Following tragic terrorist attacks committed by ISIS agents in Paris last week, the online hacker group Anonymous declared in a video that it would launch a cyber-attack on ISIS.

The masked Anonymous speaker in the video warns ISIS, in French, to be prepared for a massive retaliation.

The "hacktivist" group has been tangling with ISIS since it attacked the Charlie Hebdo magazine's office in Paris last January, taking over email and social media accounts, or crashing public Islamic State websites by overwhelming them with traffic.

Anonymous members are already boasting that they have taken down ISIS-related websites and several thousand messaging or social media accounts.

Herbert Lin, senior research scholar for cyber policy and security at Stanford's Center for International Security and Cooperation and a research fellow at the Hoover Institution, says that Anonymous' activities against ISIS provide a useful nuisance to the terror group, but aren't quite legal under U.S. laws.

What types of attacks will Anonymous likely launch?

They don't have the capability to do the kind of things that a nation-state could do. The NSA, for instance, has the ability to place implants into hardware. Anonymous is more likely to engage in hacking that is less sophisticated. For example, ISIS almost certainly doesn't have a bank account that is coupled to the international banking system; they operate outside that particular channel. But they have lots of money, some of which may be stored in a personal- or business-like bank account. If so, that means that it can be hacked the same way that your bank account can be hacked, by cracking the username and password.

Similarly, Anonymous has been successful in the past at getting into ISIS members' email and messaging accounts, or taking down their Twitter feeds, which can disrupt their ability to coordinate terrorism-related activities; we can expect more in the future.

What kind of damage can Anonymous do to ISIS, and how effective will it be?

This approach clearly isn't the silver bullet that takes down ISIS, but attacking messaging abilities or bank accounts are useful harassing activities. Repairing these systems and accounts wastes ISIS's time and annoys them – the same way it does to you when your personal accounts are hacked. Having to untangle these messes can disrupt their overall operations, which is a perfectly good thing to do.

Do governments frown upon private citizens taking this type of action?

I think that the official line of the U.S. government on this is that it violates U.S. law for Anonymous to take on ISIS. It's vigilante justice in cyberspace, which is illegal under the Computer Fraud and Abuse Act. On the other hand, while the U.S. government might not be favorably disposed to it, I think it is unlikely that any prosecutor would actually indict an American for harassing ISIS in this way. And maybe the Anonymous hacker will uncover some information that is really useful to the U.S. government and be inclined to pass it along.

U.S. Senator John McCain told a select group of Stanford undergraduate students that technological innovation had created both unparalleled opportunities for the United States as well as new national security risks, during a visit to Silicon Valley this week.

“This has changed the world,” Senator McCain told the students as he held up his smart phone.

“This is the biggest change in our ability to inform and educate than any invention since the printing press.”

However, McCain told students that he believed the United States needed to develop a clearer policy for responding to cyber attacks from foreign nations.

Image

“The people who are doing these cyber attacks have to realize that the costs will be higher than the benefits of the attack. Everybody has to know that there will be a price to pay for it.”

McCain called on the students, who included several computer science majors, to step up and defend the United States in cyber space.

“I would call on the people here to help us develop defensive capabilities, and frankly, offensive capabilities,” McCain said.

In the wide-ranging conversation, McCain fielded questions from students and shared his views on the conflict in Syria, the Iran nuclear deal, Russia’s imperial ambitions and the pullout of U.S. troops from Afghanistan.

“I study international security, and I feel that his dedication to national security and to veterans have been fundamental, and it was an honor to meet him and hear him talk about these issues,” said Chelsea Green.

The forty students who met with McCain were selected for their special interest in international affairs and politics, and included representatives from the Center for International Security and Cooperation’s honors program, Hoover Institution National Security Mentees and Stanford in Government student group.

International relations major Kayla Bonstrom said she was excited to meet the Senator from her home state of Arizona.

“He was very easy to talk to,” she said.

Bonstrom said McCain’s casual style, which included the occasional joke, helped put the students at ease.

“It was nice to see him in a different setting.”

Mathematical and computation science major Varun Gupta said he was touched by the empathy McCain showed when he shared his experiences visiting refugee camps in war zones.

