FREEDOM Act and Redress Act, among other things. We&#x2019;ve also seen the White House expand and empower its technology staff and involve them, and other agencies, in decisionmaking on issues in the traditional national security (or &#8220;cyber&#8221; as opposed to &#8220;internet&#8221;) sphere. 
Issues surrounding the digital economy and technology have become mainstream. For most of my time in the administration, I was the senior official focusing on international and commercial privacy issues. Now that official is the ... </itunes:summary>
<itunes:subtitle>In a recent paper, I reflect on my experience in the Obama administration and draw lessons about policymaking on issues for that space.&#xA0; As the General Counsel at the Commerce Department&#x2014;where I performed the duties of the Deputy ... </itunes:subtitle></item>
<item>
<feedburner:origLink>https://www.brookings.edu/research/lawful-hacking-and-the-case-for-a-strategic-approach-to-going-dark/</feedburner:origLink>
		<title>Lawful hacking and the case for a strategic approach to “Going Dark”</title>
		<link>http://webfeeds.brookings.edu/~/208409786/0/brookingsrss/topics/cybersecurity~Lawful-hacking-and-the-case-for-a-strategic-approach-to-%e2%80%9cGoing-Dark%e2%80%9d/</link>
		<pubDate>Fri, 07 Oct 2016 18:13:32 +0000</pubDate>
		<dc:creator><![CDATA[Susan Hennessey]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?post_type=research&#038;p=336145</guid>
		<description><![CDATA[Executive Summary After two years of intense discussion and a series of mutually-bruising legal stand-offs, the U.S. government and Silicon Valley are no closer to resolving the “Going Dark” debate. Going Dark refers to the phenomenon by which government agencies have a legal right to access particular communications but lack the technical ability to do [&#8230;]]]>
</description>
				<content:encoded><![CDATA[<p><a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/series/election-2016-and-americas-future/"><img class="lazyautosizes aligncenter lazyload" src="https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1" sizes="739px" srcset="https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1 768w,https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?fit=600%2C9999px&amp;ssl=1 600w,https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?fit=400%2C9999px&amp;ssl=1 400w,https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?fit=512%2C9999px&amp;ssl=1 512w" alt="Election 2016 and America's Future" width="739" height="335" data-src="https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1" data-srcset="https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1 768w,https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?fit=600%2C9999px&amp;ssl=1 600w,https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?fit=400%2C9999px&amp;ssl=1 400w,https://i0.wp.com/www.brookings.edu/wp-content/uploads/2016/09/americafuture.jpeg?fit=512%2C9999px&amp;ssl=1 512w" /></a></p>
<h2>Executive Summary</h2>
<p>After two years of intense discussion and a series of mutually-bruising legal stand-offs, the U.S. government and Silicon Valley are no closer to resolving the “Going Dark” debate. Going Dark refers to the phenomenon by which government agencies have a legal right to access particular communications but lack the technical ability to do so, often because of the deployment of strong encryption by technology companies. Not only are the various participants unable to find a resolution to the problem, they are unable to agree on the proper analogy for it—or even whether there actually is a problem.</p>
<p>Legislative efforts have failed. Legal battles ended without producing additional clarity. Attempts at voluntary cooperation have gone nowhere. Finding a more productive path is critical to the future public-private cooperation which will be necessary for many unrelated cybersecurity efforts. A new approach is needed.</p>
<p>Here, I argue that the federal government in a new administration should adopt and articulate a pragmatic approach that fully embraces lawful hacking as a possible alternative to legislative mandates. A coordinated interagency position should clearly communicate the trade-offs, stakes, and strategic aims. And recognizing that future legislative efforts may be required, the government should seek to develop empirical data to inform long-term decision making.</p>
<h2><strong>Background</strong></h2>
<p>In 2011, then-FBI General Counsel Valerie Caproni used the term “going dark” to describe “a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications.”<a href="#_edn1" name="_ednref1">[i]</a> That prediction has proved largely accurate. Although some technological developments and trends have assisted law enforcement collection, a variety of pressures place ever more communications content beyond the reach of a warrant. The underlying factors include broader adoption of end-to-end encryption, full disk encryption, and stronger security defaults, but also extend to widely-available anonymization tools, trends toward data localization, and the availability of large-storage removable media devices, among others. In short, the factors underlying the phenomenon are varied and not limited to technological developments alone.</p>
<p>While going dark also impacts intelligence collection, the most pressing concerns arise in the context of law enforcement. In ordinary criminal investigations, end-to-end encrypted messaging, stronger device encryption, and IP anonymization tools present acute challenges.</p>
<p>And the problem’s scale has increased dramatically over the past few years, as a number of major communications providers have taken steps towards offering end-to-end encrypted messaging and sophisticated device encryption broadly and by default.<a href="#_edn2" name="_ednref2">[ii]</a> Anyone not holding the required keys, including the providers themselves, is unable to access communications sent using those platforms or stored on those devices. Unquestionably, these features offer substantial security benefits to consumers. But the effect—whether intentional or unintended—is that even when law enforcement obtains a warrant, the content is inaccessible unless investigators can obtain the keys directly from individuals.</p>
<p>What had been a simmering tension between the government and technology companies boiled over into a heated public debate in February 2016. That month, the Department of Justice sought a court order to compel Apple to assist the government in unlocking an iPhone belonging to San Bernardino terrorist Syed Farook. The precise legal questions centered on whether a court could require Apple to provide a particular form of technical assistance, where it unquestionably retained the capacity to do so. The case resolved itself out of court when a third party demonstrated the ability to unlock the phone at issue and the government withdrew its motion. While the San Bernardino case was actually about what technical assistance a company must provide to the government where it is able, the public debate centered on a distinct, and important, question: should companies be required to ensure the government has access to communications content when required for an investigation?</p>
<blockquote class="pullquote"><p>At issue are the relative risks and merits of requiring “exceptional access” for law enforcement, which is often characterized by opponents as a “backdoor.”</p></blockquote>
<p>Broadly speaking, at issue are the relative risks and merits of requiring “exceptional access” for law enforcement, which is often characterized by opponents as a “backdoor.” Most notably, Senators Dianne Feinstein and Richard Burr advanced draft legislation to require companies to retain the technical capacity to comply with court orders to produce plain text communications.<a href="#_edn3" name="_ednref3">[iii]</a> This legislation would, in effect, prohibit companies from deploying security features that place communications content beyond their own reach. Critics decried the draft as technologically illiterate and dangerous, arguing that it compromised user security overall.</p>
<p>Unsurprisingly, the heated rhetoric allowed little room for facts and common sense. Most of the public engagements consisted of each side assuming away the other side’s concerns, either by insisting that exceptional access does not necessarily compromise information security or by alleging that law enforcement overstates its need to see communications content.</p>
<p>One strain of criticism of “backdoors,” however, recognized law enforcement’s concerns and offered a potential solution: so-called “lawful hacking.”<a href="#_edn4" name="_ednref4">[iv]</a> Instead of creating additional vulnerabilities in an already-fragile security ecosystem in the form of exceptional access, these commentators argued that law enforcement should exploit existing vulnerabilities in software and hardware. In theory, the position offers a workable middle ground by which law enforcement is able to access a sufficient amount of communications and companies are unimpeded in designing secure systems. But in order for lawful hacking to be a meaningful alternative—as opposed to a diversionary tactic to delay government action—a number of questions must be addressed.</p>
