Lecture 6 - Chrono's Cyber Chronicles

 The expressions computer security and cybersecurity generally refer to computer/cyber - related concerns affecting the following topics: ➢ Reliability, ➢ Availability, ➢ Accessibility, ➢ System safety, ➢ Data integrity, ➢ Confidentiality, ➢ Privacy.  Epstein (2007) suggests that computer security can be defined in terms of three elements: 1) Confidentiality - focuses on protecting against “unauthorized persons gaining access to unauthorized information.” 2) Integrity - can be understood as “preventing an attacker from modifying data.” 3) Accessibility - has to do with “making sure that resources are available for authorized users.” ## Defining Computer Security (Continued)  In Nuemann’s (2004) view, security in the context of computer systems also aims at preventing: ➢ misuse, ➢ accidents, ➢ malfunctions.  Neumann also notes that computer security can be a “double - edged sword,” because it can be used both to: a) protect privacy, and b) undermine freedom of access to information . ## Computer Security and Computer Crime  Computer security concerns often overlap with issues analyzed under the topic of computer crime .  Virtually all (known) violations of security involving computers and cybertechnology are also criminal in nature.  But not every instance of crime in cyberspace necessarily involves a breach or violation of computer/cyber security. ## Computer Security Issues as Distinct from Computer Crime  Some cyber/computer - related crimes have no direct implications for cyber/computer security.  Consider, for example, that someone can use a computer or an electronic device to: ➢ make unauthorized copies of software programs; ➢ stalk a victim in cyberspace; ➢ bully someone online; ➢ elicit sex with young children; ➢ distribute child pornography;  Note, however, that none of these (criminal) acts are a direct result of insecure computer systems. #### Security as Related to Privacy  Cyber - related issues involving privacy and security often overlap.  But there are some important distinctions between the two notions. ➢ For example, privacy - related concerns often arise because users are concerned about losing control over ways in which personal information about them can be accessed by organizations who claim to have some legitimate need for that personal information in order to make important decisions. ➢ This is not the case with security - related concerns. Security as Related to Privacy (continued)  Cyber - related security concerns (unlike those of privacy) typically arise because of either: a) fears that many individuals and organizations have that their data could be accessed by those who have no legitimate need for, or right to, such information; or b) worries that personal data or proprietary information, or both, could be retrieved and possibly altered by individuals and organizations who are not authorized to access that data. Computer Security Issues as Distinct from Computer Crime  Some cyber/computer - related crimes have no direct implications for cyber/computer security.  Consider, for example, that someone can use a computer or an electronic device to: ➢ make unauthorized copies of software programs; ➢ stalk a victim in cyberspace; ➢ bully someone online; ➢ elicit sex with young children; ➢ distribute child pornography;  Note, however, that none of these (criminal) acts are a direct result of insecure computer systems. Security as Related to Privacy (continued)  But sometimes the objectives of privacy and security seem to be at odds with each other, causing a tension between these two notions.  From a security perspective, protecting computer system resources and proprietary data residing in those systems is critical, but  From a privacy perspective, protecting personal information and personal autonomy has a higher priority  “Those who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” (Benjamin Franklin) ## Three Aspects of Cybersecurity: Data, System, and Network Security Security issues involving cybertechnology span concerns having to do with three distinct kinds of (computer - related) vulnerabilities, which include: I. **unauthorized access to data** (i.e., data security ); II. **attacks on system resources by malicious computer** **programs** (i.e., system security ); III. **attacks on computer networks** , including the infrastructure of privately owned networks and the Internet itself (i.e., network security ). #### Data Security: Confidentiality, Integrity, and Availability of Information  Data security is concerned with vulnerabilities pertaining to unauthorized access to data that can either: a) reside in one or more computer storage devices, b) be exchanged between two or more computer systems.  