39 TOP 2006 DNI Processing 622 Mbps. Spring 2007 Comprehensive National Cybersecurity Initiative Firms-Up. Spring 2007 TURBULENCEINCC the First cao ?Take Shape. August 2007 Protect America Act; CT, only. 2.5 Gbps. Spring 2008 CNCI FYDP Becomes Real. July 2008 FISA Amendments Act; CT Cert, first, Foreign Governments Cert in Sept. March 2009 FAA Cert C, Counter-Proliferation. TURMOIL T16 2.5 Gbps. March 2010 ??briefs 330 on FAA Cert A Case. Summer 2010 TURMOIL XNET 10 Gbps. September 2010 Activates XKEYSCORE Deep Dive. 2010 to 2011 - Low-Profile TURMOIL 10 deployed worldwide. Spring 2011 NCSCISSO Activate Content Collection US-3140IMADCAPOCELOT. June 2011 US-3171 DANCINGOASIS. (Need I see more?) August 2011 NIPF Band A Cybersecurity Becomes Cyber Threats to US Infrastructures. January 2012 President Obama Reconfirms the Transit Program. May 2012 Dept. of Justice approves targeting certain signatures under FAA FG Cert. May 2012 First TURMOIL BLUESNORT content activation for FAA July 2012 Dept. of Justice approves targeting certain IP addresses under FAA. August 2012 Iranian attack against Saudi Aramco. December 2012 FAA of 2008 extended until December 31, 2017. TOP 5 (TS//SI//NF) New FAA702 Certification in the Works - Cyber Threat By on 2012-03-23 1423 (TS//SI//NF) NSA has drafted a new FAA702 Certification to target Cyber Threats. It is close to being ready for formal coordination with Department of Justice and the Office of the Director of National Intelligence. If approved by the FISA Court, likely many months from now, the Certification will enable analysts to task selectors to SSO's FAA702 authorized systems (PRISM, STORMBREW, OAKSTAR, FAIRVIEW, BLARNEY) which do not fit into one of the current Certifications for Foreign Intelligence. This will be of great benefit to NTOC because it will fill a targeting gap - some cyber threat actors are currently targeted under the existing Certifications when the actor is known and can be tied to a foreign government or terrorist organization. However, many cyber threat targets currently cannot be tasked to FAA702 due to lack of attribution to a foreign government or terrorist organization. The new certification will not require this attribution, and rather only require that a selector be tied to malicious cyber activity. The FAA702 collection will then be used to determine attribution, as well as perform collection against known targets. (TS//SI//NF) The Certification will also for the first time spell out the authorization for targeting cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors. Although the current Certifications already allow for the tasking of these cyber signatures, NSA and its FAA702 overseers (e.g. - Dept. of Justice; ODNI) have yet to reach a common understanding as to how this unique type of targeting and collection will be implemented. This new Certification will help to codify the FISA Court's guidance on targeting using the signatures listed above. SSO's "upstream" FAA702 accesses will perform collection against all signature types and are poised to make immediate significant contributions. The PRISM access will be used primarily for e-mail and similar selector types. Taken together, SSO's FAA702 collection will fill a huge collection gap against cyber threats to the nation, and the approval of this new Certification is one of the DIRNSAs highest priorities. POCs: PRISM Mission Program Manager, S3531, SSO Cyber Lead, S3531; TOP SECRET//SI//ORCON//NOFORN (TS//SI//NF) What's Next o Plan to add Dropbox as PRISM provider o Want to add Cyber Threat Certification o Expand collection services from existing providers o Change UTT tasking system to allow tasking of phone numbers and sending one selector to multiple providers TOP SECRET//SI//ORCON//NOFORN TOP SECRET//SI//ORCON//NOFORN (TS//SI//NF) Conclusion What to Remember o PRISM is one of the most valuable, unique, and productive accesses for NSA - don't miss out on your targets. o Recommend tasking all DNI and DNR selectors to FAA 702 if they meet the criteria. Your target's communications could be flowing through SSO's accesses which only FAA can access. Communications paths constantly change. o Recommend using Rules-Based-Tasking in UTT to ensure that both PRISM and passive/upstream SSO FAA accesses are given the selectors. o Some Product Lines do not use PRISM and other SSO accesses optimally. They are missing unique collection on their targets. o FAA 702 collection = PRISM program providers + FAA Upstream SSO programs with access to thousands of non-PRISM internet domains, DNR collection, cyber signatures and I.P. addresses. TOP SECRET//SI//ORCON//NOFORN - FIB TO USA, VEY SECURITY CLASSIFICATION NSA STAFF PROCESSING FORM TO EXREG CONTROL NUMBER KCC CONTROL SIGINT DIR 2012-704 8353?1 13-11 THRU ACTION EXREG SUSPENSE SUBJECT APPROVAL KCC SUSPENSE IGN RE SSO's Support to the FBI for Implementation of [j 3 Am ELEMENT SUSPENSE their Cyber FISA Orders CI V2. V3. V07 SUMMARY RECOMMENDATION: Approve the provision of the assistance to FBI, with the proviso that the FBI remains responsible for any additional expenses incurred. PURPOSE: To obtain the SIGINT Director's approval for the Of?ce of Special Source Operations to provide ongoing technical assistance to the Federal Bureau of Investigation (FBI) for the implementation of the various orders they have obtained, and will obtain, from the Foreign Intelligence Surveillance Court (FISC) in certain ber cases invol?vin a cuts of forei powers (cg. - soon, The preparation of this Staff Processing Form was a collaborative-effort between 880 and the NSA Of?ce of General Counsel (OGC). BACKGROUND: On December 20, 2011, NSA received a request for technical assistance from the FBI seeking access to infrastructure established by NSA for collection of foreign intelligence from US telecommunications providers. The FISC has issued a number of orders at the request of the FBI authorizing electronic surveillance directed at communications related to computer intrusions being conducted by foreign powers. The orders include some that are limited to pen register/trap and trace (PRTT) information as well as others that authorize collection of. content. The ?rst of these for which NSA assistance has been requested is directed at communications related to intrusions conducted by the? (Docket Number 11-91), regarding what FBI refers to as STYGIAN FLOW. In mid?2011, prior to receipt of the request for technical assistance, 880 became aware of plans to seek these orders and has been in discussions with FBI throughout the latter half of the year, in the belief that use of NSA's collection/processing infrastructure would allow the FBI to COORDINATIONIAPPROVAL NAME AND DATE NAME AND DATE OFFICE OFFICE OGC 3037?. ?f S3 i?eZO'x?Z NTOC ORIGINATOR ?a s3ss M:2011.12.210i:qz:m ?1600' FORM AS79605 REV NOV 200 ersedes A6796 FEB 05 which is obsolete mwm?aw 3< up sscunm CLASSIFICATION Derived From: Manna! 1?52 Dated; a January 2007 TO USA, VEY Dectassify On: 20320108 SV POC 20111221 TO USA, FVEY sacumrv Page 2 of 4: CATS 2012-704 TO USA, FVEY) SSO's Support to the FBI for Implementation of their Cyber FISA Orders maximize the value of the collection without incurring the expenses associated with duplication of that infrastructure. Although FBI conducts numerous electronic surveillances without assistance, the vast majority of them are directed against targets located inside the United States, and U.S. providers served with ISC orders are ordinarily able to identify and deliver to the FBI most, if not all, of the targets' communications that they carry. That is because such electronic surveillance is typically effected at a point or points in the provider?s infrastructure in physical proximity to the target's location. In the case of computer intrusions being conducted by foreign powers, the providers may be carrying a target's communications, but it is much more dif?cult to identify and locate them, because the communications in question will enter and leave the United States via any convenient path, and their path may be obscured to avoid detection. In other words, in these cases, because the target's location is outside the United Statues and not well-characterized, effecting the surveillance via traditional means is not effective. However, in support of FAA and in anticipation of the need to conduct similar collection activities for computer network defense purposes, over the last decade, NSA has expended a signi?cant amount of resources to create collection/processing capabilities at many of the chokepoints operated by U.S. providers through which international communications enter and leave the United States. Collection at such chokepoints is much better suited to electronic surveillance directed at targets located outside the United States than BI's traditional means of collection. In theory, FBI could rely on the orders it has obtained to direct U.S. providers to conduct surveillance at these chokepoints without relying on NSA capabilities, but it would take a considerable amount of time to do so, and FBI would have to reimburse the providers to recreate duplicate) what NSA has already put in place. The cost alone would be prohibitive, and the time lost in doing so would necessarily result in a loss of foreign intelligence. The assistance being sought by the FBI is limited in nature. The U.S. providers served with Secondary Orders in this matter will assume full responsibility for the provisioning of and content collection to the FBI. Since all of the authorized "facilities" (typically known as "targeted selectors" in NSA parlance) to date are Internet Protocol (IP) addresses used by the targets, there is no question as to the providers' abilities to employ devices under their control routers) to provision fully-compliant, authorized intercept. Neither the previders nor the FBI will require NSA's Government off the Shelf (GOTS) Digital Network Intelligence (DNI) collection and processing solutions TURMOIL, XKEYSCORE). Instead, metadata and full content derived from the authorized intercept will be produced using Commercial off the Shelf (COTS) processing solutions. If these COTS processing solutions involve components developed at expense and used, primarily, for NSA's Cyber survey purposes, the 830 will make care?il and informed decisions prior to authorizing use of these components. TO USA, VEY SECURITY CLASSIFICATION TO USA, FVEY secum'rv CLASSIFICATION Page 3 of 4: CATS 2012-704 TO USA, FVEY) Support to the FBI for Implementation of their Cyber FISA Orders Prior to authorizing use of the extensive secure Wide Area Networks established at the two primary providers (cover terms, LITHIUM and ARTIF ICE, respectively) as the end-to-end data delivery infrastructure to connect intercept and processing locations with the FBI's designated Cyber data repository at the Engineering Research Facility, Quantico, VA, 880 will make careful and informed decisions to ensure this capability is undertaken on a 100% non-interference basis with NSA's current and future data backhaul needs on these same networks. All data (metadata and/or content) collected under the auspices of these ISC orders will be forwarded securely and directly to the designated FBI repository. The ISC orders do contain a provision, as follows: personnel participating in this joint investigation may have access to raw data prior to minimization." However, access to raw data by NTOC members of the NCIJTF will be facilitated under the purview of the FBI and not through any actions that $80 might take as the collected data passes through NSA's secure Wide Area Networks. Should the BI's cyber orders from the ISC be modified in the future to authorize raw data retention by NSA, $80 will coordinate with all cognizant NSA offices Data Governance, OGC, SV) to ensure the proper data delivery mechanism is put in place. Should the FBI require a sustained and high-level of dedicated analytical resources cleared, technical manpower) at the providers in order to optimize the collection effectiveness of their and content orders, they will contract for those services directly with the providers. If, on the other hand, the BI's requirement for provider analytical support is more ad hoc and aperiodic in nature during the period of time these orders remain in effect, 880 will make careful and informed decisions prior to authorizing labor charges against the relevant SSO contracts with the providers for these services on behalf of the FBI. Any charges that cannot be justi?ed as necessary for NSA purposes will not be made unless/until FBI agrees to reimburse NSA. DISCUSSION: If SID decides to approve the requested assistance, 830 will assist the FBI in effecting any cyber orders submitted to it after the has veri?ed that each of them contains language permitting NSA's involvement. As stated in Attachment 1, NSA will have the opportunity to review and respond to any proposed use of ISA?derived information from these collections prior to the Attorney General authorizing the use of such information in any criminal proceedings. The assistance 580 is being asked to provide to the FBI will not preclude NSA's SIGINT targeting of these same fully-quali?ed, overseas IP addresses under the auspices of the FISA Continued. . . TO USA, FVEY sa?i'inrv CLASSIFICATION TO USA, FVEY secuam' CLASSIFICATION Page 4 of 4: CATS 2012-704 TO USA, FVEY) Support to the FBI for Implementation of their Cyber FISA Orders The assistanCe 880 is being asked to provide to the FBI will not preclude SIGINT targeting of these same fully-quali?ed, overseas IP addresses under the auspices of the ISA Amendments Act (FAA) of 2008. To the contrary, the relatively recent discovery of these FBI Cyber FISA orders and the countless pages of SIGINT-derived evidence that was cited in the respective Applications to the FISC have already formed the basis for a dialog between OGC and the Department of Justice's National Security Division. (C) DIRECTOR, SIGNALS INTELLIGENCE DECISION: CONCUR: 5g QMAE 5 827??