Cover Image

PAPERBACK
$78.50



View/Hide Left Panel
Click for next page ( 328


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 327
Thinking Through Active Defense in Cyberspace Jay P. Kesan and Carol M. Hayes Uniersity of illinois at Urbana-Champaign I. INTRODuCTION To the collective eyes of the information technology (IT) industry, cyber attacks appear to occur with disturbing frequency. One source indicates that during the six months between September 2007 and March 2008, 1,300 distributed denial of service attacks (DDoS attacks) occurred each day on average. 1 The Pentagon reported being electronically attacked 6 million times during one day in 2008, and a New York executive of a financial house indicated that his company was attacked 1 million times over the course of another day.2 The danger of cyber crime that defies jurisdictional boundaries is an example of an area where the legal approach requires updating. The current legal system is very effective at address - ing attacks using conventional weapons intended to inflict bodily harm, like guns, knives, and bombs. This same legal system, however, is ill-equipped to adequately address issues surrounding attacks where the weapons and targets are computers. This paper is meant to be forward-looking, addressing the use of self defense in response to cyber attacks, which is currently a controversial topic with a questionable legal status, but this topic is also one which many members of the IT industry find attractive. Cyber attacks, though they generally do not involve bodily harm, are nonetheless very dangerous. Massive economic damage is possible if an important server goes down due to an attack. The damage may be localized, including lost sales due to website down time and substantial costs to replace damaged hardware, but the damage can also be far-reaching due to the extent to which the modern economy relies on Internet activities.3 Beyond economic harm, if the targeted system is part of the critical infrastructure (such as dams or power plants), damage to the system’s network could have dangerous physical con - sequences. Cyber attacks are also very unpredictable by nature. Because malicious hackers only need a computer and an Internet connection to cause harm throughout the world, the number of possible 1 Chenfeng Vincent Zhou, Christopher Leckie, Shanika Karunasekera, A survey of coordinated attacks and collaborative intru - sion detection, 29 Computers & Security 124 (2010). 2 Patrick W. Franzese, Soereignty in Cyberspace: Can it Exist?, 64 a.F. l. Rev. 1, 2 (2009). 3An estimated $3.5 billion in damage was caused by the Sasser worm in 2004, which exploited a vulnerability in the Windows Operating System. Amitai Aviram, Network Responses to Network Threats: The Evolution into Private Cybersecurity Associa - tions, in the law and Economics of Cybersecurity 143, 144 (Mark F. Grady & Francesco Parisi, eds., 2006). 2

OCR for page 327
2 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS origins of attack is nearly limitless.4 This inability to accurately predict the location of attackers on an on-going basis currently renders it difficult for governments to protect attack victims. Cyber attacks, however, are just one possible avenue of cyber harm. Another category of harm may be referred to as “cyber exploitation,” where the goal of the hacker is to obtain data from the target system. This is different from the idea of “cyber attacks,” which are executed with the goal of causing direct harm to the target. However, there is some overlap, since an act that is considered cyber exploitation may be aimed at obtaining information necessary for executing a future cyber attack. The ideas of this paper generally apply to cyber attacks, but there are some implications for cyber exploitation as well. When an issue only implicates cyber exploitations, that term will be used. When both types of harm are implicated, the term “cyber intrusion” will be used. Otherwise, the term “cyber attack” will be used. What sort of recourse might the organization have in the case of a malicious cyber intrusion? Cur- rently, there are three primary options: civil liability, criminal liability, and purely defensive response. However, it would be difficult to sue the hackers because in almost all cases, hackers route their mali - cious signals through many different computer systems, finding vulnerable networks that the hacker can use toward his ultimate ends. Even if fast and accurate software could locate the attacking computer, it would be almost impossible to establish who was using the computer to conduct the attack. Criminal liability is also difficult because of criminal jurisdiction issues, since it could be difficult to subject the hackers to criminal liability in another country even if the attacking computer could be found using effective technology to trace the signal back to its original source and the human operator of the attacking computer could be identified with sufficient certainty for purposes of prosecution. A purely defensive approach is sometimes effective, but it may be inadequate for mitigating the harm to the system or deterring attacks, and therefore that approach may be insufficient as well. A fourth more controversial option is that the actors could employ active defense by returning fire at the hackers in order to prevent further disruption of the target system. Active defense can be accom - plished by using a combination of intrusion detection systems (IDS) and traceback technology, and then sending data back at the attacker to disrupt the attack. Counterstrikes of this nature have already been occurring on the Internet over the last decade, by both government 5 and private actors,6 and full soft- ware packages designed to enable counterstriking have also been made commercially available, 7 even though such counterstrikes are of questionable legality under the current regime. It is thus apparent that cyber counterstriking is already a practice within the IT industry, and the question then arises as to whether this active defense practice of cyber counterstriking should be regulated and standardized. This paper promotes the idea that currently, technology may not be sufficient to ensure safely executed counterstrikes, and thus continued prohibition may be appropriate. Such prohibition, however, should be explicit and should be in the context of encouraging technological developments so that the sorts of behaviors that are currently being undertaken in secret may eventually be permitted within the optimal framework. This paper will first discuss a model that evaluates factors to determine whether and when active defense is the socially optimal solution to address cyber attacks. The focus will then shift to a discus - sion of the policy considerations implicated by this model. What are the capabilities of the current 4 Even developing countries regularly have internet kiosks available in urban areas. 5 In late 1998, when the activist group Electronic Disturbance Theater attacked the Pentagon’s website with a flood of requests, the Pentagon redirected the requests and sent graphics and messages back to the group’s system to cause it to crash. Winn Schwartau, Striking Back, Network World (Jan. 11, 1999), http://www.networkworld.com/news/0111vigilante.html. 6 In 2002, secure software developer Mullen developed a technology for identifying and loading a code on the attacking system in order to “neutralize” the attacking process and stop the propagation of the Code Red and Nimda worms. See Thomas C. Greene, Attacking nimda-infected Attackers, The Register (Aug. 8, 2002), http://www.theregister.co.uk/2002/08/08/attacking_nimda infected_attackers/. 7 In 2004, Symbiot Security announced a new product, iSIMS, that would permit firms to counterstrike when their network came under fire from malicious hackers. Press Release, Symbiot Security Announces World’s First Solution to Strike Back Against Network-Based Attackers, http://www.symbiot.com/pdf/pr.030404.pdf (Mar. 4, 2004) (“Symbiot provides the equivalent of an active missile defense system.”).