Data security issues affect the confidentiality, integrity, and availability of that information. #### Data Security (Continued)  Spinello (2000) describes what is required for data security by noting that: 1. The information to be protected can be either personal or proprietary or both. 2. The information must be secured not only from tampering and alteration by unauthorized parties, but also from merely being accessed and read by those parties. 3. The stored information must be accurate, readily available, and accessible to authorized parties, i.e., on demand access ## System Security  While System security is concerned with vulnerabilities to system resources such as computer hardware, operating system software, and application software, it is also concerned with various kinds of viruses, worms, and related “malicious programs” that can disrupt and sometimes destroy computer systems. ## The Olympic Games and the Stuxnet Worm In June 2012, the New York Times reported that the US and Israeli governments had been cooperating on an initiative code - named Olympic Games . Originally conceived and developed during the George W. Bush administration, the Olympic Games operation aimed at disrupting Iran’s uranium enrichment program and thus damaging Iran’s nuclear capability. At the core of this joint operation was a computer worm known as Stuxnet, a “cyberweapon” that targeted “electronic program controllers” developed by Siemens Corp for industrial controlled computers that were installed in Iran. The Stuxnet worm was allegedly responsible for ( i ) sending misleading data to computer monitors in Iran and (ii) causing several of Iran’s centrifuges (fast - spinning machines that enrich uranium) to spin out of control. The Stuxnet attack was estimated to have destroyed approximately 1000 of Iran’s 6,000 centrifuges. Was this operation a justified breach of cybersecurity? If it is wrong for ordinary individuals and nongovernmental actors to break into and disrupt someone’s computer system, is it also wrong for nations to do this as well? ## Viruses and Worms (Continued)  Dale and Lewis (2016) define a virus as a “malicious, self - replicating program that embeds itself into other code.” ➢ Dale and Lewis define a worm as a “malicious stand - alone program that often targets network resources.”  However, some believe that both viruses and worms, as well as all other kinds of malicious programs are better described under the single category “malware.” ## Malware  Miller (2015) defines malware as “software designed to produce, damage, or provide unauthorized access to computers or computer systems.”  Under this broad definition, all of the following would be included under the category “malware”: ➢ viruses, ➢ worms, ➢ Trojan horses, ➢ logic bombs, ➢ (at least some forms of) “spyware”. Network Security (Continued)  Attacks on computer networks have ranged from programs launched by individuals and organizations whose intentions were malicious to those entities claiming that their intentions were benign.  Some network attacks have severely disrupted activities on (segments of) the Internet.  In some cases, these attacks have also have rendered the Internet virtually inoperable.  It is not always easy to determine whether a major computer network disruption is the result of malicious individuals or whether it is due to the failure of some aspect of the network infrastructure itself. ➢ For example, some suggest that a significant power outage experienced by AT&T in 1990, which, at the time, was attributed to a software glitch in the system’s programming code, was the result of “malicious” individuals who caused the network to crash. ### Three Kinds oƒ Comp Security ![](Pasted%20image%2020240215161136.png) ## “Cloud Computing” and Security  The National Institute of Standards and Technology (NIST) officially defines cloud computing as ...a model for enabling ubiquitous , convenient , on - demand network access to a shared pool of configurable computing resources.  The National Institute of Standards and Technology (NIST) officially defines cloud computing as ...a model for enabling ubiquitous , convenient , on - demand network access to a shared pool of configurable computing resources. ## Cloud Computing  Cloud computing affects not only where users can store their data but also where many of the applications they use can ultimately reside.  Four popular examples of cloud - computing applications include: ➢ photo storing services, such as Google’s Picasa; ➢ web - based email services, such as Yahoo; ➢ file transfer services, such as YouSendit ; ➢ online computer backup services, such as Mozy (Privacy Rights Clearinghouse, 2008).  The NIST definition of cloud computing identifies four distinct “deployment models” and three kinds of “service models.”  