Part 5 (2/2)

PURPOSE. THIS MESSAGE ANNOUNCES AN IMMEDIATE BAN ON INTERNET SNS WITHIN THE MCEN UNCLa.s.sIFIED NETWORK (NIPRNET).

BACKGROUND. INTERNET SNS ARE DEFINED AS WEB-BASED SERVICES THAT ALLOW COMMUNITIES OF PEOPLE TO SHARE COMMON INTERESTS AND/OR EXPERIENCES (EXISTING OUTSIDE OF DOD NETWORKS) OR FOR THOSE WHO WANT TO EXPLORE INTERESTS AND BACKGROUND DIFFERENT FROM THEIR OWN. THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYs.p.a.cE, AND TWITTER.

ACTIONS. TO MEET THE REQUIREMENTS OF REF A, ACCESS IS HEREBY PROHIBITED TO INTERNET SNS FROM THE MCEN NIPRNET, INCLUDING OVER VIRTUAL PRIVATE NETWORK (VPN) CONNECTIONS.

EXCEPTIONS.

ACCESS MAY BE ALLOWED BY MCEN DESIGNATED ACCREDITATION AUTHORITY (DAA) THROUGH A WAIVER PROCESS.

ACCESS IS ALLOWED TO DOD-SPONSORED SNS-LIKE SERVICES INSIDE THE GLOBAL INFORMATION GRID (GIG) ON AUTHORIZED DOD MILITARY SYSTEMS THAT ARE CONFIGURED IN ACCORDANCE WITH DISA SECURITY TECHNICAL IMPLEMENTATION GUIDES (E.G., INTELINK, ARMY KNOWLEDGE ONLINE, DEFENSE KNOWLEDGE ONLINE, ETC).

WAIVER REQUEST PROCESS.

IF MISSION-CRITICAL REQUIREMENTS EXIST FOR ACCESS TO INTERNET SNS, WAIVER REQUESTS MUST BE SUBMITTED TO COMMAND INFORMATION a.s.sURANCE MANAGER (IAM) FOR VALIDATION AND FORWARDING PER NETOPS C2 STRUCTURE.

WAIVER REQUIREMENTS.

(1) COMMAND/UNIT.

(2) POINT OF CONTACT.

(3) NAME OF SNS.

(4) OPERATIONAL NEED FOR SNS.

(5) OPERATIONAL IMPACT WITHOUT SNS.

(6) NUMBER OF SNS USERS.

(7) NUMBER OF TIMES ACCESSED PER WEEK PER USER.

(8) ACCESS METHOD: NIPRNET OR GOVERNMENT-FURNISHED COMMERCIAL INFRASTRUCTURE AND COMPUTERS C. ROLES AND RESPONSIBILITIES.

(1) COMMAND IAM: INVESTIGATE AND VALIDATE MISSION-CRITICAL NEED FOR INTERNET SNS ACCESS. IF NEED IS JUSTIFIED, FORWARD REQUEST TO MARINE CORPS NETWORK SECURITY OPERATIONS CENTER (MCNOSC).

(2) MCNOSC: INVESTIGATE THE TECHNICAL IMPLEMENTATION OPTIONS AND FORWARD TO MCEN DAA.

(3) MCEN DAA: FINAL APPROVAL AUTHORITY. MCEN DAA WILL STIPULATE HOW ACCESS TO INTERNET SNS IS OBTAINED BASED ON MISSION NEED (I.E., THROUGH NIPRNET OR GOVERNMENT-FURNISHED COMMERCIAL INFRASTRUCTURE).

IT PROCUREMENT. IT PROCUREMENTS MADE TO FACILITATE INTERNET SNS USE MUST CONTAIN AN APPROVED WAIVER REQUEST.

CANCELLATION. THIS MARADMIN WILL BE CANCELLED ONE YEAR FROM DATE OF PUBLICATION.

RELEASE AUTHORIZED BY BGEN G. J. ALLEN, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS/CHIEF INFORMATION OFFICER OF THE MARINE CORPS.//.

