Closing the Cyber Gap: Integrating cross-government cyber capabilities to support the DHS cyber security mission

– Executive Summary –

Since the initial development of the Internet as an information-sharing platform, the cyber world has grown exponentially and become intertwined with almost every facet of our daily activities, commerce, and governmental operations. But the opportunities offered by the cyber world have also brought rapidly increasing threats to our citizens, businesses and government operations.

Cyber security and cyber law enforcement operations were recognized as rapidly growing fields when the nation suffered the terrorist attacks of September 11, 2001. Following the attacks, the U.S. government worked to reassure the American public, mitigate previously unidentified threats, and provide for citizens’ safety and security. During this time, many organizational changes were made to facilitate increased security and operational efficiency. Among the most significant was the creation of the Department of Homeland Security (DHS) with the passage of Public Law 107–296 (Homeland Security Act of 2002) on November 25, 2002.

On September 11, 2001, the U.S. Secret Service (USSS) was operationally aligned within the U.S. Treasury Department with the authorities conferred since its formation in 1865 to suppress the counterfeiting of U.S. currency. The USSS has continued to develop its investigative expertise as the primary investigative agency defending the nation’s financial infrastructure through financial crimes investigations. Over the course of its history, the Secret Service’s investigative authorities evolved, and the agency adapted its capabilities to account for changing technologies that supported the nation’s critical financial infrastructure. As the financial sector became increasingly reliant on cyber technologies, and the threats emanating from cyberspace became more pervasive, the USSS also consistently increased its investment in cyber-investigative capabilities. The USA Patriot Act, which passed on October 26, 2001, called for an expansion of the USSS Electronic Crime Task Force (ECTF) model, which had been proven to be a successful method of investigating the terrorist use of cyber technologies and the prevention of attacks against the nation’s financial infrastructure through aggressive enforcement and information sharing. [1]

In 2003, the USSS, although mandated to remain a distinct agency operating within its own authorities, was transferred to the Department of Homeland Security (DHS), whose mission was to ensure the security of the nation from terrorist attack. [2] Since that time, DHS’s mission has expanded to include the security and resilience of the nation’s 16 Critical Infrastructure and Key Resources (CIKR) sectors, which include the financial infrastructure and cyberspace. [3] DHS’s National Protection and Programs Directorate (NPPD) was formed to coordinate the department’s cyber-security mission but, as reflected in multiple governmental reports, NPPD has underutilized DHS component cyber-security capabilities, namely the USSS cyber investigation expertise, to further the department’s cyber-security mission. [4]

This thesis documents the shift in the U.S. government’s post-9/11 focus from the threat posed by international terrorism, to the nation’s resiliency, and finally to cyber-based threats that could impact the nation’s identified critical infrastructure. It examines the Department of Homeland Security as it followed the same development path, as well as the operations and development of the primary cyber law enforcement, military and intelligence agencies supporting this cyber security effort.

Research questions were developed to guide this research and, ultimately, provide recommendations to assist the U.S. government in developing a comprehensive national cyber security methodology and policies that utilize agency-specific lawful authorities and capabilities to strengthen our cyber security efforts while protecting our citizens’ civil liberties and privacy.

  • Primary research question: What strategies can the U.S. government develop that support the efforts of DHS, in concert with other governmental cyber security entities, to ensure the nation’s cyber-supported critical infrastructure is provided with the most comprehensive security, while ensuring our citizens’ privacy and security are preserved?
  • Secondary research question: How could the application of established law enforcement investigative authorities and capabilities augment the technology-centric, defensive cyber methods currently utilized by the Department of Homeland Security to secure the nation’s critical infrastructure against criminal cyber intrusions?

Through a review of DHS budgetary documents, evidence suggests that DHS has consistently chosen to devote disproportionate budgetary resources to developing defensive technologies of questionable effectiveness, initiating redundant information-sharing programs, and developing cyber incident response teams, while not considering the utilization of its component agencies’ legal authorities and capabilities, namely those of the U.S. Secret Service. The underutilization of the department’s own cyber law enforcement component’s capabilities has arguably affected the overall effectiveness and efficiency of the department’s efforts. The analysis indicates that the USSS has the expertise and legal mandate to integrate the traditional model of criminal investigation and deterrence into the realm of cyber security and better support the DHS mission.

Cyber-law enforcement effectiveness was also contrasted against the suitability and effectiveness of utilizing intelligence or military agencies to fulfill the nation’s domestic cyber-security mission. As Steven Tomisek described in his 2002 report Homeland Security: The New Role for Defense, since 9/11, government agencies, predominantly represented by the National Security Agency (NSA) and Department of Defense (DOD), have aggressively promoted the premise that any cyber threat targeting our nation’s critical infrastructure, including the financial infrastructure, should be designated as a “national security” threat, regardless of the motivations or identity of the attacker. [5] The NSA and DOD have argued that they alone possess the requisite capabilities to successfully counter this critical threat to our national security through domestic and international cyber operations. Evidence presented in this thesis indicates that DHS’s apparent acceptance of the premise that NSA/DOD should provide domestic technical assistance, cyber security support, and mitigation may be in violation of existing laws prohibiting domestic operations by the intelligence community and military.

