CSCE 790 – Secure Database Systems by hedongchenchen



Incident Response and
 Information Security: ―The protection of
  information against unauthorized
  disclosure, transfer, modification, or
  destruction, whether accidental or
  intentional.‖ (U.S. federal standards)
 Information assurance: Information security
  + defensive information warfare
 Information Warfare: Only intentional
  attacks + offensive operations

CSCE 727 - Farkas                           2
                Information Warfare
 Information resources
 Players
 Offensive operations
 Defensive operations


CSCE 727 - Farkas                            3
                Value of Resources
   Exchange value
     – Determined by market value
     – Quantifiable
   Operational value
     – Determined by the benefits that can be derived from
       using the resource
     – May no be quantifiable
 May not be the same value for each player
  (offensive and defensive players)
 Actual (before) and potential (after) value

CSCE 727 - Farkas                                            4
   Offense: motives, means, opportunity
     – Insiders, hackers, criminals, corporations, government,
   Defense: protection
     – Federal Bureau of Investigation
     – U.S., Secret Service
     – Department of Treasury
     – Department of Defense
     – National Institute of Standards and technology

                      ROLE OF GOVERNMENT

CSCE 727 - Farkas                                                5
Offensive Information Warfare
 Target: particular information resources –
  resources does not need to be owned or managed
  by the defense
 Objective: increase the value of the resource for
  the offense and decrease it for the defense
 Gain: financial, strategic, thrill, etc.
 Loss (defense): financial, strategic, reputation,
  human loss, etc.

CSCE 727 - Farkas                                     6
    Cost of Information Warfare
 Monetary expense
 Personal time
 Risk of getting caught
 Punishment
 Resources used

CSCE 727 - Farkas                 7
 Increase availability of resource
 Decrease integrity of resource
 Decrease availability of resource for

CSCE 727 - Farkas                         8
 Prevent availability of resource for offense
 Ensure integrity
 Ensure availability

CSCE 727 - Farkas                                9
Offense: Increased availability
   Collection of secret:
     – Espionage (illegal) and intelligence (may be
 Piracy
 Penetration (hacking)
 Superimposition fraud
 Identity theft
 Perception management

CSCE 727 - Farkas                                     10
Offense: Decrease Availability
         for Defense
 Physical theft
 Sabotage
 Censorship

CSCE 727 - Farkas            11
  Offense: Decreased Integrity
 Tampering
 Penetration
     – Cover up
     – Virus, worm, malicious code
   Perception management
     – Fabrication, forgeries, fraud, identity theft,
         social engineering

CSCE 727 - Farkas                                       12
 Prevention: keeps attacks from occurring
 Deterrence: makes attack unattractive
 Indications and warning: recognize attacks
  before it occurs
 Detection: recognize attacks
 Emergency preparedness: capability to
  recover from and response to attacks
 Response: actions taken after the attack

CSCE 727 - Farkas                              13
Open Sources
                    Open Source
 Unclassified information in the public
  domain or available from commercial
 Example: newspapers, magazines, scientific
  publications, television and radio
  broadcasting, databases, etc.

CSCE 727 - Farkas                          15
        Open Source Intelligence
 Intelligence operation that uses open source
 Goal: answer specific question in support of
  some mission
 Process:
     – Requirement analysis
     – Data collection/filtering/analysis
     – Information integration Intelligence about

CSCE 727 - Farkas                                   16
              IW and Open Source
 Generally legal (uses readily available
 Attacker gains access to protected information,
     – Business trade secrets
     – Military strategy,
     – Personal information
   Protected information: readily available in public
    domain, can be inferred from public data, or
    deduced from aggregated public data
CSCE 727 - Farkas                                        17
        Open Source Intelligence
   Widely used (e.g., Department of Defense)
   Cheap, fast, or timely
   Most often legal
   Advantages: no risk for collector, provides
    context, mode of information acquisition, cover
    for data discovery by secret operations
   Disadvantages: may not discover important
    information, assurance of discovery(?)

