DHP P236/CS150-08 Cyber in the Civil Sector: Threats and Upheavals: Syllabus
Professor Susan Landau
Offices: Fletcher: Mugar 251D; Halligan: 241
Office Hours Spring 2018: Mondays 2:00-3:00 Halligan 241
Tuesdays 1:30-2:30 Mugar 251D (Fletcher)
Course Description: There is a myth that the Internet erases borders. But as Internet companies' ability to place localized ads show, that's false. What’s more accurate is that the Internet complicates a nation’s ability to control of the flow of information within its borders. (This is not a new challenge for sovereign nations; consider the telegraph.) This fluidity has created great economic opportunity and simplified trans-border access, the latter potentially threatening security and other basic state functions. With bits increasingly controlling the world around us, the Digital Revolution poses a highly disruptive threat. In this course, we'll explore cyber clashes in the civilian sector: from jurisdictional issues and the challenges posed by new technologies to criminal activities and impacts on civil infrastructures. While several of the topics are also covered in International Cyber Conflict: An Introduction to Power and Conflict in Cyberspace, DHP P249, the intersection between the two courses will be relatively minimal. Cyber in the Civilian Sector will have a greater focus on technology and, naturally enough, on the civilian, as opposed to national-security, side of the house.
Prerequisites: For CS students in A&S or SoE: COMP 11: Introduction to Computer Science and COMP 15: Data Structures. Note that this is a Fletcher graduate course: some technical and academic maturity is required.
Enrollment requirements: No programming background needed, but a willingness to, and interest in, playing with digital tools is required.
Course schedule: This course will meet weekly on Mondays and Wednesdays 11-12:20 during the 2018 spring term. There will be no class on February 28 and April 23.
You will have three written assignments and one group presentation. Three of the writing assignments will be three-page briefing papers; the fifth will be longer (ten pages) and will be written in conjunction with a group presentation for the final day of the module. Though the project and presentation will be a group effort, the paper itself should be an individual effort.
Three short papers (3 pages): 10% of grade each
Group presentation: 20%
Ten-page paper: 30%
Class participation: 20%
Class participation matters in your grade.
Note that there are no late assignments. Any assignment not handed in at the beginning of the class in which it was due will not be accepted, and you will receive a "0" for that particular effort.
The course has lots of readings and no exams---but class participation counts 20% of your grade. Do the reading before class, think about what you've read, and come in informed and ready to discuss the issues.
I like to grade papers with a pen in my hand and paper rustling. So please hand in your papers in hard copy as well also sending me a version via email (please put DHP P236/CS150-08 in the email subject; thanks). Papers are due at the beginning of class. There are no exceptions to that rule.
Writing well is important in virtually any career you might have, and I expect clear, careful writing in all assignments. Writing well involves thinking clearly, organizing your thoughts, and then expressing them clearly. Although three of the papers for this course are just three pages, don't be fooled by the short length of the assignments. Such brevity means you must work hard to get important ideas into a small amount of space (and please use 12 point fonts). Woodrow Wilson is said to have responded when asked how long it would take to write a speech, "That depends on the length of the speech. If it is a ten-minute speech it takes me all of two weeks to prepare it; if it is a half-hour speech it takes me a week; if I can talk as long as I want to, it requires no preparation at all. I am ready now." That's exactly right. Think hard, write down your ideas, and then express them succinctly.
My personal favorite book on writing is the decades-old Strunk and White, Elements of Style. If you need more help on writing, take advantage of the Tufts Writing Center.
Please also see the Course Policies page.
Important Note: This syllabus is a work in progress; some readings may change as the term progresses.
Second Important Note: There are a variety of readings in this course. The books are on reserve (though there may only be one copy, so plan accordingly). Any National Academies studies can be accessed for free online. Finally, note that unless otherwise noted, please read the entire assigned paper.
Topic I: How the world has changed
January 17: Introduction
- Clashes and change enabled by cyber in the developed and developing world.
- Cyber in Africa and the Arab Spring; Cyberespionage and Open Networks: the US/China clash.
January 22: The Digital Revolution in context
- What cyberspace is: size, usage, and growth; genesis of the Internet.
- Rasha Abdullah, The Revolution Will Be Tweeted, Cairo Review of Global Affairs, November 2011.
- Sean Aday, Henry Farrell, Marc Lynch, John Sides, Deen Freelon. Blogs and Bullets II: New Media and Conflict After the Arab Spring, Peaceworks No. 80, Washington, DC: United States Institute of Peace, 2012 (download and read the report).
- Internet World Stats.
- Jacob Poushter and Rhonda Stewart, Smartphone Ownership and Internet Usage Continues to Climb in Emerging Economies, February 22, 2016.
- Barry Leiner, Vinton Cerf, David Clark, Robert Kahn, Leonard Kleinrock, Daniel Lynch, Jon Postel, Larry Roberts, and Stephen Wolff, Brief History of the Internet, 1997.