Additionally, as argued by Tyler Moore, Allan Friedman and Ariel D. Procaccia in “Would a ‘Cyber Warrior’ Protect Us?: Exploring Trade-offs between Attack and Defense of Information Systems,” relying on the intelligence community (IC) and military cyber attack units to provide effective defensive information and technology may be a faulty assumption because providing that information would be counter to the IC and military’s primary missions and negatively affect their overall effectiveness. [6] The analysis indicated that the government’s proposed designation of all cyber attacks targeting the nation’s critical infrastructure as a “national security” event was initiated and fully supported by the IC and military. This designation, regardless of the identity or motivations of the perpetrator, was described within this thesis as a thinly veiled attempt to provide justification for the NSA/DOD to operate domestically despite the fact that the FBI is the only agency legally authorized to conduct domestic intelligence operations to counter national security threats. Finally, this proposal by the IC was presented as an effort that could threaten our citizens’ privacy due to the lack of intelligence community operational oversight and the borderless nature of the cyber world.

This thesis, and supporting research, offers comparative information to support the formulation of government cyber-security policy that develops the most effective, integrated cyber-security methods while protecting civil liberties and our citizens’ privacy. This thesis then offers policy recommendations to assist in this whole of government cyber security effort. These recommendations include:

  • DOD/NSA must remain focused on nation-state cyber threats and foreign activities. To ensure that the NSA, the nation’s premier SIGINT collection agency, remains focused on the exploitation of foreign SIGINT and foreign espionage activities in support of our national security interests, as well as to protect our citizens’ civil liberties, the agency must not be permitted to utilize its capabilities on domestic targets or systems. Additionally, the DOD cyber attack forces must not operate on or within domestic cyber systems, unless owned by the DOD, and must concentrate their activities on exploiting foreign vulnerabilities.
  • FBI must remain the only IC agency permitted to operate domestically with proper judicial oversight. The bureau’s domestic cyber intelligence activity must be limited to the investigation of espionage threats committed by nation-state supported actors that (1) seek to gain knowledge from information systems which contain information of national security value, or (2) attack critical infrastructure systems to degrade or disrupt such systems to cause a national crisis. The FBI Cyber Criminal Division should continue to investigate cyber intrusions within its criminal jurisdiction.
  • DHS should continue to enhance its network defense capabilities and information sharing initiatives but must increase its utilization and reliance on the deterrent effect of USSS cyber criminal investigations as an integral part of the department’s cyber security efforts. Although, as indicated within this thesis, defensive technology can never be expected to thwart the most determined or advanced attackers, defensive technology does provide a high level of protection. As presented within the thesis, in recognition of the inherent vulnerabilities in cyber systems, deterrent law enforcement operations are necessary to ensure attackers are identified and apprehended.

In closing, the thesis identifies additional areas of research that are required to support the development of adaptable policies scalable to the rapidly changing cyber threat environment. As demonstrated through the literature review, the existing research into the threats against U.S. critical cyber infrastructure has generally focused on the two key methods of attaining cyber security: 1) utilizing defensive technology, such as the intrusion detection systems described in John McHugh, Alan Christie, and Julia Allen’s article “Defending Yourself: The Role of Intrusion Detection Systems,” [7] and 2) offensive operations that identify and eliminate the actors who seek to target our cyber systems, as discussed in Susan Brenner’s article “At Light Speed” in the Journal of Criminal Law and Criminology. [8]

Areas for future research include a review of emerging technologies that provide more adaptable defensive precautions by leveraging artificial intelligence. At some point, it is possible that such technology will supplant the need for the human decisions and intervention that are often identified as the point of failure during a post-intrusion review. Another area of valuable research is a review of successful cyber security efforts initiated by the private sector, how the need for those efforts was advertised within the corporate structure to gather support, and the way that those successes could be imitated or initiated throughout the government enterprise. Related to this topic, a comprehensive study of the cyber security efforts of other nations and whether those efforts could be employed within the U.S. could prove beneficial to policy makers. Finally, additional research regarding deterrence or game theory as it applies to low-level attackers, advanced/organized criminal actors, and nation-state supported cyber threats should be conducted to more thoroughly evaluate the effectiveness of offensive operations against attackers of different skill levels and motivations.

[1] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001).

[2] An Act to Establish the Department of Homeland Security, and for Other Purposes (Homeland Security Act) Act of 2002, Pub. L. No. 107-296 Stat. 2135 (2002).

[3] U.S. Department of Homeland Security (DHS), National Infrastructure Protection Plan (Washington, DC: DHS, 2009).

[4] Frank Deffer, Planning, Management, and Systems Issues Hinder DHS’ Efforts To Protect Cyberspace and the Nation’s Cyber Infrastructure (OIG-11-89) (Washington, DC: OIG and DHS, June 2011).

[5] Steven J. Tomisek, Homeland Security: The New Role for Defense (Washington, DC: Institute for National Strategic Studies, National Defense University, 2002).

[6] Tyler Moore, Allan Friedman, and Ariel D. Procaccia, “Would a ‘Cyber Warrior’ Protect Us?: Exploring Trade-Offs between Attack and Defense of Information Systems,” in Proceedings of the 2010 Workshop on New Security Paradigms (New York: ACM, 2010), 85–94, ISBN 978-1-4503-0415-3.

[7] John McHugh, Alan Christie, and Julia Allen, “Defending Yourself: The Role of Intrusion Detection Systems,” IEEE Software, September 2000, 42.

[8] Susan W. Brenner, “‘At Light Speed’: Attribution and Response to Cybercrime/Terrorism/Warfare,” Journal of Criminal Law and Criminology (1973–) 97, no. 2 (January 1, 2007): 379–475, doi:10.2307/40042831.

1 thought on “Closing the Cyber Gap: Integrating cross-government cyber capabilities to support the DHS cyber security mission”

  1. George Sherman

    Very good discussion and topic coverage — aligns well with current studies and research. Thank you.