Deployment models include the: ➢ Private Cloud (used by a single organization) ➢ Community Cloud (used mainly by a “specific community” of organizations and users that have “shared concerns”) ➢ Public Cloud (can be used by the general public) ➢ Hybrid Cloud (some combination of the above!)  As already noted, cloud computing also provides three important service (or delivery ) models: ➢ Software as a Service (or SaaS) – delivers various kinds of applications using a “multitenant architecture” ➢ Platform as a Service (PaaS) – delivers “development environments” to consumers ➢ Infrastructure as a Service (IaaS) – delivers various “resources” which include servers, connections, and “related tools” needed for building “an application from scratch” ### Cloud Computing (Continued)  If we combine both a) private/community/public/hybrid modes of deployment , and b) SaaS/ PaaS / IaaS modes of service/delivery we are able to distinguish twelve variations of cloud - computing services. See Table 6 - 2. ## Securing User Data Residing in the Cloud  Cavoukian (2008) argues that for cloud computing to be fully realized, users will have to be confident that their personal information is protected and that their data (in general) is both secure and accessible.  Currently, however, users have at least four different kinds of “concerns” along these lines.  One concern has to do with how users can control their data stored in the cloud – e.g., at present, users have very little “control over or direct knowledge about how their information is transmitted, processed, or stored” (Privacy Rights Clearinghouse).  A second concern involves the integrity of the data – for example, if the host company goes out of business, what happens to the users’ data?  A third kind of concern affects questions about access to the data – i.e., can the host deny a user access to his/her own data?  A fourth concern has to do with who actually “owns” the data that is stored in the cloud. ##### Securing User Data Residing in the Cloud (Continued)  Talbot (2011) identifies three main kinds of concerns that these businesses have, which involve: 1) accidental loss of data, 2) fear of hacking attacks, 3) theft by “rogue employees of cloud providers.”  Until these concerns are resolved, Talbot suggests that users will be skeptical about placing their trust in cloud - computing services to protect their data. ## Assessing Risk in the Context of Cloud Computing  It is not clear who is responsible for assessing and managing risk in computing/IT - security contexts.  One reason why it is becoming even more difficult to determine who is responsible for doing this may have to do with a factor that Pieters and van Cleeff (2009) call the “ de-perimeterization ” of the security landscape.  Because the information security landscape has become increasingly “ deperimeterized ,” IT systems now “span the boundaries of multiple parties” and they “cross the security perimeters.”  They also note that deperimeterization - related concerns lead to “uncertain risk” for IT security, because of the lack of clear boundaries defining the security landscape with no secure “digital fence” or perimeter safeguarding the users' data.  So both ordinary users and businesses may be required to assume some level of uncertain risk with regard to their data and system resources that reside in the cloud. ## Ethical Aspects of Cybersecurity  Ethical issues affecting individual autonomy, privacy, and expectations of anonymity arise because of cybersecurity.  To realize autonomy, as well as privacy and anonymity, users need to have some control over how personal information about them is gathered and used.  On the one hand, secure computers can help users realize this goal.  But secure computers can also undermine this goal, and this can raise ethical concerns.  An ethical analysis of cybersecurity issues needs to consider whether an appropriate balance can be found in preserving both: a) adequately secure computer systems; b) autonomy and privacy for computer users. ## Hacking and the “Hacker Ethic”  Individuals and groups that launch malicious programs of various kinds are commonly described in the media as hackers .  According to Simpson (2006), a hacker is anyone who “accesses a computer system or network without authorization from the owner.”  Simpson defines “crackers” as hackers who break into a computer system with “the intention of doing harm or destroying data.”  Many computer scientists are unhappy with how the word “hacker” has come to be used in the media.  Kaufman, Perlman, and Spencinor (2002) describe “true computer hackers” as  individuals who play with computers for the “pure intellectual challenge” and as “master programmers, incorruptibly honest, unmotivated by money, and careful not to harm anyone.” Hacking and “HackerEthic” (Continued)  Many people who are now identified in the media as hackers are neither brilliant nor accomplished computer experts.  “Early computer hackers” have been described as individuals who aimed at accessing computer systems to see how they worked, and not to cause any harm to those systems.  Were these kinds of hackers also behaving unethically?  These individuals are sometimes described as behaving in accordance with a certain “code of ethics.” ### Hacking and the “Hacker Ethic” (Continued)  Steven Levy (2001) describes the “Hacker Ethic” as comprising the following beliefs: 1. Access to computers should be unlimited and total. 2. All information should be free. 3. Mistrust authority - promote decentralization. 4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position. 5. You can create art and beauty on a computer. 6. Computers can change life for the better. ##### Hacking Activities  Some hacking activities can be viewed as examples of three of the principles included in Levy’s “Hacker Ethic”: 1) information should be (totally) free; 2) hackers provide society with a useful and important service; 3) activities in cyberspace are virtual in nature; so they do not cause real harm to people in the real (physical) world. ### “Information Wants to Be Free”  Should all information be totally free?  The view that information should be free is regarded by some critics (for example, Spafford 2004) as naïve, idealistic, or romantic.  Spafford notes that if information were free: ➢ privacy would not be possible because we would not be able to control how information about us was collected and used. ➢ it would not be possible to ensure integrity and accuracy of that information. #### “Hackers Provide Society with an Important Service”  Spafford also provides counterexamples to this version of the “hacker argument.”  He asks whether we would permit someone to start a fire in a crowded shopping mall in order to expose the fact that the mall's sprinkler system was not adequate.  Alternatively, would you be willing to thank a burglar who successfully broke into your house? ➢ For example, would you thank that burglar for showing that your home security system was inadequate? ### “Hacking Causes Only Virtual Harm, Not Real Harm”  Some argue that break - ins and vandalism in cyberspace cause no “real harm” to persons because they are activities that occur only in the virtual realm .  This argument commits a logical fallacy by confusing the connection between the real and the virtual regarding harm by reasoning in the following way: ➢ The virtual world in not the real (physical) world; so any harms that occur in the virtual world are not real harms. ➢ See Chapter 3 for a description of why the reasoning process used in the Virtuality Fallacy is fallacious. ## Can Computer Break-ins Ever Be Ethically Justified?  Spafford suggests that in certain extreme cases, breaking into a computer could be the "right thing to do." ➢ For example, breaking into a computer to get medical records to save one’s life, and the authorized users of the system cannot be found.  However, Spafford also argues that computer break - ins always cause harm, **i.e., sometimes it could be right to do** **something that is ethically unjustifiable.**  Utilitarian? Deontological? Chapter 2! ### Ethically Justifying a Computer Break - in (Continued)  Spafford seems to use a deontological (or nonconsequentialist ) argument to justify the break - in the case of the medical emergency. ➢ For example, Spafford believes that morality is determined by actions not results .  He argues that we cannot evaluate morality based on consequences or results because we would not “know the full scope of those results,” which are based on the “sum total of all future effect.”  Spafford’s argument tends to be based on a version of act deontology (see Chapter 2). ## Cyberterrorism  Dorothy Denning (2004, 2007) defines cyberterrorism as the "convergence of cyberspace and terrorism."  Cyberterrorism covers a range of politically motivated hacking operations intended to cause grave harm that can result in either loss of life or severe economic loss, or both.  In some cases, it is difficult to separate acts of cyberterrorism from cybervandalism and cyberwarfare , and acts of ordinary hacking . #### Cyberterrorism vs. Hacktivism  Denial - of - service (DoS) attacks have been launched for the purpose of preventing users from accessing targeted commercial Web sites.  These attacks have also resulted in severe economic loss for major corporations.  Should these DoS - related attacks necessarily be classified as instances of cyberterrorism?  