OCR for page 327
2 JAY P. kESAn And CARol m. HAYES technology, and how might those capabilities shape policy? What sort of attacks (type and strength) could justify counterstrike? Who should be permitted to counterstrike: private companies, the govern - ment, or an agency representing the interests of both? If the government is permitted to counterstrike on the behalf of private companies, what might be some possible advantages and controversies arising from such an arrangement? If the government is involved with conducting counterstrikes, what sort of process should be utilized? Lastly, this paper will examine how to address potential harm caused to third parties by active defense. II. gAME THEORETIC MODEL—WHEN IS ACTIvE DEFENSE THE SOCIALLy OPTIMAL SOLuTION? In an earlier paper, we proposed using game theory to model the interaction between several mea - sures: technology (IDS and traceback), legal remedies (criminal law and tort-based litigation), and the economic incentives to engage in active defense.8 One observation was that sufficiently strong criminal enforcement would effectively deter cyber intrusions such that there would be no need for active defense. As noted above, however, there are significant issues with criminal enforcement of laws against cyber crime because of jurisdiction issues and the ease with which hackers can currently render themselves almost impossible to find. One potential solution to the problem of insufficient criminal enforcement could be to coordinate an international cyber crime treaty to permit enforcement under international law. The Council of Europe’s Convention on Cybercrime could potentially provide a regime for international enforcement, but the relatively low participation in the convention makes it difficult to enforce on a wide scale at this time. In an environment where there was accurate technology to identify the origin of cyber intrusions and a capability to hold the hacker criminally liable across national borders, there would be sufficient incen - tives against cyber crime to avoid needing active defense as an option. Proposing a specific international criminal law treaty on cyber crime is beyond the scope of this paper, but it is an action that we would support and strongly urge the international community to undertake. 9 As discussed above, criminal enforcement is just one possible way to address cyber crime. Two other alternatives are civil litigation and a purely defensive approach. Active defense is anticipated by the model to be more appealing than civil litigation in situations where litigating would be impractical. 10 The model also concludes that active defense may be appropriate when purely defensive strategies, such as simply dropping incoming packets, would not effectively mitigate harm. These three primary methods for addressing cyber intrusions (criminal sanctions, litigation, and purely defensive remedies), thus must all be found to be unavailable, impractical, or ineffective in order for active defense to be the socially optimal solution. The model further emphasizes the importance of the technology utilized: reasonable effort must be exerted to employ good IDS technology to assist the firm in detecting intrusions, and advanced traceback technology must also be employed to ensure that the victim firm is accurately targeting the hacker.11 The model also anticipates holding counterstrikers liable for damage to innocent third parties, with the expectation that potential tort liability will give firms incentive to not use unnecessary force when engaging in active defense. Potential tort liability to third parties also provides incentive for counter- strikers to use the most accurate technology. The model further posits that third-party damages are an 8 Ruperto P. Majuca & Jay P. Kesan, Hacking Back: Optimal Use of Self-Defense in Cyberspace (Mar. 2009 Working Paper, Illinois Public Law Research Paper No. 08-20), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1363932. References to “the model” in this paper refer to the findings of this working paper. 9 See Monika Ermert, itU Calls for global Cybersecurity measures, the H Security (May 24, 2009), http://www.h-online.com/ security/news/item/ITU-calls-for-global-cybersecurity-measures-741711.htm l (discussing proposals by the International Tele- communication Union for the establishment of a “Cybersecurity Toolkit”). 10 Majuca & Kesan, supra note 8. 11 Id.

OCR for page 327
0 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS important factor in attaining the socially optimal solution.12 However, some injured third parties may not have the knowledge or resources to litigate harm caused by a counterstrike, so one possibility is that active defense could be subject to government regulation to protect those third parties. The model also emphasizes that counterstrikers must be permitted to only use necessary and proportionate force and refrain from wantonly damaging hackers’ systems out of retaliation. 13 The model does not, however, address who should be permitted to engage in active defense. At its core, proportionate cyber-counterstriking is self-defense. The right to self-defense springs from the natural instinct for self-preservation, and self-defense is viewed as the use of reasonable force for self-protection. The model focuses on applying this idea of self-defense to the issue of cyber intru - sions. The model promotes a view that the socially optimal solution to the threat of cyber intrusions, in the absence of effective remedies being available through criminal law enforcement, civil litigation, or effective passive defense strategies, is to permit (but not require) parties to act in self-defense when reliable technology can be utilized, subject to potential liability for harm caused to the systems of inno - cent third parties, whose interests are further protected by making counterstrikes subject to government regulation. This liability rule ensures that firms have sufficient incentive to utilize the most effective IDS and traceback technologies to ensure that any counterstrike will have a genuine prospect of hitting the attacker. In sum, this model provides helpful guidance concerning the optimal use of self-defense in cyberspace. III. THE HOW, WHEN, AND WHO OF ACTIvE DEFENSE IN CybERSPACE Having examined the results of our model establishing the socially optimal framework for active defense, the next important questions address the technology involved in active defense, the situations where active defense would be appropriate, and who should be permitted to engage in active defense in a context where such counterstrikes are subject to government regulation. As to the latter question, the two primary possibilities are that the firms themselves could be permitted to counterstrike, or that the government could be the entity entrusted with engaging in counterstriking on behalf of the victim of the cyber intrusion. A. The Technology Involved in Active Defense Even in situations where permitting active defense would be socially optimal, allowing cyber counterstriking may still be irresponsible if the technology is inadequate to ensure the accuracy of counterstrikes. In-depth analysis of the full state of the art is outside of the scope of this paper, but it is important to note that the technology involved in active defense is not in its infant stages, and that it is currently the subject of a significant amount of research aimed at improving accuracy and efficiency. Cyber attacks occur very rapidly, so responses must be prompt in order to best mitigate harm to the targeted system. Detecting a cyber intrusion may require an attack to continue for some time so that a pattern may be detected.14 Once an attack is detected, however, tracing it to its origin can take a matter of seconds, with error potentially being measured in milliseconds. 15 When engaging in active defense, the first essential technology is IDS, which has been develop - ing significantly over the past decade. IDS works partly by detecting patterns of attack by a particular attacker, so there is a challenge in detecting intrusions when the intrusion is being executed remotely 12 Id. 13Id. 14 See Zhou, Leckie, & Karunasekera, supra note 1, at 131. 15 See Ethan Katz-Bassett, et. al, Reverse Traceroute 2, 12, USENIX Symposium on Networked Systems Design & Implementation (NSDI) (2010), available at http://www.cs.washington.edu/research/networking/astronomy/reverse-traceroute.html (Awarded Best Paper). Traceroute and traceback are not interchangeable terms, but the underlying technology is similar enough that mea - surement of errors in traceroute may be used as a description of potential error level in traceback.

