Invitation to Cybersecurity

such as non-disclosure agreements (NDAs) that state that they will keep the results of the pentest and any information they discover confidential. After the penetration testing is completed, pentesters deliver a pentest report to the client. This report lists the activities undertaken by the pentesters and the detailed results. It also includes a list of the vulnerabilities discovered, their severity, and prioritized recommendations.

3.1.1.2 Cyber Warriors

“USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” - USCYBERCOM original mission statement

Conflict between nation states has taken place in different domains across time. First there was land; sea followed shortly after; many years later, after the Wright brothers invented flight in the 1900s, came air; and in the 1950s came rockets and outer space. The newest domain since the 1980s is cyberspace. The United States Department of Defense (DOD) has referred to these settings as the five domains of warfare.

Cyber operations are intelligence and military operations that take place in and through cyberspace. Cyber operations include activities like espionage (e.g., spying), sabotage, and subversion (e.g., disinformation campaigns). The United States sometimes refers to cyber operations activities as the five Ds: disrupting, degrading, denying, destroying, and deceiving our adversary’s capabilities in and through cyberspace.

Cyber warriors are individuals who hack with the authorization of the government. In the United States, cyber warriors work for the DOD, either in the military or for an intelligence agency.
It is important for ethical hackers, and in particular cyber operators, to understand the authorities applicable to international scenarios. Their work is protected by Titles 10 and 50, respectively, of the United States Code. They are explicitly authorized to obtain unauthorized access to computer systems owned and operated by our adversaries. This type of hacking happens both in peacetime and wartime. The rules describing what is in and out of bounds are carefully defined and lawyers are consulted when needed to determine whether or not a specific activity is permitted.

Title 50: War and National Defense, outlines national security, including all foreign intelligence and counterintelligence activities. Signals intelligence (SIGINT) focuses on electronic communications and includes covert cyber operations to gather foreign intelligence—this is a primary function of the United States National Security Agency (NSA). These cyber operations activities are governed under Title 50 and must comply with the United States Constitution, federal law, and executive orders. For example, Title 50 outlines the Foreign Intelligence Surveillance Act (FISA). FISA explicitly allows the United