CSCE 727 - Farkas                                     18
               Online Open Source
   Large amount of public data online
     – Web pages, online databases, digital
         collections, organizations on line, government
         offices, etc.
 Freedom and Information Act (FOIA):
  industry data
 U.S. Patent Office: copies of U.S. patents
 Trade shows, public records, etc.

CSCE 727 - Farkas                                         19
 Use open source to find out confidential
  data about people
 Find confidential data about people while
  they browse through open source (e.g., Web

CSCE 727 - Farkas                          20
       Online Investigative Tools
   Find out confidential data for small fee
     – Net Detective (
     – Dig Dirt ( )
     – Accurate Info Search (http://www.accurate-
         people- )
   Privacy Tools
    ( )
CSCE 727 - Farkas                                   21
   Privacy Act of 1974, U.S. Department of Justice
    ( )
   Family Educational Rights and Privacy Act (FERPA), U.S.
    Department of Education,
    ( )
   Health Insurance Portability and Accountability Act of 1996
    (HIPAA), ( )
   Privacy Initiatives, Federal Trade Commission,
    ( )
   Telecommunications Consumer Privacy Act
    487.HTM )
   Electronic Privacy Information Center ( )
CSCE 727 - Farkas                                               22
                    Privacy Violations
 Snooping via Open Sources
 Online activities
     – Questionnaires
     – Customers’ data
     – Web site data collection (Cookies, IP address,
         operating system, browser, requested page, time
         of request, etc.) – without user’s permission

CSCE 727 - Farkas                                       23
    Other Open Source Attacks
   Piracy
     – Available in open source, but still protected by
       copyright, patent, trademark, etc.
   Copyright Infringement
     – Acquisition of protected work without the owner’s
       permission and sold for a fee
     – Human perception: not serious crime
     – Significant loss for marketing/manufacturing/owner
     – Berman Bill
       ( )
     – Copyright Law of the United States
       ( )
   Trademark Infringement
CSCE 727 - Farkas                                           24
Domestic Intelligence,
What is Intelligence?

 Information
 Activities
 Organization

CSCE 727 - Farkas       26
   Activities:
    – Collection and analysis on intelligence
    – Counterintelligence

CSCE 727 - Farkas                               27
 National Security
 Nature of regime
 Law

CSCE 727 - Farkas       28
       Goal of
   National Security
     – Kinds of threats
     – Information to be collected
     – Purpose served
     – Legislation
   Democracy

CSCE 727 - Farkas                    29
   Foreign intelligence guidelines: classified
     – Investigation of:
              Illegal activities: detecting and preventing foreign
               espionage and terrorist activities
              Legal activities: foreign legal political activities like
               fund-raising, organizational work, etc.
   Domestic intelligence guidelines (―Levi
    Guidelines‖): public
     – Investigation of groups that
              hostile to government policies and fundamental
              seeks to deprive some class of people
              has violent approach to political change
    CSCE 727 - Farkas                                                      30
   Surveillance of own citizens
     – Legislations
     – Circumstances permitting surveillance
     – Limits
     – Amount and kind of surveillance
   U.S.: Constitutional law
     – Fourth Amendment: prohibition against unreasonable
         searches and seizures (e.g., wiretap)

CSCE 727 - Farkas                                           31
 1978: Foreign Intelligence Surveillance Act (FISA)
   – Regulates government’s collection of ―foreign
     intelligence‖ for the purpose of counterintelligence
   – Electronic eavesdropping and wiretapping
 1994: amended to physical entries in connection with
  ―security‖ investigations
 1998: amended to permit pen/trap orders
 FISA applications for search warrant:
   – Probable cause that the surveillance target is a foreign
     power or agent
   – Does not need to be criminal activity
 Foreign Intelligence Surveillance Court
   – Attorney General
CSCE 727 - Farkas                                               32
Psyops and Perception
   Information operations that aim to affect
    perception of others to influence
     – Emotions
     – Reasoning
     – Decisions
     – Actions