/ 5/ NON-CONCUR: DATE: TO USA, FVEY SECURITY CLASSIFICATION CNO LEGAL AUTHORITIES Office of General Counsel Ob'ectives for Toda?s Brief Overview of SIGINT law Overview of Information Assurance Law What d0 1 need to know? How do 1 apply this Stuff to what I?m doing? llelpful Questions What authorities are being used to collect the information that I?m looking at? Where is this information being collected? SIGINT platforms? Tutelage sensors? ?Collateral Source? Who will receive access to the collected information? What retention and dissemination restrictions apply to the collected information (9.9., SIGINT Procedures, Service Provider Rules, eta)? The Imortance of ?Purose? The urose governs the restrictions imposed upon the collection. If they get nothing else out of the briefing, they need to know and remember that SIGINT is collected for (F I) purposes and they must apply the SIGINT (Fl) rules (PISA and USSID SP0018) to all raw SIGINT and collection is done for system/data security purposes and they must apply (for now, though IAD is coming up with their own procedures like USSID 18) DOB regulation 5240.1-R and the rules to stay within the Wiretap Act Service Provider exception. COMSEC collection by JCMA is typically done for security purposes and follows National Telecomms and Info Systems Security Directive (NTISSD) 600. (U) Key Authorities Restrictions Linited States Constitution Lxecutive Order 13333, lntelligence Activities? Intellieence Directive ?Signals intelligence? National Security Directive 43, ?National Policy for the Security 01 National Security Telecommunications lnlormation Systems? l?itle ol the ()mnihus (Irime (jontrol Act ltitu??, as amended by the Electronic Communications Privacy Act of 1986 (18 U.S.C Sections 2511-2521, 2701-2711) ?Federal Wiretap Act? l-?oreigtt Intelligence Stu?yeillance (PISA) as amended by the FISA Amendments Act (FAA) ()ther l-?ederal [ans DOD Regulation 5240.1-R and SP0018 (NTOC and ANO) were not given any additional authorities. The idea is to use the same authorities more effectively and take advantage of the same expertise (analytical and technical) that is used to defend and exploit. (U) US. Constitution Article 11 (Power) ?The President shall be Commander in Chief of the Army and and conducts foreign affairs. Article II power not unlimited. (U) Executive Order 12333 ?United States intelligence Acthities," dated December 4, 1981(as amended by EU. 1328-1 2003 13355 2004 and 13-170 2008 SECDEF. in cm3rdination with DNI. is executive agent for SIGINT. See Section 1.10( DIRNSA is the functional mana<1 er l'or SIGINT. See Section DIRNSA is the National for National Securitv Svstems and is responsible to SECDEF and DNI. See Section No other department or agency may conduct signals intelligence activities, except as otherwise deleated the SECDEF, after coordination with DNI. See Section Collection done in accordance with procedures approved by the Attomev General. See Section 2.4. 18 Assist Law Enforcement and other Civil See Section 2.6. The collection done by electronic surveillance and using monitoring devices, requires procedures. Procedures established by the head of the IC element and approved by the AG, after consultation with the DN I must protect constitutional and other legal rights and limit use to lawful governmental purposes. Assist LE and other Civil authorities. has procedures in place to provide assistance. These procedures provide protection of SA resources, equities, sources and methods. Differentiate Reporting for lead purposes and use for LE. For instance, disseminate SIGINT to FBI re the fact that a foreign intruder is in a US system; FBI may start their own investigation (which could start as a investigation because believe to be foreign before turning to a criminal investigation.) **If the SIGINT system incidentally collected a US hacker conducting intrusion activities, give to OGC who will have to report a potential violation of US law (The Computer Fraud and Abuse Act.) Also, SIGINT must avoid any further collection of that US person hacker** From IAD side, can provide threat reports or OGC can report a violation units of the military for investigation if an intrusion is seen in the systems. IAD could not assist without a request for technical assistance (and a warrant from the units) if a specific system user is under investigation. Authorit to conduct CNE (5) E0 12333 assigns NSA the Signals lntelligence Mission, which includes COMINT and in turn CNE. (U) CNE evolved as a natural transition of the foreign intelligence collection mission of SIGINT. As communications moved from telex to computers and switches, NSA pursued those same communications. (U) 2 type of CNE activities: (U) Collection Activities? designed to acquire foreign intelligence information from the target computer system. (S) Enablin Activitie?? designed to obtain or facilitate access to the target computer system for possible later CNA, or force use of alternate communication systems. CNE has evolved as a natural transition of the foreign intelligence collection mission of SIGINT. COMINT mission includes CNE. Two types of CNE activities: the collection of 1, CI, SMO information and enabling activities that allow access. Collections activities are those designed to acquire foreign intelligence information from the target computer system and enabling activities are those activities designed to obtain or facilitate access to the target computer system. Constitution Fourth Amendment The right of the people to be secure in their ersons houses a ers ande ects a ainst unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized. Applies to SID and IAD. Purpose is to protect USPS from unreasonable searches and seizures by the U36 and employees, contractors and military or Agents of the Government. Can go over the fact that in ones personal life, a person can do whatever s/he likes unless there is a law against it. In contrast, the U56 is only allowed to do what it is authorized to do. Supreme Court Cases Olmstead v. US. (1928) Katz v. US. Prior to ?67, Gov could surveil/intercept comms as long as didn?t make physical intrusion into constitutionally protected area home) Describe cases. 10 Electronic Surveillance Supreme Court rules ELSUR is a search and seizure under the 4th Amendment to the US. Constitution. . Depending How it?s done. Where it?s done. Aiainst whom it?s done. Wh it?s done. 11 Electronic Surveillance History Privacy rights developed in case law Court determines electronic surveillance is a search and seizure under the Amendment Statute passed in 1968 (Ominibus Crimes Control and Safe Streets Act?the Wiretap Act) Scope Purpose was to give LE procedures to allow Electronic Surveillance for Law Enforcement purposes Congress also knew intelligence agencies and government required to do ES for F1 and Comsec purposes. Service providers needed to do surveillance of their own systems. More exceptions written into the law. (U) Federal Wiretap Act Crime to intentionally intercept or endeavor to intercept or procure any other person to intercept any wire, oral, or electronic communication. Crime to intentionally use or disclose or endeavor to use or disclose to any other person the contents of any wire, oral, or electronic communication 11? they know or have reason to know that the interception violated federal law. Fed statute starts by saying it is illegal. 13 (U) WIRETAP EXCEPTIONS Interception fo_rl'oreign intelligence mses permissible if conducted in accordance with Foreiin Intelliience Surveillance Act and/or other applicable procedures. Interception with prior consent of one interceted communication is OK under federal statute but be aware of state two?party consent statutes if acting in private capacity. -Will talk about the FI exception when briefing SIGINT rules -Consent?for IA and F1. Scope of consent matters. Drives expectation of privacy. (But see Long case.) Also, the system consent banners do n_0t mean that there is consent for NSA SIGINT to stan looking at systems for I purposes. SIGINT consent BEFORE tasking any US identifier, to include DOD, as a single selector for SIGINT system SIGINT consent is two fold: 1. the actual consent, and 2. approval of the purpose of the consensual SIGINT collection by For Soaring Eagle, NSA has SIGINT consent from STRATCOM Commander for the DOD NIPRNET and SIPRNET systems and data. NSA has SIGINT consent from DIA for JWICS systems and data. Service Providers?providers need to see if email got to the right place. Make sure bandwidth being used properly, not being stolen etc. Are limited to purpose. Once a target is identified and there is another purpose C1 or LE) talk to OGC. Trespassers-used when a service provider asks another service provider for information on an intruder one hop out. Can View trespasser info for LE, intel, system protect purposes. 4 requirements: need system owner permission; act under color of law; only trespasser?s comms, not legit user; stop when investigation purpose done. 14 (U) WIRETAP EXCEPTIONS CCWISEC Monitoring by US Government personnel is permissible if conducted in accordance with Attorney General-approved procedures (see NTIS SD No. 600). Service uroxs?iders may intercept or monitor communications on their systems 1) to ensure the systems are functioning properly or 2) to protect their rights or property in their systems. -Will talk about the FI exception when briefing SIGINT rules -Consent?for IA and F1. Scope of consent matters. Drives expectation of privacy. (But see Long case.) Also, the system consent banners do n_ot mean that there is consent for NSA SIGINT to Stan looking at systems for I purposes. SIGINT consent BEFORE tasking any US identifier, to include DOD, as a single selector for SIGINT system SIGINT consent is two fold: 1. the actual consent, and 2. approval of the purpose of the consensual SIGINT collection by For Soaring Eagle, NSA has SIGINT consent from STRATCOM Commander for the DOD NIPRNET and SIPRNET systems and data. NSA has SIGINT consent from DIA for JWICS systems and data. Service Providers?providers need to see if email got to the right place. Make sure bandwidth being used properly, not being stolen etc. Are limited to purpose. Once a target is identified and there is another purpose C1 or LE) talk to OGC. Trespassers-used when a service provider asks another service provider for information on an intruder one hop out. Can View trespasser info for LE, intel, system protect purposes. 4 requirements: need system owner permission; act under color of law; only trespasser?s comms, not legit user; stop when investigation purpose done. 15 Other Federal Laws Computer Fraud and Abuse Act Illegal to obtain unautltot'i/cd at ms or tint/tor i/cd tit to am prom lt'tl oinputt't'. Does not apply ifgenerally available to the public using legitimate kno wl edge/"t ool ervi ces. If going beyond what is publicly available, it is considered CNE and USSID DA3655 and all SIGINT rules apply. ix ll cue/Mimi similar to luu'. Includes non-communications data. non-attribution. covered accounts are for open source research. not CNE (NSA Policy 6-6) Eliciting in/brination disclosure o/?gov affiliation is not allowed. mission?related research at home is an OPSE concern -Line between open source and unauthorized access a fine one sometimes. E.g. facebook pages only available to friends and family are not publicly available etc. Can also use an analogy-if don?t lock door, doesn?t mean it is an invitation for intruders to come in. If a default password is being used by a less than competent Admin type, it still would not be publicly available. -Be aware if using info only gained from SIGINT or other special collection to access/monitor US systems, often will not be publicly available. -If going beyond authorized access for I purpose, SIGINT rules, to include ISA law, and TAO USSID applies. F4, monitoring device on computers in the U.S. applies. -If doing stuff at home, outside the scope of employment, may be subject to the federal law (no exceptions apply. -N SA was granted authority from the President to collect not only COMINT but any other data at rest on a foreign target computer while conducting out CNE missions. (Also have a delegation from SECDEF for room audio and video.) -Open source policy: Eliciting info while under cover has undisclosed participation issues and Privacy Act issues; even some open source research is not done from home for opsec concerns. Have uncovered and covered accounts for publicly available info research. 