- J.H. Saltzer, D.P. Reed, and D.D.Clark, End-to-End Arguments in System Design, ACM Transactions on Computer Systems, Vol. 2, Issue 4, November 1984.
Topic II: How the Internet: Technical and—Attempted and Successful—Policy Controls
January 24: Who controls the network? Guest Speaker: Scott Bradner
- Differing players (IETF, ICANN, companies, nations).
- Laura DiNardis, The Emerging Field of Internet Governance, 2014.
January 29: How the Internet works: Part 1, cryptography
- Public and symmetric key crypto
- The Crypto Wars
- By way of Scott Bradner, short take on net neutrality:
- Bruce Sewell, Statement for the Record, Hearing on "Deciphering the Debate over Encryption: Industry and Law Enforcement Perspectives," US House of Representatives, Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April, 19, 2016.
- Deputy Attorney General Rod Rosenstein, Remarks on Encryption at the US Naval Academy, October 10, 2017.
- Sven Herpig and Stefan Heumann, Germany’s Crypto Past and Hacking Future, Lawfareblog, April 13, 2017.
January 31: How the Internet works: Part 2, protocols
- PKI, DNS, certs
- Susan Landau, Surveillance or Security? The Risks Posed by New Wiretapping Technologies, MIT Press, 2011, Chapter 2 (on reserve).
February 5: Does Geography Matter? Part 1: Governments try to control events
- How does Internet data flows change commerce and jurisdiction? Or do they?
- Governments exercising local control: controls and costs.
- Jack Goldsmith and Tim Wu, Who Controls the Internet?: Illusions of a Borderless World, Oxford University Press, 2006.
Assignment: You are the staff member responsible for technical issues for a national elected official. Prepare a 3-page briefing paper on how to determine geographic location of an Internet user. Your brief should be non-technical but explain technical issues; your document should include the complexities of doing so and the circumstances under which it is possible.
February 7: Does Geography Matter? Part II: Governments control events
- Simon Denyer, China's Scary Lesson to the Rest of the World: Censoring the Internet Works, Washington Post, May 23, 2016.
- Tracy Staedter, Why Russia is Building Its Own Internet, IEEE Spectrum, January 17, 2018.
- Ananya Bhattacharya, Iran is giving its citizens fast internet, but cutting them off from the rest of the world, August 30, 2016.
- Center for Human Rights in Iran, Guards at the Gate: The Expanding Control of the Internet in Iran, 2018, pp. 26-39.
Topic III: An introduction to understanding cyberattacks
February 12: Why cybersecurity is hard:
- Protect yourself. Two-factor authentication as a case study.
- Anne Adams and Martine Angela Sasse, Users Are Not the Enemy, Communications of the ACM, Volume 42, Issue 12, December 1999.
- Duo, Guide to Two-Factor Authentication.
February 14: Why cybersecurity is hard:
- Programming errors/complexity; interfaces are where the problems occur; security/usability tradeoffs; determining risk is hard.
- Ross Anderson, Why Information Security is Hard, ACSAC 2001.
February 21: Cyberthreats
- Cyberexploit v cyberattack; how attacks occur; how surveillance changes in the Internet era; cyberexploits, an old tool, now repurposed.
- William Owens, Kenneth Dam, and Herbert Lin, Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities, 1.1-1.7, Box 1.4 on page 32.
February 26: A brief history of cyberattacks
- Jason Healey, A Fierce Domain: Conflict in Cyberspace, 1986-2012, Cyber Conflict Studies Association, 2013, pp. 27-38.
“Lab” assignment: Go through two of your electronic devices (laptop, smartphone, etc.) with an eye to protecting your security and privacy. Explain the decisions you’ve made configuring them. In a three-page document, provide the general principles you’ve used to protect your devices, explain where you’ve deviated from them-and why. Include a bibliography of materials you used to make your choices; this bibliography is an important aspect of the assignment and is not part of the page count.
February 28: No class.
- This would be an excellent time to work together on your group project.
March 5: Why securing systems is hard: attacks on protocols
- Matt Green, Falling through the KRACKs, October 16, 2017.
March 7: Why securing systems is hard: attacks on protocols; unprotected systems.
- Attacks on TLS.
- The weakness of SCADA systems.
- Matt Green, On the "Provable" Security of TLS, Part I.
- Industrial Control Systems Cyber Emergency Response Team, Alert (IR-ALERT-H-16-056-01), February 25, 2016.
March 12: Why securing systems is hard: securing critical infrastructure is hard
- NIST framework.
- Nicole Perlroth, In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, New York Times, October 23, 2012.I
- National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, 2017, pp. 1-25.
Topic IV: Cybercrime and its complexities
March 14: Tracing users, Tracing crime:
- Part I: shutting it down: Spam and prescription drugs
- Part II: jurisdictional issues: Attribution and following the money MLATs—and the difficulties of criminal investigations
- David Clark and Susan Landau, Untangling Attribution, Harvard National Security Journal, Vol. 2, Issue 2 (2011).