CSCE 727 - Farkas                               34
          Covert Action

   ―…attempt by one government to pursue its
    foreign policy objectives by conducting
    some secret activity to influence the
    behavior of a foreign government or
    political, military, economic, or societal
    events and circumstances in a foreign
           (Silent Warfare)
CSCE 727 - Farkas                            35

 Total secrecy: details or even the existence
  of activities are confidential
 Unaccounted; actions are public knowledge,
  government involvement is concealed
 Goal: direct furthering of national foreign
  policy objectives
 Wide range of activities:
     – Today’s topic: perception management

CSCE 727 - Farkas                             36
      Perception of a
    Foreign Government
 Goal: change foreign government’s policy
  to support offense’s political interest
 Influence
     – Foreign government’s perception
     – Perceptions of elements of foreign society

CSCE 727 - Farkas                                   37
  Agents of Influence
 Influence directly government policy
 Data collection is not necessary
 Persuade colleagues to adopt certain policies
 E.g., government officials
     – 1930-40s: Soviet intelligence agents working for U.S.
       government (Harry Dexter White – Assistant Secretary
       of the Dept. of Treasury)
     – 1976: in France Pierre-Charles Pathe founded Synthese
       (political newsletter). 1979: convicted for espionage
       and being an agent of influence.

CSCE 727 - Farkas                                              38
Agent of Influence

 Trusted contact – willing to work for a
  foreign government, no detailed
  instructions, not paid
 Controlled agent – receives precise
  instructions, usually paid
 Manipulated agent – unaware of serving a
  foreign government

CSCE 727 - Farkas                            39
    Use of Information
    and Disinformation
   Providing information (or misinformation)
     – Influence a desired action
     – E.g., revealing identities of opponents’ intelligence
   Origin of information
   Sender of information
   Misinformation
     – Plausible
     – ―silent forgery‖
     – ―deception operation‖

CSCE 727 - Farkas                                              40
Perception of Foreign
 Hard to measure
 Cumulative effect over long period of time
 Agents of Influence
     – Reach public – journalists, TV commentator,
     – Prominent person – political figure, aid
       organization, etc.
   Culture

CSCE 727 - Farkas                                    41
 ―Black‖ propaganda: origin is concealed
 Disseminating opinions, information or
  misinformation via media
 Government may not be directly associated
  with materials
     – Increase believability
     – Government may not want to be associated
         with certain opinions

CSCE 727 - Farkas                                 42
 ―Gray‖ propaganda: origin not public
 E.g., Radio Free Europe, Radio Liberty
     – Information about targets’ own countries
     – Information about the West
     – Set up as private U.S. organizations but were
         run by CIA
   Planting stories in independent news media

CSCE 727 - Farkas                                      43
 Information Space
 Communication Medium: any (TV, radio,
  Internet, Web sites, e-mail, news groups,
 Target: individuals, groups, nations, World

CSCE 727 - Farkas                               44
 Global Access – mass audiences
 Easy to set up Web sites
 Low cost (compare with broadcasting
  radio, TV, etc.)
 ―great equalizer‖
 Authority over Internet?

CSCE 727 - Farkas                       45
Tools for Perception
    In War and Anti-War by Alvin and Heidi
    1. Atrocity accusations
    2. Hyperbolic inflations
    3. Demonization and/or dehumanization
    4. Polarization
    5. Claim of divine sanction
    6. Meta-propaganda
CSCE 727 - Farkas                             46

   Affect human psyche
    – Goal: influence behavior
    – Means: fear, desire, logic, etc.

