Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Appendix C Biosketches of Authors W. Earl boebert is an expert on information security, with experience in national security and intelligence as well as commercial applications. He recently retired as senior scientist at Sandia National Laborato - ries and currently consults for Sandia’s Office of Intelligence and Counterintelligence. He has 30 years’ experience in communications and computer security and is the holder or co-holder of 13 patents. Prior to joining Sandia, he was the technical founder and chief scientist of Secure Computing Corporation, where he developed the Sidewinder security server, a system that currently protects several thousand sites. Before that he worked 22 years at Honeywell, rising to the position of senior research fellow. At Honeywell Mr. Boebert worked on secure systems, cryptographic devices, flight software, and a vari - ety of real-time simulation and control systems, and he won Honeywell’s highest award for technical achievement for his part in developing a very large scale radar landmass simulator. He also developed and presented a course on systems engineering and project management that was eventually given to more than 3,000 students in 13 countries. Prior to joining Honeywell he served as an EDP Officer in the U.S. Air Force where he was awarded the Air Force Commendation Medal. He graduated from Stanford University in 1962. He has served on the National Research Council committees that produced Computers at Risk: Computing in the information Age; For the Record: Protecting Electronic Health information; information technology for Counterterrorism: immediate Actions and Future Possibilities; and Risk-Based Approaches for Securing the doE nuclear weapons Complex. He was a special advisor to the Committee on Information Systems Trustworthiness. David Clark is a senior research scientist for the Computer Science and Artificial Intelligence Labora - tory at the Massachusetts Institute of Technology. Since the mid 1970s, Dr. Clark has been leading the development of the Internet; from 1981 to 1989 he acted as chief protocol architect in this development, and he chaired the Internet Activities Board. Recent activities include extensions to the Internet to support real-time traffic, explicit allocation of service, pricing and related economic issues, and policy issues surrounding local loop employment. New activities focus on the architecture of the Internet in the post-PC era. He is a former chair of the Computer Science and Telecommunications Board of the National Research Council. geoff A. Cohen is a computer scientist at Elysium Digital, a technology litigation consulting company. He specializes in computer intellectual property, networking, mobile phone technology, computational  

 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS biology, and security. His previous experience includes the M.I.T. Communications Futures Program, where he led the Internet Security & Privacy working group; the National Academies, where he con - sulted on research at the intersection of computer science and biology; the Ernst & Young Center for Busi- ness Innovation; IBM; and Data General. He also worked as an analyst in the National Security Division of the Congressional Budget Office. He holds a Ph.D. in computer science from Duke University and an A.B. from the Woodrow Wilson School of Public and International Affairs at Princeton University. Whitfield Diffie is vice president for Information Security and Cryptography at the Internet Corpora - tion for Assigned Names and Numbers and Visiting Scholar at the Center for International Security and Cooperation at Stanford University. He is a U.S. cryptographer and one of the pioneers of public-key cryptography. In 1991 he joined Sun Microsystems as a Distinguished Engineer, working primarily on public policy aspects of cryptography. Promoted to vice president and fellow, Diffie remained with Sun, serving as its chief security officer, until 2009. He received a bachelor of science degree in mathematics from the Massachusetts Institute of Technology in 1965. In 1992 he was awarded a doctorate in technical sciences (Honoris Causa) by the ETH Zurich and, in July 2008, a degree of doctor of science (Honoris Causa) by Royal Holloway College, University of London. He is also a fellow of the Marconi Founda - tion and a Franklin Institute Laureate. He has received recognition from numerous organizations, most recently the Hamming Award of the Institute for Electrical and Electronic Engineers. Diffie and Martin Hellman’s 1976 paper “New Directions in Cryptography” introduced public-key cryptography, a radi - cally new class of cryptographic system whose asymmetry made it possible to manage cryptographic keys on an unprecedented scale. The article set off an explosion of cryptographic research by academic and industrial researchers and led to the rise of an open cryptographic community. Diffie and Susan Landau’s book Priacy on the line about the politics of wiretapping and encryption was published in 1998; an updated and expanded edition appeared in 2007. Robert gellman is an information and privacy consultant. Since 1995, he has assisted large and small companies, organizations, U.S. government agencies, and foreign governments to develop, implement, and maintain policies for personal privacy and fair information practices. Specialty areas include privacy policy for health (including HIPAA), the Internet and Internet websites, the homeless (HMIS), freedom of information policy, and other information policy areas. He previously served as