OCR for page 327
1 JAY P. kESAn And CARol m. HAYES by one person attacking through thousands of compromised computers in a botnet. One possible way of addressing collaborative attacks of this nature is to develop collaborative intrusion detection systems (CIDS), and a number of researchers have been examining various methods of doing so. 16 The three pri- mary categories for an approach to CIDS are (1) centralized; (2) hierarchical; and (3) fully distributed. 17 The Zhou et. al article provides a helpful survey of the research concerning CIDS, and also sets out the areas that should be the focus for further research in the topic, including expressiveness, scalability, and accuracy.18 Once an attack has been detected, the next step in active defense is to identify the source of the attack. This identification is achieved through some form of traceroute, which is the most widely used diagnostic tool on the Internet.19 Traceroute is commonly used to evaluate Internet traffic to ensure that data is transmitted effectively, but similar technology can also be utilized to identify an attack’s source, and traceroute technology used to achieve that end may be referred to as traceback. Guan’s overview of network forensics provides a helpful look into the state of the art of traceback, giving summaries of the four primary IP traceback schemes: (1) active probing; (2) ICMP traceback; (3) packet marking; and (4) log-based traceback.20 A recent study into reverse traceroute is a helpful illustration of the improve- ments to the technology.21 The researchers’ reverse traceroute technique was found to offer improve - ments over both the accuracy and coverage of traditional direct traceroute techniques. 22 The reverse traceroute study found that the median accuracy of reverse traceroute was 87%, compared to 75% median accuracy for direct traceroute.23 One additional concern about the technology used in active defense is that the attacker might be spoofing his IP address in order to evade detection. Issues caused by IP spoofing (including harm to third parties) would be most acute in a situation where only traceback technology was used to determine an attack’s origin. However, IDS provides additional information to the victim that can indicate if the apparent origin identified by traceback may be inaccurate due to IP spoofing, and this knowledge can prevent the victim from counterstriking against an incorrect IP address, and also potentially help locate the actual source of the attack.24 The amount of research into IDS and traceback technology and the results of research into these topics provide strong evidence that the state of the art relevant to active defense is steadily improving. Because the state of the art indicates that the technology will eventually have the capability of addressing some current attribution problems, this paper contains a forward-looking analysis of the potential direc - tions that might be taken by policymakers concerning active defense once the technology is sufficiently advanced. This paper focuses on an idea of active defense that utilizes IDS and traceback technology combined with counterstrikes, in a detect-trace-counterstrike pattern, where the attack is detected via IDS, traced with traceback technology, and then an active response occurs. Further research is needed to determine what level of confidence in a traceback should be necessary to permit cyber-counterstrikes; for example, is an accuracy rating of 85% sufficient, or should counter- strikes remain illegal until traceback technology’s standard error is 5% or less? While additional techno - logical improvements would be beneficial, it is clear that the current state of the technology is adequately advanced to permit the discussion about active defense to move forward into an evaluation of how an 16 Zhou, Leckie, & Karunasekera, supra note 1. 17 Id. 18 Id. at 136 (2010). 19 Katz-Bassett, supra note 15, at 2, 12. 20Yong Guan, network Forensics (Chapter 20), Computer and information Security Handbook (2009). 21 Katz-Bassett, supra note 15, at 2, 12. 22 Id. at 9, 11. 23 Id. at 9. 24 See Tom Chmielarski, Intrusion Detection FAQ: Reconnaissance Techniques Using Spoofed IP Addresses, SANS (Apr. 4, 2001), http://www.sans.org/security-resources/idfaq/spoofed_ip.php. (“One way to help determine which hosts did not send the packets (and therein which host did) is to search firewall and router logs for incoming error messages from the ten hosts that were spoofed, as those hosts react to the packets sent by the target in response to the stimulus from the attacker .”)