CSCE 727 - Farkas                        47
       Lies and
   Widely used
   Destroys the integrity of the carrying media
   Ethical/unethical?
   Bad/Useful?
   Digital media
     – Fabrication, spoofed originator, modification, etc.
     – Easy to carry out
     – Trust in observation (senses: see, hear, touch, taste,

CSCE 727 - Farkas                                               48
 Distort information
 Conscious/Unconscious
 Important elements ignored, down played
 Insignificant elements made to appear
 Digital media:
     – Web page metatags: hidden data

CSCE 727 - Farkas                           49

 Fake information
 Must seem legitimate
 Goal: influence decision/activities of enemy
  or competition, financial gain, popularity,
 Can be very effective
 Must know target
 Errors and intentional fabrications
CSCE 727 - Farkas                            50
   Fabrications to
     – Amuse
     – Create fear
     – Discredit/damage
   Digital media:
     – Easy to send hoax mail or post information
     – Virus hoaxes

CSCE 727 - Farkas                                   51
 Trick people into doing something they
  would not do if the truth is known.
 Means:
    – Impersonating
    – Threatening
    – Pretend position/relationship/urgency/etc.

CSCE 727 - Farkas                                  52
   Discredit, defame, demonize, or dehumanize an
   Goal: gain of support for the entity performing the
    denouncement and loss for the adversary
   Military/politics/economy/personal
   Hate groups
   Conspiracy theory
   Defamation: damage the reputation and good
    name of another

CSCE 727 - Farkas                                     53
 Targets opponent directly
 Unwanted, threatening messages
 Communication: in person, via medium
 Examples:
     – Physical threat
     – Hate mails
     – Sexual harassment

CSCE 727 - Farkas                        54
   Scam: cone artists lure customers into scam
     – Fake prizes, telemarketing, etc.
     – Internet: easy solicitations – junk e-mail, chat
         room, newsgroups, Web site, etc.
   Spam: junk e-mail
     – Time consuming: read/process/delete
     – Unwanted/useless/harmful data

CSCE 727 - Farkas                                         55
 Offensive: denies population access to certain
 Defensive: protect society from materials that
  would undermine its culture or governance
 Internet: makes censorship difficult
     – Children Internet Protection Act, 2000
       ( , )
     – Free speech online
              Electronic Frontier Foundation
CSCE 727 - Farkas                                                        56
Incident Response
                     Incident Response
• Federal Communications Commission: Computer
Security Incident Response Guide, 2001,
•Incident Response Team, R. Nellis,
•NIST special publications,
 CSCE 727 - Farkas                                      58
                    Intrusion Recovery
   Actions to avoid further loss from intrusion
   Terminate intrusion and protect against reoccurrence
   Law enforcement
   Enhance defensive security
   Reconstructive methods based on:
     – Time period of intrusion
     – Changes made by legitimate users during the effected
     – Regular backups, audit trail based detection of effected
       components, semantic based recovery, minimal roll-
       back for recovery.

CSCE 727 - Farkas                                                 59
           What is “Survivability”?
    To decide whether a computer system is
    ―survivable‖, you must first decide what
    ―survivable‖ means.

CSCE 727 - Farkas                              60
             Vulnerable Components

              1. Hardware
              2. Software
              3. Data
              4. Communications
              5. People

CSCE 727 - Farkas                    61
   Effect Modeling and Vulnerability
Seriously                       Weakly
effected                        effected
components                      component

effects                         Not effected

  CSCE 727 - Farkas                  62
    Robust System Development
   Effects and system dependencies  cascading
   Cascading and escalating effect modeling 
   Vulnerabilities and their priorities  reduce
    vulnerabilities: installing safeguards, reconstruct
    network, redundancy, etc.
   Reduced vulnerabilities  estimation of
    components’ security (reliability, correctness,
   Estimation of components’ security: cost effective
    dynamic network resource allocations
CSCE 727 - Farkas                                         63
               Due Care and Liability
   Organizational liability for misuse
     – US Federal Sentencing Guidelines: chief executive
       officer and top management are responsible for fraud,
       theft, and antivirus violations committed by insiders or
       outsiders using the company’s resources.
     – Fines and penalties
              Base fine
              Culpability score (95%-400%)
     – Good faith efforts: written policies, procedures, security
         awareness program, disciplinary standards, monitoring
         and auditing, reporting, and cooperation with

CSCE 727 - Farkas                                              64
                    How to Respond?

