Following tragic terrorist attacks committed by ISIS agents in Paris last week, the online hacker group Anonymous declared in a video that it would launch a cyber-attack on ISIS.

The masked Anonymous speaker in the video warns ISIS, in French, to be prepared for a massive retaliation.

The "hacktivist" group has been tangling with ISIS since it attacked the Charlie Hebdo magazine's office in Paris last January, taking over email and social media accounts, or crashing public Islamic State websites by overwhelming them with traffic.

Anonymous members are already boasting that they have taken down ISIS-related websites and several thousand messaging or social media accounts.

Herbert Lin, senior research scholar for cyber policy and security at Stanford's Center for International Security and Cooperation and a research fellow at the Hoover Institution, says that Anonymous' activities against ISIS provide a useful nuisance to the terror group, but aren't quite legal under U.S. laws.

What types of attacks will Anonymous likely launch?

They don't have the capability to do the kind of things that a nation-state could do. The NSA, for instance, has the ability to place implants into hardware. Anonymous is more likely to engage in hacking that is less sophisticated. For example, ISIS almost certainly doesn't have a bank account that is coupled to the international banking system; they operate outside that particular channel. But they have lots of money, some of which may be stored in a personal- or business-like bank account. If so, that means that it can be hacked the same way that your bank account can be hacked, by cracking the username and password.

Similarly, Anonymous has been successful in the past at getting into ISIS members' email and messaging accounts, or taking down their Twitter feeds, which can disrupt their ability to coordinate terrorism-related activities; we can expect more in the future.

What kind of damage can Anonymous do to ISIS, and how effective will it be?

This approach clearly isn't the silver bullet that takes down ISIS, but attacking messaging abilities or bank accounts are useful harassing activities. Repairing these systems and accounts wastes ISIS's time and annoys them – the same way it does to you when your personal accounts are hacked. Having to untangle these messes can disrupt their overall operations, which is a perfectly good thing to do.

Do governments frown upon private citizens taking this type of action?

I think that the official line of the U.S. government on this is that it violates U.S. law for Anonymous to take on ISIS. It's vigilante justice in cyberspace, which is illegal under the Computer Fraud and Abuse Act. On the other hand, while the U.S. government might not be favorably disposed to it, I think it is unlikely that any prosecutor would actually indict an American for harassing ISIS in this way. And maybe the Anonymous hacker will uncover some information that is really useful to the U.S. government and be inclined to pass it along.

U.S. Senator John McCain told a select group of Stanford undergraduate students that technological innovation had created both unparalleled opportunities for the United States as well as new national security risks, during a visit to Silicon Valley this week.

“This has changed the world,” Senator McCain told the students as he held up his smart phone.

“This is the biggest change in our ability to inform and educate than any invention since the printing press.”

However, McCain told students that he believed the United States needed to develop a clearer policy for responding to cyber attacks from foreign nations.

Image

“The people who are doing these cyber attacks have to realize that the costs will be higher than the benefits of the attack. Everybody has to know that there will be a price to pay for it.”

McCain called on the students, who included several computer science majors, to step up and defend the United States in cyber space.

“I would call on the people here to help us develop defensive capabilities, and frankly, offensive capabilities,” McCain said.

In the wide-ranging conversation, McCain fielded questions from students and shared his views on the conflict in Syria, the Iran nuclear deal, Russia’s imperial ambitions and the pullout of U.S. troops from Afghanistan.

“I study international security, and I feel that his dedication to national security and to veterans have been fundamental, and it was an honor to meet him and hear him talk about these issues,” said Chelsea Green.

The forty students who met with McCain were selected for their special interest in international affairs and politics, and included representatives from the Center for International Security and Cooperation’s honors program, Hoover Institution National Security Mentees and Stanford in Government student group.

International relations major Kayla Bonstrom said she was excited to meet the Senator from her home state of Arizona.

“He was very easy to talk to,” she said.

Bonstrom said McCain’s casual style, which included the occasional joke, helped put the students at ease.

“It was nice to see him in a different setting.”

