Jonathan Zittrain Topics: Code, Computing, Trust Stuxnet, V

Monday, January 13th: Code as a Weapon Guest Speakers: Ralph Langner; Jonathan Zittrain

Topics: Code, computing, trust Stuxnet, viruses, and worms

Required Readings: 1.) Ken Thompson. “Reflections on Trusting Trust.” Communication of the ACM. 27.8 (Aug. 1984): 761-763. Available Online: http://cm.bell-labs.com/who/ken/trust.html

2.) Committee on Offensive Information Warfare, National Research Council. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, DC: National Academies Press, 2009. “Preface” and “Synopsis.” Available Online: http://www.nap.edu/catalog.php?record_id=12651

3.) Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet Dossier, Version 1.4. February 2011. Available Online: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_st uxnet_dossier.pdf

4.) Mandiant. APT1: Exposing One of China’s Cyber Espionage Units. 2013. Available online: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Recommended Readings: 1.) Center for Strategic and International Studies. Securing Cyberspace for the 44th Presidency. Dec. 2008. Available Online: http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf

The Center for Strategic and International Studies (CSIS) argues that US policy must craft a strategy for cyberspace that is both expansive in its reach and accepting of the importance of civil liberties. The report offers a series of far-reaching recommendations, touching on the significance of regulatory policy, federal acquisitions, and international diplomacy.

2.) United States. Executive Office of the President. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communication Infrastructure. May 2009. Available Online: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

The White House’s comprehensive review of US cyber policy provides a window into the administration’s priorities. The review notes that inaction is no longer possible: in the face of real threat to national security and competitiveness, federal engagement is crucial.

3.) Symantec. Symantec Internet Security Threat Report: Trends for 2013. Vol. 18 (April 2013). Available Online: http://www.symantec.com/content/en/us/enterprise/other_resources/b- istr_main_report_v18_2012_21291018.en-us.pdf

Symantec, a leading security firm, provides a detailed overview of the current threat landscape. The report provides detailed statistics for 2012, including information regarding malware, vulnerabilities, and spam.

4.) W. Brian Arthur. Increasing Returns and Path Dependence in the Economy. Ann Arbor, MI: University of Michigan Press, 1994.

Arthur’s classic work on increasing returns can help explain why, occasionally, flawed or sub-optimal technologies become common. Arthur’s work highlights the central role that chance and sequence play in development. The cream does not always rise to the top.

5.) Susan Leigh Star. “The Ethnography of Infrastructure.” American Behavioral Scientist (1999) 43: 377-391.

Star’s work on infrastructure is central the field of Science and Technology Studies (STS). Star reminds us of the important role that infrastructures play in our everyday lives and highlights the constitutive choices that are often buried within the minutia of technical standards.

6.) Paul A. David. “Clio and the Economics of QWERTY.” The American Economic Review 75.2 (1985): 332-337.

How and why did the QWERTY keyboard emerge to become the de facto standard? David’s classic work, like Arthur’s above, demonstrates that the story of technological development is rarely straight-forward. David’s work underscores the importance that decisions that are made about technologies today will have for tomorrow.

7.) Janet Abbate. Inventing the Internet. Cambridge: MIT Press, 2000.

Abbate’s detailed and readable history of the Internet, explores the origins of a technology that we now take for granted.

Tuesday, January 14th: A Networked World Guest Speakers: Bruce Schneier; Scott Bradner

Topics: The network Authentication, anonymity, and jurisdiction

Required Readings: 1.) J.H. Saltzer, D.P.Reed, and D.D. Clark. “End-to-End Arguments in System Design.” ACM Transactions in Computer Systems. 2.4 (Nov. 1984): 277-288. Available Online: http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

2.) David D. Clark and Marjory S. Blumenthal. “Rethinking the Design of the Internet: The End to End Arguments vs. the Brave New World.” (2000). Available Online: http://dspace.mit.edu/bitstream/handle/1721.1/1519/TPRC_Clark_Blumenthal.pdf

3.) United States. Government Accountability Office (GAO). “Information Security: Additional Guidance Needed to Address Cloud Computing Concerns.” Oct. 2011. Available Online: http://www.gao.gov/assets/590/585638.pdf

4.) Tyler Moore, Richard Clayton, and Ross Anderson. “The Economics of Online Crime.” Journal of Economic Perspectives. 23.3 (2009): 3-20. Available Online: http://pubs.aeaweb.org/doi/pdfplus/10.1257/jep.23.3.3

5.) Lawrence Lessig. “The Laws of Cyberspace.” 1998. Available Online: https://cyber.law.harvard.edu/works/lessig/laws_cyberspace.pdf

Recommended Readings: 1.) Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. “Can It Really Work? Problems with Extending EINSTEIN 3 to Critical Infrastructure.” Harvard National Security Journal. 3.1 (2011): 1-38. Available Online: http://harvardnsj.org/volume-3/

Bellovin et al. discuss the technical barriers to expanding EINSTEIN 3 to a broader set of critical infrastructure. The article highlights the importance of placing policy on a sound technical footing.