CSCE 727 - Farkas                     65
                    How to Respond?

CSCE 727 - Farkas                     66
                    How to Respond?

CSCE 727 - Farkas                     67
                    How to Response?
   Actions to avoid further loss from intrusion
   Terminate intrusion and protect against reoccurrence
   Law enforcement – prosecute
   Enhance defensive security
   Reconstructive methods based on:
     – Time period of intrusion
     – Changes made by legitimate users during the effected
     – Regular backups, audit trail based detection of effected
       components, semantic based recovery, minimal roll-
       back for recovery.

CSCE 727 - Farkas                                                 68
      Roles and Responsibilities
   User:
     – Vigilant for unusual behavior
     – Report incidents
   Manager:
     – Awareness training
     – Policies and procedures
   System administration:
     – Install safeguards
     – Monitor system
     – Respond to incidents, including preservation of evidences

CSCE 727 - Farkas                                                  69
      Computer Incident Response
   Assist in handling security incidents
     – Formal
     – Informal
 Incident reporting and dissemination of incident
 Computer Security Officer
     – Coordinate computer security efforts
   Others: law enforcement coordinator, investigative
    support, media relations, etc.

CSCE 727 - Farkas                                    70
Incident Response Process 1.
     – Baseline Protection
     – Planning and guidance
     – Roles and Responsibilities – Training
     – Incident response team

CSCE 727 - Farkas                              71
Incident Response Process 2.
Identification and assessment
     –      Symptoms
     –      Nature of incident
               Identify perpetrator, origin and extent of attack
               Can be done during attack or after the attack
     –      Gather evidences
               Key stroke monitoring, honey nets, system logs, network
                traffic, etc.
               Legislations on Monitoring!
     –      Report on preliminary findings

CSCE 727 - Farkas                                                         72
Incident Response Process 3.
     – Reduce the chance of spread of incident
     – Determine sensitive data
     – Terminate suspicious connections, personnel,
       applications, etc.
     – Move critical computing services
     – Handle human aspects, e.g., perception
       management, panic, etc.
CSCE 727 - Farkas                                     73
Incident Response Process 4.
     –      Determine and remove cause of incident if
            economically feasible
     –      Improve defenses, software, hardware,
            middleware, physical security, etc.
     –      Increase awareness and training
     –      Perform vulnerability analysis

CSCE 727 - Farkas                                       74
Incident Response Process 5.
     – Determine course of action
     – Reestablish system functionality
     – Reporting and notifications
     – Documentation of incident handling and
         evidence preservation

CSCE 727 - Farkas                               75
            Follow Up Procedures
   Incident evaluation:
     – Quality of incident (preparation, time to
       response, tools used, evaluation of response,
     – Cost of incident (monetary cost, disruption, lost
       data, hardware damage, etc.)
 Preparing report
 Revise policies and procedures
CSCE 727 - Farkas                                      76
The Economic Impact of Cyber
     The Global Picture
      Csilla Farkas               John Rose 

    Center of Information Assurance Engineering
  Department of Computer Science and Engineering
            University of South Carolina
                    Risk Assessment


    Vulnerabilities               Consequences

CSCE 727 - Farkas                                78
                      Financial Loss
Dollar Amount Losses by Type

Total Loss (2006): $53,494,290   CSI/FBI Computer Crime and Security Survey
                                 Computer Security Institute
  CSCE 727 - Farkas                                                     79
             Security Protection
   Percentage of IT Budget Percentage of Organizations
       Spent on Security         Using ROI, NPV, or IRR Metrics

                           CSI/FBI Computer Crime and Security Survey
                           Computer Security Institute