OCR for page 327
2 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS active defense scheme should be implemented, even if implementation is delayed until the technology is sufficiently accurate. Because one of the key determinants of whether active defense is socially optimal is the availability of accurate technology, this paper does not condone the current vigilante behavior of those currently using less reliable active defense techniques, and instead supports the continued pro - hibition of cyber-counterstriking until such time as the technology is sufficiently advanced to enable victims to obtain reliable attribution data. The goal of this paper, then, is to provide a framework that can be looked to when the circumstances are ripe for new policy concerning active defense. b. When Would Active Defense be Appropriate? Having established that accurate active defense may be feasible, the discussion now turns to when active defense might be appropriate. This question has two parts: What types of intrusions may justifi - ably result in counterstrike, and how severe must these intrusions be? 1. what types of intrusions Can Be Addressed by Actie defense? One important consideration is the type of intrusions that could be appropriately addressed using active defense. For our purposes, the key point in the process is the detection stage. Because of the nature of IDS as requiring multiple attempts at accessing the target, active defense would likely not be applicable in circumstances where the intrusion is a single event. There are two types of intrusion that this paper anticipates as being appropriate to address by active defense: DDoS attacks and spiders. DDoS attacks would be categorized as cyber attacks. One way that a DDoS attack can be undertaken is for the attacker to compromise a large number of computers to create a hoard of zombie systems in order to flood a target with data to knock it off line. When an attacker undertakes a DDoS attack of this type, he first must identify a vulnerability to target and disseminate malicious code to take advantage of that vulnerability (like a virus or a worm) in a large number of systems (perhaps hundreds of thou - sands). Once the hacker has control of this zombie hoard, he has at his disposal an army of computers that can be ordered to attack repeatedly until the target is taken out. The repetitive nature of a DDoS attack makes it well-suited for the detect-trace-counterstrike pattern of active defense. The use of spiders to mine data would be categorized as cyber exploitation, rather than cyber attack, because the goal is to obtain data, not to cause immediate harm. Because the hacker accesses the target system repeatedly, there would likely be sufficient activity for a firm’s IDS to detect a pattern, making the use of spiders another kind of intrusion that can be appropriately handled using active defense. Whether active defense should be used to respond to the threat of spiders, however, is a question related to the severity of the attack. 2. How Seere Should an Attack Be to Justify Actie defense? The model discussed in Section II sets out a number of factors to consider when determining if active defense is the socially optimal solution. It may be advisable, however, to establish a concrete definition to determine when counterstriking is appropriate. Walker supports a consequences-based approach, where an information-based attack (such as DDoS) would be considered an “act of violence” under international humanitarian law if said information-based attack is aimed at causing the sort of harm (including the damage or destruction of property) that international humanitarian law is intended to prevent.25 Such an approach provides an important standard that could be applied in the context of active defense, whereby counterstriking would not be deemed an appropriate recourse except in 25 Paul Walker, Rethinking Computer Network “Attack”: Implications for Law and U.S. Doctrine at 23 (Journal of National Security Law and Policy, Forthcoming, 2010), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1586504.

OCR for page 327
 JAY P. kESAn And CARol m. HAYES relatively narrow situations where the initial intrusion was severe enough to rise to the level of being an “act of violence.” Since responsive counterstriking is most easily justified as self-defense, and the U.N. Charter permits self-defense in response to an armed attack, another standard is to look at whether the initial attack is an “armed attack” under Article 51 of the U.N. Charter. An armed attack is more than a “use of force,” as discussed below, and therefore mere intrusions would not provide sufficient justification for the use of active defense. A threat to critical infrastructure, such as to an electrical grid, would probably rise to the level of being an armed attack, but it is not clear what other type of intrusion would be considered an armed attack such that self-defense would be permissible. It is also unclear whether a cyber exploitation could ever be considered an “armed attack,” or if that designation would be restricted to cyber attacks. C. Should Firms Participate Directly in Active Defense? In the socially optimal situation where accurate technology is used and no other means of recourse would be practicable, there are potential advantages to permitting the attacked firms to counterstrike directly, such as the increased speed with which counterstrikes could be undertaken, but there are many concerns about permitting this as well. Technology often outpaces legal developments, so private sectors would likely have access to technology that potentially has significant negative effects on third par - ties, but that essentially exists outside the law. This could lead to hundreds of companies competing to provide IDS, traceback, and counterstrike technologies to thousands of private firms in the absence of any kind of oversight to ensure quality and protect third parties. The lack of technological uniformity could also raise issues. If there is a significant amount of variation and competition among software providers, developers may have incentive to cut costs in order to compete, leading to some software being cheaper but lower quality than others. Beyond the issues of consistency of implementation and product quality, there is a more signifi - cant downside of entrusting active defense to private firms. Our model addressing the optimal use of active defense emphasizes that there are threshold points where permitting counterstrikes would be the socially optimal solution. However, it does not define these thresholds, and determining these thresholds requires some sort of standardization. It would be unwise to allow individual companies to make these decisions on a case by case basis. Some companies would be more risk averse, while some may be more inclined to behave like cyber vigilantes. It is thus important to not place this significant discretion in the hands of private firms, because that would result in a wide array of differing results. In order to ensure that only socially optimal usage of active defense occurs, there needs to be some form of standardization for how an active defense program is implemented. One possible way to achieve this sort of standardization is to utilize a central government entity for the purpose of deciding when counterstriking would be appropriate. If private firms were permitted to directly engage in active defense, one possible restriction that the government could place would be a requirement that a counterstriking firm have a certain percentage of its capital invested in IT infrastructure. This could potentially help ensure that counterstriking was only engaged in by firms that had the most to lose from an attack that cripples its IT system. If this sort of restriction is adopted, it should probably not apply to firms that control essential services such as hospitals and power grids. However, given the significant downsides of permitting private firms to counterstrike directly, an alternative implementation may be advisable. D. Should the government be Responsible for Conducting Active Defense? As an alternative to entrusting active defense to the private firms who are injured by the initial cyber intrusions, the government (or a government contractor) may also be placed in charge of any counter- strike deemed necessary. This proposal has several advantages, though there are also some potential pitfalls that must be carefully monitored.