Or, can some of these attacks be better understood as another form of malicious hacking – i.e., acts perpetrated by persons or groups with a particular political agenda or ideology? #### Hacktivism  Manion and Goodrum (2004) have questioned whether some DoS (and related) cyberattacks might be better understood as instances of hacktivism . ➢ They also question whether the behavior of these persons and groups responsible for the cyberattacks suggests a new form of civil disobedience, which they also describe as hacktivism . ➢ Can acts of hacktivism be justified on the grounds of civil disobedience ? ##### Can Hacktivism be Justified?  Himma (2007) describes the line of reasoning that hacktivists and their supporters tend to use to justify their activities as forms of political activism and “electronic civil disobedience” (or ECD): ##### Can Hacktivism be Justified? ➢ **PREMISE 1**. Because civil disobedience is justifiable as a protest against injustice, it is permissible to commit digital intrusions as a means of protesting injustice. ➢ **PREMISE 2.** In so far as it is permissible to stage a sit - in in a commercial or governmental building to protest, say laws that violate human rights, it is permissible to intrude on commercial or government networks to protest such laws. ➢ **CONCLUSION**. Digital intrusions that would otherwise be morally objectionable are morally permissible if they are politically motivated acts of electronic civil disobedience, or hacktivism. ^^^ VALID ARGUMENT ### Hacktivism as a form of Electronic Civil Disobedience (ECD)  With regard to ECD, Manion and Goodrum (2004) claim that for an act to qualify as “civilly disobedient,” it must satisfy the following conditions: ➢ No damage done to persons or property; ➢ Nonviolent; ➢ Not for personal profit; ➢ Ethical motivation – the strong conviction that a law is unjust, or unfair, to the extreme detriment of the common good; ➢ Willingness to accept personal responsibility for the outcome of actions.  Denning (2008) argues that Manion and Goodrum’s analysis of hacktivism suggests that some acts of Web defacement may also be morally justified as ECD, in so far as they are “ethically motivated.”  But Denning points out that defacing a Web site seems to be incompatible with Manion and Goodrum’s first condition for ECD – i.e., “no damage.” In 2012, a self - described hacktivist group called Anonymous launched a series of DDoS attacks against commercial and government Web sites in response to 2 different incidents. For one thing, the group stated that its attack, called “Operation Payback”, was in retaliation against the US Department of Justice for taking down Megaupload, a massive file - sharing site. For another, Anonymous stated that it was supporting the coordinated January 18, 2012 online protest against two controversial legislative proposals in the US Congress: Protect Intellectual Property Act (PIPA) and Stop Online Piracy Act (SOPA). While most of the participants in this online protest, including Wikipedia and Google, used tactics that were nondisruptive, Anonymous launched DDoS attacks against the websites of organizations that supported the two congressional bills. The sites attacked included not only those of the Recording Industry Association of America (RIAA) and Motion Picture Association of America (MPAA) but also the sites for the US Copyright Office and Broadcast Music, Inc (BMI), which collects fees from businesses that use music.  Can this incident qualify as example of ECD?  Is it an example of hacktivism?  Or, can it possibly qualify as an act of cyberterrorism? ### Hacktivism vs. Cyberterrorism  Denning (2001) attempts to draw some critical distinctions among three related notions: ➢ activism ; ➢ hacktivism ; ➢ cyberterrorism. #### Activism, Hacktivism, and Cyberterrorism  A ctivism includes the normal, non - disruptive use of the Internet to support a cause. ➢ For example, an activist could use the Internet to discuss issues, form coalitions, and plan and coordinate activities.  Activists could engage in a range of activities from browsing the Web to sending e - mail, posting material to a Web site, constructing a Web site dedicated to their political cause or causes, and so forth.  Hacktivism is the convergence of activism and computer hacking.  It uses hacking techniques against a target Internet site with intent to disrupt normal operations, but without intending to cause serious damage.  These disruptions could be caused by "e - mail bombs" and "low grade" viruses that cause only minimal disruption, and would not result in severe economic damage or loss of life.  Cyberterrorism consists of operations that are intended to cause great harm such as loss of life or severe economic damage, or both. ➢ For example, a cyberterrorist might attempt to bring down the U.S. stock market or take control of a transportation unit in order to cause trains to crash.  