-
.QUESTION
Week 7
we focused on the issue of cybercrime: its costs, the resultant burden on the user, and the issues related to the identification, tracking, and prosecution of hackers. This week, we will be looking at similar issues, but in this case, the focus will be attacks that are alleged to have government sponsorship.
"In June 2015, OPM discovered that the background investigation records of current, former, and prospective Federal employees and contractors had been stolen. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 5.6 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen." (Retrieved from: https://www.opm.gov/cybersecurity/cybersecurity-incidents/)
What is the impact? What are the legal ramifications? What can be done? What has been done?
: Analyze the legal and ethical issues related to cyberespionage.
Prepare a 300-word Group discussion post in response to the following: As indicated under Rule 66.4 in the Tallinn Manual, “…there is no express prohibition on cyber espionage in the law of armed conflict (or international law more generally)…” Does this make such actions (including the recent OPM break-in) legal? Under what conditions might such actions be considered ethical?
Your response should reflect information you synthesized from this week’s readings.be sure to address the Biblical perspective in your analysis.
OPM hit for mishandling data breach cleanup
By Tal Kopan, CNN
Updated 12:03 PM ET, Thu December 10, 2015
Washington (CNN)The federal agency that had more than 21 million Americans' personal information stolen in a massive hack is once again in congressional cross-hairs -- this time for improperly
doling out taxpayer dollars to protect those Americans after the data breach.
The Office of Personnel Management's inspector general released a report this month, made public Thursday, finding that the agency improperly handled its contract award to a company hired to
protect the identities of the first 4 million federal employees affected by the breach, which has been blamed on China.
That spurred House Oversight Committee Chairman Jason Chaffetz to once again call for heads to roll -- sending a letter to the White House demanding the firing of OPM's chief information officer
on Thursday.
"I write once again to augment my concerns that Ms. Donna Seymour, chief information officer for the Office of Personnel Management, is unfit to perform the significant duties for which she is
responsible," Chaffetz wrote in the letter. "It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties."
The director of OPM stepped down in the weeks following the hack's discovery, but lawmakers have also called for Seymour's resignation since revelations about the cyberattack.
OPM first announced that a cyberattack had compromised the personal files of more than 4 million current, former and prospective federal employees in June, and they immediately began offering
identity protection services to those individuals through a company called CSID. The contract was worth nearly $21 million.
But that contract came under intense scrutiny after affected individuals complained of long wait times to sign up, website crashes and incomplete policies for the services -- and the three-day
turnaround on the contract solicitation raised flags.
When OPM announced it had determined a second breach compromised more than 21 million sensitive records, it did not use CSID for services, and engaged in a comprehensive contract
solicitation before ultimately choosing a provider.
OPM's IG said that initial agreement with CSID violated federal contracting regulations in five ways: OPM did not offer a complete scope of the work, conduced inadequate market research, had an
incomplete acquisition plan, exceeded dollar limits on blanket agreements and had an unreliable contract file.
The agency agreed on nearly every point of the IG's findings, and said it had put in place steps to correctly follow federal regulations in the future.
The IG has also repeatedly found deficiencies in OPM's information security procedures, including warning about weaknesses before the attack. OPM is undertaking a project to upgrade its
information technology.
President Barack Obama formally nominated acting Director Beth Cobert to be the new permanent director of OPM last month.
| Subject | Technology | Pages | 4 | Style | APA |
|---|
Answer
-
Ethical Implications of Provisions of Rule 66.4 in the Tallinn Manual
Section 4 of rule 66 in in the Tallinn Manual specifies information access or gathering activities that constitute cyber espionage and those that do not. Cyber espionage describes a form of cyber-attack that involves an authorized user obtaining or attempting to obtain or steal sensitive and classified information; that is, information which is not normally publicly available. In specific, it is an act undertaken using cyber capabilities, and under false pretenses or surreptitiously, to collect confidential or classified information with the purpose of communicating it to the rival party (Schmitt, 2013). The Tallinn Manual, through its Rule 66.4, renders some acts of cyber espionage permissible. Which this provision makes such acts legal is debatable. Personally, I believe the acts are still illegal despite the provision under Rule 66.4 that attempts to legalize them.
First, cyber espionage is synonymous with cyber spying which gives the perpetrator unauthorized access to other people’s or organizations’ classified information. The accessed information can be very sensitive and confidential, and thus compromise the security, safety health and social status of victims. For instance, the 2015 data breach at Office of Personnel Management (OPM) exposed sensitive information of millions of background investigators, including Social Security Numbers and marital status, which potentially threatened their security as well as negatively affected their social wellness (Kopan, 2015). Moreover, since cyber espionage is sometimes motivated by terrorism, greed and other forms of crime, attackers can use the gathered sensitive information as the basis for demanding ramson from the affected parties. Lastly, cyber spies often use a series of attacks (advance persistent threats) to gain access to computer networks and systems in order to gather data from the targeted entities. These activities can cause significance damage to computer systems and networks, which is inherently illegal due to related financial losses.
Despite the illegal nature of cyber espionage, the act can be considered ethical under certain conditions. Notably, as cited in Schmitt (2013), the International Group of Experts concur that information gathering using cyber capabilities is not considered cyber espionage if the information in question is collected on behalf of the affected party.
References
Kopan, T. (2015, December 10). OPM hit for mishandling data breach cleanup. Retrieved October 7, 2020, from https://edition.cnn.com/2015/12/10/politics/opm- data-breach-contract-improper-ig/index.html
Schmitt, M. N. (Ed.). (2013). Tallinn manual on the international law applicable to cyber warfare. Cambridge University Press.
|
|
||
|
|
|
|
|
|||
|
|
||||