OCR for page 327
 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS 1. Adantages and disadantages to Requiring goernment Control of Actie defense If the government were placed in charge of any necessary counterstrike, this would simplify mat - ters by ensuring technological uniformity in the software utilized for detection, traceback, and counter - striking. IDS and traceback technologies are developing rapidly, and having one actor responsible for acquiring the technology will ensure that the best technology is put into place for the benefit of society. Another advantage of placing the responsibility for counterstriking with government entities is that there will be uniformity of personnel, and the uniformity can help ensure that all employees responsible for counterstriking will be adequately informed of the processes and dangers. Our previous paper concluded that a liability rule is important to preserve the optimality of active defense. Targeted firms, under such a liability rule, would be responsible for harm a counterstrike causes to innocent third parties. We also suggest retaining this liability rule if government is responsible for coordinating active defense. If the original liability rule is preserved and firms are still held responsible for harm caused to innocent third parties, on the theory that the government was acting as an agent of the counterstriking firm, that would ensure that firms will not capriciously submit a request to the relevant government agency for counterstrike assistance. A potential liability rule is discussed in more detail below in Section IV. Another advantage of placing active defense under government control is that such a system would help to control for the dangers of rapid escalation. The future battlefields of cyber wars will likely be found in the private sector. As discussed above, some members of the private sector are already resort - ing to self-help to defend themselves against cyber attacks. This could lead to a dangerous pattern of attack-counterstrike-countercounterstrike that will escalate rapidly and cause significant damage. Plac - ing control of active defense implementation with the government could help to control this and prevent potentially dangerous rapid escalation of cyber attacks. On the other hand, there are some potential downsides of permitting the government to control all aspects of active defense. Any advantage that the government has in putting the best technology in place, for instance, is almost exclusively an advantage on the front end only, as once that technology is in place, there may be insufficient incentive to ensure that the technology is consistently kept up to date. Additionally, the nature of government action requires that all actions are undertaken slowly and carefully. While this serves to protect third parties from the hasty responses of others, it may cause issues for those who are the actual victims of attacks due to the increase in response time. Government involvement could also lead to international political conflicts in the event that a gov - ernment action has negative effects on another nation’s government or population. If individual actors in one country took cyber action against aggressors in another country and inadvertently harmed innocent individuals, the government would likely not be held responsible if it did not somehow encourage the harmful acts. The same government, however, would be the party held responsible if government- sanctioned active defense caused harm to innocents in the other country. This sort of accountability could also be an advantage of government involvement, but it would likely only be optimal if governments uniformly accepted responsibility for active defense within their borders to ensure that the behavior was addressed consistently between all potentially affected countries. 2. Potential legal issues with Actie defense There are many possible issues that might arise from counterstrikes. Some of these potential issues would arise in the context of counterstrikes being conducted by state actors, while other potential issues would exist regardless of the party engaging in the counterstrike. Legal Implications Resulting from Active Defense by State Actors Because of the nature of coun- terstriking, the act of mitigating harm to the victim’s computer could potentially be viewed as inflict - ing punishment to the attacker in a manner inconsistent with Procedural Due Process under the 5th

OCR for page 327
 JAY P. kESAn And CARol m. HAYES Amendment. Under the United States Constitution, the 5th amendment’s Due Process clause guarantees that procedures will be adequate to ensure against improper deprivation of life, liberty, or property. 26 However, that is why the model emphasizes the importance of only using as much force as is necessary to mitigate harm to the counterstriker.27 Our view is that when properly executed, active defense is proportionate response, not punishment, and that it is grounded solely on self-defense and mitigation. Accepting this characterization of active defense, if there is ever an incident where the force inflicted during counterstriking is disproportionate to the amount of force inflicted during the initial intrusion, there may be a Due Process violation. However, if the model is followed appropriately, standard use of active defense should not raise due process concerns. In addition to constitutional concerns, it is also important to consider the implications of interna - tional law. The DOD General Counsel issued an opinion in 1999 stating that the law of war should apply to cyber attacks, and therefore any attacks must be based on the necessity of war in order to avoid potential war crimes charges.28 The law of war includes requirements such as that the attacker must be able to make effective distinction between combatants and noncombatants, that attacks be founded on military necessity, that steps are made to ensure that any collateral damage is proportionate to the military advantage attained from the attack, and that only weapons that can be targeted with precision at combatants may be used.29 There would also be a danger of retaliation or retorsion by governments whose citizens are harmed by cyber counterstrikes executed by the U.S. government, which is another reason why it is essential for any government involvement in counterstriking to be very careful and precise. The potential danger of war crimes charges is why our previous paper on the optimality of active defense urges decisions about counterstriking to be made consistent with the idea of a just war. 30 Other Legal Implications of Active Defense Two other significant areas of law are implicated by active defense, regardless of the party conducting the counterstriking: international humanitarian law, and the Computer Fraud and Abuse Act (CFAA). War crimes charges would likely only be implicated when the counterstrike is executed by the gov - ernment, but some international law implications could apply even if the actor was not a state actor. Cyber counterstrikes implicate several elements of international humanitarian law. The initial attack may violate the U.N. Charter if the attack rises to the level of “use of force.” 31 However, the U.N. Charter would prohibit the target of an attack from responding in self-defense unless the initial attack was severe enough to be considered an “armed attack.”32 This dichotomy indicates that it is possible for an attack to violate the U.N. Charter without the attack being severe enough to justify the use of self-defense. On its face, the U.N. Charter applies to states, but because of the nature of cyberspace, it has become apparent to many that private entities will play a key role in future cyberwars. When many government websites operated in the country of Georgia were shut down by DDoS attacks (which evidence linked to computers in Russia), the Georgian government sought “cyber refuge” by moving many of its important websites to private servers in the United States.33 This action was without the consent of the U.S. govern- 26 US CoNSt. amend. V. Another potentially relevant clause in the 5th amendment is the Takings Clause, which prohibits the government from taking private property for public use. If state actions cause damage to someone’s computer due to cyber counterstriking, this could potentially be a taking under the 5th amendment. It is unclear, however, how Supreme Court takings jurisprudence would apply in this cyber context. Beyond the threshold question of whether a taking occurred, a takings argument would likely fail unless it is shown that the interference with computer property was related to a “public use.” 27 Majuca & Kesan, supra note 8. 28 Office of General Counsel, Department of Defense, An Assessment of International Legal Issues in Information Operations (May 1999), available at http://www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-io-legal.pdf. 29 Id. at 10-11. 30 Majuca & Kesan, supra note 8. 31 U.N. Charter art. 2 para. 4. 32 U.N. Charter art. 51. 33 Joshua E. Kastenberg, non-interention and neutrality in Cyberspace: An Emerging Principle in the national Practice of international law, 64 a.F.l. Rev. 43, 46-47 (2009).