<p>The government has employed hacking techniques since long before the Apple v. FBI controversy. And unsurprisingly, it faces opposition to those actions from many of the same groups that oppose exceptional access. Despite some express suggestions posing lawful hacking as an alternative to backdoors, the specific debates over the procedural rules, operational policies, and legal standards central to the feasibility of lawful hacking have proceeded largely in parallel to the conversation regarding going dark.</p>
<p>In reality, the two are deeply related. Congress and the executive branch are accountable to a public that expects the government to discharge law enforcement functions. And despite critics declaring periodic victories or insisting that access to communications content is unnecessary for law enforcement, the going dark problem is not going away. Therefore, if the executive branch is unable to successfully develop lawful hacking tools to address a sufficient amount of the need for government access to communications to meet the expectations of the general public, it becomes dramatically more likely that it will feel compelled to seek comprehensive legislative solutions mandating exceptional access.</p>
<h2><strong>A strategic approach to moving forward</strong></h2>
<figure id="id=&quot;attachment_336188&quot; " class="wp-caption aligncenter size-article-inline"><img class=" lazyautosizes lazyload" src="https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1" sizes="879px" srcset="https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1 768w,https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?fit=600%2C9999px&amp;ssl=1 600w,https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?fit=400%2C9999px&amp;ssl=1 400w,https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?fit=512%2C9999px&amp;ssl=1 512w" alt="FBI Director James Comey Jr. testifies at a Senate Judiciary Committee hearing on Capitol Hill" width="5321" data-src="https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1" data-srcset="https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?w=768&amp;crop=0%2C0px%2C100%2C9999px&amp;ssl=1 768w,https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?fit=600%2C9999px&amp;ssl=1 600w,https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?fit=400%2C9999px&amp;ssl=1 400w,https://i1.wp.com/www.brookings.edu/wp-content/uploads/2016/10/rtx1xxwu.jpg?fit=512%2C9999px&amp;ssl=1 512w" /><figcaption class="wp-caption-text">FBI Director James Comey Jr. testifies at a Senate Judiciary Committee hearing on Capitol Hill in Washington December 9, 2015. The couple who killed 14 people in San Bernardino last week were radicalized before they met online and spoke of jihad and martyrdom to each other as early as late 2013, Comey said on Wednesday. REUTERS/Joshua Roberts &#8211; RTX1XXWU</figcaption></figure>
<p>Thus far, the Federal Bureau of Investigation has been the public face of the government’s engagement in the going dark debate. This has created ambiguity as to whether FBI Director Jim Comey speaks on behalf of the federal government, on behalf of law enforcement, or only for himself. The federal government is not monolithic, after all, and technological developments have uneven effects on the equities of different agencies. Therefore, it is not surprising that there is no consensus view even within government on the best way to address the problem. But the lack of any clear government position gives the impression of internecine battles and masks shared principles.</p>
<p>Stronger leadership is needed in order to clarify the government’s interests and goals. A coordinated interagency position does not require reaching agreement on the ultimate solution. Instead, the White House should coordinate a position that articulates the government’s view regarding the general scope and severity of the impact of going dark on law enforcement specifically.</p>
<p>Some forms of communication will always remain inaccessible, and the proper balance of information security and law enforcement needs will require trade-offs. But the government must be clear that the American people expect law enforcement to prevent, investigate, and prosecute crimes. It would be unacceptable and intolerable for the executive branch to simply accept that police function be significantly impaired, especially in the context of serious offenses. However, where experts agree that the most direct and comprehensive solution—a legislative decryption mandate—would have significant security downsides and potentially wide-ranging unintended consequences, prudence requires investigating potential alternatives.</p>
<p>The executive branch should deliberately set itself to solving as much of going dark as is possible before resorting to costly and controversial legislation, especially since it is clear that a legislative solution is unlikely to become politically feasible any time soon. Under the best outcome, a genuine investment in varied alternative strategies—possibly coupled with technological developments favoring law enforcement equities—would create a stable situation moving forward. But even if it does not, exhausting alternatives is useful in demonstrating the necessity of comprehensive mandates.</p>
<p>Adopting a strategic position of pursuing alternatives also has the benefit of clarifying the opposition. Many companies and advocacy organizations state that they support law enforcement action and believe crimes should be fully investigated; their objection is only to making imprudent security sacrifices to that end. This strategy would present a good-faith attempt to reconcile those views by pursuing “least bad” alternatives. But those who oppose not only performance standard legislation, but also all feasible alternatives, in effect endorse a view that it is tolerable for law enforcement to be unable to detect, prevent, investigate, or prosecute certain offenses.</p>
<h2><strong>A national strategy on lawful hacking</strong></h2>
<p>Lawful hacking is a necessary, though possibly not sufficient, element of a workable solution without mandated exceptional access. Therefore, lawful hacking should be viewed as the central element of a comprehensive alternative strategy, which includes investments in using metadata and the emerging Internet of Things to offset the losses to communication content that make up the going dark problem.<a href="#_edn5" name="_ednref5">[v]</a></p>
<p>The ultimate utility of lawful hacking will depend as much on legal developments as technological ones. This series of complex and interrelated legal questions is central to the future of law enforcement and U.S. national security. Those questions should not be answered haphazardly or based on the expedient incentives of individual criminal cases, and instead must be given adequate thought.</p>
<p>To achieve this, the administration should direct the Department of Justice to develop a national strategy on lawful hacking. Below are recommendations for elements of an effective national strategy.</p>
<ol start="1">
<li>
<h3><strong>Coordinate lawful hacking investigations and prosecutions.</strong></h3>
</li>
</ol>
<ul>
<li>Categories of cases related to lawful hacking should be coordinated by Main Justice, including those involving the use of sensitive government tools, novel network investigative techniques, or where a single warrant is expected to result in prosecutions in numerous but unidentified jurisdictions. Coordination ensures consistent representation of the government’s position on the legal questions central to the success of this alternative strategy.</li>
<li>The Department’s litigation strategy should focus on obtaining the clearest possible answers, and not fear establishing unfavorable precedents. Here, the resolution of legal questions may be more important than the answers themselves. For example, one controversy currently being litigated is whether a defendant is entitled to review sensitive computer code related to law enforcement techniques. Hacking tools are necessarily perishable, but an obligation to disclose in court would dramatically reduce their useful lifespan. While some proponents advocate for law enforcement to temporarily exploit and then quickly disclose a vulnerability for patching, this is infeasible in practice and would significantly limit the efficacy of lawful hacking as a broader solution. The sooner the executive knows whether such code must be disclosed, the sooner it can strategically invest resources in further pursuing the strategy or instead seeking legislation in Congress.</li>
</ul>
<ol start="2">
<li>
<h3><strong>Support a technologically-informed judiciary.</strong></h3>
</li>
</ol>
<ul>
<li>The executive branch should call on the Federal Judicial Center to develop a reference manual on computer science aimed at empowering the federal judiciary to independently evaluate the relevance and materiality of evidence involving computer code and information technology systems. The executive branch has a significant interest in ensuring correct, technologically informed judicial decisions related to lawful hacking and should provide technical support and expertise to aid the development of such a guide.</li>