chief counsel for the Subcommittee on Information, Justice, Transportation, and Agriculture, part of the House Committee on Government Operations. Carol M. Hayes completed her JD at the University of Illinois College of Law in 2010. During law school, she worked as a research assistant to Professor Jay Kesan and was the Recent Developments Editor of the Journal of law, technology and Policy (JLTP). Her student note, which was published in the Fall 2009 issue of JLTP, examined regulatory questions surrounding network neutrality. Prior to law school, Hayes received a B.A. in psychology from the University of Arkansas at Fayetteville. She is a member of the Fall 2010 class of the Christine Mirzayan Science and Technology Policy Graduate Fellowship at the National Academies, working with the Committee on Law and Justice. Jason Healey has worked cyber security policy and operations since 1996—from the White House to Wall Street. In addition to being a world-class cyber defense strategist, he has experience in crisis management, business continuity, and intelligence collection and analysis. He is currently teaching the cyber conflict curriculum for Delta Risk to bring together national security expertise with the technical problems of conflict in cyberspace. Mr. Healey is also executive director and a founding board member of the Cyber Conflict Studies Association, which seeks to create a multidisciplinary discussion of issues related to warfare in cyberspace. Most recently, he worked for Goldman Sachs in Hong Kong—first as the Asia head of business continuity, and then as crisis manager, overseeing preparation and response for all hazards in Asia including the Sichuan earthquake, terrorist attacks in India, and the 2006 Asia-wide 

 APPEndiX C network outages. Earlier in his career, working from New York, Mr. Healy was Goldman’s first com - puter emergency response coordinator and was also the vice chair of the Financial Services Information Sharing and Analysis Center. During his time at the White House as director of critical infrastructure protection, he assisted the President in prioritizing and overseeing the government’s efforts in cyber security, resilient telecommunications, and infrastructure protection. He is a certified information sys - tems security professional (CISSP) has a bachelor’s degree in political science from the U.S. Air Force Academy and master’s degrees in liberal arts (Johns Hopkins University) and information security (James Madison University). Jay P. kesan’s academic interests are in the areas of technology, law, and business. Specifically, his work focuses on patent law, intellectual property, entrepreneurship, Internet law/regulation, digital government (e-gov), agricultural biotechnology law, and biofuels regulation (recent publications are on SSRN). At the University of Illinois, Professor Kesan is appointed in the College of Law, the Institute of Genomic Biology, the Information Trust Institute, the Coordinated Science Laboratory, the Department of Electrical & Computer Engineering, the Department of Agricultural & Consumer Economics, and the College of Business. Professor Kesan continues to be professionally active in the areas of patent litigation and technology entrepreneurship. He was appointed by federal judges to serve as a special master in patent litigations, and he has served as a technical and legal expert and counsel in patent matters. He also serves on the boards of directors/advisors of start-up technology companies. He serves as faculty editor-in-chief of the University of Illinois’s Journal of law, technology & Policy, which published its inau- gural issue in spring 2001. He has also developed an online course, “Legal Issues in Technology Entre - preneurship,” supported by a grant from the Coleman Foundation. Professor Kesan received his J.D. summa cum laude from Georgetown University, where he received several awards, including the Order of the Coif, and served as associate editor of the georgetown law Journal. After graduation, he clerked for Judge Patrick E. Higginbotham of the U.S. Court of Appeals for the 5th Circuit. Prior to attending law school, Professor Kesan—who also holds a Ph.D. in electrical and computer engineering—worked as a research scientist at the IBM T.J. Watson Research Center in New York. He is a registered patent attorney and practiced at the former firm of Pennie & Edmonds LLP in the areas of patent litigation and patent prosecution. In addition, he has published numerous scientific papers and obtained several patents in the United States and abroad. Susan Landau is a fellow at the Radcliffe Institute for Advanced Study during the academic year 2010- 2011. From 1999 to 2010 Landau was a Distinguished Engineer at Sun Microsystems Laboratories, where she worked on security, cryptography, and policy, including surveillance and digital-rights management issues. Landau had previously been a faculty member at the University of Massachusetts and Wesleyan University, where her research was in algebraic algorithms. Landau’s book Sureillance or Security? the Risks of new wiretapping technologies will be published by MIT Press in the spring of 2011. She is the coauthor, with Whitfeld Diffie, of Priacy on the line: the Politics of wiretapping and Encryption (MIT Press, original edition: 1998; updated and expanded edition: 2007), a participant in a 2006 ITAA study on the security risks of applying the Communications Assistance for Law Enforcement Act to VoIP, lead author on the 1994 ACM study Codes, keys, and Conflicts: issues in U.S. Crypto Policy, and author of numerous computer science and