Mathematical and computation science major Varun Gupta said he was touched by the empathy McCain showed when he shared his experiences visiting refugee camps in war zones.

[[{"fid":"220696","view_mode":"crop_870xauto","fields":{"format":"crop_870xauto","field_file_image_description[und][0][value]":"","field_file_image_alt_text[und][0][value]":"","field_file_image_title_text[und][0][value]":"U.S. Senator John McCain gives an impassioned presentation to students about American foreign policy, as CISAC faculty member Coit Blacker looks on.","field_credit[und][0][value]":"Rod Searcey","field_caption[und][0][value]":"","field_related_image_aspect[und][0][value]":"","thumbnails":"crop_870xauto"},"type":"media","attributes":{"title":"U.S. Senator John McCain gives an impassioned presentation to students about American foreign policy, as CISAC faculty member Coit Blacker looks on.","width":"870","style":"width: 400px; height: 267px; float: left; margin-right: 15px","class":"media-element file-crop-870xauto"}}]]“It was good to see his concern, his actual visceral concern for these issues,” Gupta said.

“It was really great to see the more human side.”

Other students were also impressed by McCain’s sincerity.

“He seems to sincerely believe in all of his views,” said Alexa Andaya, a political science major.

“You can tell when he says something he’s genuine about it.”

Matt Nussbaum, another political science major, said that while he disagreed with many of McCain’s hawkish positions on national security, he welcomed the opportunity to hear the opinions of such a seasoned veteran of foreign policy.

“A lot of times, we’re looking at the academic side of things, and I think that’s very interesting, but Senator McCain and other policy makers use the theory to create policy, so it’s useful to see what they think, how they think and why they think that way,” Nussbaum said.

McCain ended his talk by urging the students to get more involved in politics, whether they were “Democrat or Republican, libertarian or vegetarian.”

He told them that he believed the next presidential election was going to be the most important decision point for the country since 1980, when Republican Ronald Regan defeated Democratic incumbent Jimmy Carter.

“Pick the cause that you want to support, pick the candidate you want to support, and be engaged,” he said.

“It’s your future. You’re the ones that are going to live with the person that you choose to be president of the United States.”

Anything networked can be hacked.

Everything is being networked.

Therefore everything is vulnerable.

That was one of the key takeaways for the 30 Captiol Hill staffers who flew to Stanford University from Washington D.C. last week to attend three days of intensive cybersecurity training at the second Congressional Cyber Boot Camp.

Image

Silicon Valley executives and entrepreneurs, academics and former high-level government officials painted a picture of a complex threat landscape, where foreign nation states routinely hack into U.S. companies and government agencies with near impunity, and everything from utilities and critical infrastructure, to cell phones and cars could be vulnerable to cyber attack.

“The next conflict, if it happens tomorrow, it’s not going to be pretty in cyber space,” said Kevin Mandia, president of FireEye and one of the world’s leading experts on counter forensics, in an onstage conversation with Michael McFaul, the former US ambassador to Russia and director of the Freeman Spogli Institute for International Studies.

Mandia said that 29 out of the 30 significant cyber attacks his company was currently investigating were the handiwork of state-sponsored hackers, with the Chinese and Russian governments among the chief offenders.

Image

“They can hack any company they choose. They can hack any government agency they choose.

“We’ve spent billions of dollars on defense, but I don’t think we’ve raised the cost of offense a dollar.”

The asymmetrical nature of conflict in cyber space was a common refrain.

“The people that want to attack have distinct and profound advantages over the defender,” said Herb Lin, senior research scholar at the Center for International Security and Cooperation (CISAC) and research fellow at the Hoover Institution.

That’s because finding flaws in commonly used software, which can have more than 40 million lines of code, is like looking for the proverbial needle in the haystack.

“Each one of those lines of logic might have a flaw that can be exploited by an attacker to break in,” said Corey Nachenberg, chief architect of Symantec’s Security Technology and Response division.

“There’s no silver bullet solution…because the attacks are constantly shifting.”

