LANDWARNET 2011: TRANSFORMING CYBER WHILE AT WAR

UNCLASSIFIED

Cyber Policy and Legal Discussion

Session: 4

Track: Army Cyber Command

COL John Kent

Army Cyber Command / 2nd Army



Defense Information Assurance Program, 10 U.S.C. § 2224

10 U.S.C. § 3013

(U) Unified Command Plan

(U) General Order, No. 2010-26, 1 Oct 10 Establishment of Army Cyber Command, 1 October 2010

2011-08-24// Cyber Policy and Legal Discussion Session: 4, Track: Army Cyber Command


Protecting Army information is vital to our national security. IA capabilities and actions protect and defend networks, data integrity, and allow us to implement effective computer network defense (CND).

AR 25-2, Information Assurance, implements DODD 8500.1, DODI 8500.2 and DODI 5200.40, and CJCSM 6510.01 to align Army IA goals and requirements with the DOD Information Management Strategic Plan.


Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks

CJCSM 6510.01A, citing DOD Directive 8530.1

Monitoring, analysis, detection activities, including trend and pattern analysis, are performed by multiple disciplines within the DOD, e.g., network operations, CND Services, intelligence, counterintelligence and law enforcement.

DOD Directive 8530.1


Multiple Disciplines

Network Ops – CERTs/NOSCs

Intelligence

Counterintelligence

Law Enforcement

POTUS

Incidents/Intrusions/Attacks

User abuse

Espionage

Foreign Agent

Crime

Hostile Act/Intent

Lead Government Entity & Primary Purpose


FBI

NIPC

DCIOs

Other Fed/State Orgs

DIA

NSA

CIA

FBI

Service CI

CERTs

Intelligence/CI: Foreign sources are involved

Technical analysis of intrusion characteristics

Law Enforcement Activity involves US citizens

Pen register, trap and trace; Title III wiretap; FISA

ID, log analysis, forensics

ECPA “Service Provider” exception

FISA; EO 12333; DODD 5240.1-R

Attribution!


To protect against the threat, the Army has established the Army Computer Emergency Response Team (ACERT). The ACERT provides the Army with the capability to prevent, monitor, detect, and respond to AIS security incidents. The ACERT leverages and integrates intelligence support and network/system management capabilities to a unified C2 Protect effort. As part of its mission, the ACERT has initiated the Computer Defense Assistance Program (CDAP).

Army Regulation 380–53, Security Information Systems Security Monitoring, 29 April 1998


The CG, NETCOM/9th SC (A) will operate, manage, monitor, administer, and defend the Army portion of the global information grid. (GNOSC & TNOSCs)

AR 25-2


• Exercise command and control of the ACERT and all of its components (including RCERTs).
• Establish tactics, techniques, and procedures (TTPs) for the ACERT, RCERTs, as required.
• Serve as focal point for security incidents and violations.
• In coordination with law enforcement (LE) and counterintelligence (CI) agencies, develop and publish response guidelines, checklists, and procedures.

AR 25-2 (Originally Cdr, 1st IOC, assumed by ARCYBER)


Army Cyber Command is the lead for Army missions, action and function related to cyberspace, including the responsibility for planning, coordinating, integrating, synchronizing, directing and conducting Army network operations and the defense of all Army networks.

(U) General Order, No. 2010-26, Establishment of the U.S. Army Cyber Command, 1 October 2010


Monitoring networks. Network monitoring . . . number of actions . . . to ensure proper performance and management.

When any of these monitoring activities involve intercepting (capturing in real time) the contents of wire or electronic communications, they must fall within the limits of an exception to Federal statute.

E.g., the service provider exception of Wiretap statute allows SA/NA to intercept, use, and disclose intercepted communications as long as the actions are conducted in the normal course of employment and the SA/NA is engaged in an activity that is necessary to keep the service operational or to protect the rights or property of the provider.

Therefore, IA personnel must consult with counsel to ensure that activities involving systems management and protection are properly authorized.