16 Intel Community History Church/Pike Commissions investigate Intelligence Community Abuses of power found Describe Shamrock, Watchlisting, narcotics collection. Computer Security Act ?87. E0 12333 gave DIRN SA the comsec mission for the fed government. Congress concerned that an intel agency had authority over traditional civilian agencies (with personal information like the social security administration, the IRS etc) so Congress passed the CSA and gave the developing standards and guidelines for the security of non-national security systems to Commerce?s National Institute of Standards and Technology (N IST). Gave SA authority over national security systems. 17 SICINI Congressional Inquiries into the IC Committees Found 51 GIN information TO, FROM, and ABOUT US. Citizens was: Improperly Collected Improperly Retained Improperly Disseminated Look at USSID SP0018. There is a section on Collection, retention, dissemination. If in compliance with USSID, are in compliance with amendment in each of these activities. 18 Committee Findins and Results of lnvestiations Termination of illegal collection activities Executive Order requiring the establishment of procedures relating to US. person information Greater Executive and Legislative Oversight 19 Congressional/Executive Response to IC Abuses Federal Law Foreign Intelligence Surveillance Act EO. 12333 Intelligence Activities Executive Order Dod 5240.1-R and USSID Regulations and Sp0018 . . Procedure-5 Minimization Procedures ISA only applies to the collection. rules incorporated into USSID SP0018 which is supposed to be the working document. 20 Core SIGINT authority From E0 12333 0 to collect, process, analyze, produce, ana disseminate signals intelligence information and data to support national and departmental missions and for: - foreign intelligence: -counterintelligence.? or - the conduct of military operations. All the front end selectors and queries on SIGINT raw traffic databases are based on requirements given to SA by DNI or secdef. The National Intelligence Priorities Framework. SIGINT committee validates the requirements. Info Needs from customers based on SIGINT requirements and clarify the broader SIGINT requirements. Change in the ED. 12333 allows the IC agencies to take into account the responsibilities and requirements of State, local, and tribal governments and, as appropriate, private sector entities, when undertaking the collection and dissemination of information and intelligence to protect the US. See Section 1.1(f) This probably applies to both SIGINT and IA information but SA would still not typically disseminate directly to those entities, due to classification law and requirements and protection of sources and methods (mainly from the SIGINT side). A cut-out fed gov agency can help sanitize the information. Sanitization is different than the ?minimization? procedures that are required. The latter is for protection of sources and methods, the latter for protection of USP information privacy rights. 21 SIGINT Taretin/Collection NSA has "core" authority to intentionally target the following: Persons, who are located overseas, (C) for the purpose of collecting Foreign intelligence, Counter Intelligence and Support to Military Operations information (Fl purposes). 22 REMEMBER if it?s SIGINT rules/procedures: USSID SP0018 Purpose is to balance . . . The Government?s need [or foreign intelligence information with Individual Privacy Rights In a way that is . . .Speei/ie enough to be useful But not so spet'i/it? so that each new technology renders it obsolete 23 SIGINT Targeting Specific Communicants USSID SP0018 Section 4 The Four Rules Foreign Persons outside the US interest fair game No Foreign Persons in the US. (unless diplomatically-immune and using passive collection) must have Attorney General approval No US. Persons in the US. without a Court Order No US. Persons outside the US. without Court Order It is the communicant that matters. Do you have a foreign communicant overseas? If you have foreign hacker using a US computer, can develop selection strategy to collect the foreign hackers comms using a US computer similar to targeting, for instance, Equipment does not have expectation of privacy. may use a US IP address in conjunction with a selector that will collect only the foreign intruder?s comms on, not any legitimate USP user of, that US computer. May not intentionally target a known USP communicants in the US. Contrast: May query on US IP address in for system protection mission but may n_ot query on a US IP address as straight hit in SIGINT. Will get legit users of the US computer with that IP address. Can query/select in the SIGINT collection, foreign IP addresses found in Bluesash. Same technology looks for intrusion signatures in Bluesash/Tutelage and SIGINT. Can share technology. masterworks is SIGINT collection technology called Cynecs when deployed to Bluesash sites. Strickler (Sigint Tickler)/Tickler the same.) -If making federated queries, the most restrictive (SIGINT) rules apply. Therefore, data repositories must keep data sourced so that know what procedures to apply to the data but also so that can make queries on just Bluesash/Tutelage (least restrictive), just SIGINT or on both. Keep data sourced arcsight has the data color coded by source) so that know which procedures to apply to which data. SIGINT procedures must be applied to SIGINT data; IA procedures to the 1A data. 24 Targeting Issues Presumptions (If no other in/Ormation is available) In the U.S., then US. person Outside the U.S., then foreigner E.g. all that is known is that the hacker came from/through a Pakistani ISP. Presume is foreign. If all that is known is that the intrusion is from a US ISP, then presume is a USP. SIGIN Targeting Issues U.S. Person Information (need additional authority) (Did not know Person) (Legitimate [Oreign target; acquire US. Person REVERSE Target foreign entity to intentionally acquire U. 5. Person -No a USP communication without additional authority. -If used a presumption, and you find out you have been communcations to/from/about a USP, then must stop collection (or get the correct authority), cancel reports, and report in the IG quarterly. -Incidental collection, then apply the dissemination procedures. -Cann0t target a foreign entity just to acquire USP communications. When targeting the foreign hacker and using a US IP address in conjunction with the foreign hacker signature, that is not reverse targeting. Your collection is focused on the foreign hacker communications, what the foreign hacker is doing and what data the foreign hacker is stealing. There are no legitimate USP comms and it is impossible to know what or whose data the foreign hacker is exfiltrating. 26 US Government Communications Communications to or from any officer or employee of the US Government, or any state or local government may not be intentionally intercepted and must be destroyed upon recognition. Excmtion to the destruction requirement include anomalies that reveal a otential vulnerability to US communications security. Get a destruction waiver and authority to disseminate the US person information. If there is no legitimate USG communicant, there is no USG communications. That is different than collecting a foreign intruder stealing a bunch of USG information. All that USG information is incidental. USSID SP0018 5.4.c. and d. Other exceptions include: Significant foreign intelligence or evidence of a crime or threat of death or serious bodily harm to any person. This section also talks about USP to USP communications and US-US communications destruction requirements. 27 US Government Communications If a foreign intruder is just using a US computer and is not communicating, with any legitimate US Government official or employee, it is not considered to be US Government communications; report following dissemination procedures. Socially engineered emails to US Government or officials ARE US Government communications. Targeting by Subject Matter USSID SP0018, Section 5 Applies to the use of selection terms to communications on the basis of CONTENT, not necessarily on the basis of the IDENTITY of the communicants Covered in the ?Processing? Section of SP0018 E.g. hacker signatures. Hacker signatures pull in a lot. Focus on foreign target use of intrusion capabilities. Defeat out any USP use of the hacker signature. Worst thing NT 0C could do is to turn the SIGINT system to collect against a USP hacker. It is not basically doing surveillance for LE purpose without warrant. If incidentally collect information on USP hacking into a protected computer, this is a violation of law that should be reported to DL violations for OGC to refer. Do not want to see any/many of these. 29 Targeting by Subject Matter USSID SP0018, Section 5 No selection terms that are reasonably likely to intercept or have intercepted US. person communications UNLESS there is reason to believe that Foreign Intelligence will be obtained 3O Targeting by Subject Matter USSID SP0018, Section 5 Selection terms that have intercepted or are likely to intercept U.S. Person communications MUST BE DESIGNED (to the greatest extent practicable under the circumstances) to DEFEAT communications that do not contain foreign intelligence Pay attention to what is being collected. SA has a positive responsibility to defeat out to the extent possible collection of USP comms. 31 (S) SIGINT Dissemination Procedures (USSID SPOO 18, Section 7) Incidental USP information in valid collection, apply ?minimization? procedures ?Minimization? means, prior to disseminating any information obtained through collection, evaluate information for foreign intelligence and decide if any incidentally acquired US person information is suitable for dissemination. The information to, from, or about a USP must be necessary to understand the F1 or assess its meaning in order to not minimize. -Can query in Bluesash/Tutelage on IP address seen in SIGINT without it being a dissemination of the SIGINT raw traffic. If decide to task that US IP address in Bluesash/Tutelage on the deny list) then it is a dissemination of a US identity and must get SIGINT dissem approval. NTOC has upfront dissemination authority for intrusions into .mil/.gov systems. Need to alert ITF-GNO, DISA, the network owner of intrusions in a timely manner and the IP addresses intruded into are necessary to understanding the intell 32 (S) SIGINT Dissemination Procedures (USSID SP0018, Section 7) If necessary, include the USP information, focusing on the Fl, but only disseminate the actual USP identity with appropriate level dissemination authority. (.mil) ldents in is a good source. ACCESS and RETENTION to Raw Traffic containing USP information-USSID SP0018, Section 6 5 Years on?line up to 10 years off-line?historical searches Retention exceptions determination, tech data, evaluated data) E.O. 12333, Section 2.3 Limited to SIGINT droduction Jersonnel Recognizes intrusiveness of SIGINT Maintains SIGINT within community of individuals trained on Amendment Procedures FISA Overview FISA Definitions U.S. Persons US. Citizen Permanent Resident Alien (Green Card Holder) Corporations (incorporated in the US.) Associations (primary membership composed of US. persons) U.S. ?agged ships/aircraft definition) 36 FISA Definitions Foreign Power A foreign government or any component thereof A faction ofa foreign nation An entity openly acknowledged to be directed or controlled by a foreign government(s) A group engaged in international terrorism A foreign based political organization 37 FISA Definitions An officer or employee of a foreign power A spy, terrorist, saboteurs, aider/abbettor, or conspirator e.g. USP hacker not included unless can show state sponsorship. Then get appropriate approval. If a USP is the hacker, it is a law enforcement issue and should be referred to OGC. Other 1 requirements for alien smuggling, narcotics, organized crime, gun running, money laundering are similar. If a USP was involved, could not target unless working for a foreign power or also a spy, terrorist, saboteur, or aider/abbettor/conspirator. 38 ISA Restrictions (S Sl REL) l?ederal Lau Regulates the collection ol loreign intelligence il it lalls into 1 ol 4 categories ol ?electronic surveillancez" 1. (F1) Intentional collection of the communications sent by or intended to be received by a particular, known US. person who is in the United States. 2. (F2) Wiretaps in the United States. 