<li>The executive branch should, to the extent possible, support the designation of independent court-appointed experts. Pursuant to federal evidence rules, courts are entitled to appoint experts of their choosing.<a href="#_edn6" name="_ednref6">[vi]</a> In the context of lawful hacking investigations, this would be valuable to assist judges in determining the relative credibility of defense and prosecution expert testimony. And where tools related to lawful hacking contain classified or highly-sensitive information, the government should seek to designate specially-cleared, impartial experts. This is a limited solution, but similar strategies have been successful mechanisms for independent assessment of highly-sensitive materials in the context of the Foreign Intelligence Surveillance Court.<a href="#_edn7" name="_ednref7">[vii]</a></li>
</ul>
<ol start="3">
<li>
<h3><strong>Develop Ethical Use Guidelines for federal investigatory agencies</strong></h3>
</li>
</ol>
<ul>
<li>Policy guidelines should specify the circumstances in which the use of lawful hacking is permitted. Broadly, policies should ensure that hacking techniques are deployed only after less intrusive means have been exhausted, as is required when wiretapping.</li>
<li>Policy should also set guidelines, similar to those for undercover operations, governing lawful hacking that temporarily facilitates criminal activity. Standards should be set to balance probable harms and benefits and to ensure criminal activity is only facilitated where strictly necessary to prevent ongoing harm.</li>
</ul>
<ol start="4">
<li>
<h3><strong>Invest resources in investigating the most serious offenses.</strong></h3>
</li>
</ol>
<ul>
<li>Lawful hacking is resource intensive, both to develop or purchase the necessary tools and to properly coordinate investigations. Consequently, executive policy should invest these limited resources in investigations of the most serious offenses—violent crime, sexual offenses against children, large-scale narcotics trafficking, and terrorism. Limiting lawful hacking to serious cases ensures appropriate allocation of research and development resources, better protects tools, and facilitates coordinated prosecution strategies.</li>
</ul>
<ol start="5">
<li>
<h3><strong>Embrace Mass Hacking</strong></h3>
</li>
</ol>
<ul>
<li>Lawful hacking often, though not always, constitutes a search under the Fourth Amendment and thus requires law enforcement to obtain a search warrant. Opponents of lawful hacking warn of the government’s ability to target thousands of computers pursuant to a single warrant, calling it “mass hacking.”<a href="#_edn8" name="_ednref8">[viii]</a> But the government should embrace mass hacking as a paradigm shift necessary for investigations to respond to going dark, and the Justice Department should clearly articulate how warrants for such operations can satisfy all constitutional requirements. Individuals who use computers to facilitate the most serious offenses, particularly those related to child sexual exploitation, avail themselves of the most sophisticated available technologies to hide their identities and crimes. Because of better tools and stronger defaults, those offenders make fewer mistakes, which limits available opportunities for law enforcement intervention. When opportunities to uncover serious crimes and rescue victims present themselves—and warrants can be obtained—law enforcement should be encouraged to unmask as many offenders as possible.</li>
</ul>
<ol start="6">
<li>
<h3><strong>Demand security in exchange for disclosure.</strong></h3>
</li>
</ol>
<ul>
<li>The government should clearly articulate the vulnerabilities equities process applicable to law enforcement hacking tools that rely on undisclosed flaws in commercial software. The public should have a clear understanding as to the considerations and safeguards in developing such tools and be confident that the balance between disclosure and use maximizes overall security benefits.<a href="#_edn9" name="_ednref9">[ix]</a></li>
<li>The government should mandate that technology companies that are notified of a vulnerability pursuant to the equities process either patch the flaw within a reasonable time period or provide periodic updates detailing the reason for their failure to protect consumers. This policy maximizes security benefits. The reason to disclose a vulnerability is so that it can be patched to eliminate the threat that bad actors will discover and exploit it, but disclosure represents some degree of loss to the security interests served by government use. Typically, that loss is more than offset by the ubiquitous information security gains of patching, but we should avoid the net harm that results when a vulnerability is disclosed and no patch is deployed.</li>
</ul>
<ol start="7">
<li>
<h3><strong>Develop empirical data to inform long-term decision making.</strong></h3>
</li>
</ol>
<ul>
<li>The government should seek to develop data regarding the precise scope of going dark and the impact on law enforcement. This includes tracking instances in which law enforcement was unable to effectuate a court order to view communications content and the disposition of cases where such content could not be obtained.</li>
<li>The government should also support empirical research regarding the probable consequences of legislative options and lawful hacking methods. For example, while software updates might provide an existing mechanism to push, in effect, malicious updates to the target of a warrant, experts fear this could result in fewer individuals updating software and create widespread insecurity. Where probable behavioral responses are measurable propositions, the government should seek evidence to inform policy that promotes cybersecurity benefits—by avoiding more drastic and potentially harmful solutions—and minimizes harm. Similarly, research is needed into the genuine consequences of law enforcement retaining vulnerabilities, which is the most controversial element of lawful hacking.</li>
</ul>
<h2>Conclusion</h2>
<p>Going dark presents fundamental tradeoffs. Maximally secure information technology systems mean paying some real costs in terms of how effective law enforcement can be. Conversely, maximally efficient law enforcement may require some genuine compromise to our information system security. Ultimately, that choice will have to be made either all at once, in the form of comprehensive legislation, or continually over time as we refine the balance through “good enough” alternatives.</p>
<p>Standing still, however, is not an option. The continued evolution of technologies alters the available options over time—solutions that are available today may not be in the near future. The choices here are neither easy nor obvious, but it is not yet necessary to determine the ultimate conclusion.</p>
<p>A strategic, solution-minded policy facilitates law enforcement function and allows for the development of much-needed evidence to inform law and policy choices. What is required now is pragmatic and clear leadership. The stakes are too high to wait.</p>
<hr />
<p><a href="#_ednref1" name="_edn1">[i]</a> Valerie Caproni, Statement Before the House Judiciary Committee, February 17, 2011.
<br>
<a href="#_ednref2" name="_edn2">[ii]</a> Report of The Manhattan District Attorney’s Office on Smartphone Encryption and Public Safety, November 2015, p. 2-6.
<br>
<a href="#_ednref3" name="_edn3">[iii]</a> Compliance with Court Orders Act, 114<sup>th</sup> Congress (2016).
<br>
<a href="#_ednref4" name="_edn4">[iv]</a> Steven Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern Journal of Technology and Intellectual Property, Vol 12, Issue 1 (2014).
<br>
<a href="#_ednref5" name="_edn5">[v]</a> Matthew Olsen et al., Don’t Panic: Making Progress on the “Going Dark” Debate, Berkman Center for Internet &amp; Society at Harvard University (2016).
<br>
<a href="#_ednref6" name="_edn6">[vi]</a> Federal Rule of Evidence 706(a).
<br>
<a href="#_ednref7" name="_edn7">[vii]</a> 50 U.S.C. § 1803(i)(1).
<br>
<a href="#_ednref8" name="_edn8">[viii]</a> Ron Wyden, (2016) Wyden Calls For A Vote on SMH Act to Stop Massive Expansion of Government Hacking Into Americans’ Personal Devices [Press release].
<br>
<a href="#_ednref9" name="_edn9">[ix]</a> Ari Schwartz &amp; Rob Knake, Government’s Role in Vulnerability Disclosure, Belfer Center for Science and International Affairs, Harvard Kennedy School, p. 12-14.</p>
]]>
</content:encoded>
		<enclosure url="http://webfeeds.brookings.edu/-/236347674/0/brookingsrss/topics/cybersecurity.jpg" type="image/jpeg" />
<feedburner:origEnclosureLink>https://www.brookings.edu/wp-content/uploads/2016/10/rtsc2xr.jpg?w=270</feedburner:origEnclosureLink>
<itunes:summary>** Executive Summary 
After two years of intense discussion and a series of mutually-bruising legal stand-offs, the U.S. government and Silicon Valley are no closer to resolving the &#8220;Going Dark&#8221; debate. Going Dark refers to the phenomenon by which government agencies have a legal right to access particular communications but lack the technical ability to do so, often because of the deployment of strong encryption by technology companies. Not only are the various participants unable to find a resolution to the problem, they are unable to agree on the proper analogy for it&#x2014;or even whether there actually is a problem. 