OCR for page 327
 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS ment, and at least one commentator views this as illustrating that international law issues like neutrality may potentially be implicated by the actions of private actors. The language of Article 51 refers to “the inherent right of individual or collective self-defense” in the event that an armed attack occurs against a U.N. Member,34 which may suggest that individual actions may be included in the language just like state actions. Since the language seems to permit it and the reality of cyber warfare may even require it, considerations relating to articles of the U.N. Charter should be interpreted as potentially applying to private actors in the context of cyberspace where national boundaries are at best amorphous. Another domestic legal issue is the implications for active defense from the CFAA. The CFAA’s broad language prohibits knowingly transmitting data to intentionally cause damage to a protected computer, and also prohibits the intentional unauthorized accessing of a protected computer where damage is caused recklessly.35 Some commentators have persuasively observed that even the act of tracing an attack through intermediaries might violate the CFAA if harm is caused to the intermediaries. 36 The phrase “protected computers” is defined as computers that are at least sometimes used by or for financial insti - tutions or the U.S. government where the conduct of the offense affects that protected use, or computers that are used in or affect interstate or foreign commerce.37 The latter category could potentially make all computers connected to the Internet into “protected computers” under the CFAA. It is an issue of statutory interpretation as to whether a statute enacted in 1986 was passed with the intent that it should apply to the Internet age reality of 2010. The CFAA clearly distinguished between sections that apply to all computers and sections that apply only to “protected computers.” 38 The provisions at issue here, the ones prohibiting actions that cause damage, use the phrase “protected computer,” whereas provisions that just use the term “computer” cover activities like hacking into sys - tems to obtain information relevant to national security. A broad interpretation of the phrase “protected computers” would be inconsistent with the canons of statutory interpretation, since it would mean that the phrase “protected computer” is redundant of the same concepts communicated by the larger label “computer.”39 If the CFAA was intended to potentially cover every computer in the United States as a “protected computer,” there would not have been some sections that referred to “computers” while others specified “protected computers.” Therefore, to preserve the vitality of the CFAA, the phrase “protected computer” must be reunderstood in the statute to bring this decades-old statute in line with the reality of the Internet age in 2010. Preserving the vitality of the CFAA as it was intended can be accomplished in a couple of ways. First, courts can adopt a more narrow interpretation of the second half of the definition of “protected computers,” interpreting it to apply only to computers containing sensitive, commerce-related informa - tion that would affect a large number of people. This could leave open the possibility of CFAA-based liability for harm caused to health institutions by active defense, without imposing liability under the CFAA for most incidental intrusions into the computers of private individuals whose computers only participate in interstate commerce by virtue of being connected to the Internet. A second way to pre - serve the integrity of the CFAA for these purposes would be to amend the statute to either eliminate the second half of the definition of “protected computers” or to amend the language in such a way as to narrow the scope of the definition. International humanitarian law and the CFAA are thus two areas that must be considered when forming a policy concerning active defense. The CFAA is potentially more prohibitive of the sorts of 34 U.N. Charter art. 51. 35 18 USC. § 1030 (2008). 36 See Bruce P. Smith, Hacking, Poaching, and Counterattacking: digital Counterstrikes and the Contours of Self-Help , 1 J.l. eCoN. & Pol’y 171, 182 (2005). 37 18 USC. § 1030(e)(2) (2008). 38 E.g., 18 USC. § 1030(a)(2) (2008) (“. . . intentionally accesses a computer without authorization . . .”); 18 USC. § 1030(a)(4) (2008) (“. . . knowingly and with intent to defraud, accesses a protected computer without authorization . . .”). 39 18 USC. § 1030(e)(1) (2008) (“[T]he term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions . . .”).

OCR for page 327
 JAY P. kESAn And CARol m. HAYES behaviors that would be involved with active defense, but it is our position that a broad reading of the CFAA would be inconsistent with the canons of statutory interpretation, and thus the CFAA would likely not prove to be a substantial obstacle to implementation of a system to permit active defense. . Public-Priate Partnerships as an Alternatie to Pure goernment Control Even though there are several advantages to permitting the government to have control over active defense, it is important to acknowledge the weaknesses of a pure, state-run regime. As noted in subsection (1), while there is a benefit to having uniformity in software due to a single state entity having control, that benefit exists primarily on the front end, and the benefit would degrade over time if the contractor who supplies the software is not given incentive to continue to improve its product. A purely private regime, on the other hand, would be undesirable, because the lack of uniformity in software and procedure for active defense indicates that a privately run active defense regime would be unpredictable at best. The importance of the private sector to the future of handling cyber conflicts cannot be under emphasized, however, since the private sector arguably has an interest in addressing vulnerabilities that is at least equal to that of the government. The private sector also may have access to more advanced technologies and more experts than are readily available to the government, since considerable develop- ment is undertaken as part of for-profit ventures. One core competency of the private sector, then, is its potentially superior technological expertise and access to cutting edge technology. The corresponding core competencies of the public sector include access to highly relevant, non-public information, the ability to develop uniform procedures, and its access to enforcement mechanisms. One potential way to address these disparities in strengths is to establish a public-private partnership to address active defense issues. A situation where the private sector and government routinely coordinate on matters of active defense would provide the uniformity and legal benefits of government-coordinated active defense, while taking advantage of the private sector’s access to top technologies and experts. Looking to a public-private partnership as a model could be very helpful in forming and shaping a new organization designed to bring private and public actors together to address security and active defense issues. One possible model for such a public-private partnership in this context is the Infor- mation Sharing and Analysis Centers (ISACs), which have the goal of advancing and protecting “the physical and cyber security of the critical infrastructures of North America.”40 There are several different ISACs to cover major sectors relating to critical infrastructure, including the Communications ISAC and the Information Technology ISAC.41 The IT ISAC only lists 20 current members on its website,42 which does not sound like a significant proportion since some sources indicate that over 70,000 IT companies exist in the United States.43 However, the member list of the IT ISAC includes Microsoft, IBM, McAfee and Symantec, representing a significant proportion of several areas of the IT market. The website of the IT ISAC contains several sections, most of which are viewable by members only. The public area of the website includes a Daily News section, a collection of Best Practices documents from a variety of sources, alerts and advisories issued by the United States Computer Emergency Readi - ness Team (US-CERT), alerts issued by X-Force (a service of IBM Internet Security Systems 44), a form for members of the public to submit suspicious files to the organization’s attention, and a collection of legal documents.45 The sort of information that is publicly available on the IT ISAC website demonstrates the sort of coordination between private enterprise and government that characterizes public-private 40 ISAC Council Home Page, http://www.isaccouncil.org/about/ (last visited July 6, 2010). 41 Id. 42 IT-ISAC, https://www.it-isac.org/memberlist.php (last visited July 6, 2010). 43 Information Technology in the United States, manta.com, http://www.manta.com/mb_33_G4_000/information_technology (last visited July 6, 2010). 44 Internet Security Systems—Research, http://xforce.iss.net/ (last visited July 8, 2010). 45 IT-ISAC, https://www.it-isac.org/ (last visited July 6, 2010).