[[{"fid":"220696","view_mode":"crop_870xauto","fields":{"format":"crop_870xauto","field_file_image_description[und][0][value]":"","field_file_image_alt_text[und][0][value]":"","field_file_image_title_text[und][0][value]":"U.S. Senator John McCain gives an impassioned presentation to students about American foreign policy, as CISAC faculty member Coit Blacker looks on.","field_credit[und][0][value]":"Rod Searcey","field_caption[und][0][value]":"","field_related_image_aspect[und][0][value]":"","thumbnails":"crop_870xauto"},"type":"media","attributes":{"title":"U.S. Senator John McCain gives an impassioned presentation to students about American foreign policy, as CISAC faculty member Coit Blacker looks on.","width":"870","style":"width: 400px; height: 267px; float: left; margin-right: 15px","class":"media-element file-crop-870xauto"}}]]“It was good to see his concern, his actual visceral concern for these issues,” Gupta said.

“It was really great to see the more human side.”

Other students were also impressed by McCain’s sincerity.

“He seems to sincerely believe in all of his views,” said Alexa Andaya, a political science major.

“You can tell when he says something he’s genuine about it.”

Matt Nussbaum, another political science major, said that while he disagreed with many of McCain’s hawkish positions on national security, he welcomed the opportunity to hear the opinions of such a seasoned veteran of foreign policy.

“A lot of times, we’re looking at the academic side of things, and I think that’s very interesting, but Senator McCain and other policy makers use the theory to create policy, so it’s useful to see what they think, how they think and why they think that way,” Nussbaum said.

McCain ended his talk by urging the students to get more involved in politics, whether they were “Democrat or Republican, libertarian or vegetarian.”

He told them that he believed the next presidential election was going to be the most important decision point for the country since 1980, when Republican Ronald Regan defeated Democratic incumbent Jimmy Carter.

“Pick the cause that you want to support, pick the candidate you want to support, and be engaged,” he said.

“It’s your future. You’re the ones that are going to live with the person that you choose to be president of the United States.”

Anything networked can be hacked.

Everything is being networked.

Therefore everything is vulnerable.

That was one of the key takeaways for the 30 Captiol Hill staffers who flew to Stanford University from Washington D.C. last week to attend three days of intensive cybersecurity training at the second Congressional Cyber Boot Camp.

Image

Silicon Valley executives and entrepreneurs, academics and former high-level government officials painted a picture of a complex threat landscape, where foreign nation states routinely hack into U.S. companies and government agencies with near impunity, and everything from utilities and critical infrastructure, to cell phones and cars could be vulnerable to cyber attack.

“The next conflict, if it happens tomorrow, it’s not going to be pretty in cyber space,” said Kevin Mandia, president of FireEye and one of the world’s leading experts on counter forensics, in an onstage conversation with Michael McFaul, the former US ambassador to Russia and director of the Freeman Spogli Institute for International Studies.

Mandia said that 29 out of the 30 significant cyber attacks his company was currently investigating were the handiwork of state-sponsored hackers, with the Chinese and Russian governments among the chief offenders.

Image

“They can hack any company they choose. They can hack any government agency they choose.

“We’ve spent billions of dollars on defense, but I don’t think we’ve raised the cost of offense a dollar.”

The asymmetrical nature of conflict in cyber space was a common refrain.

“The people that want to attack have distinct and profound advantages over the defender,” said Herb Lin, senior research scholar at the Center for International Security and Cooperation (CISAC) and research fellow at the Hoover Institution.

That’s because finding flaws in commonly used software, which can have more than 40 million lines of code, is like looking for the proverbial needle in the haystack.

“Each one of those lines of logic might have a flaw that can be exploited by an attacker to break in,” said Corey Nachenberg, chief architect of Symantec’s Security Technology and Response division.

“There’s no silver bullet solution…because the attacks are constantly shifting.”

Dan Boneh, a Stanford computer science professor and CISAC affiliate, demonstrated how a seemingly benign sensor, like the one that measures battery life in your iPhone, could be hijacked to pinpoint your exact location.

He also showed how the gyroscope that enables interactive games on your iPhone could be used to measure minute vibrations on a tabletop surface and eavesdrop on conversations.

Even everyday objects like cars can be compromised.

“Our mental models are focused on servers and laptops…but the vast majority of processors that ship every year look nothing like computers,” said Stefan Savage, a professor of computer science and engineering at the University of California at San Diego.