Dan Boneh, a Stanford computer science professor and CISAC affiliate, demonstrated how a seemingly benign sensor, like the one that measures battery life in your iPhone, could be hijacked to pinpoint your exact location.

He also showed how the gyroscope that enables interactive games on your iPhone could be used to measure minute vibrations on a tabletop surface and eavesdrop on conversations.

Even everyday objects like cars can be compromised.

“Our mental models are focused on servers and laptops…but the vast majority of processors that ship every year look nothing like computers,” said Stefan Savage, a professor of computer science and engineering at the University of California at San Diego.

Savage’s research team published pioneering work on car hacking in 2010 that proved it was possible for a hacker to remotely take control of a car’s engine and brakes.

And cars are just the tip of the iceberg.

“There’s probably not a single mode of transportation that’s not controlled by a computer,” Savage said.

His next research target is the aviation industry.

Amy Zegart, CISAC co-director and senior fellow at the Hoover Institution, led a hands-on simulation exercise for visiting congressional staffers, where they assumed the roles of tech company employees responding to a major cyber breach.

Experienced executives from Intel, Uber, and Palo Alto Networks acted as board members and quizzed the staffers on how their assigned departments (including legal, marketing, business strategy and engineering) would manage the crisis.

Image

Zegart said she wanted to expose congressional staff to a diverse range of experts, drawn from the tech industry, legal, technical and policy fields.

“We’ve got to figure out how to accelerate the learning process and work across disciplines,” Zegart said.

Other speakers agreed.

“The time to tackle these difficult policy challenges is now, not after one of these attacks happen,” said U.S. Air Force Col. Matteo Martemucci, division chief for the Joint Staff at the Pentagon.

The Cyber Boot Camp was hosted jointly by CISAC, the Freeman Spogli Institute for International Studies and the Hoover Institution, and co-sponsored by the Stanford Cyber Initiative.

Thirty congressional staffers are set to get a primer on cybersecurity challenges and countermeasures from some of Silicon Valley’s leading academic, industry and public policy practitioners as part of an intensive three-day workshop to be held at Stanford University from August 17–19.

“Cybersecurity threats are growing more serious and evolving rapidly,” said Amy Zegart, CISAC co-director and Davies Family senior fellow at the Hoover Institution.

Image

The second annual Congressional Cyber Boot Camp is an invitation-only event that will feature lectures from industry experts including LinkedIn cofounder Reid Hoffman, Uber Chief Security Officer Joe Sullivan, Palantir Technologies Global head of Cyber Security Melody Hildebrandt, and Facebook Chief Security Officer Alex Stamos.

Participants will also hear from some of the top academics in the field, including CISAC senior research scholar and Hoover Institution research fellow Herb Lin, and CISAC affiliates Dan Boneh, John Villasenor and John Mitchell.

Image

Sessions will cover a wide range of topics, from the fundamentals of cybersecurity, to how to think like an attacker, domestic and international legal considerations, and the interplay between cybersecurity and civil liberties.

Zegart will lead a live, hands-on simulation of a cyber attack, with staffers playing the roles of corporate executives responding to the crisis.

“The boot camp is an invaluable experience that brought congressional staff together to deliberate the complex cyber policy issues we’re facing on Capitol Hill and to hear from across academic disciplines different ways to think about these tough problems,” said past participant Brett DeWitt, staff director of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

Image

The three-day conference will conclude with a tour of the Facebook’s new headquarters in Menlo Park.

Although the cyber workshop is by invitation only, Hoover, Stanford, and CISAC will provide live updates on Twitter throughout the event. Follow the conversation at #StanfordCyber.

The event will be jointly hosted by CISAC, the Freeman Spogli Institute for International Studies and the Hoover Institution, and is co-sponsored by the Stanford Cyber Initiative.

It’s a technique that’s been used to calculate the odds of everything from the likelihood of a nuclear meltdown to the chances of getting sick from eating bad seafood.

Today, a CISAC scholar told the U.S. Senate Judiciary Committee that he hoped probabilistic risk analysis could help move the ball forward in the debate over encryption that’s pitted law enforcement and national security agencies against some of Silicon Valley’s most influential technology companies.