- Gail Kent, The Mutual Legal Assistance Problem Explained, February 23, 2015.
March 26: Facebook, Advertising, and Privacy
- Everything you need to know about the Cambridge Analytica Expose, The Guardian, March 19, 2018.
March 28: Economics of information security
- How big a problem?
- Behavioral economics: how users react to security choices.
- Economic incentives and alignments.
- Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel van Eeton, Michael Levi, Tyler Moore, Stefan Savage, Measuring the Cost of Cybercrime, 2012.
- Dinei Florenico and Cormac Herley, Sex, Lies and Cybercrime Surveys, in Economics of Information Security and Privacy III, 2013.
- Tyler Moore, Richard Clayton, Ross Anderson, The Economics of Online Crime, Journal of Economic Perspectives, 2009.
Topic V: Changing technologies and their implications
April 2: How technology changes basic assumptions
- FANUC Embraces IoT Through Cisco Intercloud.
- Paul Seidenman and David Spanovich, Aircraft Health Monitoring Sensors Cut MRO Costs, August 12, 2016.
- Leigh Giangreco, New F-35 Software Could Quell ALIS Sovereignty Concerns, Flight Global, October 27, 2016.
You have a choice of topics.
- You are a member of the National Security Council. Write a 2-page briefing document arguing why the North Korean attack on Sony rises to a national-security threat.
- Pick one of the cyberattacks discussed in class, and propose a fix from either a regulatory or process (the latter within industry) standpoint that would prevent an attack of this sort in the future. Note that "of this sort" is intentionally vague. Part of this assignment is to scope the type of attack you seek to prevent. In this 2-page briefing document you present to your legislator or Chief Technology Officer you should delineate the costs (societal, economic, etc.) that are likely to ensue from your proposal and describe the likelihood of your solution's success.
Please be careful to cite; note that citations can be on page 3 (and thus not part of the page count).
April 4: Big data and machine learning on a massive scale
- Ben Buchanan and Taylor Miller, Machine Learning for Policy Makers: What It Is and Why It Matters, Belfer Center, June 2017.
April 9: Attacking civil society
- Attacks on voting.
- Russian attacks: the technical steps behind how they worked.
- Exploring risks to civil society.
- Matt Blaze, Testimony, United States House of Representatives, Committee on Oversight and Government Reform, Subcommittee on Intergovernmental Affairs, Hearing on Cybersecurity of Voting Machines, November 29, 2017.
- Arquilla, J. J., and D. F. Ronfeldt, Cyberwar and Netwar: New Modes, Old Concepts, of Conflict, Rand Review, Fall 1995.
- Susan Landau, Russia’s Hybrid Warriors Got the White House, Now They’re Coming for America's Town Halls, Foreign Policy, September 26, 2017.
- Alexis Madrigal, What Facebook Did to American Democracy---and Why it was So Hard to See It Coming Atlantic Monthly, October 12, 2017.
- Roger McNamee, How to Fix Facebook—Before It Fixes Us, Washington Monthly, Jan/Feb/March 2018.
- Moira Whelan, It's Time for the State Department to Stop Throwing Money at Facebook, October 31, 2017.
April 11: What enabled the US to become a leader in cyber?
- Ex ante regulation.
- What enables a nation to enter the market?
- Scale matters.
Vannevar Bush, "As We May Think," Atlantic Monthly, July 1945, (recommended, not required).
April 18: Borders: Open net/open society; localization: national sovereignty and economic concerns.
- EU response to Snowden: privacy or protectionism?
- James Woolsey, Why We Spy on our Allies, Wall Street Journal (March 17, 2000).
- Magnus Hjortdal, China’s Use of Cyber Warfare: Espionage Meets Strategic Deterrence (Links to an external site.) Journal of Strategic Security, Volume 4, Number 2 (Summer 2011), Article 2, pp. 6-8.
- Ann Marie Slaughter, “How to Succeed in the Networked World: A Grand Strategy for the Digital Age,” Foreign Affairs, November/December 2016.
- Anthony Dworkin, Surveillance, privacy, and security: Europe’s confused response to Snowden (Links to an external site.), January 20, 2015.
April 23: No class. Use the time to practice your group presentations.
April 25: Student presentations: what enables a country to compete in the digital economy?
Student presentations on what enables technology/country X to succeed, what causes it to fail (10-page individual briefing paper plus group presentation):
- North Korea
- South Korea
- Israel and cybersecurity market
- More topic choices to be added; you may also propose some.
April 26, 4-5 pm: Student presentations (extra class)
- Please note the date; the room is 231 Mugar.
April 30: Wrap-up: Discussion on what is needed to secure society.
The syllabus page shows a table-oriented view of the course schedule, and the basics of course grading. You can add any other comments, notes, or thoughts you have about the course structure, course policies or anything else.
To add some comments, click the "Edit" link at the top.