Savage’s research team published pioneering work on car hacking in 2010 that proved it was possible for a hacker to remotely take control of a car’s engine and brakes.

And cars are just the tip of the iceberg.

“There’s probably not a single mode of transportation that’s not controlled by a computer,” Savage said.

His next research target is the aviation industry.

Amy Zegart, CISAC co-director and senior fellow at the Hoover Institution, led a hands-on simulation exercise for visiting congressional staffers, where they assumed the roles of tech company employees responding to a major cyber breach.

Experienced executives from Intel, Uber, and Palo Alto Networks acted as board members and quizzed the staffers on how their assigned departments (including legal, marketing, business strategy and engineering) would manage the crisis.

Image

Zegart said she wanted to expose congressional staff to a diverse range of experts, drawn from the tech industry, legal, technical and policy fields.

“We’ve got to figure out how to accelerate the learning process and work across disciplines,” Zegart said.

Other speakers agreed.

“The time to tackle these difficult policy challenges is now, not after one of these attacks happen,” said U.S. Air Force Col. Matteo Martemucci, division chief for the Joint Staff at the Pentagon.

The Cyber Boot Camp was hosted jointly by CISAC, the Freeman Spogli Institute for International Studies and the Hoover Institution, and co-sponsored by the Stanford Cyber Initiative.

Thirty congressional staffers are set to get a primer on cybersecurity challenges and countermeasures from some of Silicon Valley’s leading academic, industry and public policy practitioners as part of an intensive three-day workshop to be held at Stanford University from August 17–19.

“Cybersecurity threats are growing more serious and evolving rapidly,” said Amy Zegart, CISAC co-director and Davies Family senior fellow at the Hoover Institution.

Image

The second annual Congressional Cyber Boot Camp is an invitation-only event that will feature lectures from industry experts including LinkedIn cofounder Reid Hoffman, Uber Chief Security Officer Joe Sullivan, Palantir Technologies Global head of Cyber Security Melody Hildebrandt, and Facebook Chief Security Officer Alex Stamos.

Participants will also hear from some of the top academics in the field, including CISAC senior research scholar and Hoover Institution research fellow Herb Lin, and CISAC affiliates Dan Boneh, John Villasenor and John Mitchell.

Image

Sessions will cover a wide range of topics, from the fundamentals of cybersecurity, to how to think like an attacker, domestic and international legal considerations, and the interplay between cybersecurity and civil liberties.

Zegart will lead a live, hands-on simulation of a cyber attack, with staffers playing the roles of corporate executives responding to the crisis.

“The boot camp is an invaluable experience that brought congressional staff together to deliberate the complex cyber policy issues we’re facing on Capitol Hill and to hear from across academic disciplines different ways to think about these tough problems,” said past participant Brett DeWitt, staff director of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

Image

The three-day conference will conclude with a tour of the Facebook’s new headquarters in Menlo Park.

Although the cyber workshop is by invitation only, Hoover, Stanford, and CISAC will provide live updates on Twitter throughout the event. Follow the conversation at #StanfordCyber.

The event will be jointly hosted by CISAC, the Freeman Spogli Institute for International Studies and the Hoover Institution, and is co-sponsored by the Stanford Cyber Initiative.

It’s a technique that’s been used to calculate the odds of everything from the likelihood of a nuclear meltdown to the chances of getting sick from eating bad seafood.

Today, a CISAC scholar told the U.S. Senate Judiciary Committee that he hoped probabilistic risk analysis could help move the ball forward in the debate over encryption that’s pitted law enforcement and national security agencies against some of Silicon Valley’s most influential technology companies.

“Neither side can prove its case, and we see a clash of theological absolutes,” said Herb Lin, senior research scholar for cybersecurity at the Center for International Security and Cooperation and research fellow at the Hoover Institution, in his testimony before a full hearing of the committee.

The contentious debate over encryption has developed in the wake of the National Security Agency spying scandal, with tech titans Apple and Google recently announcing plans to implement stringent new cryptography protocols to protect customer data.

“When the Snowden documents revealed that NSA was hacking [the tech companies], there was a real sense of betrayal,” Lin said.

“You now hear tech companies talking about the U.S. government in the same way they talk about China. They feel like they have to protect themselves against the U.S. government in the same way they have to protect themselves against China. That’s a terrifying thought. In that kind of environment, there’s no trust.”