3. (F3) The acquisition of certain radio communications where all parties to that communication are located in the United States. 4. (F4) Installation. and use of a device in the United States for monitoring ol inlormation in which a person has a reasonable expectation ol privacy. NTOC I believe has a ISA on the?in order to collect- intrusions into the-network. F4 is where CN usually falls. Other devices includes accessing/CNE against a computer located in the US. 39 FISA Amendment Act (FAA) of 2008 6304 The Amendment Act was signed into law by President Bush in July 2008. FAA replaced the Protect America Act (PAA) (also known as Modernization"). PAA was signed into law on Sunday, 5 August 2007, amending the FISA act, for a period of 180 days (until 15 February 2008). PAA Established a standard and set the stage for FAA. 40 FAA The new FISA Amendments Act (FAA) modified the FISA to include changes to collection that: 1. falls into categories 2-4 of "electronic surveillance? and the target is a non-US Person outside the US. (collection off a provider. 2. targets a US. Person FAA is Title VII of the FISA. It includes: - targeting non USP outside the US. collection inside the US. with service provider assistance. - m. USP outside the US. collection inside the US. with service provider assistance. - 704. USP located outside the US. collection outside the US. without service provider assistance BO. 12333 collection; old 2.5 authority) - mi, USP with concurrent FISA collection inside the US. (M. i.e. l1 authority) and collection outside the US. without service provider assistance (705b, i.e. BO. 12333 collection: o|d 2.5 authority). FAA section 702, foreign governments certification: NTOC uses the authorit to tetget hat wete to the? NTOC wants another 702 certification to target foreign hackers outside the US for I purposes. Because attribution is hard, just having to prove foreigness and an I purpose is especially useful to NTOC. However, the selectors will likely not be the hard/strong selectors Do] is used to. 41 SIGIN Targeting Specific Communicants Foreign Persons outside the US. of interest Examples: 1. US address used by itself 2. US IP in conjunction with an Intrusion Signature 3. - PKI certificates 1. Request to select based on a foreign hacker signature in conjunction with a DOD military IP address. Nothing seen in SIGINT. The SIGINT system doesn?t see everything. Collection architecture has to be in place. So, without asking, analyst put the DOD military IP address in as a straight hit and obtained hundreds of hits. 2. PKI certificates were compromised. In SIGINT without additional authority, may look for revoked certificates because no legitimate person should be usin . Can also look for valid certificates only in con'unction with theh signatures so will only collect the?using the certificate (but will not find new uses of-ise of the certificates.) My not look for expired certificates because the legitimate person could renew. May not look for valid certificates without obtaining the person?s consent. 3. Had incidental collection of an* using an army email address and getting into army systems. May co ect against that army email address because had evidence that it was being used by a foreign person outside the US. Reported to the army on the intrusion. Wanted to collect for a short while to see what the foreign target was doing/after. Unfortunately, after two weeks, a legitimate army person also started using that email address. Now we have USG comms. 42 Information Assurance Legal Framework Executive Order 12333 is the National Mana er for National Securit S/stems and is responsible to SECDEF and See Section National Securit I Directive 42, ?National Policy for the Security of National Security Telecommunications Information Systems? Regulation 5240.1-R Governs collection of USP information by (U) National Security Directive 42 President designated as the ?National Manager" for National Security Telecommunications and lnl'ormation?s Systems Security. Among other things, directed to assess the overall security posture of and disseminate inlormation on threats to and Vulnerabilities oi national securiu sx stems. Establishes, inter alia, policies and organization to protect national security systems that process: - Classified information - Intelligence activities - Ct'yptologic activities - Command and control - Weapon or weapons svstem - or intelligence mission. except for systems used for routine administrative and business applications. SS includes unclass systems if involved in intel activities, military or intell missions (includes monitoring because includes IPRNET.) However, SS does not typically include those systems supporting National Security Systems: Personnel, financing, accounting systems typically not E.g. Centcorn commander uses electrical power grid of central Florida. Not a national security system but may look at whether or not has a direct contract with centcom which can bring them under the SS rubric. 44 (U) National Security Directive 42 Continued Disseminate all?source inlormation on threats to LB national securitx stems. (NSD-42, NSA may monitor l\'SSs ithout a request lor technical assistance or request lor a \?ttlnerahilitt assessment from the system owner. Includes requests for monitoring, red teaming, blue teaming, system forensics. it above request made ol~ NSA then must have certification from the system owner that there is a notice and consent policy in place, ol~ the activity must fit within Service Provider rules and 1A procedures. Requester may ptit restrictions on the collection/monitoring, access, retention, use or dissemination contained in Ground Rules. Ground Rules are established to between SA and the requester. must follow the service provider rules to stay within the exception, regulation 52490.1-R AND the Ground Rules for this activity. being done for JTF-GNO and also Soaring Eagle is strictly under Service Provider (JCMA still will need a legal cert in order to be legal.) 45 (U IA rocedures: Service Provider rules and Re 5240.1-R Includes DOD NISIRT monitoring must be consistent with ensuring system functionality or furthering the protection of the service provider?s rights and property in their systems/network. ls USP information disclosure necessary? Retention of USP information limited (90 days per Regulation 5240.1-R or in accordance with the agreed upon Ground Rules.) -N SA is the service provider for SA net and DOD IPRNET monitoring per Instructions 0-8530.1 and O-8530.2) -Disclosure of foreign intrusions to SID is fine under the service provider rules. All foreign comms intrusions into are suspect and can be disseminated for SID to help find out attribution, how intrusion works etc. -Access and dissemination are part of disclosure of the data and must be for ensuring system functionality/protection of the provider?s rights and property. -Dod regulation allows collection/retention of USP information that arises out of a lawful comsec investigation. However, SA must determine that the USP information fits within that criteria within 90 days. -**The Ground Rules may have different retention periods. Oversight and Compliance policy (IAD Management Directive 20) 46 (S) Global Defense of US Networks 0 IA authorities allow NSA to monitor or other national security systems for indications ol~ inaliciotis activity in response to a request from the system owner. and disseminate that information iaw procedures. The Coin niter Security Act ol? 1987 (as amended by the FISMA) requires NIST to collaborate with NSA and does not preclude NSA from providing security support to Federal departments and agencies outside the national security sector. In a .Vlemorandum ol~ Understanding dated March 1989. NIST and NSA agreed that NSA could upon request by Federal agencies. their contractors. and other government-sponsored entities conduct assessments ol? the hostile intelligence threat to Federal information systems. provide technical assistance. and recommend products and solutions to secure systems against the threat. *1 ?ollon's the IA procedures for technical assistance to other agencies -Many players in the CND/cyber security. The difficult managerial task is to make the respective authorities and monitoring systems work well together since, to be effective, network defense has to be efficient and timely. -Tech assist outside SSs-Also Executive Order 12333, which was revised in July 2008. Sections 2.6(c) and permit SA to provide specialized equipment, technical knowledge, and assistance of expert personnel for use by any department or agency and render any other assistance and cooperation to civil authorities not precluded by law. Any provision of assistance of expert personnel must be approved in each case by OGC. 47 (S) Global Defense of US Networks 0 National Securit Presidential Directive 54/Homeland Security Presidential Directive 23 (signed in January 2008) applies to all Federal Government information systems except national security systems and information systems. 0 Under an implementation plan signed by the President in August 2008, NSA is to provide DHS with the same technological capability that uses to protect systems. Because the capability involves classified information, it constitutes a national security system and NSA will provide technical assistance to DHS at its request. The Comprehensive National Cybersecurity Initiative (CNCI) also called the cyber initiative is directed in NSPD 23 and the implementation plan. DHS is lead and it only covers federal government systems, not commercial. NSA is just providing technical assistance and services. Technical services typically refer to the SA will perform for DHS. NSA may not keep any of the data sent to NSA for (with the exception of some keys necessary for services). SA may not monitor .gov communications. If DHS is going to request technical assistance from NSA to look at .gov traffic, certain certifications and oversight must be done first. It may be that SA could detail an analyst to DHS. PL. 108-458, 118 Stat 3638, 17 December 2004. 48 (S) Global Defense of US Networks DHS or other federal agencies can use standard service provider authorities to monitor .goy networks for indications of malicious activity Owners or operators of privately owned critical infrastructure systems can use service provider authorities to monitor their networks for indications of malicious activity but no federal agency has been provided general authority to perform such monitoring for privately owned networks. (8) Global Defense of US Networks 0 STRATCOM has been delegated CNA and CND-RA authorin to attack foreign targets that threaten US interests . 0 SECDEF in Nov 2009 placed Joint Task Force-Global Network Operations (JTF-CNO) under the operational control of Commander, CYBERCOM DIRNSA is now dual hated as Commander CYBERCOM 2010?). role is not Defensive collection: authorities allow to monitor foreign systems for indications of foreign L?yhel? attacks against US systems and disseminate that intelligence based on requirements. - The officer serving as the Director, Defense Information Systems Agency (DISA) will continue to serve as Commander of JTF-GNO and will remain responsible for providing the JTF-GNO network and information assurance technical assistance as required. (U) Additional Authorities is the the Executive Secretary for all DOD, Do], and 1C tleconlliction regarding computer netuorlx attaclx and exploitation activities. (Trilateral DOD, Do], and 1C dated April 2007.) SECDEF designated the officer serving as to be the (Iommantler, (IYBERCUM (Max 3010) As directed by Commander. USSTRATCONL CYBERCONI coordinates the development of. plans for. deconl'licts. and executes cvber warfare to achieve global militarv objectives JTF-GNO. OPCON to CYBERCOM. directs the operation and defense of the Global Information Grid SCEs under and JFCC-NW, esp in TAO ROC conduct CNE so those on the target networks day in and day out can be assigned to JFCC-NW for the time necessary to conduct the CNA activities. JFCC- NW issued memorandum allowing personnel to be detailed to JFCC-NW for the time necessary to conduct the CNA, then they revert back to doing CNE. These personnel can conduct CNE while conducting CN A. Personnel detailed to JFCC-NW get training on the execute order, standing rules of engagement, and supplemental rules of engagement. 51 G10bal__D_efense_gf_Ll?MM 0 The Federal Information Securitv lVlanagement Act FISMA left intact the roles assigned to NIST and NSA but provides the Office of lVIanagement and Budget (OMB) an expanded information security oversight responsibilities over all Executive Branch departments and agencies. required to set up a central Federal information security incident center which is US CERT. FISMA: 44 U.S.C. 3541 et seq., P.L. 107-347, 116 Stat 2899, 25 November 2002. The Intelligence Reform and Terrorism Prevention Act of 2004[1] required the President to create an information sharing environment for the sharing of terrorism information in a manner consistent with national security and civil liberties. The President was to designate a program manager responsible for information sharing across the Government who would issue standards, procedures, and guidelines for the operation of the information sharing system that are consistent with guidance from the President, OMB, and the DN1. Today, the program manager is in the Office of the DN1. 