public policy papers. She has also written several op-ed pieces on computer science policy issues and has appeared on National Public Radio a number of times. Landau is a member of the National Research Council’s Computer Science and Telecommunications Board, serves on the advisory committee for the National Science Foundation’s Directorate for Computer and Information Science and Engineering, and serves on the Commission on Cyber Security for the 44th Presidency, established by the Center for Strategic and International Studies. She is also an associate editor for iEEE Security and Priacy and a section board member of Communications of the ACm. Landau serves on the executive council for the Association for Computing Machinery Committee on Women in Computing, and she served for many years on the Computing Research Association Committee on the 

0 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS Status of Women in Computing Research. She was a member of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board for 6 years. Landau is the recipient of the 2008 Women of Vision Social Impact Award, a AAAS Fellow, and an ACM Distinguished Engineer. She received her B.A. from Princeton University, her M.S. from Cornell University, and her Ph.D. from MIT. Martin Libicki has been a senior management scientist at RAND since 1998, focusing on the impacts of information technology on domestic and national security. This work is documented in commer- cially published books (Conquest in Cyberspace: national Security and information warfare [200] and information technology Standards: Quest for the Common Byte [1994]) as well as in numerous monographs, notably How insurgencies End (with Alfred Connable), How terrorist groups End (with Seth Jones), Explor- ing terrorist target Preferences (with Peter Chalk), Cyber-deterrence and Cyber-war, and who Runs what in the global information grid. He was also the editor of the RAND textbook new Challenges new tools for defense decisionmaking. His most recent assignments were on the subjects of cyber/IT acquisition, multi-factor authentication, organizing the Air Force for cyber-war, exploiting cell phones in counter- insurgency, developing a post-9/11 information technology strategy for the U.S. Department of Justice, using biometrics for identity management, assessing the Defense Advanced Research Projects Agency’s (DARPA’s) Terrorist Information Awareness program, conducting information security analysis for the FBI, and evaluating In-Q-Tel. Prior employment includes 12 years at the National Defense University, 3 years on the Navy Staff as program sponsor for industrial preparedness, and 3 years as a policy analyst for the Government Accountability Office’s (GAO’s) Energy and Minerals Division. He has received a master’s degree (1974) and a Ph.D. (1978) in city and regional planning, both from the University of California, Berkeley. Steve J. Lukasik received a B.S. in physics from Rensselaer Polytechnic Institute and a Ph.D. in physics from the Massachusetts Institute of Technology. His early research at Stevens Institute of Technology was on the physics of fluids and plasmas. While a member of the Defense Advanced Research Projects Agency (DARPA), he was responsible for research in support of nuclear test ban negotiations and sub - sequently served from 1967 to 1974 as deputy director and director of the agency. Later government service was as chief scientist of the Federal Communications Commission (1979-1982), where he was responsible for advising the commission on technical issues in communication regulation and for the management of nongovernment use of the electromagnetic spectrum. He is a member of the Interna - tional Institute for Strategic Studies, the American Physical Society, and the American Association for the Advancement of Science. Dr Lukasik was awarded the Department of Defense Distinguished Service Medal in 1973 and 1974 and a D. Eng. (Hon.) from Stevens Institute of Technology. He is a founder of the information Society: An international Journal, and he has served on the boards of trustees of Harvey Mudd College and Stevens Institute of Technology. He currently holds an appointment as distinguished senior research fellow at the Center for International Strategy, Technology, and Policy, at Georgia Insti - tute of Technology. Rose McDermott is a fellow at the Radcliffe Institute for Advanced Study during the 2010-2011 academic year. Previously, she was a professor in the Brown University Department of Political Science. Profes - sor McDermott’s main area of research concerns political psychology in international relations. She is the author of Risk taking in international Relations: Prospect theory in American Foreign Policy (University of Michigan Press, 1998), Political Psychology in international Relations (University of Michigan Press, 2004), and Presidential illness, leadership and decision making (Cambridge University Press, 2007). She is co-editor of measuring identity: A guide for Social Science Research, with R. Abdelal, Y. Herrera, and A. I. Johnson (Cambridge University Press, 2009). She has written numerous articles and book chapters on experimentation, evolutionary and neuroscientific models of political science, political behavior genet - ics, and the impact of emotion on decision making. Professor McDermott has held fellowships at the 