OCR for page 327
 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS partnerships. An analogous arrangement in the context of active defense could consist of frequent updates concerning IDS and traceroute/traceback research, reports concerning potential cyber intrusion trends, and alerts about newly discovered vulnerabilities. However, public-private partnerships can be difficult to implement. The private sector and govern - ment are dominated by two very different cultures, and getting the two groups to work together can be problematic. For instance, there may be a lack of trust between the two groups, with resistance on both sides to share fully with the other, leading to informational asymmetry where one party knows more than the other with respect to some matters. To mitigate these informational asymmetries, the public and private parties need to be encouraged to trust each other and share their expertise so that they can work together in a coordinated fashion in order to attain the expected synergies that drive the collaboration. If a public- private partnership is to succeed, building trust between the parties will be extremely important. ISACs are generally not viewed as being hugely successful, in part due to the relatively low private sector participation. This low participation is perhaps due to the inherent difficulties of fostering trust between the private and public sectors, and perhaps also because of the resistance some members of the private sector might have to engaging in full cooperation and information sharing with their competi - tors. A full case study of the ISAC regime is outside the scope of this paper, but would likely be helpful in understanding the advantages and pitfalls of public-private partnerships in the cyber context. E. Potential Process for Active Defense Having evaluated the possible advantages and pitfalls of active defense, the next important con - sideration is the process that should be followed in the event that government-involved active defense is concluded to be the optimal approach. Because of the necessity for quick action when engaging in counterstrike, the first important point is that the process should contain elements conducive to expe - dited review. One possible approach might be to establish a process that in some ways resembles the manner in which wiretapping approvals are obtained. Currently, wiretaps are available through the Foreign Intelli - gence Surveillance Act (FISA), which provides a process for requesting surveillance of a foreign power or an agent of a foreign power through the FISA court.46 An analogous process could be developed whereby decisions concerning potential counterstrikes are made by an independent body staffed by persons skilled in Internet-related legal issues and who are also specialists in matters concerning complicated computer network and cyber intrusion issues. Such a body could be responsible for evaluating whether counterstrike was appropriate, and could also serve to verify the precision of the technology used. The agency responsible for active defense must also establish criteria to clearly set forth the threshold requirements necessary to justify active defense intervention. When experiencing a cyber intrusion, the entity requiring assistance should be permitted to petition the agency for such assistance, providing specific information about the intrusion and any harm currently inflicted or anticipated to be inflicted if the harm is not mitigated. The agency in charge of active defense might decide that it would be appropriate to have higher threshold requirements in situations where the victim organization is a private entity versus when the victim organization is a government entity. Such disparate treatment may be justified given the national security importance of prompt termination of cyber intrusions on sensitive government systems. Also, the agency in charge of the active defense process could potentially contract the counterstriking activity out to a private organization with employees that fulfill government or military functions. Iv. EFFECT OF ACTIvE DEFENSE ON THIRD PARTIES Hackers who engage in cyber intrusions generally seek to avoid getting caught, and one method that they use to evade detection is to route their message through other computers on the Internet in order 46 5 0 USC. § 1805 (2008).