52 Global Defense of US Networks cont. Agencies with national security systems are to share information about information security incidents, threats, and vulnerabilities with US CERT to the extent consistent with standards and guidelines for such systems issued in accordance with law and as directed by the President. The Homeland Securit/ Act of 2002 gave the SECDHS wide access to information relating to threats of terrorism against the United States and to all information concerning the vulnerability of the infrastructtu?e of the United States, or other vulnerabilities of the United States, to terrorism. (S) Implementing the PROCEDURES You are targeting using a signature in SIGINT. You see that the put a troj an into the UMD web server. Can you query using the UMD web server IP address in Bluesash/Tutelage? You see in Bluesash/Tutelage that the UMD mail server sent a troian to the DOD NIPRNET. You believe it is a Can you task the UMD mail server IP address in 1. Yes, can look for anything suspicious in the IA data to protect the system. The initial SIGINT can be disseminated in a report if it satisfies a requirement. If task the Bluesash/Tutelage deny list, must obtain dissemination approval. 2. No, not as a direct hit but may use a-signature in conjunction with the UMD mail server IP address. 3. The collection is valid. The target is a foreign person overseas. No USG communications because the target is not communicating with a legitimate USG official or employee or even a legitimate USP. All the exfiltrated data is incidental. Use dissemination procedures. Because this type of exfiltrated data potentially can contain so much USP information, OGC advises that this type of exfiltrated data be segregated from the rest of the SIGINT raw traffic and is made availabe only to those who have the mission to collect/report on these types of foreign intrusions. The exfiltrated data does not contain any Fl other than what is reported in order to understand what the foreign hacker was seeking, and what the foreign hacker obtained for damage assessments. 54 (S) Implementing the PROCEDURES You are targeting an hacker has implanted a US companv?s commuter overseas. You are collecting the exfiltration of information and communications from that US company?s computer that contains communications between the US company and a US Government organization. Is the collection valid? Do you have USG communications. What do you do with the information? 1. Yes, can look for anything suspicious in the IA data to protect the system. The initial SIGINT can be disseminated in a report if it satisfies a requirement. If task the Bluesash/Tutelage deny list, must obtain dissemination approval. 2. No, not as a direct hit but may use UMD mail server IP address. 3. The collection is valid. The target is a foreign person overseas. No USG communications because the target is not communicating with a legitimate USG official or employee or even a legitimate USP. All the exfiltrated data is incidental. Use dissemination procedures. Because this type of exfiltrated data potentially can contain so much USP information, OGC advises that this type of exfiltrated data be segregated from the rest of the SIGINT raw traffic and is made availabe only to those who have the mission to collect/report on these types of foreign intrusions. The exfiltrated data does not contain any Fl other than what is reported in order to understand what the foreign hacker was seeking, and what the foreign hacker obtained for damage assessments. ignature in conjunction with the 55 Reporting Conventions Need to know what data you are working with. Need to follow the correct purpose/procedures for the type of data collected. If reporting both and IA information, must follow both rules. USSID 18 minimization is not sanitization. Policy governs sanitization to protect sources and methods. Important sometimes when have intrusion activity. 56 Oversioht Cont liance 'Oversight Compliance is everyone?s responsibility. 'Local management has responsibility to ensure day-to-day activities are carried out in accordance with applicable law and policy direction. piotetluies Inust he lot and dissemination. li\l) must he lot tollt'ttion it'tt'ntion and dissemination. Dissemination taking both sets of procedures into account can be done. 'Contrary to popular belief. it is usually smarter to ask permission first rather than seek forgiveness later. i( has personnel to questions. Refer to USSID SP 0018 and IAD Oversight and Compliance policy, IAD Management Directive 20. 57 Com ')liance on the NTOC floor 'Personnel from other organizations sit on the NTOC I'loor. NTOC has signed MoUs with these organizations granting the personnel ?dual-parent? authority. 'These personnel are working under NSA SIGINT and IA authorities (as well as their own ?parent? authorities) and max see the ram trallic. l\o Dissemination Ran trallic back to the orgaui?atious themselves, must follow dissemination rules. 'The sharable SIGINT raw tral'l'ic does include ran data derived lroni nor [-81 NBA. 'Any FBI PISA disseminated must retain the FBI PISA caveat on all lurther disseminations. The idea of the TOC ?oor is to allow all the personnel on the ?oor to be able to collaborate, indicate what information is relevant to their organizations mission and facilitate dissemination. However, dissemination back to the organizations themselves is a dissemination and must follow the dissemination rules. 58 Questions to REMEMBER What authorities are being used to collect information that I?m looking at? Where is this information being collected? SIGINT platforms? -Tutelage sensors? ?Collateral source? Who will receive access to the collected information? What retention and dissemination restrictions apply to the collected information (9.9., SIGINT Procedures, COMSEC Procedures, Service Provider Rules, eta)? QUESTIONS illance Purposes Law Enforcement l?oreign Intelligence 10 Service Provider Information 5v stems Admin. Security l{engations l?ederal Law US. Constitution 4th Amendment Electronic Communications Privacy Act Stored Electronic Communications Privacy Act (Iomputer I'raud and Abuse Act l'oreign Intelligence Surveillance Act Many federal laws in this area because of information privacy rights. Must follow the procedures that apply to the purpose. If mix purposes and procedures, may find themselves outside one of the exceptions to the federal laws. [SECPA-diminished Expectation of Privacy but still need supoena.] CF AA-prohibits intentional, unauthorized access to a ?protected computer? any computer that has been or is involved in interstate commerce to include foreign computers) Exceed authorized access-protect from insider threat included. Allows intel and LE and protect activities. For protect, still need permission from the system owner. 61 COMSEC Monitoring NTISSD No. 600 Telecommunications or information system?s ?owner? must request COMSEC services. Must certify existence of notification process that system?s users know that their use of the system constitutes implied consent to COMSEC monitoring. CONSENT BANNERS Dissemination of collected information usually done without attribution to a particular individual. 2 exceptions-passing of classified info. Evidence of a significant crime or it is necessary in order to mitigate the vulnerability. Used really only by JCMA Non attribution because purpose is to secure systems, not to be punitive. 62 (S) NSCID 6 is tasked with establishing an effective, unified organization and controlling all collection and processing activities of the United States so that it is effective, efficient, and coordinated. Toward this end, the Central Security Service (military was established under the in accordance with a plan approved by the SECDEF. includes Electronics intelligence (ELINT) and Communications Intelligence (COMINT). COMINT is technical and intelligence information derived from foreign communications by other than the intended recipients. Mention something about ELINT not having an expectation of privacy but is still bound by the mission of SA. 63 (U) Authorities Continued Develop Computer Network Attack capabilities, Not employ Conduct analysis of foreign information infrastructure systems for CNA technology development, Develop analytic modeling and simulation techniques to characterize vulnerabilities of information systems and effectiveness of developed CNA techniques. 'SecDef Memo dated 3 March 1997. Because NTOC works closely with JFCC-NW to provide support, provide info on other computer network related authorities at Meade. CNE and CNE enabling activities can easily be converted to CNA capabilities. purpose is to conduct or enable CNE. Sometimes fine line between CNE enabling and CNA. Look at purpose and what the capability does. Funding can be an issue. SA does not have authority to conduct CNA 64 (S) NSCID 6, dated 17 February 1972 DIRNSA responsible for the SIGINT mission of the United States, except for certain SIGINT activities conducted in support of clandestine CIA operations (NSCID 5) Pursuant to his SIGINT authority, DIRNSA has promulgated USSID SP0018 and other policies to govern the collection, processing, retention, and dissemination of SIGINT, especially SIGINT that includes US person information. (S) NSCID 6 COMINT activities shall be construed to mean those activities that produce COMINT by the collection and processing of foreign communications passed by radio, wire, or other electromagnetic means, and by the processing of foreign communications, however transmitted. Collection comprises search, intercept, and direction l?inding. Processing comprises range estimation, transmitter/operator identification, signal analysis, traffic analysis, study of plain text, the fusion of these processes, and the reporting of results. I don?t? go over this in any detail at all. The important piece is the definition and how the SCEs fit. SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW (U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative (U) Presidential Directive NSPD-54/HSPD-23, Cybersecurity Policy, established "United States policy, strategy, guidelines, and implementation actions to secure cyberspace." It includes a Comprehensive National Cybersecurity Initiative (CNCI), created to strengthen policies for protecting U.S. Government information and systems, clarify roles and responsibilities of Federal agencies related to cybersecurity, and explore how the Federal government might enhance its relationship with the private sector in order to better protect our critical infrastructures. The resourcing and implementation of the CNCI has been undertaken by the Federal government with a sense of urgency that reflects the nature and severity of the threat. The major "initiatives" within the CNCI are: Manage the Federal Enterprise Network as a single network enterprise, with Trusted Internet Connections that collapse the number of portals between government networks and the Internet; Deploy consistent intrusion detection capabilities across the Federal enterprise; Pursue deployment of intrusion prevention systems across the Federal enterprise; Catalogue, coordinate and redirect as appropriate cyber research and development efforts; Connect current cyber centers to enhance cyber situation awareness; Develop a government-wide cyber counterintelligence plan; Increase the security of classified networks; Expand cyber education; Define and develop enduring "leap-ahead" technology, strategies, and programs; Define and develop enduring deterrence strategies and programs; Develop a multi-pronged approach for global supply chain risk management; and Define the Federal role for extending cybersecurity into critical infrastructure domains by working with the private sector. (U) These major portions of the CNCI required strengthening key strategic foundational capabilities within the Federal government, hence the CNCI includes several strategic "enablers" that augment ongoing cyber-related activities at specific departments and agencies: SECRET//REL TO FVEY D-1 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW Ensuring adequate support to neutralize, mitigate, and disrupt domestic illegal computer activity; Increasing information assurance programs and activities; Increasing predictive, behavioral, information and trend analysis of foreign intrusion activities and computer network operational threats; Expanding and enhancing U.S. offensive capabilities in support of network defense; Increasing investment in U.S. Government cryptanalysis; Developing, deploying, and managing an intrusion response