CSCE 727 - Farkas                                              80
       Real Cost of Cyber Attack
 Damage of the target may not reflect the
  real amount of damage
 Services may rely on the attacked service,
  causing a cascading and escalating damage
 Project Goal: support decision makers to
     – Evaluate risk and consequences of cyber attacks
     – Support methods to prevent, deter, and mitigate
         consequences of attacks
CSCE 727 - Farkas                                    81
                    THEMIS: Threat Evaluation
                    Metamodel for Information
             OFFENSE                           DEFENSE

                         Attack                          System
                                        Cascading and Escalating



CSCE 727 - Farkas                                                   82
             Jess-Based Modeling
   Graphical tool to model system
    components, values,
    dependencies, and
    compensating rules

CSCE 727 - Farkas                    83
Cascading and Escalating Effects

   Model cascading and escalating damage.

CSCE 727 - Farkas                            84
                    Ongoing Work
    Developing simulation components and
      – Requirement analysis
      – Level of abstraction
      – Information hiding
    Types of dependencies
      – Compensating dependencies
      – Throughput
      – Adaptation
CSCE 727 - Farkas                           85
                    Ongoing Work
   Temporal modeling
     – Real time analysis and response
     – Long-term analysis
   Macro- and microeconomics
     – National-level perspective
     – Organizational level perspective

CSCE 727 - Farkas                         86
                    Legal Aspects
   National law
   International law
   Legal regime to apply
   Gray areas of law
   Legal response
   Evidence preservation

CSCE 727 - Farkas                   87
THEMIS: Threat Evaluation Metamodel
     for Information Systems

 Presented at the 2nd Symposium on Intelligence and Security
                       Informatics, 2004
     Csilla Farkas, Thomas Wingfield, James B. Michael
                     Duminda Wijesekera

         Themis, Goddess of Justice
    Attacks Against Critical
 Swedish hacker jammed 911 in central Florida in 1997
 Juvenile hacker penetrated and disabled a telco computer
  servicing Worcester Airport in March 1997
 Brisbane hacker used radio transmissions to create raw
  sewage overflows on Sunshine coast in 2000
 Hackers broke into Gazprom’s system controlling gas
  flows in pipelines in 1999
 Hackers got into California Independent Service Operator
  (ISO) development network for regional power grid in
  spring 2001
 Numerous denial-of-service attacks against ISPs – some
                                              Source: D. Denning Information Warfare
  shut down
 CSCE 727 - Farkas                                                            89
       Rules Defining the Use of Force
              Schmitt Analysis
     Thomas Wingfield: The Law of Information Conflict:
     National Security Law in Cyberspace
     Michael N. Schmitt: Computer Network Attack and the
     Use of Force in International Law: Thoughts on a
     Normative Framework

CSCE 727 - Farkas                                          90
CSCE 727 - Farkas   91
                    Spectrum of Conflict

CSCE 727 - Farkas                          92
                    Spectrum of Conflict

CSCE 727 - Farkas                          93
                    Spectrum of Conflict

               Art. 39

               The Security Council shall determine the existence of
               any threat to the peace, breach of the peace, or act of
               aggression and shall make recommendations, or decide
               what measures shall be taken in accordance with
               Articles 41 and 42, to maintain or restore international
               peace and security.

CSCE 727 - Farkas                                                         94
                    Spectrum of Conflict

                                   Art. 2(4)

               All members shall refrain in their international
               relations from the threat or use of force against
               the territorial integrity or political independence
               of any state, or in any other manner inconsistent
               with the Purposes of the United Nations.

CSCE 727 - Farkas                                                    95
                    Spectrum of Conflict

                                                            Art. 51

          Nothing in the present Charter shall impair the inherent right of
          individual or collective self-defense if an armed attack occurs
          against a Member of the United Nations, until the Security Council
          has taken measures necessary to maintain international peace and
          security. Measures taken by Members in the exercise of this right of
          self-defense shall be immediately reported to the Security Council
          and shall not in any way affect the authority and responsibility of
          the Security Council under the present Charter to take at any time
          such action as it deems necessary in order to maintain or restore
          international peace and security.