Legislative efforts have failed. Legal battles ended without producing additional clarity. Attempts at voluntary cooperation have gone nowhere. Finding a more productive path is critical to the future public-private cooperation which will be necessary for many unrelated cybersecurity efforts. A new approach is needed. 
Here, I argue that the federal government in a new administration should adopt and articulate a pragmatic approach that fully embraces lawful hacking as a possible alternative to legislative mandates. A coordinated interagency position should clearly communicate the trade-offs, stakes, and strategic aims. And recognizing that future legislative efforts may be required, the government should seek to develop empirical data to inform long-term decision making. 
Background 
In 2011, then-FBI General Counsel Valerie Caproni used the term &#8220;going dark&#8221; to describe &#8220;a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications.&#8221;[i] That prediction has proved largely accurate. Although some technological developments and trends have assisted law enforcement collection, a variety of pressures place ever more communications content beyond the reach of a warrant. The underlying factors include broader adoption of end-to-end encryption, full disk encryption, and stronger security defaults, but also extend to widely-available anonymization tools, trends toward data localization, and the availability of large-storage removable media devices, among others. In short, the factors underlying the phenomenon are varied and not limited to technological developments alone. 
While going dark also impacts intelligence collection, the most pressing concerns arise in the context of law enforcement. In ordinary criminal investigations, end-to-end encrypted messaging, stronger device encryption, and IP anonymization tools present acute challenges. 
And the problem&#x2019;s scale has increased dramatically over the past few years, as a number of major communications providers have taken steps towards offering end-to-end encrypted messaging and sophisticated device encryption broadly and by default.[ii] Anyone not holding the required keys, including the providers themselves, is unable to access communications sent using those platforms or stored on those devices. Unquestionably, these features offer substantial security benefits to consumers. But the effect&#x2014;whether intentional or unintended&#x2014;is that even when law enforcement obtains a warrant, the content is inaccessible unless investigators can obtain the keys directly from individuals. 
What had been a simmering tension between the government and technology companies boiled over into a heated public debate in February 2016. That month, the Department of Justice sought a court order to compel Apple to assist the government in unlocking an iPhone belonging to San Bernardino terrorist Sayed Farook. The precise legal questions centered on whether a court could require Apple to provide a particular form of technical assistance, where it unquestionably retained the capacity to do so. The case resolved itself out of court when a third party demonstrated the ability to unlock the phone at issue ... </itunes:summary>
<itunes:subtitle>** Executive Summary 
After two years of intense discussion and a series of mutually-bruising legal stand-offs, the U.S. government and Silicon Valley are no closer to resolving the &#8220;Going Dark&#8221; debate. Going Dark refers to the ... </itunes:subtitle></item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/techtank/2016/09/14/cyber-grand-challenge-contrasts-todays-cybersecurity-risks/</feedburner:origLink>
		<title>Cyber Grand Challenge contrasts today’s cybersecurity risks</title>
		<link>http://webfeeds.brookings.edu/~/196764212/0/brookingsrss/topics/cybersecurity~Cyber-Grand-Challenge-contrasts-today%e2%80%99s-cybersecurity-risks/</link>
		<pubDate>Wed, 14 Sep 2016 12:08:50 +0000</pubDate>
		<dc:creator><![CDATA[Richard Bejtlich]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?p=331258</guid>
		<description><![CDATA[Cade Metz’s article for Wired titled “Hackers Don’t Have to Be Human Anymore. This Bot Battle Proves It” described a curious event that took place in Las Vegas on August 4, 2016. The first Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge witnessed seven teams compete for cyber security supremacy. Unlike traditional hacking contests, [&#8230;]
]]>
</description>
				<content:encoded><![CDATA[<p>Cade Metz’s <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.wired.com/2016/08/security-bots-show-hacking-isnt-just-humans/" target="_blank">article for Wired</a> titled “Hackers Don’t Have to Be Human Anymore. This Bot Battle Proves It” described a curious event that took place in Las Vegas on August 4, 2016. The first Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge witnessed seven teams compete for cyber security supremacy. Unlike traditional hacking contests, however, the participants engaging in digital combat were autonomous programs running on super computers, and the targets were the other digital participants. In other words, this was not a human versus human contest, but a “bot” (short for “robot”) versus bot competition. <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.cybergrandchallenge.com/" target="_blank">According to DARPA</a>, “[f]or nearly twelve hours teams were scored based on how capably their systems protected hosts, scanned the network for vulnerabilities and maintained the correct function of software.” This was clearly an innovative and creative event, which was ultimately won by “Mayhem,” software created by a startup called ForAllSecure. Just how relevant is it to the challenges facing organizations, governments, and individuals in cyberspace?</p>
<h2><strong>Opportunity and a threat</strong></h2>
<p>From the perspective of attackers, the Challenge is an opportunity and a threat. As an opportunity, the contest demonstrates that software can be programmed to identify and exploit previously unknown vulnerabilities in previously unseen code bases. This is a force multiplier for offensive security teams, although it is not an unprecedented development. For years offensive security teams have relied upon a variety of automated tools to hunt for code flaws. Code from the Challenge may accelerate the bug hunting process.</p>
<p>As a threat, some might wonder if automated code could put some offensive security personnel out of business. Could a high-priced “red team,” paid to simulate potential adversaries, be replaced by a cheaper bot? In the short-to-medium term, this seems unlikely. There is much more to security research and professional consulting engagements than grinding away to identify and exploit vulnerabilities. A human touch will remain a key component, if only for liability reasons, for the foreseeable future.</p>
<h2><strong>Problems are seldom technological</strong></h2>
<p>From the perspective of defenders, the Challenge is less helpful. At first glance it would seem that the bots’ capability to identify and patch vulnerabilities would be a benefit to defensive security teams. While rapid patching is a key element of proper defense, the problem facing enterprise security staffs is seldom technological. The problems are complex and sometimes interrelated. First, software vendors may be slow to provide patches, and they seldom allow customers to alter or even access code, as might be the case with open source alternatives. Therefore, a security bot that finds a vulnerability will not have the ability to fix it until the vendor codes and publishes a patch. Discovering a vulnerability may prompt the security team to implement their own work-arounds, such as limiting access via network-based controls, but that process can be cumbersome or ultimately ineffective.</p>
<p>Second, security teams are creatures of the business or organization hosting them. They are not free to act on their security programs independently. On occasion they may be able to rush the deployment of a security countermeasure or software patch when it presents sufficient risk or it has received extreme media attention. More often, the security team must wait to apply patches or configuration changes, and weekly or even monthly change windows are standard.</p>
<p>Third, security teams are usually not allowed to have free rein on their business or organization networks. They must gingerly step around potential landmines, where disruption to a fragile but important server or application could cause millions in lost revenue. To this day there remain networks where it is forbidden to run standard network mapping or scanning tools for fear they will “knock over” that server in the closet that does something important, though no one is quite sure what. Unfortunately, the world beyond corporate enterprise computing is even worse, with so-called Internet of Things and Industrial Control Systems networks running code that dates to the 1990s and earlier.</p>
<h2><strong>A hodge-podge of equipment and code</strong></h2>
<p>The DARPA Cyber Grand Challenge, then, could be viewed as the technology demonstration project that it was, and not necessarily a model for future security paradigms. The biggest problems in real-life networks are based upon the fact that they are a hodge-podge of legacy equipment running an assortment of mix-and-match code, administered by staff struggling to perform basic functions like inventory management and so-called “cyber hygiene.” The high-tech world of “bot-on-bot” combat will remain largely separate, although elements of that world have already been present in cyberspace for decades. Anyone remembering the outbreaks of so-called network “worms” in the 1990s and early 2000s may wonder about the fuss over the DARPA Cyber Grand Challenge. However, it is worth congratulating the seven participating teams for pushing the limits of automation to show how creative programming can interact in offensive and defensive ways in artificial environments.</p>
]]>
</content:encoded>
		<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/06/supercomputer_european_union.jpg?w=320" type="image/jpeg" />
<itunes:summary>Cade Metz&#x2019;s article for Wired titled &#8220;Hackers Don&#x2019;t Have to Be Human Anymore. This Bot Battle Proves It&#8221; described a curious event that took place in Las Vegas on August 4, 2016. The first Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge witnessed seven teams compete for cyber security supremacy. Unlike traditional hacking contests, however, the participants engaging in digital combat were autonomous programs running on super computers, and the targets were the other digital participants. In other words, this was not a human versus human contest, but a &#8220;bot&#8221; (short for &#8220;robot&#8221;) versus bot competition. According to DARPA, &#8220;[f]or nearly twelve hours teams were scored based on how capably their systems protected hosts, scanned the network for vulnerabilities and maintained the correct function of software.&#8221; This was clearly an innovative and creative event, which was ultimately won by &#8220;Mayhem,&#8221; software created by a startup called ForAllSecure. Just how relevant is it to the challenges facing organizations, governments, and individuals in cyberspace? 