Law enforcement and national security agencies want tech companies to integrate a mechanism for the government to gain “exceptional access” to encrypted data into their new encryption technology. But, industry and privacy advocates have resisted, arguing that creating a so-called “backdoor” would make their software more vulnerable to attacks from hackers.

FBI director James B. Comey, who also testified before the committee, warned that the latest generation of encryption technology was putting American lives at risk. He said that the Islamic State in Iraq and Syria (ISIS) was actively recruiting homegrown terrorists via Twitter then using end-to-end encrypted mobile messaging apps to secretly send orders for them to carry out attacks within the United States.

FBI Director James B. Comey (right) testifies before the U.S. Senate Judiciary Committee about the national security risks of end-to-end encryption, with Deputy Attorney General Sally Quillian Yates (left) at his side, as CISAC senior research scholar Herb Lin looks on from the gallery.

“Our job is to look in a haystack the size of this country for needles that are increasingly invisible to us because of end-to-end encryption,” Comey said.

Deputy Attorney General Sally Quillian Yates, who testified at Comey’s side, said law enforcement could not get access to that kind of encrypted communications, even with a valid court order.

“Critical information becomes in effect ‘warrant proof’,” she said.

“Because of this, we are creating safe zones where dangerous terrorists and criminals can operate and avoid detection.”

It is a polarizing debate.

Image

“I’d like to find a way to move the ball forward rather than seeing both sides being stuck in the trenches shouting at each other.”

Lin’s proposal, which he presented to the Senate Judiciary Committee on Wednesday, recommended that both sides focus on estimating how long it would take a hacker to break into an encrypted device equipped for “exceptional access.”

“If it takes a thousand years for a bad guy to figure out how to hack…that’s probably secure enough,” Lin testified.

“If it takes him 30 seconds, using that mechanism is a dumb idea. So somewhere between 30 seconds and a thousand years, the mechanism changes from being unworkable to being secure enough.”

Not all computer security experts believe such a calculation would be possible.

“It’s challenging to come up with a defensible methodology for estimating the risk that a backdoor system will be compromised,” said Jonathan Mayer, a Stanford PhD candidate in Computer Science and former CISAC cybersecurity fellow who garnered national headlines for his research demonstrating that the NSA could use phone metadata to reconstruct detailed personal information.

“Not only are the risks of compromise unknown – they’re unknowable.”

However, Lin said the mathematical methodology known as probabilistic risk analysis, which has widely been used to predict the likelihood of catastrophic failure in complex systems from nuclear power plants to the space shuttle, might be able to shed some useful light on the risks.

And, he said, the only way to find out if it could successfully be used to calculate the risks of encryption software getting hacked would be to conduct more research.

Veterans of the so-called “Crypto Wars” of the ‘70s and ‘90s (when the U.S. government tried to limit public access to encryption technology), like Stanford professor emeritus of electrical engineering and CISAC affiliated faculty member Martin Hellman, said proposals like Lin’s could help advance the public debate and bring both sides closer together.

“Getting the two opposing sides to talk — and listen — is really important,” Hellman said.

“That's what happened 20 years ago when Congress asked the National Academies to look at an almost identical problem. It got those different groups talking and working out compromises.”

A recent Lawfare blogpost by Mailyn Fidler (Class of 2014) featured research findings on zero-day vulnerabilities, the topic of both her CISAC honors thesis and a forthcoming law review paper. Fidler graduated from Stanford a year ago, having successfully completed the CISAC Honors Program in International Security Studies. Martha Crenshaw, who co-directs the Honors Program with Chip Blacker, and was a mentor to Fidler, comments: “We are enormously proud of and gratified by Mailyn’s accomplishment.  The publication of her research findings about zero-day exploits is exactly what we aspire to for our honors students.  We will cite her as a model and inspiration for years to come.  But of course first and foremost the credit is Mailyn’s, for her command of the subject and her determination and professionalism – qualities that have long been evident.”

Fidler, who is currently a Marshall Scholar at Oxford University, studying for a master’s degree in International Relations, is eventually planning to head to law school, as an aspiring legal academic.  In the short term, Fidler is looking forward to the publication in summer 2015 of a paper titled  “Regulating The Zero-Day Vulnerability Trade: A Preliminary Analysis.” The paper, a revised version of her honors thesis, will appear in I/S: A Journal of Law and Policy for the Information Society, a law review focused on the intersection of technology and law.