1 APPEndiX C John M. Olin Institute for Strategic Studies and the Women and Public Policy Program, both at Harvard University. Prior to joining Brown University, she was a fellow at the Stanford Center for Advanced Study in the Behavioral Sciences. Tyler Moore is a postdoctoral fellow at Harvard University’s Center for Research on Computation and Society. His research interests include the economics of information security, the study of elec - tronic crime, and the development of policy for strengthening security. Moore completed his Ph.D. in computer science at the University of Cambridge, supervised by Professor Ross Anderson. His Ph.D. thesis investigated cooperative attack and defense in the design of decentralized wireless networks and through empirical analysis of phishing attacks on the Internet. Dr. Moore has also co-authored a report for the European Union detailing policy recommendations for overcoming failures in the provision of information security. As an undergraduate, he studied at the University of Tulsa, identifying several vulnerabilities in the public telephone network’s underlying signaling protocols. He is a 2004 Marshall Scholar. Patrick M. Morgan is the Tierney Chair of Peace & Conflict in the Political Science Department at Uni - versity of California, Irvine’s School of Social Sciences. Professor Morgan has concentrated his research primarily on national and international security matters—deterrence theory, strategic surprise attack, arms control, and related subjects. He has also had a longstanding interest in theoretical approaches to the study of international politics. Currently he is involved in projects on the theory and practice of deterrence in the post-Cold War era, security strategies for global security management, and security in Northeast Asia. gregory Rattray is an internationally recognized cyber defense and policy expert with more than 20 years of experience in cyber security, operations, and intelligence. He served as the director of cyber secu- rity on the White House National Security Council Staff under Richard Clarke and Dr. Condoleezza Rice. He is currently the chief Internet security advisor for ICANN—the Internet Corporation for Assigned Names and Numbers—and he continues to advise the White House, Department of Defense, intelligence community, academic education, and research programs on global risk and enterprise policy. Addition - ally, Mr. Rattray is a partner at Delta Risk, where he provides consulting services for the development of cyber security initiatives across both the government and private sectors. From 2003 to 2005, while serving as the director for cyber security on the National Security Council (NSC), he led national policy development and NSC oversight for cyber security to include the Executive Order on Information Shar- ing, Homeland Security Policy Directives on Critical Infrastructure and Incident Response, the establish- ment of cyber security roles for the Department of Homeland Security, and interagency responsibilities in the National Response Plan. Prior to working on the NSC, he was an Air Force fellow serving the President’s Critical Infrastructure Protection Board. During his tenure he was a key contributor to the President’s National Strategy to Secure Cyberspace and served on the White House team for legislation and policy on establishment of the Department of Homeland Security. Paul Rosenzweig is the founder of Red Branch Consulting PLLC, which provides comprehensive advice to companies, individuals, and governments seeking homeland security and privacy solutions for the challenges they face. Mr. Rosenzweig formerly served as deputy assistant secretary for policy in the Department of Homeland Security and twice as acting assistant secretary for international affairs. He also serves as an adjunct professor at the National Defense University, College of International Security Affairs, a professorial lecturer in law at George Washington University, a senior editor of the Journal of national Security law & Policy, and as a visiting fellow at the Heritage Foundation. Mr. Rosenzweig is a cum laude graduate of the University of Chicago Law School. He has an M.S. in chemical oceanography from the Scripps Institution of Oceanography, University of California at San Diego and a B.A from Haverford College. Following graduation from law school he served as a law clerk to the Honorable 

2 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS R. Lanier Anderson III of the U.S. Court of Appeals for the Eleventh Circuit. He is the coauthor (with James Jay Carafano) of the book winning the long war: lessons from the Cold war for defeating terrorism and Presering Freedom. Michael N. Schmitt is the chair of public international law at Durham Law School in the United Kingdom. He was previously dean of the George C. Marshall European Center for Security Studies in Garmisch-Partenkirchen, Germany, where he had served as professor of international law since 1999. From 2007 through 2008, he occupied the Charles H. Stockton Visiting Chair of International Law at the U.S. Naval War College. He was the 2006 Sir Ninian Stephen Visiting Scholar at Melbourne University and has been a visiting scholar at Yale Law School and the Australian National University. Before joining the Marshall Center, Professor Schmitt served 20 years in the U.S. Air Force, specializing in operational and international law. Professor Schmitt’s works on law and military affairs have been published in Belgium, Chile, Germany, Israel, Italy, Norway, Peru, Sweden, Switzerland, the Netherlands, the United Kingdom, and the United States. He is the general editor of the Yearbook of international Humanitarian law and serves on the editorial boards of the international Reiew of the Red Cross, international Peacekeep- ing, the Journal of military Ethics, Connections, Journal