Opportunity and a threat 
From the perspective of attackers, the Challenge is an opportunity and a threat. As an opportunity, the contest demonstrates that software can be programmed to identify and exploit previously unknown vulnerabilities in previously unseen code bases. This is a force multiplier for offensive security teams, although it is not an unprecedented development. For years offensive security teams have relied upon a variety of automated tools to hunt for code flaws. Code from the Challenge may accelerate the bug hunting process. 
As a threat, some might wonder if automated code could put some offensive security personnel out of business. Could a high-priced &#8220;red team,&#8221; paid to simulate potential adversaries, be replaced by a cheaper bot? In the short-to-medium term, this seems unlikely. There is much more to security research and professional consulting engagements than grinding away to identify and exploit vulnerabilities. A human touch will remain a key component, if only for liability reasons, for the foreseeable future.
Problems are seldom technological 
From the perspective of defenders, the Challenge is less helpful. At first glance it would seem that the bots&#x2019; capability to identify and patch vulnerabilities would be a benefit to defensive security teams. While rapid patching is a key element of proper defense, the problem facing enterprise security staffs is seldom technological. The problems are complex and sometimes interrelated. First, software vendors may be slow to provide patches, and they seldom allow customers to alter or even access code, as might be the case with open source alternatives. Therefore, a security bot that finds a vulnerability will not have the ability to fix it until the vendor codes and publishes a patch. Discovering a vulnerability may prompt the security team to implement their own work-arounds, such as limiting access via network-based controls, but that process can be cumbersome or ultimately ineffective. 
Second, security teams are creatures of the business or organization hosting them. They are not free to act on their security programs independently. On occasion they may be able to rush the deployment of a security countermeasure or software patch when it presents sufficient risk or it has received extreme media attention. More often, the security team must wait to apply patches or configuration changes, and weekly or even monthly change windows are standard. 
Third, security teams are usually not allowed to have free rein on their business or organization networks. They must gingerly step around potential landmines, where disruption to a fragile but important server or ... </itunes:summary>
<itunes:subtitle>Cade Metz&#x2019;s article for Wired titled &#8220;Hackers Don&#x2019;t Have to Be Human Anymore. This Bot Battle Proves It&#8221; described a curious event that took place in Las Vegas on August 4, 2016. The first Defense Advanced Research Projects ... </itunes:subtitle></item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/techtank/2016/08/16/to-mitigate-medical-hacks-identify-incentives-for-hackers/</feedburner:origLink>
		<title>To mitigate medical hacks, identify incentives for hackers</title>
		<link>http://webfeeds.brookings.edu/~/181021674/0/brookingsrss/topics/cybersecurity~To-mitigate-medical-hacks-identify-incentives-for-hackers/</link>
		<pubDate>Tue, 16 Aug 2016 11:30:36 +0000</pubDate>
		<dc:creator><![CDATA[Niam Yaraghi]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?p=327177</guid>
		<description><![CDATA[Privacy breaches are ubiquitous in the health care industry. Over the last six years, medical data of more than 155 million Americans have been potentially exposed through nearly 1,500 breach incidents. While there are notable ongoing efforts among health care organizations to prevent these incidents, the strategies to mitigate the consequences of privacy breaches after they happen [&#8230;]
]]>
</description>
				<content:encoded><![CDATA[<p>Privacy breaches are ubiquitous in the health care industry. Over the last six years, medical data of more than 155 million Americans have been potentially exposed through nearly 1,500 breach <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf" target="_blank">incidents</a>. While there are notable <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.brookings.edu/research/hackers-phishers-and-disappearing-thumb-drives-lessons-learned-from-major-health-care-data-breaches/" target="_blank">ongoing efforts</a> among health care organizations to prevent these incidents, the strategies to mitigate the consequences of privacy breaches after they happen are entirely neglected.</p>
<p>A privacy breach is a risk that has two components: probability and consequence. To effectively mitigate the risk, both of the components should be curbed. That is, we should not only try to prevent the privacy breaches, but also should have a plan to mitigate the negative consequences of such breaches in case they happen.</p>
<p>Unlike health care organizations, the banking sector has mastered the art of mitigating the consequences of privacy breaches. Immediately after the breach of credit card data, all affected consumers are notified, their old credit cards are frozen and new ones are issued. The process is so quick and efficient that consumers often face considerably less harm from a credit card data breach, especially because many credit card issuers now provide fraud liability coverage to their consumers and insure them against fraudulent charges.</p>
<p>On the other hand, the response of health care organizations to a data breach only consists of panic, mandatory reporting, and in some cases, provision of identity theft protection. Despite the fact that medical data breaches can be disastrous for patients, health care organizations have no viable strategy or technology to effectively reduce the negative consequences of data breaches.</p>
<p>To mitigate the consequences of privacy incidents, we should first know exactly how the breached data could be misused by hackers or unauthorized users; to block a road, one should first know where the road is located. Banks can often prevent hackers from using stolen credit card information simply because they are better versed in how hackers monetize that data, and thus have designed strategies to combat it. Despite the public concerns over health care privacy breaches, we do not know exactly why hackers are interested in stealing medical data or how exactly they monetize it.</p>
<p>In many cases, hackers aren&#8217;t really after health care data; they want patients&#8217; credit card information, which due to poor information technology practices, is stored on the same network as many patients&#8217; health records. Hacking the financial part of the data also opens the door to medical data.</p>
<p>In other cases, hackers want the medical data of one or a few individuals. As soon as a celebrity is admitted to a hospital, the hacking attacks on the specific hospital skyrocket. Many people are interested in such data and are willing to pay top dollar for it, which creates a strong financial incentive for hackers to try to steal the celebrity&#8217;s medical records.</p>
<p>While it is very easy to follow the money and figure out why hackers may be interested in getting their hands on the medical records of a celebrity or other specific individuals to commit insurance fraud, it is very difficult to imagine how a criminal organization may be able to monetize the medical data of, say, <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.dailydot.com/layer8/655000-patient-records-dark-net/" target="_blank">655,000 Americans</a>. There is still a great deal of confusion about the value of stolen medical data on the black market: the reported value of a single stolen record ranges from under <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.dailydot.com/layer8/655000-patient-records-dark-net/" target="_blank">$1</a> to almost <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data" target="_blank">$500</a>.</p>
<p>The first step to overcome this limitation and better protect patients&#8217; privacy is to identify the incentives behind hacking attacks and classify all the possible ways through which the stolen medical data could be misused. Independent research institutes are uniquely situated to solicit the experiences of patients who have been the victim of medical data breaches and uncover the different ways through which hackers monetized the stolen data. The expertise and experience of law enforcement agencies such as the FBI&#8217;s cybercrime division or the Health and Human Services&#8217; inspector general can also shed considerable light on other ways through which criminal organizations use stolen medical data to commit fraud.</p>
