I think I’m going to have to split this report into two parts: So let’s start with Part I – an excellent presentation on Active Cyber Defense: Emerging Legal Dialogue. The panelists were Stewart Baker (Partner, Steptoe & Johnson and former General Counsel of the National Security Agency), Steve Chabinsky (Senior Vice President of Legal Affairs for Crowdstrike) and Emily Frye (Principal Engineer
at The MITRE Corporation).
Here are some of my notes from the panel’s discussion.
Too many people think “If we could just plug all the holes, we’d be fine.” That will never happen.
Technology changes too fast and threats are ever-evolving. It is smarter to track back breaches to their source and to hold those responsible legally accountable.
It makes no sense to attack the IP address that appears to be the source of the breach since you would probably be attacking someone’s grandmother whose computer has been compromised.
The common procedure for many hackers is to lift your data and then store it on a third party server (called a command and control server). It will sit there for a while before being picked up by someone else – then you can get their IP address. Of course, since it is on a third party’s server, you will need the assistance of law enforcement.
It is possible, of course, to put “something bad” in a file with an attractive name which calls home (and maybe does something nasty to the server it is on) when it is moved.
One significant development is that the federal government recognizes that it does not have the resources to effectively defend against cyberattacks on our critical infrastructure, though it does have the authority. The private sector has the resources, but lacks the authority. So a partnership has begun to emerge.
Oversight is clearly needed for the private sector actions. We cannot have vigilantes who are interested in revenge. Also, if a private sector corporation finds its data in a third party command and control server, it is very likely that it will find the stolen data of others. What then?
In the very complicated cyberspace world, attacks come so quickly that defenses need to be realtime – there is no time for humans to intervene.
Many privacy advocates worry about the privacy intrusions implicit in the thoughts above. The panel fundamentally said that the intrusions of privacy that have already occurred are beyond public imagination – and that the advocates fail to realize the real threat is not from those conducting cyberdefense, though the panel does not ignore the need for oversight.
The legality of cyber offenses (e.g. the alleged involvement of the U.S. in Stuxnet) was raised (yes, by me). The ABA is looking at this – and related issues involving cybersecurity – but has not yet spoken. But as one panelist noted, it may be that the U.S. and Iran are bedfellows – of a sort.
Good defenses do make a difference, especially in preventing intrusions by garden variety hackers. But, as the panel noted, you will not be able to keep out a determined bad actor, such as a nation state. And that is why penalty-based deterrence is necessary.
But don’t underestimate the value of being proactive – as one panelist put it, if you think of these
incidents on a continuum, being proactive puts you on the left of the BOOM!
E-mail: [email protected] Phone: 703-359-0700