of international Humanitarian legal Studies, and the international Humanitarian law Series (Brill). Professor Schmitt sits on numerous international advisory boards and has been active in multiple expert working groups, including those on the Manual on the International Law of Air and Missile Warfare (Harvard Program on Conflict Research) and Direct Partici- pation by Civilians in Hostilities (ICRC). A frequent speaker on international humanitarian law, Profes - sor Schmitt delivered the 2003 Waldemar A. Solf Lecture at the U.S. Army’s Judge Advocate General’s School and the 2008 Hilaire McCoubrey Lecture at the University of Hull Law School. Abraham D. Sofaer, who served as legal adviser to the U.S. Department of State from 1985 to 1990, was appointed the first George P. Shultz Distinguished Scholar and Senior Fellow at the Hoover Institution in 1994. Mr. Sofaer’s work has focused on separation of powers issues in the American system of govern - ment, including the power over war, and on issues related to international law, terrorism, diplomacy, national security, the Middle East conflict, and water resources. He has taught a course on transnational law at the Stanford Law School. During his distinguished career, Mr. Sofaer has been a prosecutor, legal educator, federal judge, government official, and attorney in private practice. His most recent book is Best defense? legitimacy and Preentie Force (Hoover Institution Press, 2010). Mr. Sofaer has extensive experience in international negotiations. During his 5 years as legal adviser to the U.S. Department of State, he was the principal negotiator in various interstate matters that were successfully resolved, including the dispute between Egypt and Israel over Taba, the claim against Iraq for its attack on the USS Stark, and the claims against Chile for the assassination of diplomat Orlando Letelier. He received the Distinguished Service Award in 1989, the highest State Department award given to a non-civil servant. In 2000, Mr. Sofaer, along with Seymour Goodman, published a proposed multilateral treaty aimed at enhancing cyber security, along with a commentary on the issues then being considered. Michael A. vatis is a partner in the New York office of Steptoe & Johnson LLP. His practice focuses on Internet, e-commerce, and technology matters, providing legal advice and strategic counsel on matters involving privacy, security, encryption, intelligence, law enforcement, Internet gambling, and interna - tional regulation of Internet content. He also is an experienced appellate litigator, representing clients before the U.S. Supreme Court and federal courts of appeals. Mr. Vatis has spent most of his career addressing cutting-edge issues at the intersection of law, policy, and technology. He was the founding director of the National Infrastructure Protection Center at the FBI, the first government organization responsible for detecting, warning of, and responding to cyber attacks, including computer crimes, cyber terrorism, cyber espionage, and information warfare. Before that, Mr. Vatis served as associate deputy attorney general and deputy director of the Executive Office for National Security in the Department of Justice, where he advised the attorney general and deputy 

 APPEndiX C attorney general and coordinated the department’s activities involving counterterrorism, intelligence, encryption, and cyber crime. In that capacity, he also helped lead the development of the nation’s first policies regarding critical infrastructure protection. Mr. Vatis served as special counsel at the Department of Defense, where he handled sensitive legal and policy issues for the secretary and deputy secretary of defense and the general counsel, receiving the Secretary of Defense Award for Excellence. After leaving the government in 2001, Mr. Vatis served as the first director of the Institute for Secu - rity Technology Studies at Dartmouth, a federally funded counterterrorism and cyber security research institute. He was simultaneously the founding chairman of the Institute for Information Infrastruc - ture Protection (I3P). I3P, a consortium of leading cyber security research organizations, worked with industry, government, and academia to develop a comprehensive research and development agenda to improve the security of the nation’s computer and communications networks. Mr. Vatis also served as the executive director of the Markle Task Force on National Security in the Information Age, a highly influential group of technology company executives, former government officials, and civil libertar- ians that recommended ways the government could more effectively use information and technology to combat terrorism while preserving civil liberties. Mr. Vatis was the principal author of the group’s second report, whose recommendations were adopted by the 9/11 Commission and included in the 2004 Intelligence Reform Act. Mr. Vatis has been a senior fellow at New York University Law School’s Center on Law and Security and a member of numerous expert working groups on counterterrorism, intelligence, and technology issues. He recently served as a member of both the National Research Council Committee on Offensive Information Warfare and the Commission on Cyber Security for the 44th presidency. Mr. Vatis has also regularly testified before congressional committees on counterterrorism, intelligence, and cyber secu - rity issues. He is also interviewed frequently on television, radio, and in print media and has been a guest lecturer at many prestigious law schools and universities and a speaker at industry conferences worldwide.