<p>We still have much to learn about why hackers go after medical data and how they monetize it. These government agencies could help us do just that.</p>
]]>
</content:encoded>
		<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/06/medical_data.jpg?w=270" type="image/jpeg" />
</item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/order-from-chaos/2016/08/03/3-reasons-russias-vladimir-putin-might-want-to-interfere-in-the-u-s-presidential-elections/</feedburner:origLink>
		<title>3 reasons Russia’s Vladimir Putin might want to interfere in the U.S. presidential elections</title>
		<link>http://webfeeds.brookings.edu/~/181021602/0/brookingsrss/topics/cybersecurity~reasons-Russia%e2%80%99s-Vladimir-Putin-might-want-to-interfere-in-the-US-presidential-elections/</link>
		<pubDate>Wed, 03 Aug 2016 13:00:26 +0000</pubDate>
		<dc:creator><![CDATA[Fiona Hill]]></dc:creator>
		
		<guid isPermaLink="false">https://www.brookings.edu/?p=250906</guid>
		<description><![CDATA[The Clinton campaign, among others, has accused Vladimir Putin of encouraging Russian intelligence to hack the Democratic National Committee (DNC) files and hand over thousands of emails to WikiLeaks as part of a broader scheme to get Donald Trump elected president. But why would Putin even want to influence the U.S. presidential election? There are several [&#8230;]
]]>
</description>
				<content:encoded><![CDATA[<p>The Clinton campaign, <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.nytimes.com/2016/07/27/us/politics/spy-agency-consensus-grows-that-russia-hacked-dnc.html" target="_blank">among others</a>, has accused Vladimir Putin of encouraging Russian intelligence to hack the Democratic National Committee (DNC) files and hand over thousands of emails to WikiLeaks as part of a broader scheme to get Donald Trump elected president.</p>
<p>But why would Putin even want to influence the U.S. presidential election? There are several reasons Russia might want to stir up trouble in an already contentious campaign. Russian views of the United States are at a low point; Putin believes the U.S. plays its own nefarious games in Russian politics; and Moscow would like to undermine U.S. international credibility by highlighting the deficiencies in American party politics.</p>
<h2><strong>Putin thinks the U.S. already did it to him first</strong></h2>
<p>As far as Putin and his inner circle are concerned, it was the United States that moved first to meddle in Russian politics when Putin decided to return for a third term. In 2011-’12, Russian demonstrators took to the streets to protest electoral violations in the parliamentary elections and the lack of alternative candidates to Putin in the presidential election. Putin and his inner circle believed the U.S. was to blame. Putin even asserted that then-Secretary of State Hillary Clinton had either incited or directly financed the demonstrations.</p>
<p>In Putin’s mindset, the West always tries to bring Russia down. Next year will be the 100th anniversary of the Russian Revolution, and this year marks the 25th anniversary of the dissolution of the Soviet Union. In the Russian worldview, first Germany in World War I and then the United States in the Cold War took advantage of domestic divisions and vulnerabilities and the Russian state collapsed twice in one century.</p>
<p>So one of Putin’s primary objectives is to force Western leaders to back off in order to make sure this doesn’t happen again. Putin wants the United States and other Western governments to stop funding, as part of their foreign policies, organizations that promote political and economic transformations in Russia. He also wants to block U.S. officials from meeting with opposition figures and parties. From Putin’s perspective, democracy promotion is just a cover for regime change.</p>
<h2><strong>Putin thinks and acts like a KGB operative</strong></h2>
<p>Before he was the leader of Russia, <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.brookings.edu/research/reports2/2015/01/mr-putin" target="_blank">Vladimir Putin was an officer in the KGB</a>, the Soviet-era secret intelligence service, and that experience continues to shape his views and actions. Putin approaches his dealings with the United States with the logic of a covert operative, steeped in plots and conspiracies. He also uses an intelligence operative’s tools. He’s prepared to fight dirty, and he relies on the element of tactical surprise to ensure maximum effect.</p>
<p>Putin has two features that distinguish him from other world leaders. As he puts it, he knows how to “work with people” and “work with information.” In the KGB, Putin learned how to probe people’s vulnerabilities, uncover their secrets, and use compromising information against them. In other words, blackmail and intimidation are part of his stock in trade.</p>
<p>In his view, other world leaders are essentially “targets.” He gathers information and carefully tailors his approach to each leader to see how he can outmaneuver them. In one infamous and blatant episode, Putin played on German Chancellor Angela Merkel’s fear of dogs to put her on edge during a one-on-one meeting at his dacha. He allowed his black Labrador to sniff around and lie at her feet. On numerous other occasions, Putin has signaled to visiting Western officials that he knows personal information from “their” old KGB files.</p>
<p>Putin also knows how to <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.amazon.com/Nothing-True-Everything-Possible-Surreal/dp/1610394550" target="_blank">play the media</a>. Russia already has a long tradition of propaganda and information warfare, but Putin is a master manipulator. <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.tandfonline.com/doi/abs/10.1080/10758216.2001.11655947?journalCode=mppc20" target="_blank">Early in his presidency</a>, he described the press as an instrument that he would deploy in the service of the state. The Kremlin has trained its own bloggers to create content on the internet. It has hired public relations firms to improve its media strategy. Kremlin-sponsored focus groups have helped hone messaging. As lies are part of the coin of the intelligence operative and facts are fungible, there have been few constraints on creative content.</p>
<p>The Russian media machine functions as a huge psychological operation, a kind of massive pro-Putin Super PAC. At home, it rallies the Russian public around the flag by publicizing the damage Russia’s enemies are trying to inflict. Abroad, it focuses on scandals that underscore the hubris, hypocrisy, and failings of Western political systems.</p>
<p>The DNC files may not have been given to WikiLeaks by Russian intelligence, but the selective release of email caches, at a juncture when they are likely to gain the greatest international media attention and have the most negative political impact in the United States, does have the hallmarks of a carefully considered operation. For Vladimir Putin, who sees himself as locked in a struggle for influence with the United States, this would all be fair game.</p>
<h2><strong>Putin wants a weakened U.S. presidency</strong></h2>
<p>There is much speculation that Putin may see Donald Trump as someone he can do business with, and that he has a grudge against Hillary Clinton. Trump’s praise of Putin as a “strong leader” is a notable break with the general trend of U.S. politicians and opinion leaders castigating Putin and criticizing Russia, and Putin has made seemingly complimentary comments about Trump in return.</p>
<p>In contrast, in public and private, Putin and other Russian officials have made it clear that they have a negative opinion of Clinton. In <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~en.kremlin.ru/events/president/news/45832" target="_blank">a 2014 interview with French television</a>, for example, Putin lambasted Clinton for remarks she had made about him, noting that it was “better not to argue with women” and that Clinton was never “too graceful in her statements.”</p>
<p>Whatever his personal preferences, though, Putin cannot reasonably expect to influence the outcome of the U.S. presidential election. The best he can hope for is to reduce the ability of whoever comes into the Oval Office to pursue policies that are detrimental to Putin’s and Russia’s interests.</p>
