Building a Better Cybersecurity Act: Empowering the Executive Branch Against Cybersecurity Emergencies

Author: John S. Fredland
Position: Judge Advocate, U.S. Air Force
Pages: 1-42
MILITARY LAW REVIEW
Volume 206 Winter 2010
MAJOR JOHN S. FREDLAND
I. “An Order of Magnitude Greater Economic Impact Than 9/11”1:
Introduction
On July 19, 2008, a salvo of digital commands bombarded the
official website of Georgian President Mikhail Saakashvili.2 Bearing
innocuous-sounding names like “flood http www.president.gov.ge/,”
“flood tcp www.president.gov.ge,” and “flood icmp
www.president.gov.ge,” the commands rapidly rendered the presidential
website inoperable.3 A cyberattack4 had compromised Georgia’s
information infrastructure.5

Judge Advocate, U.S. Air Force. Presently assigned as Staff Judge Advocate, National
Air & Space Intelligence Center, Wright-Patterson Air Force Base, Ohio. LL.M., 2010,
The Judge Advocate General’s Legal Center and School, U.S. Army, Charlottesville,
Virginia; J.D., 2000, Vanderbilt University Law School; B.A., 1997, Rice University.
Previous assignments include Deputy Staff Judge Advocate, 92d Air Refueling Wing,
Fairchild Air Force Base, Washington, 2007–2009; Appellate Defense Counsel,
Appellate Defense Division, Air Force Legal Operations Agency, Bolling Air Force
Base, D.C., 2005–2007; Area Defense Counsel, Air Force Legal Services Agency,
Yokota Air Base, Japan, 2004–2005; Chief of Civil Law, 374th Airlift Wing, Yokota Air
Base, Japan, 2003–2004; Chief of Legal Assistance, Operations Law and Claims, 12th
Flying Training Wing, Randolph Air Force Base, Texas, 2000–2003. Member of the bars
of Pennsylvania, the U.S. Court of Appeals for the Armed Forces, and the U.S. Supreme
Court. This article was submitted in partial completion of the Master of Laws
requirements of the 58th Judge Advocate Officer Graduate Course. The author would like
to thank Major Robert Barnsby for his guidance, advice, and friendship throughout the
writing process. He would also like to thank Major Christopher Ford and Major Benjamin
Grimes for their insightful comments. Finally, the author would like to thank his parents,
John W. Fredland and Kathleen Terleski, for their love and support.
1 Nathan Gardels, Mike McConnell: An American Cyber Expert on Cyberwar,
http://www.boozallen.com/consulting-services/services_article/42400037 (last visited
Nov. 24, 2009).
2 Posting of Steven Adair to Shadowserver Foundation, http://www.shadowserver.org
/wiki/pmwiki.php/Calendar/2008720 (July 19, 2008, 21:57 EST) (on file with author).

Fortunately for Tbilisi, it had allies in cyberspace. An on-line
cyberwatchdog group identified a U.S.-based server6—most likely
infected by malicious code as a precursor to the distributed-denial-of-
service attack7—as the seemingly unwitting command and control host
for the cyberattackers’ offensive.8 Apparently eager to do their part for
Georgia’s national security, the private owner of the pirated server
blocked the cyberattackers’ access, ending the attack.9
The July 2008 cyberattack, occurring at a time of high tension
between Tbilisi and Moscow,10 proved to be mere prelude. On August 7,
heavy fighting erupted in and around the town of Tskhinvali in South
Ossetia—the beginning of a five-day war between Georgia and Russia.11
Almost simultaneously with the outbreak of kinetic combat, Georgian
commercial and governmental websites experienced a wave of
distributed-denial-of-service attacks, more substantial than the ones in
July, rendering most governmental websites inoperable within two days
and dramatically limiting governmental communication over the
Internet.12