capability; and Monitoring and coordinating implementation of the CNCI. (U) Significant CNCI accomplishments to date include rapid progress on many of the initiatives and their strategic enablers; extensive engagement with the Congress; the development of a consolidated view of the disparate budget resources committed to cyber programs funded under national intelligence, military, information assurance, law enforcement, and civilian agency program budgets; and the initiation of key out-of-cycle resource and acquisition activities that would have been difficult within normal legislative appropriations schedules. As a consolidated portfolio scarcely more than one year in existence, the results achieved have been overwhelmingly positive, and although challenges remain, the objectives are clear and in keeping with the larger strategy. The Federal government should continue to go forward with CNCI implementation. (U) NSPD-54/HSPD-23 assigned responsibility for monitoring, coordinating, and reporting on implementation of the CNCI to the Director of National Intelligence (DNI), despite the fact that much of the CNCI portfolio falls outside of the Intelligence Community. The DNI has done a commendable and effective job using a Joint Interagency Cyber Task Force (JIACTF) created to carry out these responsibilities. The JIACTF uses a portfolio approach--complete with detailed performance measures and target achievement goals--for tracking the status of the 19 separate initiatives and enablers. Under this approach, the JIACTF serves as the central "steward" for oversight and monitoring, but unlike a traditional joint program management office, individual departments and agencies maintain responsibility for the development of business requirements, program management, and budgeting for each specific initiative and activity. (U) As anticipated by individual CNCI component implementation plans, much work remains to achieve the objectives of the CNCI program and of NSPD-54/HSPD-23. Progress has been uneven, and subsequent oversight must put greater emphasis on scalability and sustainability. While the "steward" model for monitoring and coordinating CNCI activities has been effective as a start-up approach for a complex, multi-agency portfolio, stronger central coordination and oversight will be required to ensure that the individual components are commensurately resourced and mesh effectively to attain the required joint operating capabilities. Only the White House has sufficiently broad authority to provide the required central leadership. JIACTF-like staff support would be necessary to sustain and strengthen the interagency coordination that has been a hallmark of the CNCI successes. Anticipated outcomes SECRET//REL TO FVEY D-2 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW would include more effective collaboration and development of joint standard operating procedures where needed; more fully integrated program acquisition and management; and accelerated opportunities for technology training and re-use. (U) The CNCI and associated activities identified by NSPD-54/HSPD-23 must evolve to become key base elements of the broader, updated national cyberspace strategy. Successful programs within NSPD- 54/HSPD-23 should proceed apace; other programs are keys to the overall success of the strategy but have not fully matured or achieved their anticipated results. Where necessary, "Go Forward" recommendations should endorse the objectives of these programs and provide new direction for resolving roadblocks as well as considering innovative alternatives to accomplish the objectives. (U) Status of CNCI Activities (U) The JIACTF, in its "monitoring and coordinating" role, has highlighted areas of concern with CNCI implementation and recommended areas for course correction and has highlighted successes within the CNCI that could be expanded as the program advances. The 60-day cyberspace review team, based on inputs from the JIACTF, the Office of Management and Budget (OMB), and the departments and agencies, makes the following observations about the various CNCI components: (U) Initiative #1. Manage the Federal Enterprise Network as a single network enterprise, with Trusted Internet Connections (TICs). Currently, Federal government networks have thousands of Internet access points that have proven to be too difficult to manage and secure. This Initiative, the primary purpose of which was publicly announced in November 2007,106 aimed to cut the number of portals between government and the Internet to fewer than 100, using the General Services Administration award of the NETWORX contract for telecommunications service and the Federal Desktop Core Configuration (FDCC) to implement secure desktop configurations. These program goals and timeframes have proven to be overly ambitious: the TIC and NETWORX consolidation initiative is behind schedule and unlikely to achieve its goal of delivering less than 100 connections either in short- or mid- term timeframes. (U) Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise. Intrusion Detection requires software to identify when unauthorized entities have gained access to computer networks. The Department of Homeland Security (DHS) EINSTEIN 1 software package offers "after the fact" analysis of network flow information from participating Federal agencies and provides a high-level perspective from which to observe potential malicious activity in computer network traffic. The updated version, EINSTEIN 2, incorporates network intrusion detection technology capable of alerting the U.S. Computer Emergency Readiness Team (US-CERT) in real time to the presence of malicious or potentially harmful computer network activity in federal executive agencies' network traffic based on specific pre-defined signatures derived from known malicious activity. DHS reviewed the legal and privacy implications of this system and published a Privacy Impact Assessment for EINSTEIN 2 on its website,107 thereby providing greater transparency for this part of the CNCI than for most of the other program elements. Unfortunately, EINSTEIN 2 was envisioned for deployment at the Trusted Internet Connections established by Initiative #1--and hence this Initiative's deployment schedule has slipped because of the slippage in the TIC and NETWORX consolidation. 106 (U) http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf (U) http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf 107 SECRET//REL TO FVEY D-3 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW (S//REL TO FVEY) Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise. Intrusion prevention requires a capability to not only identify intrusions in progress, but to block the attacker from successfully entering the network. Work is under way on developing EINSTEIN 3, a sensor-based system that will automatically block or otherwise mitigate the impact of attempted cyber intrusions. In practice, intrusion prevention is a capability required and routinely deployed by private industry, typically through managed security services offered by Internet Service Providers and Data Exchange Internet Exchange Points, and for home users through commercially available firewall and antivirus programs. The Initiative #3 plan offers advantages unavailable commercially, in particular NSA cryptanalysis and decryption services to address threats masked by encryption. The linkage of EINSTEIN 3 to the NSA Signals Intelligence system, similar to the system already being deployed to defend Department of Defense networks, raises civil liberties and privacy concerns that have significantly complicated EINSTEIN 3 development. The need for sophisticated intrusion prevention capabilities for government networks is beyond question. There also is a need for greater transparency and public dialogue on the means by which this will be accomplished, taking into account civil liberties and privacy concerns while remaining mindful of the need to protect from release any information that would allow adversaries to subvert U.S. defenses. Given the significant challenges facing this implementation as well as those of Initiatives #1 and #2, EINSTEIN 3 implementation should proceed with a) enhanced transparency and dialogue to address civil liberties and privacy concerns, and b) concurrent assessment of additional implementation concepts that could reduce risks to program implementation while meeting the goals and objectives of Initiative #3. (U) Initiative #4: Coordinate and redirect research and development efforts. No single individual or organization is aware of all of the cyber-related R&D activities being funded by the Federal government. This Initiative remains critical to determining whether there is redundancy, figuring out research gaps, and ensuring the taxpayers are getting full value for their money as we shape our strategic investments. Our review determined that a successful process has been created, and the government is beginning to identify shortfalls needing additional investment and those where overlap exists. (U) Initiative #5: Connect current cyber centers to enhance situation awareness. There is a pressing need to ensure that government information security offices and cyber operations centers share data as legally appropriate regarding malicious activities against federal systems in order to have a better understanding of the entire threat to government systems. This effort focuses on key aspects necessary to enable practical mission bridging across the elements of U.S. cyber activities: network connectivity, common information standards, and shared standard operating procedures. The review determined that full connectivity at all levels of data classification does not yet exist between the centers, and the continued use of disparate toolsets complicates the development of common situation awareness. The success of this Initiative requires reconsideration of its governance structure and its resourcing requirements. (U) Initiative #6: Develop a government-wide cyber counterintelligence (CI) plan, encompassing development of a plan across agencies to identify, analyze, share information, and respond as appropriate to foreign-sponsored cyber intelligence threats to the United States. This government-wide Cyber CI Program plan is aligned with the National Counterintelligence Strategy of the United States of America--which predates the creation of the CNCI--and supports the other programmatic elements of the CNCI. The plan is in place and execution is under way, although out-year funding remains a concern. SECRET//REL TO FVEY D-4 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW (U) Initiative #7: Increase the security of our classified networks. These are the networks that house the Federal government's classified and most sensitive information. A detailed implementation plan has been approved for some Federal government components, although issues surrounding the authorities needed to enforce the plan remain unresolved, as do funding concerns associated with government-wide implementation. (U) Initiative #8: Expand cyber education. There are too few cybersecurity experts within the Federal government or private sector to adequately implement the CNCI, nor is there an adequately established Federal cybersecurity career field to build upon. Cyber training and personnel development programs, while good, are limited in focus and lack unity of effort. In order effectively to address the scope of the cyber threat, we must develop a technologically-skilled and cyber-savvy workforce and ensure an adequate pipeline for the future. Our review concluded that the current effort is behind schedule, lacks focus, and requires additional senior level policy guidance. (U) Initiative #9: Define and develop enduring "leap-ahead" technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cyber security by orders of magnitude above our current systems and which are deployable 5 to 10 years hence. The Federal government has begun to outline Grand Challenges for the research community to help solve these hard problems, which require "out of the box" thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas. In this regard, the government has publicly issued three Requests for Input. 