Image

She took away lasting lessons from the Honors College, a two-week program that takes place in Washington DC, providing students with exposure to policy-makers who are prominent in the students’ fields of research. “Something that stood out to me was meeting role models at the tops of their fields with such integrity and kindness,” she reflects. “Colleen Hanabusa [US Rep, Hawaii, 2011-2015], Jane Harman [Director of the Woodrow Wilson Center], and our own Karl Eikenberry and Tom Fingar particularly left a lasting impact for this reason exactly.”

Another teaching moment took place during a visit to the National Security Agency: “There was a picture of the Twin Towers front and center on the speakers’ table, and they had us pass it around and hold the picture. For me, this was indicative of how deeply this event has influenced government policy, that even a group of student visitors was asked to engage with surveillance very clearly through the lens of 9/11.”

To Fidler, the ability to have access to experts in the field of international security studies during her year at CISAC has been a great benefit to her work: “With the support of CISAC, I was able to interview and otherwise engage with a range of high-level contacts in policy, industry, and academia, and I still connect with them now, when relevant.”

In Fidler’s eyes, one of the highlights of the CISAC program was the opportunity to engage with fellow honors students as scholars and as friends and the resulting broadening of her interests: “One of my CISAC cohort just Facebook messaged me because she saw something in the news about zero-days, which she now cares about, and I, similarly, care a lot more about topics beyond my own field, such as the Indian Civil Nuclear deal and Arctic cooperation, than I did before.”

In addition to Crenshaw, Fidler was also mentored by Jennifer Granick. Granick, an expert on privacy in cyber, is the Director of Civil Liberties at the Stanford Law School Center for Internet and Society's (CIS) and a CISAC affiliate. 

Image

“Having Crenshaw and Granick as my mentors was a great pairing. Crenshaw helped me with the more academic side of my research, and Granick was invaluable in connecting me with policy movers and shakers. I ended up writing a blog post with her on Just Security, and have reached out to her numerous times for advice on how to best engage in public debate on my research topic.”

“Mailyn is a great thinker. Her thesis was smart and well-researched, and as it turns out, incredibly timely,” observes Granick. She is a real public asset as both a scholar and a voice in important policy debates.”

Fidler’s research is a work in progress. As different opportunities arise, she is constantly refocusing the lens through which she is looking at the zero-day issue: “As I have continued this work, I have had the opportunity to engage with a much wider range of actors, so I have had to rethink and reanalyze my research from multiple angles. For instance, I had the opportunity to give a presentation on zero-days to Amnesty International’s Technology & Human Rights group, which meant I rethought the issue from a human rights perspective.” Fidler researched specific instances of abuse or potential abuse of human rights using zero-days, she said, and presented the Technology & Human Rights group with several possible normative stances, a change from the more cost/benefit-oriented analysis originally laid out in her thesis.

In Crenshaw’s view, students like Fidler exemplify what the Honors program hopes to accomplish once those students go out into the real world. "We want our students to make a substantive contribution to our understanding of international security,” she notes, “and Mailyn has done just that."

When it comes to contributing to research in international security issues, Fidler is hardly alone among CISAC Honors alums. A partial listing of publications and presentations based on CISAC Honors Theses can be found here.

As a new class of incoming Honors students prepares to join CISAC, Fidler has this advice for her successors: “Don’t be afraid to ask for help or advice“ even if you think it is unlikely or intimidating, “Asking never hurts and often has a good upside.”

CISAC's Honors Program in International Studies recently awarded three prizes to some of its students, instead of the traditional two. “At the end of the year we award prizes to three of the thesis writers. It’s always a hard decision to make because they are all really good,” said FSI Senior Fellow and Honors Co-director Martha Crenshaw.

Taylor Grossman, Patrick Cirenza, and Teo Lamiot were awarded the Firestone Medal for Excellence in Undergraduate Research, the William J. Perry Prize, and the John Holland Slusser World Peace Prize, respectively. They presented their work in front of faculty, advisors, and friends at a packed seminar in early June.