CSCE 727 - Farkas                                                            96
            Rules Defining the Use of Force

               Art. 39               Art. 2(4)               Art. 51

                                           Threat of force     Use of force
R                                                              Armed attack
E                        Threat to
S                        the peace
                                            Hostile intent       Hostile act
S                                            Anticipatory       Self-defense
E                                            self-defense
                             Jus ad bellum applies            Jus in bello applies

                            Peacetime regime applies

CSCE 727 - Farkas                                                              97
             Use of Force in Cyberspace

  Cyber vs. Kinetic Attack
  Academic State-of-the-Art: Effects-Based
  Problem: Charter Paradigm Means-Based
  The Schmitt Reconciliation
    – Distinguishing Military from Diplomatic
      and Economic Coercion
    – Seven Factors

CSCE 727 - Farkas                               98
                    Schmitt Factors

      Severity
      Immediacy
      Directness
      Invasiveness
      Measurability
      Presumptive Legitimacy
      Responsibility

CSCE 727 - Farkas                     99

Armed attacks threaten                              How many people were
physical injury or             People Killed;
                                People Killed;      killed?
destruction of property      Severe Property
                           Severe Property Damage
                                  Damage            How large an area was
to a much greater extent
                                                    attacked? (Scope)
than other forms of
coercion. Physical                                  How much damage was
well-being usually           People Injured;        done within this area?
occupies the [lowest,          Moderate
                            Property Damage
most basic level] of the
human hierarchy of
                            People Unaffected;
                             No Discernable
                            Property Damage

CSCE 727 - Farkas                                                     100

The negative                                      Over how long a period
consequences of armed                             did the action take
                         Seconds toKilled;
coercion, or threat      Severe Property Damage   place? (Duration)
thereof, usually occur
                                                  How soon were its
with great immediacy,
                                                  effects felt?
while those of other
forms of coercion                                 How soon until its
                            Hours to Days
develop more slowly.                              effects abate?

                          Weeks to Months

CSCE 727 - Farkas                                                      101

The consequences of                                  Was the action distinctly
armed coercion are          Action SoleKilled; of
                                 People Cause        identifiable from
more directly tied to the           Result
                            Severe Property Damage   parallel or competing
actus reus than in other                             actions?
forms of coercion,
                                                     Was the action the
which often depend on
                            Action Identifiable as   proximate cause of the
numerous contributory       One Cause of Result,     effects?
factors to operate.          and to an Indefinite

                              Action Played No
                             Identifiable Role in

CSCE 727 - Farkas                                                        102

In armed coercion, the act                                  Did the action involve
causing the harm usually            Border Physically       physically crossing the
                                        People Killed;
crosses into the target state,     Crossed; Action Has
                                   Severe Property Damage   target country’s
whereas in economic warfare            Point Locus
the acts generally occur
beyond the target’s borders.                                Was the locus of the
As a result, even though                                    action within the target
                                   Border Electronically
armed and economic acts
                                  Crossed; Action Occurs    country?
may have roughly similar
                                    Over Diffuse Area
consequences, the former
represents a greater intrusion
on the rights of the target
state and, therefore, is more      Border Not Crossed;
likely to disrupt international       Action Has No
stability.                         Identifiable Locus in
                                     Target Country

  CSCE 727 - Farkas                                                             103

While the consequences of           Effects Can Be         Can the effects of the
armed coercion are usually      Quantified Immediately     action be quantified?
                                      People Killed;
easy to ascertain (e.g., a       by Traditional Means
                                 Severe Property Damage
certain level of                 (BDA, etc.) with High     Are the effects of the
destruction), the actual          Degree of Certainty      action distinct from the
negative consequences of                                   results of parallel or
other forms of coercion are     Effects Can Be Estimated   competing actions?
harder to measure. This            by Rough Order of
fact renders the                     Magnitude with        What was the level of
appropriateness of                 Moderate Certainty      certainty?
community condemnation,
and the degree of
vehemence contained                Effects Cannot be
therein, less suspect in the    Separated from Those of
case of armed force.             Other Actions; Overall
                                   Certainty is Low