2.) Fred Schneider and Deirdre Mulligan. “Doctrine for Cybersecurity.” Daedalus. Fall 2011, 70- 92. Available Online: http://www.cs.cornell.edu/fbs/publications/publicCYbersecDaed.pdf

The authors survey the shortcoming of a variety of different approaches to cybersecurity—including, prevention, risk management, and deterrence. Additionally, they consider a different model, treating cybersecurity as a type of public good, and discuss its implications.

3.) Vivek Kundra. Federal Cloud Computing Strategy. Feb. 2011. 1-6; 26-28. Available Online: http://ctovision.com/wp-content/uploads/2011/02/Federal-Cloud-Computing-Strategy1.pdf

Cloud computing offers enormous efficiencies and benefits, but also introduces new challenges. In this document, Kundra, US CIO, outlines the federal cloud computing strategy and examines ways to mange the new trade-offs associated with cloud computing.

4.) Scott D. Sagan. The Limits of Safety: Organizations, Accidents, and Nuclear Weapons. Princeton, NJ: Princeton UP, 1993.

Sagan reviews the difficulties of managing a complex, high-risk technologies. He provides an overview of the strengths and weakness of different organizational strategies. Although analogies between the nuclear and the cyber domain should be drawn lightly, Sagan’s work on the organizational dimensions of safety and security are invaluable.

5.) Charles Perrow. Normal Accidents: Living with High-Risk Technologies. Princeton, NJ: Princeton UP, 1984/1999. “Introduction,” and “Chapter 3: Complexity, Coupling, and Catastrophe.”

Perrow’s classic introduces the concept of “normal accidents” and demonstrates the importance of viewing high-risk technologies within an organizational and institutional context.

6.) Charles Perrow. The Next Catastrophe: Reducing Our Vulnerability to Natural, Industrial, and Terrorist Disasters. Princeton, NJ: Princeton UP, 2007/2011.

Perrow’s recent work updates normal accident theory for the post-9/11 eara. Perrow considers directly cybersecurity, as well as other forms of intentional harm.

7.) Philip Auerswald, et al. Seeds of Disaster, Roots of Response. Oxford UP: 2006.

Auerswald et al. focus on the role that the private sector plays—and government can support—in security. The book introduces the concept of “security externalities,” a helpful concept that can usefully be applied to the challenges of cybersecurity.

8.) Langdon Winner. “Complexity, Trust and Terror.” NetFuture #137, October 22, 2002.

Winner, a scholar of Science and Technology Studies (STS) examines the importance of trust in sustaining complex systems. Often, we take for granted the availability and reliability of the complex systems on which we rely. What happens when our trust in these systems is shaken?

Wednesday, January 15th: Privacy and Authentication Guest Speakers: Dan Geer

Topics: Privacy and Security Data, Metadata, taps and traces Circuit networks and packet networks

Required Readings: 1.) David D. Clark and Susan Landau. “Untangling Attribution.” National Security Journal. 2.2. (2011). Available Online: http://harvardnsj.org/wp-content/uploads/2011/03/Vol.-2_Clark-Landau_Final-Version.pdf

2.) Bruce Schneier, “The Eternal Value of Privacy”, Wired, May 18, 2006, http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886

3.) Bruce Schneier, “Attack Trees”, Dr. Dobb’s Journal, December, 1999, https://www.schneier.com/paper-attacktrees-ddj-ft.html

4.) Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy”, Harvard Law Review, Vol. IV, Number 5, December 1890, Available Online: http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm

5.) Orin S. Kerr. “Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes.” New York University Law Review. 78.5 (2003). Available Online: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740

6.) Steven Levy. “How the NSA Almost Killed the Internet.” Wired. Jan. 7, 2014. Available Online: http://www.wired.com/threatlevel/2014/01/how-the-us-almost-killed-the- internet/all/