AR 25-2


Wiretap Statute

Pen Register / Trap & Trace Statute

Stored Communications Act

Banner and User Agreement

DAA Authority


Federal Wiretap Statute: 18 U.S.C. §§ 2510-2520

• BLUF: Even if the interception of communications is permissible under the Fourth Amendment, the Wiretap Statute may prohibit it
• Beyond Fourth Amendment requirements
• Prohibits a third party (like the government), who is not a party to the communication, from intercepting private communications using an electronic, mechanical, or other device unless a statutory exception applies (18 USC § 2511(1))


“provider of . . . electronic communication service” may intercept or disclose communications on its own machines “in the normal course of employment while engaged in any activity which is a necessary incident to . . . the protection of the rights or property of the provider of that service.”

18 U.S.C. § 2511(2)(a)(i)


Broad authority with focused purpose

Applies to “provider[s] of electronic communication services” (i.e., Army)

Authorized to intercept, disclose, or use network communications to protect rights & property of the provider or to ensure the system continues to provide service


Allows for real-time monitoring – “intercepting”

• No court order or warrant required

SysAds can track hackers within their networks to prevent further damage

Doesn’t allow unlimited monitoring

Need “substantial nexus” between threat and property

• “Reasonable and tailored”


The Service Provider Exception is a limited exception. Not a criminal investigator’s privilege.

18 U.S.C. § 2511(2)(a)(i)


DoD Notice and Consent Banner

• Invalidates DoD employee’s reasonable expectation of privacy in their Gov’t computer

• Banner puts users on notice

Computer cannot be used for illegal activity

Third-party monitoring

Security measures in place for supporting Gov’t info systems, not for personal privacy reasons


Investigation of a crime

Constitution, 4th Amendment

Domestic Statutes (see Matrix)

Mutual Legal Assistance Treaties, Agreements

USA PATRIOT Act

Nation-wide Search Warrants

Computer Trespasser Provisions

Computer Trespasser Exception; 18 U.S.C. 2511(2)(i)

Allows law enforcement to intercept communications to or from “computer trespassers” 18 U.S.C. 2510(21)

Even if trespasser is using system as a pass-through to other down-stream victims

A “computer trespasser”

Is a person who accesses network “without authorization” and “thus has no reasonable expectation of privacy…”

Excludes a person known by the provider to have an existing contractual relationship with the provider for use of the system


Intelligence Organizations

Under the DCI, Title 50, National Foreign Intelligence Program

Under Secretary of Defense, Tactical

DoD Counterintelligence Components

E.O. 12333

DoDD 5240.1, DoDD 5240.1-R

Foreign Intelligence Surveillance Act 50 USC 1801

USA PATRIOT Act


EO 12333 / DoD 5240.1-R

SIGINT Cyber

POTUS

SECDEF

DIRNSA

CG, INSCOM

DoDI 0-3115.07

USSID 1000

POTUS

SECDEF

SECARMY CG, CYBERCOM

CG, ARCYBER


EO 12333

Exercise responsibility for SIGINT;

Operate an effective and unified organization for SIGINT;

Control collection and processing of SIGINT activities;

Assign resources to an appropriate agent for such periods and tasks as required for the direct support of military commanders.

No other Department or Agency is authorized to engage in any SIGINT activities without an express delegation from SECDEF

DoDI 0-3115.07

Supervise, fund, maintain, and operate NSA and the US SIGINT System (USSS) as a jointly-staffed, unified SIGINT organization;

Exercise control of all SIGINT collection, processing, analysis, production, and dissemination activities of the US;

Exercise SIGINT OPCON over SIGINT activities of the USSS to respond most effectively to military and other SIGINT requirements by:

• Delegating standing SIGINT SOTA to the Mil Depts with organic SIGINT units permanently assigned under their command;
• Delegating temp. SOTA to commanders on a case-by-case, mission specific basis to permit those commanders to directly task designated SIGINT units and assets assigned to their command to achieve their mission objectives;
• Approving SIGINT missions for SIGINT units or assets assigned to and under the OPCON of a commander;
• Retaining SIGINT OPCON of all SIGINT resources fulfilling national SIGINT requirements


Constitution

UCP

USSTRATCOM Mission

USCC

Title 10 U.S.C. 162, 163, 164

EXORD, OPORD

International Law

Standing Rules of Engagement

LOAC


Combine CNO Disciplines

Interacting Authorities

CND – Title 10 implementing 18 USC 2511(2)(a)(i)

Intelligence – Title 50

LEA

Dual Authorities Granted by DIRNSA

Intelligence Oversight Plan


703-706-1190