<p>Right now, Putin wants the U.S. to remove sanctions imposed on Russia after its annexation of Crimea in March 2014. Perhaps even more importantly, Russia has parliamentary elections this September, and presidential elections again in 2018, when Putin is expected to run for a fourth term. The Kremlin does not want a repeat of the protests of 2011-’12, and certainly no pronouncements from the U.S. about whether the elections are free and fair or whether Putin has a genuine popular mandate for his next presidency.</p>
<p>Against this backdrop, the information from the DNC files underscores for the Russian public, and the outside world, that U.S. party politics is just as dirty as in Russia or anywhere else. The U.S. looks a lot less credible as the moral authority on the conduct of elections.</p>
<p>Irrespective of whether Donald Trump or Hillary Clinton is elected, from Moscow’s perspective, at the end of this ruinous political campaign, the new U.S. president will look as wounded as Putin did when he took office again in 2012. A U.S. president who is elected amid controversy and recrimination, reviled by a large segment of the electorate, and mired in domestic crises will be hard-pressed to forge a coherent foreign policy and challenge Russia.</p>
]]>
</content:encoded>
		<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/08/putin_vladimir001-e1470165485942.jpg?w=320" type="image/jpeg" />
<itunes:summary>The Clinton campaign,&#xA0;among others, has accused Vladimir Putin of encouraging Russian intelligence to hack the Democratic National Committee (DNC) files and hand over thousands of emails to WikiLeaks as part of a broader scheme to get Donald Trump elected president. 
But why would Putin even want to influence the U.S. presidential election? There are several reasons Russia might want to stir up trouble in an already contentious campaign. Russian views of the United States are at a low point; Putin believes the U.S. plays its own nefarious games in Russian politics; and Moscow would like to undermine U.S. international credibility by highlighting the deficiencies in American party politics. 
Putin thinks the U.S. already did it to him first 
As far as Putin and his inner circle are concerned, it was the United States that moved first to meddle in Russian politics when Putin decided to return for a third term. In 2011-&#x2019;12, Russian demonstrators took to the streets to protest electoral violations in the parliamentary elections and the lack of alternative candidates to Putin in the presidential election. Putin and his inner circle believed the U.S. was to blame. Putin even asserted that then-Secretary of State Hillary Clinton had either incited or directly financed the demonstrations. 
In Putin&#x2019;s mindset, the West always tries to bring Russia down. Next year will be the 100th anniversary of the Russian Revolution, and this year marks the 25th anniversary of the dissolution of the Soviet Union. In the Russian worldview, first Germany in World War I and then the United States in the Cold War took advantage of domestic divisions and vulnerabilities and the Russian state collapsed twice in one century. 
So one of Putin&#x2019;s primary objectives is to force Western leaders to back off in order to make sure this doesn&#x2019;t happen again. Putin wants the United States and other Western governments to stop funding, as part of their foreign policies, organizations that promote political and economic transformations in Russia. He also wants to block U.S. officials from meeting with opposition figures and parties. From Putin&#x2019;s perspective, democracy promotion is just a cover for regime change. 
Putin thinks and acts like a KGB operative 
Before he was the leader of Russia,&#xA0;Vladimir Putin was an officer in the KGB, the Soviet-era secret intelligence service, and that experience continues to shape his views and actions. Putin approaches his dealings with the United States with the logic of a covert operative, steeped in plots and conspiracies. He also uses an intelligence operative&#x2019;s tools. He&#x2019;s prepared to fight dirty, and he relies on the element of tactical surprise to ensure maximum effect. 
Putin has two features that distinguish him from other world leaders. As he puts it, he knows how to &#8220;work with people&#8221; and &#8220;work with information.&#8221; In the KGB, Putin learned how to probe people&#x2019;s vulnerabilities, uncover their secrets, and use compromising information against them. In other words, blackmail and intimidation are part of his stock in trade. 
In his view, other world leaders are essentially &#8220;targets.&#8221; He gathers information and carefully tailors his approach to each leader to see how he can outmaneuver them. In one infamous and blatant episode, Putin played on German Chancellor Angela Merkel&#x2019;s fear of dogs to put her on edge during a one-on-one meeting at his dacha. He allowed his black Labrador to sniff around and lie at her feet. On numerous other occasions, Putin has signaled to visiting Western officials that he knows personal information from &#8220;their&#8221; old KGB files. 
Putin also knows how to&#xA0;play the media. Russia already has a long tradition of propaganda and information warfare, but Putin is a master manipulator.&#xA0;Early in his presidency, he described the press as an instrument that he would deploy in ... </itunes:summary>
</item>
<item>
<feedburner:origLink>https://www.brookings.edu/blog/techtank/2016/07/25/what-does-the-u-s-government-know-about-russia-and-the-dnc-hack/</feedburner:origLink>
		<title>What does the U.S. government know about Russia and the DNC hack?</title>
		<link>http://webfeeds.brookings.edu/~/181022930/0/brookingsrss/topics/cybersecurity~What-does-the-US-government-know-about-Russia-and-the-DNC-hack/</link>
		<comments>http://webfeeds.brookings.edu/~/181022930/0/brookingsrss/topics/cybersecurity~What-does-the-US-government-know-about-Russia-and-the-DNC-hack/#respond</comments>
		<pubDate>Mon, 30 Nov -0001 00:00:00 +0000</pubDate>
		<dc:creator><![CDATA[Susan Hennessey]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://www.brookings.edu?p=172886&#038;preview_id=172886</guid>
		<description><![CDATA[<p>Susan Hennessey discusses the evidence that individuals coordinating with Russia are attempting to use cyberattacks to influence the United States presidential election. Mitigating the harm from the hack and leaks of Democratic National Committee emails will require sufficiently strong public attribution.</p>]]>
</description>
				<content:encoded><![CDATA[<p>
  <em>This post originally appeared on the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.lawfareblog.com/what-does-us-government-know-about-russia-and-dnc-hack" target="_blank">Lawfare blog</a>.</em>
</p>
<p>Potentially unpleasant news for Jim Comey: We need you to intervene in the 2016 election again.</p>
<p>There is significant evidence that individuals acting at the direction of or on the behalf of Russia—the degree of coordination is unclear—are attempting to use <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.schneier.com/blog/archives/2015/07/organizational_.html" target="_blank">organizational doxing</a> to influence the United States presidential election. As Harvard law professor Jack Goldsmith <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack" target="_blank">noted</a>, this raises a number of scary questions regarding preserving the integrity of U.S. election results. It is not entirely clear what is motivating the DNC document dumps or the apparent targeting of Hillary Clinton; some speculate the aim is to benefit Donald Trump, though a plausible goal might simply be to insert a degree of chaos into U.S. politics. Understanding the ultimate goal of the hack and leaks, however, is not all that important to deciding how exactly we should respond. What is critical to mitigating the harm is sufficiently strong public attribution.</p>
<p><a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/" target="_blank">Defense One</a> lays out the powerful, though not definitive, public evidence of Russian involvement. The New York Times offers a somewhat more tempered <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.nytimes.com/2016/07/25/us/politics/donald-trump-russia-emails.html?hp&amp;action=click&amp;pgtype=Homepage&amp;clickSource=story-heading&amp;module=a-lede-package-region&amp;region=top-news&amp;WT.nav=top-news&amp;mtrref=undefined&amp;gwh=4B9B406606FD3FA62B4FAF7751B52D49&amp;gwt=pay" target="_blank">assessment</a>. It is important to recognize that the strongest evidence regarding attribution was made public long before the most recent batch of emails was released:</p>