Denning believes that conceptual distinctions can be used to differentiate various activities included under the headings of activism, hacktivism, and cyberterrorism. ### Denning’s Analysis  Denning admits that as we progress from activism to cyberterrorism the boundaries become "fuzzy." ➢ For example, should an "e - mail bomb" sent by a hacker who is also a political activist be viewed as hacktivism or as an act of cyberterrorism?  Many in law - enforcement argue that more effort should be devoted to finding ways to deter and catch these individuals rather than trying to understand their ideological beliefs, goals, and objectives. ## Cybertechnology and Terrorist Organizations  A major concern in the past has been how and when terrorist organizations might use cybertechnology to carry out attacks.  Some members of al Qaeda and ISIS now possess very sophisticated computer devices, as well as the skills needed to use them effectively.  In the November 2015 terrorist attacks in France, ISIS terrorists used encryption technology to communicate with one another in ways that made it extremely difficult for European authorities to monitor and intercept those communications.  When al Qaeda terrorists flew airplanes into the Twin Towers, on 9/11, they had to take their own lives in the act.  But we can imagine that would happen if terrorists are someday able to gain control of onboard computer systems on airplanes and override the airplane’s computerized controls. ### Information Warfare  Denning (1999) defines information warfare (IW) as "operations that target or exploit information media in order to win some objective over an adversary."  Certain aspects of cyberterrorism also seem to conform to Denning's definition of IW, but IW is a broader concept than cyberterrorism. 1. IW can include cyberattacks that send misleading information to an enemy. 2. While IW is disruptive and sometimes destructive, it need not involve loss of life or severe economic loss, even though such results can occur. 3. IW typically involves cyberattacks launched by sovereign nations as opposed to “rogue” political organizations and terrorist groups.  IW, unlike conventional or physical warfare, tends to be more disruptive than destructive.  The instruments of war in IW typically strike at a nation's infrastructure.  The kinds of "weapons" used typically consist of malware (including viruses and worms), as well as DoS attacks (described earlier).  The disruption caused by malware and DoS attacks can be more damaging, in many respects, than physical damage caused to a nation by conventional weapons. Information Warfare  Moor (2004) notes that in the computer era, the concept of warfare has become “informationally enriched.”  Moor also notes that while information has always played a vital role in warfare, now its importance is overwhelming, because the “battlefield is becoming increasingly computerized.”  He points out that in the future, warfare may have more to do with information and cybertechnology than with human beings going into combat.  Moor and others note that in the past, warfare was conducted by physical means – e.g., human beings engaged in combat, using weapons such as guns, tanks, and aircraft.  But during the first Gulf War, in the early 1990s, we saw for the first time the importance of information technology in contemporary warfare strategies.  Moor notes that the war was won relatively quickly by the multinational coalition because it was able to destroy the Iraqi communications technologies at the outset and thus put the Iraqi army at a severe disadvantage. ## Information Warfare  Review Scenario 6 - 1 (in the textbook) involving the Stuxnet Worm and the “Olympic Games” Operation.  Does “Operation Olympic Games” qualify as an instance of IW (or “cyberwarfare”)?  In so far as the Stuxnet worm sent misleading information to the Iranian government and its scientists, it complies with one aspect of IW.  Also, because this worm was disruptive (regarding Iran’s nuclear program), as well as destructive (i.e., with respect to its effect on Iran’s centrifuges), it complies with another aspect of IW.  Additionally, consider that the Stuxnet attacks were launched (allegedly, at least) by two nation states.  So, Stuxnet complies with all three elements of IW (described above).  It is perhaps also worth noting that in the Olympic Games incident, there had been no formal declaration of war among the three nation states allegedly involved. Potential Consequences for Nations that Engage in IW  Sanger (2012) suggests that the United States did not think through the international implications of its use of cyberwarfare in the Olympic Games operations). ![](Pasted%20image%2020240215164405.png)