OCR for page 327
 JAY P. kESAn And CARol m. HAYES to obscure the origin of their original signal. In addition to using other computers to evade detection, a hacker who compromises a large number of systems could use those computers against the ultimate victim. One possibility is that a hacker might use a virus to gain access to the computers of unsuspecting third parties, turning the computers into “zombies.” A hacker with a large army of zombie computers can now initiate DDoS attacks against a firm, flooding the firm’s network with data until it crashes. 47 A firm that is monitoring for such attacks could then initiate the process necessary to counterstrike, but what if the ultimate counterstrike causes harm to the zombie computers, whose owners were not involved with or aware of the hacker’s malicious intentions? One very important concern is that these third parties, who we will refer to as “oblivious interme - diaries,” should be protected from damage caused by counterstrike—but if ignorance of the law is no excuse, why should ignorance of the technology (or at least the basic protections provided by easily available support software) be acceptable? In addition, in some circumstances, the oblivious interme - diaries may be unaware not only of the intrusions by the initial hacker, but also of harm caused by counterstrikes. If those oblivious intermediary firms are unaware that their system has been harmed, has their system truly been harmed? And if the oblivious intermediary firms unwittingly became tools of the hacker because of their negligence in maintaining their own systems, why should they be afforded extra protection? One possible solution, then, is to afford no protection for injured third parties, because additional protection creates a moral hazard by permitting firms to avoid the consequence of their own negligence. Policymakers could point to the risk of damage due to counterstrikes as another incentive for computer operators to be more diligent in installing security updates for their operating systems and programs, as well as providing incentive for operators to be more consistent in their usage of firewalls and anti-virus/anti-malware products. As a policy matter, however, such a harsh approach may be inappropriate. A company with a thousand responsible computer-using corporate employees should not necessarily be punished (via the denial of a remedy) for the careless actions of a single employee on the network. It is standard practice to hold a firm responsible for the negligence of its employees, but ineligibility for remedy would likely be too harsh, since it would be a per se rule that does not easily lend itself to flexibility when consider- ing the circumstances of the situation. Therefore, the firm that finds itself as an oblivious intermediary should be afforded remedy by being permitted to sue the original target of the attack if the oblivious intermediary’s system suffered harm as a result of a negligent or reckless counterstrike. However, we are still left with the problem of avoiding the moral hazard posed by rewarding computer users who willingly remain ill-equipped to handle the threats of modern cyber attacks. The first step that should be taken is education. In order to minimize potential zombie armies, educational materials should be disseminated to underscore the importance of timely security updates and use of software packages that prevent infiltration and that detect if the system has been compromised. Using education to reduce the number of potential third parties that can be harmed could potentially ease the implementation of a liability rule as part of a regime designed to permit defensive actions under the appropriate circumstances. Failure to protect their systems appropriately should not render parties ineligible for causes of action, but allowing the neglect of the oblivious intermediaries to decrease the damages owed may be an appropriate compromise to ensure that all firms are provided with the incentive to exercise due care in managing their IT infrastructure. Because of variations in tort law between the states, federal statutory intervention may be necessary, potentially in the form of some type of federal cybercrime tort statute. Such a statute should include provisions stating that contributory negligence is not a defense available to a counterstriker in a lawsuit brought by the oblivious intermediary. The statute should, however, make available a comparative negligence option for reducing damages owed. For example, a firm with one careless employee who inadvertently renders the firm’s entire network vulnerable would 47 How Zombie Computers Work, http://computer.howstuffworks.com/zombie-computer3.htm (last visited July 8, 2010).

OCR for page 327
0 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS likely be entitled to a larger damage award than a firm that lacks any systematic controls of network content and quality. If the government is placed in control of conducting counterstrikes, one possibility to extend civil liability may be to permit suits by foreign citizens against the United States under the Federal Tort Claims Act (FTCA).48 The government could then resolve the dispute, and then begin a new process to recover the damages from the party that required government assistance. The most significant problem with using the FTCA in this manner, however, is that the FTCA contains an exception for claims that arise in a foreign country.49 The nature of the Internet age leads to many complications when the question becomes where a cyber harm “arises.” One possible solution could be to treat the harm as arising in the state where the counterstrike began, given the almost instantaneous effect that the counterstrike would have on the third party, to be governed by the tort law for negligence of that state. v. CONCLuSION In certain circumstances, counterstrikes in response to cyber attacks can be the socially optimal solution. The optimal approach to active defense is to permit (but not require) counterstriking in certain circumstances, while making the exercise of counterstrikes subject to potential liability for damages that the counterstrike causes to the systems of the oblivious intermediaries whose computers have been compromised by the original hacker. Current technology is supported by a large body of research indicating a steady improvement in accuracy in active defense technologies, thus the current state of the art does not necessarily detract from the social optimality of permitting active defense, though further technological developments may be necessary if higher degrees of accuracy are found to be needed. If active defense is deemed necessary, its existence should be carefully regulated by the govern - ment in order to prevent harm to third parties and to prevent escalation by private entities that could potentially lead to crises of international relations. It may also be advisable for a government entity to control the application of active defense in order to ensure consistency and accuracy in counterstriking. Centralizing the exercise of active defense may be preferable to permitting private firms to counter - strike directly due to the need for standardization and consistency when making determinations about whether to counterstrike. A related option could be to create a public-private partnership to address active defense issues, where government and private enterprise would work together on designing and implementing an active defense program. There are some potential concerns with permitting the government to coordinate active defense efforts. A possible constitutional objection to state involvement in counterstrikes is the danger of a Due Process violation. This paper, however, is based in part on a model emphasizing that the force used during counterstrike should be proportionate and should be no more than that necessary to mitigate the effects of an attack. If this model is followed appropriately, there will be no Due Process violation in standard execution of active defense, because any response will be proportionate and responsive, not punitive. There are, however, other legal provisions, including the self-defense provision of the U.N. Charter, that suggest that the use of active defense would be inappropriate in most cyber intru - sion situations. If the use of active defense is limited to narrow situations and is found to not be inconsistent with current law (including the CFAA), the implications of counterstriking on third parties must also be considered. This paper stresses that the third parties whose computers are used by hackers in further- ing attacks against a target must be given incentive to exercise due care in the maintenance of their systems and networks. Offering a pure liability rule that will permit these oblivious intermediaries to recover significant amounts in damages regardless of their own actions would create a moral hazard. 48 See28 USC. 1346(b) (2008). 49 Henry Cohen and Vanessa K. Burrows, CRS Report for Congress, Federal Tort Claims Act 5 (Dec. 11, 2007), available at http://www.fas.org/sgp/crs/misc/95-717.pdf.

OCR for page 327
1 JAY P. kESAn And CARol m. HAYES Avoiding this problem consists of two parts. First, people must be provided with educational material to underscore the importance of maintaining their systems adequately, including installation of all security updates and the usage of functional firewalls and anti-virus/anti-malware software packages. Second, the cause of action brought by the oblivious intermediary against the target of the hacker’s attack could be governed by a new federal cybercrime tort statute, which would provide for a comparative negligence scheme, or potentially by an extension of the Federal Tort Claims Act. In the absence of effective deterrents under international criminal law, a self-help method like active defense offers sufficient deterrence to malicious hacker activity, with the added advantage of possibly mitigating damage to the target of the intrusion. Since there are some situations where the socially opti - mal solution would be to permit counterstrikes, active defense should not be perpetually prohibited as a matter of policy, but it should be regulated carefully to ensure that counterstrikes are used only in the socially optimal way. Further research in this area is required to ensure the optimal implementation of a potential active defense legal regime.

OCR for page 327