The Perry Prize, named after former Defense Secretary and current FSI Senior Fellow William Perry, is awarded to a student for excellence in policy-relevant research in international security studies. Cirenza’s thesis, “An Evaluation of the Analogy between Nuclear and Cyber Deterrence,” examined whether cyber weapons can be accurately understood by comparing them to nuclear weapons.

Image

“My thesis topic definitely evolved over time,” Cirenza said. “I really did not know that much about cyber weapons. I initially wanted to look at non-state actors in cyber space and I asked Professor Scott Sagan about that and he asked what I knew about cyber and the reality was I really did not know anything. But I still really wanted to study it and at the time I was in Condoleezza Rice’s seminar and she suggested examining the analogy between nuclear and cyber weapons, which was being used a lot at the time. I went through several different topics and ultimately landed on deterrence.”

Cirenza was advised by FSI Senior Fellow Coit Blacker, who co-directs the honors program with Crenshaw, and by consulting professor Phil Taubman. Next fall he will attend Cambridge for a one year M.Phil program in international relations. After that he hopes to join the Marine Corps infantry.

“I never wanted a desk job in my twenties and I think it’s the best way to serve my country at this time,” he said.

The newly created Slusser Prize goes to the thesis that best contributes to the development of “permanent world peace.” Lamiot’s thesis, “When Blue Helmets Do Battle: Civilian Protection in the Democratic Republic of the Congo” examined whether the use of force against rebel groups in the DRC by UN peacekeepers had any effect on atrocities committed against civilians. He was advised by FSI Senior Fellow Stephen Stedman, who formerly served as Assistant Secretary-General and Special Advisor to the Secretary-General of the United Nations.

Lamiot started formulating his thesis topic when he was working in the U.S. embassy in the DRC. “I worked in the unit that is tasked with monitoring the conflict in the eastern part of the country. Part of my work was investigating a massacre that had taken place in that region about a month before I arrived in country. The massacre was of interest to the U.S. government because the Congolese and U.N. peacekeeping forces stationed nearby did not respond to the massacre despite knowing that it was going on,” he recounted.

Image

“This sparked my interest and, at first, I wanted to answer the question why do peacekeepers use force in some cases but not in others, but I ultimately decided on answering what happens when they do use force. I’m hoping that my argument that in some cases using force has positive effects and decreases rebel violence against civilians informs these decision-makers on the ground when they are choosing what to do.”

After graduation Lamiot will be on a Center for Democracy, Development, and Rule of Law fellowship in Uganda doing development work. “I’ll likely be working on democratic and political development. I’m trying to learn something about how outside actors can try to bring about these development outcomes in foreign countries.”

The Firestone Medal is a Stanford-wide prize awarded to the top ten percent of all honors theses in social science, science, and engineering. Grossman, who will also graduate with a B.A. Political Science, wrote hers on homeland security and the evolution of terrorism advisory systems. She was advised by CISAC Co-Director Amy Zegart.

“I really wanted to look at effectiveness of communication and intelligence sharing, but in a way that I could actually see government information. That led me to public warning systems for terrorism where there is a lot of public information available. Not a lot has been written on how effective they are, how they operate, or how they have evolved,” Grossman said.

Image

After graduation she plans on joining the Hoover Institution as a research assistant.

“I feel like I majored in CISAC. Ever since I took the class ‘The Face of Battle’ with Professor Scott Sagan and Colonel Joe Felter, I’ve been hooked on international security and the issues CISAC focuses on. I think the honors program has been the defining part of my undergraduate career. It was really rewarding and challenging and I’m glad I did it.”

Grossman and Cirenza were also elected to the Phi Beta Kappa Society in May 2015, as was Geo Saba, a political science major. Phi Beta Kappa is a nationwide society honoring students for the excellence and breadth of their undergraduate scholarly accomplishments.

Additionally, the Stanford Alumni Association (SAA) selected Cirenza, Grossman, and Akshai Baskaran, who majored in chemical engineering, to receive an Award of Excellence. 

Congratulations to all graduates of the Class of 2015: Akshai Baskaran, Patrick Cirenza, Kelsey Dayton, Taylor Grossman, Sean Hiroshima, Annie Kapnick, Sarah Kunis, Teo Lamiot, Austin Lewis, Sam Rebo, Geo Saba, Eliza Thompson, and Adrienne von Schulthess.