3 Id.
4 This article includes derivatives of the root word “cyber,” such as “cyberattack,”
“cyberinfrastructure,” and “cybersecurity.” “Cyber,” with roots in author William
Gibson’s coinage of the term “cyberspace” in the 1984 novel Neuromancer, is an
adjective that means “relating to computers or computer networks.” Consequently, a
cyberattack would be an attack carried out against a computer or computer network;
cyberinfrastructure would be a country’s computer network systems. Definition of
“Cyber,” MERRIAM-WEBSTER ONLINE DICTIONARY, http://www.merriam-
webster.com/dictiomary/cyber (last visited Jan. 12, 2010); Lieutenant Commander
Matthew Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A
Justification for the Use of Active Defenses Against States Who Neglect Their Duty to
Prevent, 201 MIL. L. REV. 1, 2 n.4 (2009); David Wallis, After Cyberoverkill Comes
Cyberburnout, N.Y. TIMES, Aug. 4, 1996, available at http://www.nytimes.com/1996/08/
04/style/after-cyberoverkill-comes-cyberburnout.html.
5 Posting of Steven Adair to SHADOWSERVER FOUNDATION, supra note 2 (on file with
author).
6 Id.
7 Cyberattackers typically launch distributed-denial-of-service attacks from zombies,
malicious code that entrenches itself inside a computer system and remains dormant until
the attacker triggers it to action. Sklerov, supra note 4, at 15–16 nn.78, 85. See infra notes
50–54 and accompanying text (providing further discussion of denial-of-service attacks
and distributed-denial-of-service attacks).
8 Posting of Steven Adair to Shadowserver Foundation, supra note 2 (on file with author).
Similarly, Project Grey Goose, a voluntary collaboration of cybersleuths, traced the July
2009 cyberattacks against the United States and South Korea, see infra notes 13–15 and
accompanying text, to a Miami, Florida-based server belonging to a company called
Digital Latin America, likewise without a criminal meeting of the minds between the
cyberattackers and the private entity owning the hardware. See JEFFREY CARR, INSIDE
CYBER WARFARE 78 (2010).
9 Posting of Steven Adair to SHADOWSERVER FOUNDATION, supra note 2 (July 20, 2008,
13:36 EST) (on file with author).
10 Georgia Row Spirals as Rice Lands, BBC NEWS, July 9, 2008,
http://news.bbc.co.uk/go/pr/fr/-/2/hi/europe/7498340.stm (discussing tensions between
Georgia and Russia that led to the South Ossetia War in August 2008).

Cyberattackers have not restricted their digital barrage to Georgia.
The United States’ information infrastructure likewise stands as a
frequent target. On a single day in 2008, the Pentagon experienced six
million attacks from would-be cyberintruders.13 Over the Independence
Day weekend in 2009, distributed-denial-of-service attacks, tactically
similar to those that Georgia faced in 2008, targeted several significant
American governmental and commercial websites: the White House,
Department of Homeland Security, Secret Service, National Security
Agency, Federal Trade Commission, Department of the Treasury,
Department of Defense, Department of State, New York Stock
Exchange, NASDAQ Stock Market, Amazon, and Yahoo.14 The attacks
ultimately shut down the Treasury Department and Federal Trade
Commission websites.15 When the same network of fifty thousand
computers targeted and shut down eleven websites of the South Korean
government a few days later, military and political observers blamed
North Korea for the attacks.16
These incidents have spurred American cyberwatchers and national
security professionals to voice concerns about the potential for greater
disasters involving the country’s information infrastructure. Admiral
Mike McConnell, former Director of National Intelligence, told an

11 INDEPENDENT INTERNATIONAL FACT-FINDING MISSION ON THE CONFLICT IN GEORGIA, 1
REPORT 5 (2009), available at http://www.ceiig.ch/IIFFMCG_Volume_I.pdf.
12 Joshua E. Kastenberg, Non-Intervention and Neutrality in Cyberspace: An Emerging
Principle in the National Practice of International Law, 64 A.F. L. REV. 43, 46 (2009).
13 Arnaud de Borchgrave, Silent Cyberwar, WASH. TIMES, Feb. 19, 2009, available at
http://www.washingtontimes.com/news/2009/feb/19/silent-cyberwar/.
14 U.S. Eyes N. Korea for “Massive” Cyber Attacks, MSNBC.COM, July 9, 2009,
http://www.msnbc.msn.com/id/31789294/ns/technology_and_science-security; MCAFEE,
VIRTUAL CRIMINOLOGY REPORT 2009, at 4–5 (2009), available at http://resources.mcafee.
com/content/NAMcAfeeCriminologyReport (last visited Mar. 4, 2010).
15 U.S. Eyes N. Korea for “Massive” Cyber Attacks, supra note 14; MCAFEE, supra note
14, at 4–5.
16 MCAFEE, supra note 14, at 4–6.