108 An approved plan is in place and is proceeding well, although some elements are behind schedule in implementation. (U) Initiative #10: Define and develop enduring deterrence strategies and programs. Senior U.S. policymakers must think through the long-range strategic options available to the United States in a world that depends on assuring the use of cyberspace. To date, the U.S. Government has been implementing traditional approaches to the cybersecurity problem, and these measures have not achieved the level of security needed. This Initiative is proceeding methodically to build an approach to cyber defense strategy that deters interference and attack in cyberspace using such tools as warning and communication of "red lines", roles for private sector and international partners, and appropriate response by both state and non-state actors. Outreach to a number of key constituencies that can contribute to the development of this strategy has been successful. Out-year funding remains a concern and implementation of the previously approved strategy is lagging. (U) Initiative #11: Develop a multi-pronged approach for global supply chain risk management. Today's information technology marketplace often provides insufficient software assurance, hardware assurance, or data integrity assurance. Risks stemming both from the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. Managing this risk requires greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; development and employment of tools and resources to mitigate risk technically and operationally across the lifecycle of products (from design 108 (U) As stated on the website of the Networking and Information Technology Research and Development (NITRD) Program, "*O+ver 160 responses were submitted to the first RFI issued by the NITRD SSG (October 14, 2008), indicating a strong desire by the technical community to participate. RFI-2 (issued on December 30, 2008) expanded the opportunity for participation by permitting submitters to designate parts of submissions as proprietary. RFI-3 presents prospective cyber security categories derived from responses to RFI- 1 for further consideration." http://www.nitrd.gov/leapyear/NCLY_RFI-3.pdf SECRET//REL TO FVEY D-5 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW through retirement); and development of new acquisition policies and practices that influence industry to develop and adopt supply chain and risk management standards and best practices. One significant Federal component--the Department of Defense--has issued policy guidance assigning roles and responsibilities and is proceeding to pilot implementation of its approach. This Initiative must continue with increased emphasis on expanding education about supply chain risks and on including more government and private sector communities. (U) Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. Dialogue about cyber security between the Federal government and the private sector (which owns and operates most of the U.S. critical cyber infrastructure) is essential and has been ongoing for well over a decade. It is widely accepted that the government needs to gain and share with the private sector an operational understanding of how adversaries create and exploit our cyber vulnerabilities, including an assessment of the extent and reach of these adversarial activities and informing the private sector of what is being targeted and, if possible, why. Progress is being made on multiple fronts, but the government's efforts are not well aligned and, as a result, create an undue burden on private-sector entities that wish to work with the government but cannot commit the resources necessary to participate in multiple forums. As a result, this Initiative should proceed while cataloguing current efforts, determining overlaps and gaps, and communicating in a more streamlined manner with industry. (S//REL TO FVEY) Strategic Enablers: Ensure adequate support to neutralize, mitigate, and disrupt domestic illegal computer activity. This law enforcement-led activity has made significant operational progress, especially with respect to the establishment and implementation of the FBI's National Cyber Investigative Joint Task Force. Increase Information Assurance programs and activities: This activity is making progress and is poised to serve as a model for wider Federal adoption. Increase predictive, behavioral, information and trend analysis of foreign intrusion activities and computer network operational threats: Foundational work to build the requisite workforce and analytic framework is under way consistent with the strategic plan. Increase investment in U.S Government cryptanalysis: Capabilities are under development. Develop, deploy, and manage an intrusion response capability: Substantial research and development is under way, and capabilities are being field tested within the Department of Defense's .mil environment. Monitor and coordinate implementation of the CNCI: The Joint Interagency Cyber Task Force model of a "steward" coordinating implementation has worked for the CNCI's start-up operations, but is not scalable or sustainable over the entire life-cycle of the program. It should evolve to a stronger central White House leadership effort. (U) The following table provides an overview of the status of the CNCI programs along with major recommended actions. The strategic goals of each of the CNCI programs are sound. An evaluation of SECRET//REL TO FVEY D-6 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW "Green" reflects that the strategy is sound and its implementation is proceeding as expected; "Yellow" indicates that progress is lagging and requires attention but that successful implementation of the strategy is still expected; "Orange" indicates that alternative strategies should be considered but work should continue in the meantime; "Red" indicates that implementation is so far off course that an alternative strategy is required. This table is S//REL TO FVEY CNCI Initiatives Initiative 1: Trusted Internet Connections Initiative 2: Deploy Passive Sensors Across Federal Systems Initiative 3: Deployment of Intrusion Prevention Systems Initiative 4: Coordinate and Redirect Research and Development Efforts SECRET//REL TO FVEY Recommendation Evaluation Review and re-baseline implementation schedule and approach Subsequent strategy must incorporate all connection types (SATCOM, Wi-Fi, Cable) Reconcile implementation timeframes with other Federal legislation (stimulus investments, omnibus budget provisions) Evaluate alternatives for achieving compliance with security objectives In light of Initiative 1 delays, continue Einstein 2 while evaluating complementary approaches to achieve Initiative 2 goals Engage Congress and private sector interests in public dialogue regarding intrusion detection approaches and U.S. Government requirements Engage Congress and private sector interests in public dialogue regarding intrusion prevention approaches and U.S. Government requirements Work with the Attorney General, OMB, White House, and the Office of the DNI to fulfill legal, civil liberties, and privacy requirements already described in implementation plans Assess additional implementation concepts that could reduce risks to program implementation while meeting the goals and objectives of Initiative #3 Continue as planned D-7 Orange Orange Yellow Green SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW This table is S//REL TO FVEY CNCI Initiatives Initiative 5: Connect Current Cyber Centers To Enhance Situational Awareness Initiative 6: Develop a Government-Wide Cyber Counter- intelligence Plan Initiative 7: Secure Classified Networks Initiative 8: Expand Cyber Education Initiative 9: Define and Develop Enduring Leap-Ahead Technology, Strategies, and Programs Initiative 10: Define and Develop Enduring Deterrence Strategies and Programs Initiative 11: Develop Multi-Pronged Approach for Global Supply Chain Risk Management Initiative 12: Define the Federal Role for Extending Cybersecurity into Critical Infrastructure SECRET//REL TO FVEY Recommendation Evaluation Yellow Identify resources to proceed with connectivity or for collocation of centers Develop integrated program/budget/ governance strategy for ensuring that individual tool capabilities may be acquired and used by all participants Establish data and product standards and an operational framework for common situation awareness and reporting Green Evaluate as objectives are reached Need to ensure agencies are programming funds for next program build in order to pay for activities Green Evaluate as milestones reached Need to ensure agencies are programming funds for next program build in order to pay for activities Red Completely reshape to include a strategy for national-level leadership, comprehensive training programs, and broad-based public dialogue Yellow Need to accelerate program activities Need to implement key recommendations from previously approved strategy Yellow Yellow Continue to identify pilot programs Determine resource requirements for threat evaluation support to all departments and agencies Evaluate existing legal framework for effecting rapid, threat-based procurement Yellow Accelerate review of policy, legal, process, and resource barriers Ensure agencies are programming funds for next program build Catalogue, distinguish, and align current public/private partnerships D-8 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW This table is S//REL TO FVEY CNCI Enablers Ensure Adequate Support To Neutralize, Mitigate, and Disrupt Domestic Illegal Computer Activity Consider how to expand capacity between and among federal, state and local law enforcement entities Green Increase DoD Information Assurance Evaluate mechanisms for deploying capabilities more quickly Green Increase cybersecurity policy training efforts Strategic Analysis of Intrusion Activities and CNO Threats Evaluate how this analytic effort will dovetail with other departments and agencies Yellow Increase Investment in U.S Government Cryptanalysis Continue long-term investment Green Develop, Deploy, and Manage an Intrusion Response Capability Continue to evaluate solution Monitor and coordinate CNCI SECRET//REL TO FVEY Evaluate additional national cybersecurity needs Yellow Resolve issues associated with adaptability for extending to state, local and private sectors Identify single National Cyber Mission Owner Reaffirm CNCI roles and responsibilities to maintain momentum D-9 Green SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW SECRET//REL TO FVEY D-10 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW (U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U//FOUO) The United States lacks a comprehensive strategic international policy framework and coordinated engagement strategy that spans the full range of U.S. economic, national security, public safety and privacy interests in cyberspace. Before the United States can effectively engage its foreign partners, the U.S. Government first needs to make national-level decisions to: Identify and prioritize U.S. national interests in cyberspace; Review existing U.S. Government policy positions regarding cybersecurity; Consider the strategic connections and possible contradictions between the numerous U.S. Government policy objectives for cybersecurity; Develop new or refined positions regarding cybersecurity (where needed); Effectively engage the private sector, since it comprises the owners and operators of a majority of the information and communications infrastructure; Prioritize multi-lateral forums, coordinate positions in them with our close allies and other foreign partners, and assess the appropriate U.S. Government representation for those events; Prioritize countries that pose the greatest challenges or opportunities for bi-lateral engagement on cybersecurity issues; and Move forward with coordinated diplomacy and outreach efforts across the executive branch, including more proactive and targeted engagement to advance agreed upon U.S. positions. (U//FOUO) Based on the feedback that departments and agencies provided to the 60-day cyberspace policy review team and discussions with key allies and members of the private sector, the priority topics for international engagement can be conceptually organized into three broad categories: Internet governance, international law and security, and multi-lateral public policy. Recognizing that several of the issues identified within these categories have implications extending beyond cybersecurity and require broader coordination, they all have a significant international component involving cybersecurity that requires attention. All three categories should be addressed in a coordinated fashion to advance national objectives of global prosperity and security. First, Internet governance refers to the decision making process for developing secure architectures, technical standards, administrative procedures, and best practices at the international level and ensure the secure, resilient and operation of the Internet. Second, because cyberspace now constitutes the primary domain for global communications and commerce, it has become a critical national asset for many nations. This criticality may lead to reexamination of traditional questions of public international law and military doctrine (e.g., strategic deterrence) in this new context. Third, because of the global nature of communications networks, an array of public policy, regulatory, and law enforcement issues that are being addressed within independent domestic jurisdictions have wider ramifications for the United States and other countries. Domestic SECRET//REL TO FVEY E-1 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW policies developed in isolation could significantly hamper necessary interoperability and cooperation at both the regional and international levels. Better coordination is required so that competing policy interests (e.g., data privacy, security, commercial innovation, etc.) are balanced by individual countries in ways that account for the global effects of those policies. (U//FOUO) Each of those three general areas, in turn, encompasses both substantive issues for determination and procedural considerations for international engagement. Not only should the U.S. Government reach its own policy decisions on specific issues after concerted discussion within the U.S. Government and with our allies, but it should also strategize how best to engage the rest of the world to support these positions. Key to that process will be public-private exchanges within the United States as well as careful selection of the multi-lateral forums that are best suited to considering, deciding, and advancing each aspect of international cybersecurity policy. The United States and its allies should select forums for affirmative policy advancement and recognize where it is necessary to participate in others for defensive reasons. The multiplicity of international organizations currently striving to set international policy in cyberspace, with some developing as independent proponents of policy, is taxing many countries' abilities to staff participation in those organizations and track their respective activities. This situation poses the risk of producing disjointed, conflicting, or incomplete solutions while allowing some countries to advance interests adverse to the United States or its allies in forums where engagement by the United States is insufficient. (U) Internet Governance, Technical Oversight, and Standards Issues (U//FOUO) One of the U.S. Government's highest priorities should be to determine, in concert with its close allies and other partners in the international community of Internet users, how to ensure the continued stability and global interoperability of the Internet, while increasing security and reliability for all users. A core component of this endeavor is how to ensure the secure and efficient operation of the domain name and addressing system (DNS). (U//FOUO) Enhancing the security of the global Internet will require the identification, development, and deployment of new technical architectures; improved engineering standards and protocols; and possibly the adoption of revised best practices. Immediate issues in this area include assessment of the strategic options for deployment of the DNS security extensions protocol (DNSSEC) in the root zone, for encouraging its deployment throughout the Internet infrastructure, and for facilitating the smooth migration to Internet Protocol version 6 (IPv6). Other areas warranting attention include (but are not limited to) research and development of new methods and capabilities for identity management and authentication for certain types of online activity. Currently, these technical issues are being discussed in a range of specialized organizations like the Internet Engineering Task Force (IETF), the Institute of Electrical and Electronics Engineers (IEEE), and the International Telecommunication Union (ITU). As information and communications technologies continue to evolve, standards bodies will need to be able to adapt, identify, and promulgate new best practices and needed technical standards to address emerging needs of the next-generation architecture. The United States and its foreign partners should develop an action plan for working in these various forums to advance agreed upon strategic objectives in the standards area. (U//FOUO) Finally, apart from the foregoing technical and operational matters, a broad range of other multi-lateral public policy issues also emanate from the operation of the Internet. These issues, some of which are more generally discussed below, hold strategic implications for the United States and its allies and cannot be fully or comprehensively addressed in any individual forum. They are presently the SECRET//REL TO FVEY E-2 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW subject of action in a range of organizations including the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Governance Forum (IGF), the ITU, and other broader, multi-lateral venues such as the United Nations (UN), the G-8, the Organization for Economic Cooperation and Development (OECD), the Organization for Security and Cooperation in Europe (OSCE), and the Organization of American States (OAS). While recognizing that the international dialogue on these various issues should (and invariably will) continue in multiple forums, the United States and its foreign partners should assess for each strategic objective which forums are most advantageous for achieving desired outcomes. (U) International Law and Security (S//REL TO FVEY) The international community has not yet achieved consensus on several key concepts of international law as they pertain to cyberspace. Different countries apply the traditional legal notions of territorial jurisdiction, use of force, and humanitarian law inconsistently in the cyberspace context. Accordingly, the United States needs to consider how to establish collective, acceptable international norms and redlines for nation-state conduct in cyberspace. Before engaging in that dialogue, the U.S. Government should first balance the need for increased international cybersecurity with its own need to develop and employ cyber capabilities to protect U.S. national security. Given the growing dependence of all sectors of our society on the Internet, the United States also needs to recognize that the international scale of cybercrime, because of the growing severity of its cumulative effects, increasingly constitutes a national security concern in its own right. (S//REL TO FVEY) Several international efforts are under way to define and address evolving concepts of cyber arms control, cyberterrorism, and cybercrime. For example, the Russian Federation has advanced the position in the UN, OSCE, and a plethora of other forums that a new arms control regime is required for cyberspace. The United States does not concur with the Russian position or a related argument they make that a new international instrument is required to deal with cyberterrorism (where that term is used to describe terrorist attacks on information systems). The United States' position has been that no new international agreements are needed in these areas and that work should instead focus on implementing strong cybersecurity and cybercrime provisions. With respect to cybercrime laws, the United States advocates the Council of Europe's Convention on Cybercrime as a way of building a common substantive and procedural criminal legal framework in countries around the world. Although the U.S. has worked with other countries on terrorist use of the Internet, that topic presents a number of challenges including differing legal protections for content and differing views on tactics and information sharing. The U.S. Government should take an active role in shaping international norms through its own diplomatic efforts, capacity building and military practices. The United States will need to determine its own national interests regarding a range of issues in cyberspace, carefully select the preferred forums for international policy development, and devise both affirmative and defensive issue positions that will enlist the support of other countries. (S//REL TO FVEY) In addition, the United States and our allies will need to develop new technical capabilities, doctrines, and rules of engagement premised on any substantive future cybersecurity norms that are recognized by the international community. In the absence of effective technical methods for the timely attribution of cyber incidents, reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism, and criminal activity may prove impractical. Moreover, what constitutes a proportional response in cyberspace is complicated by the fact that both public and private networks may be affected by a cyber action. Consideration should also be given to diplomatic and sovereignty issues where the networks of friendly countries are affected by a response. Another SECRET//REL TO FVEY E-3 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW key implementation priority is strategic deterrence. The United States should decide how state and non-state actors can be deterred, taking into account the general lack of credible verification procedures and reliable attribution methods. (U) Multi-Lateral Public Policy (U//FOUO) The global nature of cyberspace requires unprecedented cooperation to foster commercial interoperability, protect critical infrastructures, and enable effective transnational law enforcement. Cooperation and some consistent capability is required, in part, due to a "weakest link" problem; because malicious actors can easily route electronic attacks through the country with weakest domestic law, capacity or political will, every country needs robust, and relatively consistent, capabilities. The current discrepancies in national (or regional) data protection laws, substantive and procedural domestic criminal statutes, forensic capabilities, and investigative capacity all pose obstacles to international cooperation. By establishing consistent norms for non-state actors in cyberspace, ensuring that there is sufficient capacity and prioritization, and building and strengthening transnational cooperative networks for law enforcement and network defense, the international community could improve global critical infrastructure protection and law enforcement. Consideration of civil liberties, privacy rights, and other human rights, coupled with the recognition that good cybersecurity and law enforcement should enhance privacy, will be an integral part of this effort. (U//FOUO) Accordingly, the United States, working with its allies, should continue to promote domestic legal structures, cooperative mechanisms, and national best practices in countries around the world. The United States will also need to prioritize resources (i.e., time, money, and personnel) and leverage the resources of its allies to build capacity through legislative, investigative, technical and other training of foreign partners. Moreover, in order to implement any mutually agreed policies, the United States will need to support greater information sharing both with other governments and the private sector (especially of time-sensitive and classified information, as necessary). Better information sharing will require identification of the best channels to use to share information, determination of the parties with whom it should be shared, and consideration of how information can be shared with multi-national companies. (U//FOUO) Many of these substantive issues are already being discussed by international organizations, including the G-8, COE, EU, OSCE, and OECD. Implementation measures are also being pursued bilaterally with close allies, through U.S.-led regional programs, and through international organizations, such as the UN, the International Telecommunications Union, the North Atlantic Treaty Organization (NATO), the OAS, and the Asia Pacific Economic Cooperation (APEC) forum. Once again, the selection of preferred forums for international engagement on each relevant cybersecurity policy topic, and the prioritization of those topics, will eliminate redundancy, focus debate, and achieve more effective solutions. (U//FOUO) The United States should also recognize and develop a strategy to address the domestic actions of countries that have a profound effect on U.S. businesses and security. As storage of computer data moves to "the cloud," countries are increasingly requiring the data of its respective citizens be stored within its borders. Although the United States has occasionally required this as a condition of approving changes of ownership, it has no comprehensive policy on this issue. Some countries increasingly have demanded data from U.S. providers through subsidiaries of those companies located or operating within the foreign territory, even when access to that data, stored in the United States requires more stringent legal procedures under U.S. law. In addition, countries also have demanded SECRET//REL TO FVEY E-4 SECRET//REL TO FVEY CYBERSPACE POLICY REVIEW access to the source code of companies' software products as a condition of doing business in their jurisdictions. Censorship and free speech concerns are implicated when countries have laws restricting certain kinds of speech protected in the United States and try to apply that law to U.S. providers. Promotion of free speech is an even greater concern when authoritarian regimes seek to censor speech and put pressure on U.S. providers and subsidiaries to that end. SECRET//REL TO FVEY E-5 FVEY CYBERSPACE POLICY REVIEW TO FVEY