DMC-PR-05-07-02 dated 5 August 2009 Version 1.0 ONLINE ENGAGEMENT GUIDELINES.

SUMMARY.

Not everyone agrees with the USMC's new policy, including the chairman of the joint chiefs of staff, who said in an interview with Next.gov: ”Obviously we need to find right balance between security and transparency,” Adm. Mike Mullen Tweeted (twitter.com/TheJointStaff) after the Marine Corps said (/nextgov/ng_20090804_3800.php?oref=topnews) it would ban social networking sites. ”We are working on that. But am I still going to tweet? You bet.”

While the US Department of Defense continues to study the issues surrounding the use of social media, the UK Ministry of Defense released its social software guidelines for service members on August 5, 2009.

Service and MOD civilian personnel are encouraged to talk about what they do, but within certain limits to protect security, reputation and privacy. An increasingly important channel for this engagement, and to keep in touch with family and friends is social media (such as social networking sites, blogs and other internet self-publis.h.i.+ng). Personnel may make full use of these but must: Follow the same high standards of conduct and behaviour online as would be expected elsewhere; Always maintain personal, information and operational security and be careful about the information they share online; Get authorisation from their chain of command when appropriate (see para 2 below); Service and MOD civilian personnel do not need to seek clearance when talking online about factual, uncla.s.sified, uncontroversial nonoperational matters, but should seek authorisation from their chain of command before publis.h.i.+ng any wider information relating to their work which: Relates to operations or deployments; Offers opinions on wider Defence and Armed Forces activity, or on third parties without their permission; or Attempts to speak, or could be interpreted as speaking, on behalf of your Service or the MOD; or, Relates to controversial, sensitive or political matters.

If in doubt personnel should always seek advice from their chain of command / line management.

The UK approach to managing its Defense Ministry personnel's online activities is much saner and safer than an outright ban. The solution lies in discussion and training. A ban would simply drive the unwanted behavior underground, where it would morph into something potentially even more dangerous and unmanageable.

Chapter 4. Responding to International Cyber Attacks as Acts of War.

Whereas the previous chapter discussed some of the legal questions and strategies being debated among the international community of legal scholars, this chapter focuses on one strategy in particular that addresses the fuzzy role of nonstate actors in cyber conflicts between nation-states, that is, a.s.signing states responsibility for their nonaction and enacting consequences because of it.

I want to thank Lt. Cdr. Matt Sklerov for laboriously rewriting his 111-page thesis so that I could include it in this book.[3] In my opinion, Matt is one of the rising stars of the Department of Defense, and I feel privileged that he has consented to have his work republished here. Although there are still unresolved issues with Active Defense (such as confusion around attribution), he makes his case so thoroughly and persuasively that I believe it will serve as an excellent platform for further discussion, not just in the US government, but in governments and military commands around the world.

-Jeffrey Carr By Lieutenant Commander Matthew J. Sklerov One of the most heavily debated issues in international law is when states may lawfully respond to cyber attacks in self-defense. While the law of war is comprised of well-known and widely accepted principles, applying these principles to cyber attacks is a difficult task. This difficulty arises out of the fact that the law of war developed, for the most part, in response to conventional wars between states. When evaluating armed attacks in that paradigm, it was easy to a.s.sess the scope of an attack and the ident.i.ty of an attacker. Unfortunately, when a cyber attack is in progress, it becomes difficult for states to a.s.sess the scope of an attack or figure out who is responsible for it. These difficulties have made states reluctant to respond to cyber attacks in self-defense for fear of violating the law of war, and they have turned cyber warfare into one of the hottest topics in international law.

This chapter explores the unique challenges that cyber attacks pose to the law of war and provides an a.n.a.lytical framework for dealing with them. Once the current state of the law of war is fully explored, this chapter will demonstrate that states have a right under international law to: View and respond to cyber attacks as acts of war and not solely as criminal matters.

Use active, not just pa.s.sive, defenses[4] against the computer networks in other states, that may or may not have initiated an attack, but have neglected their duty to prevent cyber attacks from within their borders.

<script>