“Neither side can prove its case, and we see a clash of theological absolutes,” said Herb Lin, senior research scholar for cybersecurity at the Center for International Security and Cooperation and research fellow at the Hoover Institution, in his testimony before a full hearing of the committee.

The contentious debate over encryption has developed in the wake of the National Security Agency spying scandal, with tech titans Apple and Google recently announcing plans to implement stringent new cryptography protocols to protect customer data.

“When the Snowden documents revealed that NSA was hacking [the tech companies], there was a real sense of betrayal,” Lin said.

“You now hear tech companies talking about the U.S. government in the same way they talk about China. They feel like they have to protect themselves against the U.S. government in the same way they have to protect themselves against China. That’s a terrifying thought. In that kind of environment, there’s no trust.”

Law enforcement and national security agencies want tech companies to integrate a mechanism for the government to gain “exceptional access” to encrypted data into their new encryption technology. But, industry and privacy advocates have resisted, arguing that creating a so-called “backdoor” would make their software more vulnerable to attacks from hackers.

FBI director James B. Comey, who also testified before the committee, warned that the latest generation of encryption technology was putting American lives at risk. He said that the Islamic State in Iraq and Syria (ISIS) was actively recruiting homegrown terrorists via Twitter then using end-to-end encrypted mobile messaging apps to secretly send orders for them to carry out attacks within the United States.

FBI Director James B. Comey (right) testifies before the U.S. Senate Judiciary Committee about the national security risks of end-to-end encryption, with Deputy Attorney General Sally Quillian Yates (left) at his side, as CISAC senior research scholar Herb Lin looks on from the gallery.

“Our job is to look in a haystack the size of this country for needles that are increasingly invisible to us because of end-to-end encryption,” Comey said.

Deputy Attorney General Sally Quillian Yates, who testified at Comey’s side, said law enforcement could not get access to that kind of encrypted communications, even with a valid court order.

“Critical information becomes in effect ‘warrant proof’,” she said.

“Because of this, we are creating safe zones where dangerous terrorists and criminals can operate and avoid detection.”

It is a polarizing debate.

Image

“I’d like to find a way to move the ball forward rather than seeing both sides being stuck in the trenches shouting at each other.”

Lin’s proposal, which he presented to the Senate Judiciary Committee on Wednesday, recommended that both sides focus on estimating how long it would take a hacker to break into an encrypted device equipped for “exceptional access.”

“If it takes a thousand years for a bad guy to figure out how to hack…that’s probably secure enough,” Lin testified.

“If it takes him 30 seconds, using that mechanism is a dumb idea. So somewhere between 30 seconds and a thousand years, the mechanism changes from being unworkable to being secure enough.”

Not all computer security experts believe such a calculation would be possible.

“It’s challenging to come up with a defensible methodology for estimating the risk that a backdoor system will be compromised,” said Jonathan Mayer, a Stanford PhD candidate in Computer Science and former CISAC cybersecurity fellow who garnered national headlines for his research demonstrating that the NSA could use phone metadata to reconstruct detailed personal information.

“Not only are the risks of compromise unknown – they’re unknowable.”

However, Lin said the mathematical methodology known as probabilistic risk analysis, which has widely been used to predict the likelihood of catastrophic failure in complex systems from nuclear power plants to the space shuttle, might be able to shed some useful light on the risks.

And, he said, the only way to find out if it could successfully be used to calculate the risks of encryption software getting hacked would be to conduct more research.

Veterans of the so-called “Crypto Wars” of the ‘70s and ‘90s (when the U.S. government tried to limit public access to encryption technology), like Stanford professor emeritus of electrical engineering and CISAC affiliated faculty member Martin Hellman, said proposals like Lin’s could help advance the public debate and bring both sides closer together.

“Getting the two opposing sides to talk — and listen — is really important,” Hellman said.

“That's what happened 20 years ago when Congress asked the National Academies to look at an almost identical problem. It got those different groups talking and working out compromises.”