CSCE 727 - Farkas                                                              104
                     Presumptive Legitimacy

In most cases, whether under                              Has this type of action
domestic or international       Action Accomplished by    achieved a customary
law, the application of               People Killed;
                                   Means of Kinetic
                                 Severe Property Damage   acceptance within the
violence is deemed                       Attack
illegitimate absent some                                  international
specific exception such as                                community?
self-defense. The cognitive     Action Accomplished in
approach is prohibitory. By         Cyberspace but        Is the means
contrast, most other forms of       Manifested by a       qualitatively similar to
coercion—again in the             “Smoking Hole” in       others presumed
domestic and international          Physical Space        legitimate under
sphere—are presumptively
lawful, absent a prohibition                              international law?
to the contrary. The            Action Accomplished in
cognitive approach is           Cyberspace and Effects
permissive.                        Not Apparent in
                                    Physical World

 CSCE 727 - Farkas                                                             105

Armed coercion is the                                        Is the action directly or
exclusive province of              Responsibility for
                                      People Killed;
                                 Action Acknowledged         indirectly attributable to
states; only they may                                        the acting state?
generally engage in uses of
                                 Severe Property Degree
                                by Acting State; Damage
                                 of Involvement Large
force across borders, and in                                 But for the acting state’s
most cases only they have                                    sake, would the action
the ability to do so with       Target State Government
                                 Aware of Acting State’s     have occurred?
any meaningful impact.
By contrast, non-              Responsibility; Public Role
governmental entities are      Unacknowledged; Degree
often capable of engaging       of Involvement Moderate
in other forms of coercion
(propaganda, boycotts,            Action Unattributable
etc.).                           to Acting State; Degree
                                   of Involvement Low

CSCE 727 - Farkas                                                                 106
                    Overall Analysis

                                                Have enough of the
                        Use People Killed;
                            of Force Under      qualities of a use of
                            Article 2(4)
                       Severe Property Damage   force been identified to
                                                characterize the
                                                information operation as
                                                a use of force?
                      Arguably Use of Force
                             or Not

                        Not a Use of Force
                        Under Article 2(4)

CSCE 727 - Farkas                                                  107

       Threat Evaluation Metamodel for
             Information Systems

CSCE 727 - Farkas                    108

   Attack Response Policy (ARP) language
    – ARP alphabet and predicates to represent attacks,
       consequences, and legal concepts
 Interoperable legal ontologies
 Attack evaluation and response rules
 SWRL - A Semantic Web Rule Language
  combining OWL and RuleML

 CSCE 727 - Farkas                                   109
                Security Policy Specification

                    resolution     specification

CSCE 727 - Farkas                                          110
             OFFENSE                           DEFENSE

                         Attack                          System



CSCE 727 - Farkas                                                   111
                     Attack Response
                      Policy (ARP)
 ARP alphabet: constant symbols, variables,
  functions, and terms
 ARP predicates: used to build rules
 ARP rules: reason about the damages, express
  legal restrictions, and determine legitimacy of
  counter actions

 CSCE 727 - Farkas                            112
   Predicates:
     – attack(a-id, a-name, orig, targ)
     – consequence(a-id, c-type, targ)
     – causes(c-type1, targ1, c-type2, targ 2)
   Rule:
     – attack(a-id, a-name, orig, targ1) 
                     attack(a-id, a-name, orig, targ)
                     consequence(a-id, c-type, targ)
CSCE 727 - Farkas    causes(c-type, targ, c-type1,      113

   Automated decision support system
   Attack Response Policy Language
        – Alphabet
        – Predicates
        – Rules
     Schmitt Analysis

CSCE 727 - Farkas                       114

To top