<ul>
<li>Director of National Intelligence James Clapper <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.latimes.com/nation/la-na-hackers-campaign-20160518-snap-story.html" target="_blank">reported</a> in May that the intelligence community had evidence that foreign governments were targeting campaigns.</li>
<li>In June, Crowdstrike published <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank">its account</a>, specifically naming Russian state actors as behind the DNC hack.</li>
<li>While the Russians have <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://www.washingtonpost.com/opinions/the-danger-of-russian-disinformation/2016/05/06/b31d9718-12d5-11e6-8967-7ac733c56f12_story.html" target="_blank">long been known</a> to use information and disinformation campaigns to influence foreign elections, there was initial skepticism regarding the degree of Crowdstrike’s certainty. However, the <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~https://twitter.com/pwnallthethings/status/743197064843104257/photo/1?ref_src=twsrc%5Etfw" target="_blank">discovery of incriminating metadata</a>—first noticed by Matt Tait who tweets under <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~twitter.com/pwnallthethings">@pwnallthethings</a>—and other evidence quickly corroborated the Crowdstrike assessment.</li>
<li>There are well-documented connections between Wikileaks—the chosen vehicle for the leak release—its founder Julian Assange, and the Russian state apparatus.</li>
</ul>
<p>Paired with the technical indicators, the sum total of evidence is about as close to a smoking gun as can be expected where a sophisticated nation state is involved.  </p>
<p>The leaked DNC emails have already cost Debbie Wasserman Schultz her chairmanship of the DNC. Julian Assange<a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.itv.com/news/update/2016-06-12/assange-on-peston-on-sunday-more-clinton-leaks-to-come/" target="_blank"> threatened</a> in a June interview that the leaks would lead to Hillary Clinton’s arrest. There is certainly nothing close to that in this batch of emails, and there is reason to doubt the validity of Assange’s claim; he has wildly exaggerated about the content of leaks in the past and there are strategic reasons to lead major leaks with the most damaging information. But we are almost certain to see a number of leaks aimed at damaging Hillary Clinton over the coming weeks and months.</p>
<p>This means, put simply, that actors outside the U.S. are using criminal means to influence the outcome of a U.S. election. That’s a problem.</p>
<p>The question before us now is how to construct a response to mitigate damage to our democratic institutions.</p>
<p>There is no exclusionary rule regarding media coverage of leaked or stolen information. The press cannot be asked to turn a blind eye out of patriotism to material released in the public domain. To the contrary, the strength of our system depends on an independent Fourth Estate that vigorously covers all information regarding political candidates. So Hillary is going to take whatever political hits she takes from the release of whatever this information contains.</p>
<p>However, it is crucial that the media not lose the thread that Russian state efforts to influence our democratic processes are the real story here. That story cannot vanish after an initial splash, and coverage of future leaked information should note the probable Russian involvement and involve analysis as to what the intended aims of leaking each new document might be. An informed public will need to evaluate new information situated in the context that it comes by means of a leak designed to manipulate the electorate’s opinions.</p>
<p>This careful persistent context will depend on strong attribution. The more speculative the claim is—though it isn’t all that speculative at this point—the less likely reporters are to view it as integral to coverage. Therefore, the U.S. government would be wise to go on the record with as much definitive information regarding attribution as it can.</p>
<p>This may require overcoming some governmental inertia to not comment. The non-political elements of the executive branch are hesitant to weigh in on matters related to elections, and the blowback following FBI Director Comey’s statement on the Clinton email investigation is a particularly fresh reminder of the perils. Beyond that, there is a fear that making even general claims of attribution may lead to calls for more concrete and sensitive evidence to be made public. In the early days following the hack and organizational doxing of Sony, the government went on the record that North Korea was behind the episode. After private industry experts questioned the strength of the technical evidence, the government was forced to disclose that it had additional information regarding DPRK involvement. Comey <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.cbsnews.com/news/sloppy-north-korean-hackers-left-a-trail-fbi-director-says/" target="_blank">quelled doubts</a> regarding the Sony attribution by stating that he had “a very high confidence about this attribution to North Korea, as does the entire intelligence community” and pointing to additional malware indicators. As a result, the government may be more hesitant to make public claims regarding nation state attribution because they do not want to risk compromising intelligence sources and methods in order to convince the public.</p>
<p>Here, however, the stakes are far higher.</p>
<p>Over the weekend, Dave Aitel<a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/" target="_blank"> argued</a> that the “DNC hack and dump is what cyberwar looks like.” There is a decent case that information systems surrounding our elections should qualify as “critical infrastructure” and that malicious nation states should recognize that interfering with these systems risks serious consequences. The absolute minimum response should be to make credible public attribution.</p>
<p>The U.S. government is uniquely positioned to make the case for Russian attribution. The FBI and DHS have been<a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.nbcnews.com/tech/security/foreign-hackers-spying-u-s-presidential-candidates-spy-chief-n576146" target="_blank"> working directly with the campaigns</a> on cybersecurity, and the government has a combination of insight from both technical assessments of compromised networks and those intelligence information sources which the private sector lacks. And because the government has been historically very careful in stating conclusions regarding nation state involvement, it has a high degree of domestic and international credibility.  </p>
<p>The best way to mitigate damage is to provide a clear U.S. intelligence assessment as to whether there is Russian involvement and the degree of confidence. In May, Clapper was <a href="http://webfeeds.brookings.edu/~/t/0/0/brookingsrss/topics/cybersecurity/~www.nbcnews.com/tech/security/foreign-hackers-spying-u-s-presidential-candidates-spy-chief-n576146" target="_blank">rather vague</a> in noting that the IC was “aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations.” With the implications for free and fair elections in the U.S., it is time for the FBI to get far more specific.</p>
<p>The Russian weapon is information. Our national values require that we not suppress information in the press, whatever its provenance. The solution is to fight fire with fire: our defense is more information. Protecting all sources and methods, the intelligence community and FBI should tell us who they think hacked and leaked the information. The rest of us can sort out why and whether that will matter on Election Day.</p>
]]>
</content:encoded>
			<wfw:commentRss>http://webfeeds.brookings.edu/~/181022930/0/brookingsrss/topics/cybersecurity~What-does-the-US-government-know-about-Russia-and-the-DNC-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	<enclosure url="https://www.brookings.edu/wp-content/uploads/2016/06/computer_technology.jpg?w=263" type="image/jpeg" />
<itunes:keywords>Uncategorized</itunes:keywords>
</item>
</channel></rss>

